TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 1dd1674559c0aae976b84e725e4689a1f5667f1c / . / library / aes.c
blob: 69505ef4db4a95ff5683095fb26d0c9d3ceb7983 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnarda658a402015-01-23 09:45:19 +0000[diff] [blame]4 * Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
Manuel Pégourié-Gonnard860b5162015-01-28 17:12:07 +0000[diff] [blame]6 * This file is part of mbed TLS (https://polarssl.org)
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]7 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License along
19 * with this program; if not, write to the Free Software Foundation, Inc.,
20 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 */
22/*
23 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
24 *
25 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
26 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
27 */
28
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]29#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]30#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]31#else
32#include POLARSSL_CONFIG_FILE
33#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]34
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]35#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]36
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]37#include <string.h>
38
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]39#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]40#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]41#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]42#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]43#if defined(POLARSSL_AESNI_C)
44#include "polarssl/aesni.h"
45#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#if defined(POLARSSL_SELF_TEST)
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]48#if defined(POLARSSL_PLATFORM_C)
49#include "polarssl/platform.h"
50#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#include <stdio.h>
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]52#define polarssl_printf printf
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]53#endif /* POLARSSL_PLATFORM_C */
54#endif /* POLARSSL_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]55
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]56#if !defined(POLARSSL_AES_ALT)
57
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]58/* Implementation that should never be optimized out by the compiler */
59static void polarssl_zeroize( void *v, size_t n ) {
60 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
61}
62
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63/*
64 * 32-bit integer manipulation macros (little endian)
65 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]66#ifndef GET_UINT32_LE
67#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]69 (n) = ( (uint32_t) (b)[(i) ] ) \
70 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
71 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
72 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]73}
74#endif
75
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]76#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]77#define PUT_UINT32_LE(n,b,i) \
78{ \
79 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
80 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
81 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
82 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]83}
84#endif
85
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]86#if defined(POLARSSL_PADLOCK_C) && \
87 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]88static int aes_padlock_ace = -1;
89#endif
90
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]91#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]92/*
93 * Forward S-box
94 */
95static const unsigned char FSb[256] =
96{
97 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
98 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
99 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
100 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
101 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
102 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
103 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
104 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
105 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
106 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
107 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
108 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
109 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
110 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
111 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
112 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
113 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
114 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
115 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
116 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
117 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
118 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
119 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
120 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
121 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
122 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
123 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
124 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
125 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
126 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
127 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
128 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
129};
130
131/*
132 * Forward tables
133 */
134#define FT \
135\
136 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
137 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
138 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
139 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
140 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
141 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
142 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
143 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
144 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
145 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
146 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
147 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
148 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
149 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
150 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
151 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
152 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
153 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
154 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
155 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
156 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
157 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
158 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
159 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
160 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
161 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
162 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
163 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
164 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
165 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
166 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
167 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
168 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
169 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
170 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
171 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
172 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
173 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
174 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
175 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
176 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
177 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
178 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
179 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
180 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
181 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
182 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
183 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
184 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
185 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
186 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
187 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
188 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
189 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
190 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
191 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
192 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
193 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
194 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
195 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
196 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
197 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
198 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
199 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
200
201#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]202static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]203#undef V
204
205#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]206static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]207#undef V
208
209#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#undef FT
218
219/*
220 * Reverse S-box
221 */
222static const unsigned char RSb[256] =
223{
224 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
225 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
226 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
227 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
228 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
229 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
230 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
231 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
232 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
233 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
234 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
235 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
236 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
237 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
238 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
239 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
240 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
241 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
242 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
243 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
244 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
245 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
246 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
247 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
248 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
249 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
250 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
251 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
252 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
253 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
254 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
255 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
256};
257
258/*
259 * Reverse tables
260 */
261#define RT \
262\
263 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
264 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
265 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
266 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
267 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
268 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
269 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
270 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
271 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
272 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
273 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
274 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
275 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
276 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
277 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
278 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
279 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
280 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
281 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
282 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
283 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
284 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
285 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
286 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
287 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
288 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
289 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
290 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
291 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
292 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
293 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
294 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
295 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
296 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
297 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
298 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
299 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
300 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
301 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
302 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
303 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
304 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
305 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
306 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
307 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
308 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
309 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
310 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
311 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
312 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
313 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
314 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
315 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
316 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
317 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
318 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
319 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
320 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
321 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
322 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
323 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
324 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
325 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
326 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
327
328#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]329static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]330#undef V
331
332#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]333static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]334#undef V
335
336#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]337static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]338#undef V
339
340#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]341static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342#undef V
343
344#undef RT
345
346/*
347 * Round constants
348 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350{
351 0x00000001, 0x00000002, 0x00000004, 0x00000008,
352 0x00000010, 0x00000020, 0x00000040, 0x00000080,
353 0x0000001B, 0x00000036
354};
355
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]356#else /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]357
358/*
359 * Forward S-box & tables
360 */
361static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]362static uint32_t FT0[256];
363static uint32_t FT1[256];
364static uint32_t FT2[256];
365static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366
367/*
368 * Reverse S-box & tables
369 */
370static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]371static uint32_t RT0[256];
372static uint32_t RT1[256];
373static uint32_t RT2[256];
374static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375
376/*
377 * Round constants
378 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]379static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]380
381/*
382 * Tables generation code
383 */
384#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
385#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
386#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
387
388static int aes_init_done = 0;
389
390static void aes_gen_tables( void )
391{
392 int i, x, y, z;
393 int pow[256];
394 int log[256];
395
396 /*
397 * compute pow and log tables over GF(2^8)
398 */
399 for( i = 0, x = 1; i < 256; i++ )
400 {
401 pow[i] = x;
402 log[x] = i;
403 x = ( x ^ XTIME( x ) ) & 0xFF;
404 }
405
406 /*
407 * calculate the round constants
408 */
409 for( i = 0, x = 1; i < 10; i++ )
410 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]411 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]412 x = XTIME( x ) & 0xFF;
413 }
414
415 /*
416 * generate the forward and reverse S-boxes
417 */
418 FSb[0x00] = 0x63;
419 RSb[0x63] = 0x00;
420
421 for( i = 1; i < 256; i++ )
422 {
423 x = pow[255 - log[i]];
424
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]425 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
426 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
427 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
428 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]429 x ^= y ^ 0x63;
430
431 FSb[i] = (unsigned char) x;
432 RSb[x] = (unsigned char) i;
433 }
434
435 /*
436 * generate the forward and reverse tables
437 */
438 for( i = 0; i < 256; i++ )
439 {
440 x = FSb[i];
441 y = XTIME( x ) & 0xFF;
442 z = ( y ^ x ) & 0xFF;
443
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]444 FT0[i] = ( (uint32_t) y ) ^
445 ( (uint32_t) x << 8 ) ^
446 ( (uint32_t) x << 16 ) ^
447 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448
449 FT1[i] = ROTL8( FT0[i] );
450 FT2[i] = ROTL8( FT1[i] );
451 FT3[i] = ROTL8( FT2[i] );
452
453 x = RSb[i];
454
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]455 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
456 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
457 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
458 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459
460 RT1[i] = ROTL8( RT0[i] );
461 RT2[i] = ROTL8( RT1[i] );
462 RT3[i] = ROTL8( RT2[i] );
463 }
464}
465
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]466#endif /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]467
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]468void aes_init( aes_context *ctx )
469{
470 memset( ctx, 0, sizeof( aes_context ) );
471}
472
473void aes_free( aes_context *ctx )
474{
475 if( ctx == NULL )
476 return;
477
478 polarssl_zeroize( ctx, sizeof( aes_context ) );
479}
480
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481/*
482 * AES key schedule (encryption)
483 */
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]484int aes_setkey_enc( aes_context *ctx, const unsigned char *key,
485 unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]486{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]487 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]488 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]490#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491 if( aes_init_done == 0 )
492 {
493 aes_gen_tables();
494 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]495
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]496 }
497#endif
498
499 switch( keysize )
500 {
501 case 128: ctx->nr = 10; break;
502 case 192: ctx->nr = 12; break;
503 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]504 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505 }
506
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]507#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
508 if( aes_padlock_ace == -1 )
509 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
510
511 if( aes_padlock_ace )
512 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
513 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]515 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]517#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
518 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100[diff] [blame]519 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]520#endif
521
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]522 for( i = 0; i < ( keysize >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]524 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]525 }
526
527 switch( ctx->nr )
528 {
529 case 10:
530
531 for( i = 0; i < 10; i++, RK += 4 )
532 {
533 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]534 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
535 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
536 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
537 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538
539 RK[5] = RK[1] ^ RK[4];
540 RK[6] = RK[2] ^ RK[5];
541 RK[7] = RK[3] ^ RK[6];
542 }
543 break;
544
545 case 12:
546
547 for( i = 0; i < 8; i++, RK += 6 )
548 {
549 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]550 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
551 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
552 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
553 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554
555 RK[7] = RK[1] ^ RK[6];
556 RK[8] = RK[2] ^ RK[7];
557 RK[9] = RK[3] ^ RK[8];
558 RK[10] = RK[4] ^ RK[9];
559 RK[11] = RK[5] ^ RK[10];
560 }
561 break;
562
563 case 14:
564
565 for( i = 0; i < 7; i++, RK += 8 )
566 {
567 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]568 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
569 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
570 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
571 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572
573 RK[9] = RK[1] ^ RK[8];
574 RK[10] = RK[2] ^ RK[9];
575 RK[11] = RK[3] ^ RK[10];
576
577 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]578 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
579 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
580 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
581 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582
583 RK[13] = RK[5] ^ RK[12];
584 RK[14] = RK[6] ^ RK[13];
585 RK[15] = RK[7] ^ RK[14];
586 }
587 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]589
590 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591}
592
593/*
594 * AES key schedule (decryption)
595 */
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]596int aes_setkey_dec( aes_context *ctx, const unsigned char *key,
597 unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]599 int i, j, ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]601 uint32_t *RK;
602 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]603
604 aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]605
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]606#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
607 if( aes_padlock_ace == -1 )
608 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
609
610 if( aes_padlock_ace )
611 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
612 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]614 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]616 /* Also checks keysize */
617 if( ( ret = aes_setkey_enc( &cty, key, keysize ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]618 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]619
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]620 ctx->nr = cty.nr;
621
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]622#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
623 if( aesni_supports( POLARSSL_AESNI_AES ) )
624 {
625 aesni_inverse_key( (unsigned char *) ctx->rk,
626 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]627 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]628 }
629#endif
630
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]631 SK = cty.rk + cty.nr * 4;
632
633 *RK++ = *SK++;
634 *RK++ = *SK++;
635 *RK++ = *SK++;
636 *RK++ = *SK++;
637
638 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
639 {
640 for( j = 0; j < 4; j++, SK++ )
641 {
642 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
643 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
644 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
645 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
646 }
647 }
648
649 *RK++ = *SK++;
650 *RK++ = *SK++;
651 *RK++ = *SK++;
652 *RK++ = *SK++;
653
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]654exit:
655 aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]656
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]657 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658}
659
660#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
661{ \
662 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
663 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
664 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
665 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
666 \
667 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
668 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
669 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
670 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
671 \
672 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
673 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
674 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
675 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
676 \
677 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
678 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
679 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
680 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
681}
682
683#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
684{ \
685 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
686 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
687 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
688 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
689 \
690 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
691 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
692 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
693 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
694 \
695 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
696 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
697 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
698 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
699 \
700 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
701 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
702 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
703 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
704}
705
706/*
707 * AES-ECB block encryption/decryption
708 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]709int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]711 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]712 unsigned char output[16] )
713{
714 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]715 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]717#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]718 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]719 return( aesni_crypt_ecb( ctx, mode, input, output ) );
720#endif
721
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]722#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]723 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]724 {
725 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]726 return( 0 );
727
728 // If padlock data misaligned, we just fall back to
729 // unaccelerated mode
730 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]731 }
732#endif
733
734 RK = ctx->rk;
735
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]736 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
737 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
738 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
739 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]740
741 if( mode == AES_DECRYPT )
742 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]743 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]744 {
745 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
746 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
747 }
748
749 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
750
751 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]752 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
753 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
754 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
755 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]756
757 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]758 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
759 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
760 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
761 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762
763 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]764 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
765 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
766 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
767 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]768
769 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]770 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
771 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
772 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
773 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]774 }
775 else /* AES_ENCRYPT */
776 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]777 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]778 {
779 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
780 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
781 }
782
783 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
784
785 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]786 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
787 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
788 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
789 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]790
791 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]792 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
793 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
794 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
795 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]796
797 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]798 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
799 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
800 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
801 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]802
803 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]804 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
805 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
806 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
807 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]808 }
809
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]810 PUT_UINT32_LE( X0, output, 0 );
811 PUT_UINT32_LE( X1, output, 4 );
812 PUT_UINT32_LE( X2, output, 8 );
813 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]814
815 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816}
817
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]818#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]819/*
820 * AES-CBC buffer encryption/decryption
821 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]822int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]823 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]824 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]825 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]826 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]827 unsigned char *output )
828{
829 int i;
830 unsigned char temp[16];
831
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]832 if( length % 16 )
833 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
834
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]835#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]836 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]837 {
838 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]839 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]840
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]841 // If padlock data misaligned, we just fall back to
842 // unaccelerated mode
843 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]844 }
845#endif
846
847 if( mode == AES_DECRYPT )
848 {
849 while( length > 0 )
850 {
851 memcpy( temp, input, 16 );
852 aes_crypt_ecb( ctx, mode, input, output );
853
854 for( i = 0; i < 16; i++ )
855 output[i] = (unsigned char)( output[i] ^ iv[i] );
856
857 memcpy( iv, temp, 16 );
858
859 input += 16;
860 output += 16;
861 length -= 16;
862 }
863 }
864 else
865 {
866 while( length > 0 )
867 {
868 for( i = 0; i < 16; i++ )
869 output[i] = (unsigned char)( input[i] ^ iv[i] );
870
871 aes_crypt_ecb( ctx, mode, output, output );
872 memcpy( iv, output, 16 );
873
874 input += 16;
875 output += 16;
876 length -= 16;
877 }
878 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]879
880 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]881}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]882#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]883
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]884#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]885/*
886 * AES-CFB128 buffer encryption/decryption
887 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]888int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]889 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]890 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]891 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]892 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]893 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]894 unsigned char *output )
895{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]896 int c;
897 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]898
899 if( mode == AES_DECRYPT )
900 {
901 while( length-- )
902 {
903 if( n == 0 )
904 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
905
906 c = *input++;
907 *output++ = (unsigned char)( c ^ iv[n] );
908 iv[n] = (unsigned char) c;
909
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]910 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]911 }
912 }
913 else
914 {
915 while( length-- )
916 {
917 if( n == 0 )
918 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
919
920 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
921
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]922 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]923 }
924 }
925
926 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]927
928 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]929}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]930
931/*
932 * AES-CFB8 buffer encryption/decryption
933 */
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]934int aes_crypt_cfb8( aes_context *ctx,
935 int mode,
936 size_t length,
937 unsigned char iv[16],
938 const unsigned char *input,
939 unsigned char *output )
940{
941 unsigned char c;
942 unsigned char ov[17];
943
944 while( length-- )
945 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]946 memcpy( ov, iv, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]947 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
948
949 if( mode == AES_DECRYPT )
950 ov[16] = *input;
951
952 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
953
954 if( mode == AES_ENCRYPT )
955 ov[16] = c;
956
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]957 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]958 }
959
960 return( 0 );
961}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]962#endif /*POLARSSL_CIPHER_MODE_CFB */
963
964#if defined(POLARSSL_CIPHER_MODE_CTR)
965/*
966 * AES-CTR buffer encryption/decryption
967 */
968int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]969 size_t length,
970 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]971 unsigned char nonce_counter[16],
972 unsigned char stream_block[16],
973 const unsigned char *input,
974 unsigned char *output )
975{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]976 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]977 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]978
979 while( length-- )
980 {
981 if( n == 0 ) {
982 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
983
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]984 for( i = 16; i > 0; i-- )
985 if( ++nonce_counter[i - 1] != 0 )
986 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]987 }
988 c = *input++;
989 *output++ = (unsigned char)( c ^ stream_block[n] );
990
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]991 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]992 }
993
994 *nc_off = n;
995
996 return( 0 );
997}
998#endif /* POLARSSL_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]999
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]1000#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]1002#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1003/*
1004 * AES test vectors from:
1005 *
1006 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1007 */
1008static const unsigned char aes_test_ecb_dec[3][16] =
1009{
1010 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1011 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1012 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1013 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1014 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1015 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1016};
1017
1018static const unsigned char aes_test_ecb_enc[3][16] =
1019{
1020 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1021 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1022 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1023 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1024 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1025 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1026};
1027
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1028#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1029static const unsigned char aes_test_cbc_dec[3][16] =
1030{
1031 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1032 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1033 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1034 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1035 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1036 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1037};
1038
1039static const unsigned char aes_test_cbc_enc[3][16] =
1040{
1041 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1042 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1043 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1044 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1045 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1046 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1047};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1048#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1050#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1051/*
1052 * AES-CFB128 test vectors from:
1053 *
1054 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1055 */
1056static const unsigned char aes_test_cfb128_key[3][32] =
1057{
1058 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1059 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1060 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1061 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1062 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1063 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1064 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1065 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1066 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1067};
1068
1069static const unsigned char aes_test_cfb128_iv[16] =
1070{
1071 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1072 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1073};
1074
1075static const unsigned char aes_test_cfb128_pt[64] =
1076{
1077 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1078 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1079 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1080 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1081 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1082 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1083 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1084 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1085};
1086
1087static const unsigned char aes_test_cfb128_ct[3][64] =
1088{
1089 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1090 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1091 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1092 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1093 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1094 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1095 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1096 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1097 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1098 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1099 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1100 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1101 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1102 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1103 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1104 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1105 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1106 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1107 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1108 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1109 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1110 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1111 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1112 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1113};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1114#endif /* POLARSSL_CIPHER_MODE_CFB */
1115
1116#if defined(POLARSSL_CIPHER_MODE_CTR)
1117/*
1118 * AES-CTR test vectors from:
1119 *
1120 * http://www.faqs.org/rfcs/rfc3686.html
1121 */
1122
1123static const unsigned char aes_test_ctr_key[3][16] =
1124{
1125 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1126 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1127 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1128 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1129 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1130 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1131};
1132
1133static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1134{
1135 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1136 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1137 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1138 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1139 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1140 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1141};
1142
1143static const unsigned char aes_test_ctr_pt[3][48] =
1144{
1145 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1146 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1147
1148 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1149 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1150 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1151 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1152
1153 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1154 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1155 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1156 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1157 0x20, 0x21, 0x22, 0x23 }
1158};
1159
1160static const unsigned char aes_test_ctr_ct[3][48] =
1161{
1162 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1163 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1164 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1165 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1166 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1167 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1168 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1169 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1170 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1171 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1172 0x25, 0xB2, 0x07, 0x2F }
1173};
1174
1175static const int aes_test_ctr_len[3] =
1176 { 16, 32, 36 };
1177#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1178
1179/*
1180 * Checkup routine
1181 */
1182int aes_self_test( int verbose )
1183{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1184 int ret = 0, i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1185 unsigned char key[32];
1186 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1187 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1188#if defined(POLARSSL_CIPHER_MODE_CBC)
1189 unsigned char prv[16];
1190#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1191#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1192 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1193#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1194#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1195 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1196 unsigned char nonce_counter[16];
1197 unsigned char stream_block[16];
1198#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1199 aes_context ctx;
1200
1201 memset( key, 0, 32 );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1202 aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1203
1204 /*
1205 * ECB mode
1206 */
1207 for( i = 0; i < 6; i++ )
1208 {
1209 u = i >> 1;
1210 v = i & 1;
1211
1212 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1213 polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1214 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1215
1216 memset( buf, 0, 16 );
1217
1218 if( v == AES_DECRYPT )
1219 {
1220 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1221
1222 for( j = 0; j < 10000; j++ )
1223 aes_crypt_ecb( &ctx, v, buf, buf );
1224
1225 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1226 {
1227 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1228 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1229
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1230 ret = 1;
1231 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1232 }
1233 }
1234 else
1235 {
1236 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1237
1238 for( j = 0; j < 10000; j++ )
1239 aes_crypt_ecb( &ctx, v, buf, buf );
1240
1241 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1242 {
1243 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1244 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1245
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1246 ret = 1;
1247 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1248 }
1249 }
1250
1251 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1252 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1253 }
1254
1255 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1256 polarssl_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1257
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1258#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1259 /*
1260 * CBC mode
1261 */
1262 for( i = 0; i < 6; i++ )
1263 {
1264 u = i >> 1;
1265 v = i & 1;
1266
1267 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1268 polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1269 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1270
1271 memset( iv , 0, 16 );
1272 memset( prv, 0, 16 );
1273 memset( buf, 0, 16 );
1274
1275 if( v == AES_DECRYPT )
1276 {
1277 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1278
1279 for( j = 0; j < 10000; j++ )
1280 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1281
1282 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1283 {
1284 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1285 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1287 ret = 1;
1288 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289 }
1290 }
1291 else
1292 {
1293 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1294
1295 for( j = 0; j < 10000; j++ )
1296 {
1297 unsigned char tmp[16];
1298
1299 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1300
1301 memcpy( tmp, prv, 16 );
1302 memcpy( prv, buf, 16 );
1303 memcpy( buf, tmp, 16 );
1304 }
1305
1306 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1307 {
1308 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1309 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1310
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1311 ret = 1;
1312 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313 }
1314 }
1315
1316 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1317 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318 }
1319
1320 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1321 polarssl_printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1322#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1324#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325 /*
1326 * CFB128 mode
1327 */
1328 for( i = 0; i < 6; i++ )
1329 {
1330 u = i >> 1;
1331 v = i & 1;
1332
1333 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1334 polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1335 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336
1337 memcpy( iv, aes_test_cfb128_iv, 16 );
1338 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1339
1340 offset = 0;
1341 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1342
1343 if( v == AES_DECRYPT )
1344 {
1345 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1346 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1347
1348 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1349 {
1350 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1351 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1352
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1353 ret = 1;
1354 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355 }
1356 }
1357 else
1358 {
1359 memcpy( buf, aes_test_cfb128_pt, 64 );
1360 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1361
1362 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1363 {
1364 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1365 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1366
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1367 ret = 1;
1368 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1369 }
1370 }
1371
1372 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1373 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1374 }
1375
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1376 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1377 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1378#endif /* POLARSSL_CIPHER_MODE_CFB */
1379
1380#if defined(POLARSSL_CIPHER_MODE_CTR)
1381 /*
1382 * CTR mode
1383 */
1384 for( i = 0; i < 6; i++ )
1385 {
1386 u = i >> 1;
1387 v = i & 1;
1388
1389 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1390 polarssl_printf( " AES-CTR-128 (%s): ",
1391 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1392
1393 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1394 memcpy( key, aes_test_ctr_key[u], 16 );
1395
1396 offset = 0;
1397 aes_setkey_enc( &ctx, key, 128 );
1398
1399 if( v == AES_DECRYPT )
1400 {
1401 len = aes_test_ctr_len[u];
1402 memcpy( buf, aes_test_ctr_ct[u], len );
1403
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1404 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1405 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1406
1407 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1408 {
1409 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1410 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1411
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1412 ret = 1;
1413 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1414 }
1415 }
1416 else
1417 {
1418 len = aes_test_ctr_len[u];
1419 memcpy( buf, aes_test_ctr_pt[u], len );
1420
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame]1421 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1422 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1423
1424 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1425 {
1426 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1427 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1428
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1429 ret = 1;
1430 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1431 }
1432 }
1433
1434 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1435 polarssl_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1436 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1437
1438 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1439 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1440#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1441
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1442 ret = 0;
1443
1444exit:
1445 aes_free( &ctx );
1446
1447 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1448}
1449
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1450#endif /* POLARSSL_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1451
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1452#endif /* POLARSSL_AES_C */