TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b9e4e2c97a2e448090ff3fcc0f99b8f6dbc08897 / . / library / aes.c
blob: ca5c90692ded9053c600b67894c936d3a2707a7d [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]4 * Copyright (C) 2006-2014, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
27 *
28 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
29 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
30 */
31
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#if !defined(POLARSSL_CONFIG_FILE)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]33#include "polarssl/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]34#else
35#include POLARSSL_CONFIG_FILE
36#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]38#if defined(POLARSSL_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]39
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]40#include "polarssl/aes.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]41#if defined(POLARSSL_PADLOCK_C)
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]42#include "polarssl/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]44#if defined(POLARSSL_AESNI_C)
45#include "polarssl/aesni.h"
46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]48#if defined(POLARSSL_PLATFORM_C)
49#include "polarssl/platform.h"
50#else
51#define polarssl_printf printf
52#endif
53
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]54#if !defined(POLARSSL_AES_ALT)
55
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]56/*
57 * 32-bit integer manipulation macros (little endian)
58 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]59#ifndef GET_UINT32_LE
60#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]61{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]62 (n) = ( (uint32_t) (b)[(i) ] ) \
63 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
64 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
65 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66}
67#endif
68
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]69#ifndef PUT_UINT32_LE
70#define PUT_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]71{ \
72 (b)[(i) ] = (unsigned char) ( (n) ); \
73 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
74 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
75 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
76}
77#endif
78
Paul Bakker0e19e9f2012-10-01 11:02:48 +0000[diff] [blame]79#if defined(POLARSSL_PADLOCK_C) && \
80 ( defined(POLARSSL_HAVE_X86) || defined(PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]81static int aes_padlock_ace = -1;
82#endif
83
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]84#if defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85/*
86 * Forward S-box
87 */
88static const unsigned char FSb[256] =
89{
90 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
91 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
92 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
93 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
94 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
95 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
96 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
97 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
98 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
99 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
100 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
101 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
102 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
103 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
104 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
105 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
106 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
107 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
108 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
109 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
110 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
111 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
112 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
113 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
114 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
115 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
116 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
117 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
118 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
119 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
120 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
121 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
122};
123
124/*
125 * Forward tables
126 */
127#define FT \
128\
129 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
130 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
131 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
132 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
133 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
134 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
135 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
136 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
137 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
138 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
139 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
140 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
141 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
142 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
143 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
144 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
145 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
146 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
147 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
148 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
149 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
150 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
151 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
152 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
153 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
154 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
155 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
156 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
157 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
158 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
159 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
160 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
161 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
162 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
163 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
164 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
165 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
166 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
167 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
168 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
169 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
170 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
171 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
172 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
173 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
174 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
175 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
176 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
177 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
178 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
179 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
180 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
181 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
182 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
183 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
184 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
185 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
186 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
187 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
188 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
189 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
190 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
191 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
192 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
193
194#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]195static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]196#undef V
197
198#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
202#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]203static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#undef V
205
206#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]207static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208#undef V
209
210#undef FT
211
212/*
213 * Reverse S-box
214 */
215static const unsigned char RSb[256] =
216{
217 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
218 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
219 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
220 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
221 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
222 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
223 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
224 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
225 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
226 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
227 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
228 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
229 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
230 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
231 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
232 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
233 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
234 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
235 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
236 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
237 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
238 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
239 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
240 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
241 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
242 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
243 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
244 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
245 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
246 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
247 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
248 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
249};
250
251/*
252 * Reverse tables
253 */
254#define RT \
255\
256 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
257 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
258 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
259 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
260 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
261 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
262 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
263 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
264 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
265 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
266 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
267 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
268 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
269 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
270 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
271 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
272 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
273 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
274 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
275 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
276 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
277 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
278 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
279 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
280 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
281 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
282 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
283 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
284 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
285 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
286 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
287 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
288 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
289 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
290 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
291 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
292 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
293 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
294 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
295 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
296 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
297 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
298 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
299 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
300 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
301 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
302 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
303 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
304 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
305 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
306 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
307 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
308 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
309 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
310 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
311 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
312 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
313 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
314 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
315 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
316 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
317 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
318 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
319 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
320
321#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]322static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323#undef V
324
325#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]326static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]327#undef V
328
329#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
333#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]334static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#undef V
336
337#undef RT
338
339/*
340 * Round constants
341 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343{
344 0x00000001, 0x00000002, 0x00000004, 0x00000008,
345 0x00000010, 0x00000020, 0x00000040, 0x00000080,
346 0x0000001B, 0x00000036
347};
348
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]349#else /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350
351/*
352 * Forward S-box & tables
353 */
354static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]355static uint32_t FT0[256];
356static uint32_t FT1[256];
357static uint32_t FT2[256];
358static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359
360/*
361 * Reverse S-box & tables
362 */
363static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]364static uint32_t RT0[256];
365static uint32_t RT1[256];
366static uint32_t RT2[256];
367static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368
369/*
370 * Round constants
371 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]372static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374/*
375 * Tables generation code
376 */
377#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
378#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
379#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
380
381static int aes_init_done = 0;
382
383static void aes_gen_tables( void )
384{
385 int i, x, y, z;
386 int pow[256];
387 int log[256];
388
389 /*
390 * compute pow and log tables over GF(2^8)
391 */
392 for( i = 0, x = 1; i < 256; i++ )
393 {
394 pow[i] = x;
395 log[x] = i;
396 x = ( x ^ XTIME( x ) ) & 0xFF;
397 }
398
399 /*
400 * calculate the round constants
401 */
402 for( i = 0, x = 1; i < 10; i++ )
403 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]404 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]405 x = XTIME( x ) & 0xFF;
406 }
407
408 /*
409 * generate the forward and reverse S-boxes
410 */
411 FSb[0x00] = 0x63;
412 RSb[0x63] = 0x00;
413
414 for( i = 1; i < 256; i++ )
415 {
416 x = pow[255 - log[i]];
417
418 y = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
419 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
420 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
421 x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
422 x ^= y ^ 0x63;
423
424 FSb[i] = (unsigned char) x;
425 RSb[x] = (unsigned char) i;
426 }
427
428 /*
429 * generate the forward and reverse tables
430 */
431 for( i = 0; i < 256; i++ )
432 {
433 x = FSb[i];
434 y = XTIME( x ) & 0xFF;
435 z = ( y ^ x ) & 0xFF;
436
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]437 FT0[i] = ( (uint32_t) y ) ^
438 ( (uint32_t) x << 8 ) ^
439 ( (uint32_t) x << 16 ) ^
440 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]441
442 FT1[i] = ROTL8( FT0[i] );
443 FT2[i] = ROTL8( FT1[i] );
444 FT3[i] = ROTL8( FT2[i] );
445
446 x = RSb[i];
447
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]448 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
449 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
450 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
451 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]452
453 RT1[i] = ROTL8( RT0[i] );
454 RT2[i] = ROTL8( RT1[i] );
455 RT3[i] = ROTL8( RT2[i] );
456 }
457}
458
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]459#endif /* POLARSSL_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460
461/*
462 * AES key schedule (encryption)
463 */
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame^]464int aes_setkey_enc( aes_context *ctx, const unsigned char *key,
465 unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]467 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]468 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]470#if !defined(POLARSSL_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]471 if( aes_init_done == 0 )
472 {
473 aes_gen_tables();
474 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]475
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477#endif
478
479 switch( keysize )
480 {
481 case 128: ctx->nr = 10; break;
482 case 192: ctx->nr = 12; break;
483 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]484 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485 }
486
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]487#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
488 if( aes_padlock_ace == -1 )
489 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
490
491 if( aes_padlock_ace )
492 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
493 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]494#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]495 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]496
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]497#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
498 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnardbfa3c9a2013-12-30 13:53:58 +0100[diff] [blame]499 return( aesni_setkey_enc( (unsigned char *) ctx->rk, key, keysize ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]500#endif
501
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502 for( i = 0; i < (keysize >> 5); i++ )
503 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]504 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505 }
506
507 switch( ctx->nr )
508 {
509 case 10:
510
511 for( i = 0; i < 10; i++, RK += 4 )
512 {
513 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]514 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
515 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
516 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
517 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518
519 RK[5] = RK[1] ^ RK[4];
520 RK[6] = RK[2] ^ RK[5];
521 RK[7] = RK[3] ^ RK[6];
522 }
523 break;
524
525 case 12:
526
527 for( i = 0; i < 8; i++, RK += 6 )
528 {
529 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]530 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
531 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
532 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
533 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]534
535 RK[7] = RK[1] ^ RK[6];
536 RK[8] = RK[2] ^ RK[7];
537 RK[9] = RK[3] ^ RK[8];
538 RK[10] = RK[4] ^ RK[9];
539 RK[11] = RK[5] ^ RK[10];
540 }
541 break;
542
543 case 14:
544
545 for( i = 0; i < 7; i++, RK += 8 )
546 {
547 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]548 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
549 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
550 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
551 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552
553 RK[9] = RK[1] ^ RK[8];
554 RK[10] = RK[2] ^ RK[9];
555 RK[11] = RK[3] ^ RK[10];
556
557 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]558 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
559 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
560 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
561 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562
563 RK[13] = RK[5] ^ RK[12];
564 RK[14] = RK[6] ^ RK[13];
565 RK[15] = RK[7] ^ RK[14];
566 }
567 break;
568
569 default:
570
571 break;
572 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]573
574 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]575}
576
577/*
578 * AES key schedule (decryption)
579 */
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame^]580int aes_setkey_dec( aes_context *ctx, const unsigned char *key,
581 unsigned int keysize )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582{
583 int i, j;
584 aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]585 uint32_t *RK;
586 uint32_t *SK;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]587 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588
589 switch( keysize )
590 {
591 case 128: ctx->nr = 10; break;
592 case 192: ctx->nr = 12; break;
593 case 256: ctx->nr = 14; break;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]594 default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]595 }
596
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]597#if defined(POLARSSL_PADLOCK_C) && defined(PADLOCK_ALIGN16)
598 if( aes_padlock_ace == -1 )
599 aes_padlock_ace = padlock_supports( PADLOCK_ACE );
600
601 if( aes_padlock_ace )
602 ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
603 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]604#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]605 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]606
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]607 ret = aes_setkey_enc( &cty, key, keysize );
608 if( ret != 0 )
609 return( ret );
610
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]611#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
612 if( aesni_supports( POLARSSL_AESNI_AES ) )
613 {
614 aesni_inverse_key( (unsigned char *) ctx->rk,
615 (const unsigned char *) cty.rk, ctx->nr );
616 goto done;
617 }
618#endif
619
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]620 SK = cty.rk + cty.nr * 4;
621
622 *RK++ = *SK++;
623 *RK++ = *SK++;
624 *RK++ = *SK++;
625 *RK++ = *SK++;
626
627 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
628 {
629 for( j = 0; j < 4; j++, SK++ )
630 {
631 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
632 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
633 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
634 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
635 }
636 }
637
638 *RK++ = *SK++;
639 *RK++ = *SK++;
640 *RK++ = *SK++;
641 *RK++ = *SK++;
642
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]643#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]644done:
Paul Bakker0d0de922013-12-30 15:29:04 +0100[diff] [blame]645#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646 memset( &cty, 0, sizeof( aes_context ) );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]647
648 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]649}
650
651#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
652{ \
653 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
654 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
655 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
656 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
657 \
658 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
659 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
660 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
661 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
662 \
663 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
664 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
665 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
666 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
667 \
668 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
669 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
670 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
671 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
672}
673
674#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
675{ \
676 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
677 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
678 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
679 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
680 \
681 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
682 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
683 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
684 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
685 \
686 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
687 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
688 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
689 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
690 \
691 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
692 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
693 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
694 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
695}
696
697/*
698 * AES-ECB block encryption/decryption
699 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]700int aes_crypt_ecb( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]702 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]703 unsigned char output[16] )
704{
705 int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]706 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]707
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]708#if defined(POLARSSL_AESNI_C) && defined(POLARSSL_HAVE_X86_64)
Manuel Pégourié-Gonnard8eaf20b2013-12-18 19:14:53 +0100[diff] [blame]709 if( aesni_supports( POLARSSL_AESNI_AES ) )
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]710 return( aesni_crypt_ecb( ctx, mode, input, output ) );
711#endif
712
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]713#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]714 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]715 {
716 if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]717 return( 0 );
718
719 // If padlock data misaligned, we just fall back to
720 // unaccelerated mode
721 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]722 }
723#endif
724
725 RK = ctx->rk;
726
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]727 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
728 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
729 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
730 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]731
732 if( mode == AES_DECRYPT )
733 {
734 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
735 {
736 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
737 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
738 }
739
740 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
741
742 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]743 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
744 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
745 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
746 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]747
748 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]749 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
750 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
751 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
752 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]753
754 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]755 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
756 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
757 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
758 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]759
760 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]761 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
762 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
763 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
764 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]765 }
766 else /* AES_ENCRYPT */
767 {
768 for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
769 {
770 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
771 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
772 }
773
774 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
775
776 X0 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]777 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
778 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
779 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
780 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781
782 X1 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]783 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
784 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
785 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
786 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]787
788 X2 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]789 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
790 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
791 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
792 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]793
794 X3 = *RK++ ^ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]795 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
796 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
797 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
798 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]799 }
800
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]801 PUT_UINT32_LE( X0, output, 0 );
802 PUT_UINT32_LE( X1, output, 4 );
803 PUT_UINT32_LE( X2, output, 8 );
804 PUT_UINT32_LE( X3, output, 12 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]805
806 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]807}
808
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]809#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]810/*
811 * AES-CBC buffer encryption/decryption
812 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]813int aes_crypt_cbc( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]815 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]816 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]817 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818 unsigned char *output )
819{
820 int i;
821 unsigned char temp[16];
822
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]823 if( length % 16 )
824 return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
825
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]826#if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]827 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]828 {
829 if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]830 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]831
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]832 // If padlock data misaligned, we just fall back to
833 // unaccelerated mode
834 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]835 }
836#endif
837
838 if( mode == AES_DECRYPT )
839 {
840 while( length > 0 )
841 {
842 memcpy( temp, input, 16 );
843 aes_crypt_ecb( ctx, mode, input, output );
844
845 for( i = 0; i < 16; i++ )
846 output[i] = (unsigned char)( output[i] ^ iv[i] );
847
848 memcpy( iv, temp, 16 );
849
850 input += 16;
851 output += 16;
852 length -= 16;
853 }
854 }
855 else
856 {
857 while( length > 0 )
858 {
859 for( i = 0; i < 16; i++ )
860 output[i] = (unsigned char)( input[i] ^ iv[i] );
861
862 aes_crypt_ecb( ctx, mode, output, output );
863 memcpy( iv, output, 16 );
864
865 input += 16;
866 output += 16;
867 length -= 16;
868 }
869 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]870
871 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]872}
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]873#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]874
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]875#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]876/*
877 * AES-CFB128 buffer encryption/decryption
878 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]879int aes_crypt_cfb128( aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]880 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]881 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]882 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]883 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]884 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]885 unsigned char *output )
886{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]887 int c;
888 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]889
890 if( mode == AES_DECRYPT )
891 {
892 while( length-- )
893 {
894 if( n == 0 )
895 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
896
897 c = *input++;
898 *output++ = (unsigned char)( c ^ iv[n] );
899 iv[n] = (unsigned char) c;
900
901 n = (n + 1) & 0x0F;
902 }
903 }
904 else
905 {
906 while( length-- )
907 {
908 if( n == 0 )
909 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
910
911 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
912
913 n = (n + 1) & 0x0F;
914 }
915 }
916
917 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]918
919 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]920}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]921
922/*
923 * AES-CFB8 buffer encryption/decryption
924 */
925#include <stdio.h>
926int aes_crypt_cfb8( aes_context *ctx,
927 int mode,
928 size_t length,
929 unsigned char iv[16],
930 const unsigned char *input,
931 unsigned char *output )
932{
933 unsigned char c;
934 unsigned char ov[17];
935
936 while( length-- )
937 {
938 memcpy(ov, iv, 16);
939 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
940
941 if( mode == AES_DECRYPT )
942 ov[16] = *input;
943
944 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
945
946 if( mode == AES_ENCRYPT )
947 ov[16] = c;
948
949 memcpy(iv, ov + 1, 16);
950 }
951
952 return( 0 );
953}
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]954#endif /*POLARSSL_CIPHER_MODE_CFB */
955
956#if defined(POLARSSL_CIPHER_MODE_CTR)
957/*
958 * AES-CTR buffer encryption/decryption
959 */
960int aes_crypt_ctr( aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]961 size_t length,
962 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]963 unsigned char nonce_counter[16],
964 unsigned char stream_block[16],
965 const unsigned char *input,
966 unsigned char *output )
967{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]968 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]969 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]970
971 while( length-- )
972 {
973 if( n == 0 ) {
974 aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
975
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]976 for( i = 16; i > 0; i-- )
977 if( ++nonce_counter[i - 1] != 0 )
978 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]979 }
980 c = *input++;
981 *output++ = (unsigned char)( c ^ stream_block[n] );
982
983 n = (n + 1) & 0x0F;
984 }
985
986 *nc_off = n;
987
988 return( 0 );
989}
990#endif /* POLARSSL_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]991
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]992#endif /* !POLARSSL_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]993
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]994#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]995
996#include <stdio.h>
997
998/*
999 * AES test vectors from:
1000 *
1001 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1002 */
1003static const unsigned char aes_test_ecb_dec[3][16] =
1004{
1005 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1006 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1007 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1008 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1009 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1010 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1011};
1012
1013static const unsigned char aes_test_ecb_enc[3][16] =
1014{
1015 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1016 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1017 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1018 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1019 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1020 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1021};
1022
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1023#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024static const unsigned char aes_test_cbc_dec[3][16] =
1025{
1026 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1027 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1028 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1029 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1030 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1031 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1032};
1033
1034static const unsigned char aes_test_cbc_enc[3][16] =
1035{
1036 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1037 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1038 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1039 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1040 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1041 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1042};
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1043#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1045#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1046/*
1047 * AES-CFB128 test vectors from:
1048 *
1049 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1050 */
1051static const unsigned char aes_test_cfb128_key[3][32] =
1052{
1053 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1054 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1055 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1056 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1057 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1058 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1059 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1060 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1061 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1062};
1063
1064static const unsigned char aes_test_cfb128_iv[16] =
1065{
1066 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1067 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1068};
1069
1070static const unsigned char aes_test_cfb128_pt[64] =
1071{
1072 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1073 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1074 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1075 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1076 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1077 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1078 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1079 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1080};
1081
1082static const unsigned char aes_test_cfb128_ct[3][64] =
1083{
1084 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1085 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1086 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1087 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1088 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1089 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1090 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1091 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1092 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1093 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1094 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1095 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1096 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1097 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1098 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1099 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1100 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1101 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1102 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1103 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1104 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1105 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1106 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1107 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1108};
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1109#endif /* POLARSSL_CIPHER_MODE_CFB */
1110
1111#if defined(POLARSSL_CIPHER_MODE_CTR)
1112/*
1113 * AES-CTR test vectors from:
1114 *
1115 * http://www.faqs.org/rfcs/rfc3686.html
1116 */
1117
1118static const unsigned char aes_test_ctr_key[3][16] =
1119{
1120 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1121 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1122 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1123 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1124 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1125 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1126};
1127
1128static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1129{
1130 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1131 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1132 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1133 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1134 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1135 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1136};
1137
1138static const unsigned char aes_test_ctr_pt[3][48] =
1139{
1140 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1141 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1142
1143 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1144 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1145 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1146 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1147
1148 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1149 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1150 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1151 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1152 0x20, 0x21, 0x22, 0x23 }
1153};
1154
1155static const unsigned char aes_test_ctr_ct[3][48] =
1156{
1157 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1158 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1159 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1160 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1161 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1162 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1163 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1164 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1165 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1166 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1167 0x25, 0xB2, 0x07, 0x2F }
1168};
1169
1170static const int aes_test_ctr_len[3] =
1171 { 16, 32, 36 };
1172#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1173
1174/*
1175 * Checkup routine
1176 */
1177int aes_self_test( int verbose )
1178{
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1179 int i, j, u, v;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1180 unsigned char key[32];
1181 unsigned char buf[64];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1182 unsigned char iv[16];
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1183#if defined(POLARSSL_CIPHER_MODE_CBC)
1184 unsigned char prv[16];
1185#endif
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1186#if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1187 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1188#endif
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1189#if defined(POLARSSL_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1190 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1191 unsigned char nonce_counter[16];
1192 unsigned char stream_block[16];
1193#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1194 aes_context ctx;
1195
1196 memset( key, 0, 32 );
1197
1198 /*
1199 * ECB mode
1200 */
1201 for( i = 0; i < 6; i++ )
1202 {
1203 u = i >> 1;
1204 v = i & 1;
1205
1206 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1207 polarssl_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1208 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1209
1210 memset( buf, 0, 16 );
1211
1212 if( v == AES_DECRYPT )
1213 {
1214 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1215
1216 for( j = 0; j < 10000; j++ )
1217 aes_crypt_ecb( &ctx, v, buf, buf );
1218
1219 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1220 {
1221 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1222 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1223
1224 return( 1 );
1225 }
1226 }
1227 else
1228 {
1229 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1230
1231 for( j = 0; j < 10000; j++ )
1232 aes_crypt_ecb( &ctx, v, buf, buf );
1233
1234 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1235 {
1236 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1237 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1238
1239 return( 1 );
1240 }
1241 }
1242
1243 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1244 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1245 }
1246
1247 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1248 polarssl_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1249
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1250#if defined(POLARSSL_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251 /*
1252 * CBC mode
1253 */
1254 for( i = 0; i < 6; i++ )
1255 {
1256 u = i >> 1;
1257 v = i & 1;
1258
1259 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1260 polarssl_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1261 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262
1263 memset( iv , 0, 16 );
1264 memset( prv, 0, 16 );
1265 memset( buf, 0, 16 );
1266
1267 if( v == AES_DECRYPT )
1268 {
1269 aes_setkey_dec( &ctx, key, 128 + u * 64 );
1270
1271 for( j = 0; j < 10000; j++ )
1272 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1273
1274 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1275 {
1276 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1277 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1278
1279 return( 1 );
1280 }
1281 }
1282 else
1283 {
1284 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1285
1286 for( j = 0; j < 10000; j++ )
1287 {
1288 unsigned char tmp[16];
1289
1290 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1291
1292 memcpy( tmp, prv, 16 );
1293 memcpy( prv, buf, 16 );
1294 memcpy( buf, tmp, 16 );
1295 }
1296
1297 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1298 {
1299 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1300 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1301
1302 return( 1 );
1303 }
1304 }
1305
1306 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1307 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1308 }
1309
1310 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1311 polarssl_printf( "\n" );
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1312#endif /* POLARSSL_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1314#if defined(POLARSSL_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1315 /*
1316 * CFB128 mode
1317 */
1318 for( i = 0; i < 6; i++ )
1319 {
1320 u = i >> 1;
1321 v = i & 1;
1322
1323 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1324 polarssl_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1325 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326
1327 memcpy( iv, aes_test_cfb128_iv, 16 );
1328 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1329
1330 offset = 0;
1331 aes_setkey_enc( &ctx, key, 128 + u * 64 );
1332
1333 if( v == AES_DECRYPT )
1334 {
1335 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1336 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1337
1338 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1339 {
1340 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1341 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342
1343 return( 1 );
1344 }
1345 }
1346 else
1347 {
1348 memcpy( buf, aes_test_cfb128_pt, 64 );
1349 aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1350
1351 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1352 {
1353 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1354 polarssl_printf( "failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355
1356 return( 1 );
1357 }
1358 }
1359
1360 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1361 polarssl_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1362 }
1363
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1364 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1365 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1366#endif /* POLARSSL_CIPHER_MODE_CFB */
1367
1368#if defined(POLARSSL_CIPHER_MODE_CTR)
1369 /*
1370 * CTR mode
1371 */
1372 for( i = 0; i < 6; i++ )
1373 {
1374 u = i >> 1;
1375 v = i & 1;
1376
1377 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1378 polarssl_printf( " AES-CTR-128 (%s): ",
1379 ( v == AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1380
1381 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1382 memcpy( key, aes_test_ctr_key[u], 16 );
1383
1384 offset = 0;
1385 aes_setkey_enc( &ctx, key, 128 );
1386
1387 if( v == AES_DECRYPT )
1388 {
1389 len = aes_test_ctr_len[u];
1390 memcpy( buf, aes_test_ctr_ct[u], len );
1391
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame^]1392 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1393 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1394
1395 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1396 {
1397 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1398 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1399
1400 return( 1 );
1401 }
1402 }
1403 else
1404 {
1405 len = aes_test_ctr_len[u];
1406 memcpy( buf, aes_test_ctr_pt[u], len );
1407
Paul Bakkerb9e4e2c2014-05-01 14:18:25 +0200[diff] [blame^]1408 aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1409 buf, buf );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1410
1411 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1412 {
1413 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1414 polarssl_printf( "failed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1415
1416 return( 1 );
1417 }
1418 }
1419
1420 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1421 polarssl_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1422 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1423
1424 if( verbose != 0 )
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]1425 polarssl_printf( "\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1426#endif /* POLARSSL_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1427
1428 return( 0 );
1429}
1430
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1431#endif /* POLARSSL_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1432
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1433#endif /* POLARSSL_AES_C */