PolarSSL v1.1.4
aes.c
Go to the documentation of this file.
00001 /*
00002  *  FIPS-197 compliant AES implementation
00003  *
00004  *  Copyright (C) 2006-2010, Brainspark B.V.
00005  *
00006  *  This file is part of PolarSSL (http://www.polarssl.org)
00007  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
00008  *
00009  *  All rights reserved.
00010  *
00011  *  This program is free software; you can redistribute it and/or modify
00012  *  it under the terms of the GNU General Public License as published by
00013  *  the Free Software Foundation; either version 2 of the License, or
00014  *  (at your option) any later version.
00015  *
00016  *  This program is distributed in the hope that it will be useful,
00017  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
00018  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00019  *  GNU General Public License for more details.
00020  *
00021  *  You should have received a copy of the GNU General Public License along
00022  *  with this program; if not, write to the Free Software Foundation, Inc.,
00023  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
00024  */
00025 /*
00026  *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
00027  *
00028  *  http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
00029  *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
00030  */
00031 
00032 #include "polarssl/config.h"
00033 
00034 #if defined(POLARSSL_AES_C)
00035 
00036 #include "polarssl/aes.h"
00037 #include "polarssl/padlock.h"
00038 
00039 /*
00040  * 32-bit integer manipulation macros (little endian)
00041  */
00042 #ifndef GET_ULONG_LE
00043 #define GET_ULONG_LE(n,b,i)                             \
00044 {                                                       \
00045     (n) = ( (unsigned long) (b)[(i)    ]       )        \
00046         | ( (unsigned long) (b)[(i) + 1] <<  8 )        \
00047         | ( (unsigned long) (b)[(i) + 2] << 16 )        \
00048         | ( (unsigned long) (b)[(i) + 3] << 24 );       \
00049 }
00050 #endif
00051 
00052 #ifndef PUT_ULONG_LE
00053 #define PUT_ULONG_LE(n,b,i)                             \
00054 {                                                       \
00055     (b)[(i)    ] = (unsigned char) ( (n)       );       \
00056     (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
00057     (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
00058     (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
00059 }
00060 #endif
00061 
00062 #if defined(POLARSSL_AES_ROM_TABLES)
00063 /*
00064  * Forward S-box
00065  */
00066 static const unsigned char FSb[256] =
00067 {
00068     0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
00069     0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
00070     0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
00071     0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
00072     0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
00073     0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
00074     0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
00075     0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
00076     0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
00077     0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
00078     0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
00079     0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
00080     0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
00081     0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
00082     0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
00083     0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
00084     0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
00085     0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
00086     0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
00087     0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
00088     0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
00089     0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
00090     0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
00091     0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
00092     0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
00093     0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
00094     0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
00095     0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
00096     0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
00097     0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
00098     0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
00099     0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
00100 };
00101 
00102 /*
00103  * Forward tables
00104  */
00105 #define FT \
00106 \
00107     V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
00108     V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
00109     V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
00110     V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
00111     V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
00112     V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
00113     V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
00114     V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
00115     V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
00116     V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
00117     V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
00118     V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
00119     V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
00120     V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
00121     V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
00122     V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
00123     V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
00124     V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
00125     V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
00126     V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
00127     V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
00128     V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
00129     V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
00130     V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
00131     V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
00132     V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
00133     V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
00134     V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
00135     V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
00136     V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
00137     V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
00138     V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
00139     V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
00140     V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
00141     V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
00142     V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
00143     V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
00144     V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
00145     V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
00146     V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
00147     V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
00148     V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
00149     V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
00150     V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
00151     V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
00152     V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
00153     V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
00154     V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
00155     V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
00156     V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
00157     V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
00158     V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
00159     V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
00160     V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
00161     V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
00162     V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
00163     V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
00164     V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
00165     V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
00166     V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
00167     V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
00168     V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
00169     V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
00170     V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
00171 
00172 #define V(a,b,c,d) 0x##a##b##c##d
00173 static const unsigned long FT0[256] = { FT };
00174 #undef V
00175 
00176 #define V(a,b,c,d) 0x##b##c##d##a
00177 static const unsigned long FT1[256] = { FT };
00178 #undef V
00179 
00180 #define V(a,b,c,d) 0x##c##d##a##b
00181 static const unsigned long FT2[256] = { FT };
00182 #undef V
00183 
00184 #define V(a,b,c,d) 0x##d##a##b##c
00185 static const unsigned long FT3[256] = { FT };
00186 #undef V
00187 
00188 #undef FT
00189 
00190 /*
00191  * Reverse S-box
00192  */
00193 static const unsigned char RSb[256] =
00194 {
00195     0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
00196     0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
00197     0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
00198     0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
00199     0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
00200     0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
00201     0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
00202     0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
00203     0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
00204     0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
00205     0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
00206     0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
00207     0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
00208     0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
00209     0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
00210     0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
00211     0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
00212     0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
00213     0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
00214     0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
00215     0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
00216     0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
00217     0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
00218     0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
00219     0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
00220     0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
00221     0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
00222     0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
00223     0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
00224     0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
00225     0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
00226     0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
00227 };
00228 
00229 /*
00230  * Reverse tables
00231  */
00232 #define RT \
00233 \
00234     V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
00235     V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
00236     V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
00237     V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
00238     V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
00239     V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
00240     V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
00241     V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
00242     V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
00243     V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
00244     V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
00245     V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
00246     V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
00247     V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
00248     V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
00249     V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
00250     V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
00251     V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
00252     V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
00253     V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
00254     V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
00255     V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
00256     V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
00257     V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
00258     V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
00259     V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
00260     V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
00261     V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
00262     V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
00263     V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
00264     V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
00265     V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
00266     V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
00267     V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
00268     V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
00269     V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
00270     V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
00271     V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
00272     V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
00273     V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
00274     V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
00275     V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
00276     V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
00277     V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
00278     V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
00279     V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
00280     V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
00281     V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
00282     V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
00283     V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
00284     V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
00285     V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
00286     V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
00287     V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
00288     V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
00289     V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
00290     V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
00291     V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
00292     V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
00293     V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
00294     V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
00295     V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
00296     V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
00297     V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
00298 
00299 #define V(a,b,c,d) 0x##a##b##c##d
00300 static const unsigned long RT0[256] = { RT };
00301 #undef V
00302 
00303 #define V(a,b,c,d) 0x##b##c##d##a
00304 static const unsigned long RT1[256] = { RT };
00305 #undef V
00306 
00307 #define V(a,b,c,d) 0x##c##d##a##b
00308 static const unsigned long RT2[256] = { RT };
00309 #undef V
00310 
00311 #define V(a,b,c,d) 0x##d##a##b##c
00312 static const unsigned long RT3[256] = { RT };
00313 #undef V
00314 
00315 #undef RT
00316 
00317 /*
00318  * Round constants
00319  */
00320 static const unsigned long RCON[10] =
00321 {
00322     0x00000001, 0x00000002, 0x00000004, 0x00000008,
00323     0x00000010, 0x00000020, 0x00000040, 0x00000080,
00324     0x0000001B, 0x00000036
00325 };
00326 
00327 #else
00328 
00329 /*
00330  * Forward S-box & tables
00331  */
00332 static unsigned char FSb[256];
00333 static unsigned long FT0[256]; 
00334 static unsigned long FT1[256]; 
00335 static unsigned long FT2[256]; 
00336 static unsigned long FT3[256]; 
00337 
00338 /*
00339  * Reverse S-box & tables
00340  */
00341 static unsigned char RSb[256];
00342 static unsigned long RT0[256];
00343 static unsigned long RT1[256];
00344 static unsigned long RT2[256];
00345 static unsigned long RT3[256];
00346 
00347 /*
00348  * Round constants
00349  */
00350 static unsigned long RCON[10];
00351 
00352 /*
00353  * Tables generation code
00354  */
00355 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
00356 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
00357 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
00358 
00359 static int aes_init_done = 0;
00360 
00361 static void aes_gen_tables( void )
00362 {
00363     int i, x, y, z;
00364     int pow[256];
00365     int log[256];
00366 
00367     /*
00368      * compute pow and log tables over GF(2^8)
00369      */
00370     for( i = 0, x = 1; i < 256; i++ )
00371     {
00372         pow[i] = x;
00373         log[x] = i;
00374         x = ( x ^ XTIME( x ) ) & 0xFF;
00375     }
00376 
00377     /*
00378      * calculate the round constants
00379      */
00380     for( i = 0, x = 1; i < 10; i++ )
00381     {
00382         RCON[i] = (unsigned long) x;
00383         x = XTIME( x ) & 0xFF;
00384     }
00385 
00386     /*
00387      * generate the forward and reverse S-boxes
00388      */
00389     FSb[0x00] = 0x63;
00390     RSb[0x63] = 0x00;
00391 
00392     for( i = 1; i < 256; i++ )
00393     {
00394         x = pow[255 - log[i]];
00395 
00396         y  = x; y = ( (y << 1) | (y >> 7) ) & 0xFF;
00397         x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
00398         x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
00399         x ^= y; y = ( (y << 1) | (y >> 7) ) & 0xFF;
00400         x ^= y ^ 0x63;
00401 
00402         FSb[i] = (unsigned char) x;
00403         RSb[x] = (unsigned char) i;
00404     }
00405 
00406     /*
00407      * generate the forward and reverse tables
00408      */
00409     for( i = 0; i < 256; i++ )
00410     {
00411         x = FSb[i];
00412         y = XTIME( x ) & 0xFF;
00413         z =  ( y ^ x ) & 0xFF;
00414 
00415         FT0[i] = ( (unsigned long) y       ) ^
00416                  ( (unsigned long) x <<  8 ) ^
00417                  ( (unsigned long) x << 16 ) ^
00418                  ( (unsigned long) z << 24 );
00419 
00420         FT1[i] = ROTL8( FT0[i] );
00421         FT2[i] = ROTL8( FT1[i] );
00422         FT3[i] = ROTL8( FT2[i] );
00423 
00424         x = RSb[i];
00425 
00426         RT0[i] = ( (unsigned long) MUL( 0x0E, x )       ) ^
00427                  ( (unsigned long) MUL( 0x09, x ) <<  8 ) ^
00428                  ( (unsigned long) MUL( 0x0D, x ) << 16 ) ^
00429                  ( (unsigned long) MUL( 0x0B, x ) << 24 );
00430 
00431         RT1[i] = ROTL8( RT0[i] );
00432         RT2[i] = ROTL8( RT1[i] );
00433         RT3[i] = ROTL8( RT2[i] );
00434     }
00435 }
00436 
00437 #endif
00438 
00439 /*
00440  * AES key schedule (encryption)
00441  */
00442 int aes_setkey_enc( aes_context *ctx, const unsigned char *key, unsigned int keysize )
00443 {
00444     unsigned int i;
00445     unsigned long *RK;
00446 
00447 #if !defined(POLARSSL_AES_ROM_TABLES)
00448     if( aes_init_done == 0 )
00449     {
00450         aes_gen_tables();
00451         aes_init_done = 1;
00452     }
00453 #endif
00454 
00455     switch( keysize )
00456     {
00457         case 128: ctx->nr = 10; break;
00458         case 192: ctx->nr = 12; break;
00459         case 256: ctx->nr = 14; break;
00460         default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
00461     }
00462 
00463 #if defined(PADLOCK_ALIGN16)
00464     ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
00465 #else
00466     ctx->rk = RK = ctx->buf;
00467 #endif
00468 
00469     for( i = 0; i < (keysize >> 5); i++ )
00470     {
00471         GET_ULONG_LE( RK[i], key, i << 2 );
00472     }
00473 
00474     switch( ctx->nr )
00475     {
00476         case 10:
00477 
00478             for( i = 0; i < 10; i++, RK += 4 )
00479             {
00480                 RK[4]  = RK[0] ^ RCON[i] ^
00481                 ( (unsigned long) FSb[ ( RK[3] >>  8 ) & 0xFF ]       ) ^
00482                 ( (unsigned long) FSb[ ( RK[3] >> 16 ) & 0xFF ] <<  8 ) ^
00483                 ( (unsigned long) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
00484                 ( (unsigned long) FSb[ ( RK[3]       ) & 0xFF ] << 24 );
00485 
00486                 RK[5]  = RK[1] ^ RK[4];
00487                 RK[6]  = RK[2] ^ RK[5];
00488                 RK[7]  = RK[3] ^ RK[6];
00489             }
00490             break;
00491 
00492         case 12:
00493 
00494             for( i = 0; i < 8; i++, RK += 6 )
00495             {
00496                 RK[6]  = RK[0] ^ RCON[i] ^
00497                 ( (unsigned long) FSb[ ( RK[5] >>  8 ) & 0xFF ]       ) ^
00498                 ( (unsigned long) FSb[ ( RK[5] >> 16 ) & 0xFF ] <<  8 ) ^
00499                 ( (unsigned long) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
00500                 ( (unsigned long) FSb[ ( RK[5]       ) & 0xFF ] << 24 );
00501 
00502                 RK[7]  = RK[1] ^ RK[6];
00503                 RK[8]  = RK[2] ^ RK[7];
00504                 RK[9]  = RK[3] ^ RK[8];
00505                 RK[10] = RK[4] ^ RK[9];
00506                 RK[11] = RK[5] ^ RK[10];
00507             }
00508             break;
00509 
00510         case 14:
00511 
00512             for( i = 0; i < 7; i++, RK += 8 )
00513             {
00514                 RK[8]  = RK[0] ^ RCON[i] ^
00515                 ( (unsigned long) FSb[ ( RK[7] >>  8 ) & 0xFF ]       ) ^
00516                 ( (unsigned long) FSb[ ( RK[7] >> 16 ) & 0xFF ] <<  8 ) ^
00517                 ( (unsigned long) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
00518                 ( (unsigned long) FSb[ ( RK[7]       ) & 0xFF ] << 24 );
00519 
00520                 RK[9]  = RK[1] ^ RK[8];
00521                 RK[10] = RK[2] ^ RK[9];
00522                 RK[11] = RK[3] ^ RK[10];
00523 
00524                 RK[12] = RK[4] ^
00525                 ( (unsigned long) FSb[ ( RK[11]       ) & 0xFF ]       ) ^
00526                 ( (unsigned long) FSb[ ( RK[11] >>  8 ) & 0xFF ] <<  8 ) ^
00527                 ( (unsigned long) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
00528                 ( (unsigned long) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
00529 
00530                 RK[13] = RK[5] ^ RK[12];
00531                 RK[14] = RK[6] ^ RK[13];
00532                 RK[15] = RK[7] ^ RK[14];
00533             }
00534             break;
00535 
00536         default:
00537 
00538             break;
00539     }
00540 
00541     return( 0 );
00542 }
00543 
00544 /*
00545  * AES key schedule (decryption)
00546  */
00547 int aes_setkey_dec( aes_context *ctx, const unsigned char *key, unsigned int keysize )
00548 {
00549     int i, j;
00550     aes_context cty;
00551     unsigned long *RK;
00552     unsigned long *SK;
00553     int ret;
00554 
00555     switch( keysize )
00556     {
00557         case 128: ctx->nr = 10; break;
00558         case 192: ctx->nr = 12; break;
00559         case 256: ctx->nr = 14; break;
00560         default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
00561     }
00562 
00563 #if defined(PADLOCK_ALIGN16)
00564     ctx->rk = RK = PADLOCK_ALIGN16( ctx->buf );
00565 #else
00566     ctx->rk = RK = ctx->buf;
00567 #endif
00568 
00569     ret = aes_setkey_enc( &cty, key, keysize );
00570     if( ret != 0 )
00571         return( ret );
00572 
00573     SK = cty.rk + cty.nr * 4;
00574 
00575     *RK++ = *SK++;
00576     *RK++ = *SK++;
00577     *RK++ = *SK++;
00578     *RK++ = *SK++;
00579 
00580     for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
00581     {
00582         for( j = 0; j < 4; j++, SK++ )
00583         {
00584             *RK++ = RT0[ FSb[ ( *SK       ) & 0xFF ] ] ^
00585                     RT1[ FSb[ ( *SK >>  8 ) & 0xFF ] ] ^
00586                     RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
00587                     RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
00588         }
00589     }
00590 
00591     *RK++ = *SK++;
00592     *RK++ = *SK++;
00593     *RK++ = *SK++;
00594     *RK++ = *SK++;
00595 
00596     memset( &cty, 0, sizeof( aes_context ) );
00597 
00598     return( 0 );
00599 }
00600 
00601 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
00602 {                                               \
00603     X0 = *RK++ ^ FT0[ ( Y0       ) & 0xFF ] ^   \
00604                  FT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
00605                  FT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
00606                  FT3[ ( Y3 >> 24 ) & 0xFF ];    \
00607                                                 \
00608     X1 = *RK++ ^ FT0[ ( Y1       ) & 0xFF ] ^   \
00609                  FT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
00610                  FT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
00611                  FT3[ ( Y0 >> 24 ) & 0xFF ];    \
00612                                                 \
00613     X2 = *RK++ ^ FT0[ ( Y2       ) & 0xFF ] ^   \
00614                  FT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
00615                  FT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
00616                  FT3[ ( Y1 >> 24 ) & 0xFF ];    \
00617                                                 \
00618     X3 = *RK++ ^ FT0[ ( Y3       ) & 0xFF ] ^   \
00619                  FT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
00620                  FT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
00621                  FT3[ ( Y2 >> 24 ) & 0xFF ];    \
00622 }
00623 
00624 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
00625 {                                               \
00626     X0 = *RK++ ^ RT0[ ( Y0       ) & 0xFF ] ^   \
00627                  RT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
00628                  RT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
00629                  RT3[ ( Y1 >> 24 ) & 0xFF ];    \
00630                                                 \
00631     X1 = *RK++ ^ RT0[ ( Y1       ) & 0xFF ] ^   \
00632                  RT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
00633                  RT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
00634                  RT3[ ( Y2 >> 24 ) & 0xFF ];    \
00635                                                 \
00636     X2 = *RK++ ^ RT0[ ( Y2       ) & 0xFF ] ^   \
00637                  RT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
00638                  RT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
00639                  RT3[ ( Y3 >> 24 ) & 0xFF ];    \
00640                                                 \
00641     X3 = *RK++ ^ RT0[ ( Y3       ) & 0xFF ] ^   \
00642                  RT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
00643                  RT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
00644                  RT3[ ( Y0 >> 24 ) & 0xFF ];    \
00645 }
00646 
00647 /*
00648  * AES-ECB block encryption/decryption
00649  */
00650 int aes_crypt_ecb( aes_context *ctx,
00651                     int mode,
00652                     const unsigned char input[16],
00653                     unsigned char output[16] )
00654 {
00655     int i;
00656     unsigned long *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
00657 
00658 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
00659     if( padlock_supports( PADLOCK_ACE ) )
00660     {
00661         if( padlock_xcryptecb( ctx, mode, input, output ) == 0 )
00662             return( 0 );
00663 
00664         // If padlock data misaligned, we just fall back to
00665         // unaccelerated mode
00666         //
00667     }
00668 #endif
00669 
00670     RK = ctx->rk;
00671 
00672     GET_ULONG_LE( X0, input,  0 ); X0 ^= *RK++;
00673     GET_ULONG_LE( X1, input,  4 ); X1 ^= *RK++;
00674     GET_ULONG_LE( X2, input,  8 ); X2 ^= *RK++;
00675     GET_ULONG_LE( X3, input, 12 ); X3 ^= *RK++;
00676 
00677     if( mode == AES_DECRYPT )
00678     {
00679         for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
00680         {
00681             AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00682             AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
00683         }
00684 
00685         AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00686 
00687         X0 = *RK++ ^ \
00688                 ( (unsigned long) RSb[ ( Y0       ) & 0xFF ]       ) ^
00689                 ( (unsigned long) RSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
00690                 ( (unsigned long) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
00691                 ( (unsigned long) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
00692 
00693         X1 = *RK++ ^ \
00694                 ( (unsigned long) RSb[ ( Y1       ) & 0xFF ]       ) ^
00695                 ( (unsigned long) RSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
00696                 ( (unsigned long) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
00697                 ( (unsigned long) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
00698 
00699         X2 = *RK++ ^ \
00700                 ( (unsigned long) RSb[ ( Y2       ) & 0xFF ]       ) ^
00701                 ( (unsigned long) RSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
00702                 ( (unsigned long) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
00703                 ( (unsigned long) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
00704 
00705         X3 = *RK++ ^ \
00706                 ( (unsigned long) RSb[ ( Y3       ) & 0xFF ]       ) ^
00707                 ( (unsigned long) RSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
00708                 ( (unsigned long) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
00709                 ( (unsigned long) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
00710     }
00711     else /* AES_ENCRYPT */
00712     {
00713         for( i = (ctx->nr >> 1) - 1; i > 0; i-- )
00714         {
00715             AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00716             AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
00717         }
00718 
00719         AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00720 
00721         X0 = *RK++ ^ \
00722                 ( (unsigned long) FSb[ ( Y0       ) & 0xFF ]       ) ^
00723                 ( (unsigned long) FSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
00724                 ( (unsigned long) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
00725                 ( (unsigned long) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
00726 
00727         X1 = *RK++ ^ \
00728                 ( (unsigned long) FSb[ ( Y1       ) & 0xFF ]       ) ^
00729                 ( (unsigned long) FSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
00730                 ( (unsigned long) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
00731                 ( (unsigned long) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
00732 
00733         X2 = *RK++ ^ \
00734                 ( (unsigned long) FSb[ ( Y2       ) & 0xFF ]       ) ^
00735                 ( (unsigned long) FSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
00736                 ( (unsigned long) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
00737                 ( (unsigned long) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
00738 
00739         X3 = *RK++ ^ \
00740                 ( (unsigned long) FSb[ ( Y3       ) & 0xFF ]       ) ^
00741                 ( (unsigned long) FSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
00742                 ( (unsigned long) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
00743                 ( (unsigned long) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
00744     }
00745 
00746     PUT_ULONG_LE( X0, output,  0 );
00747     PUT_ULONG_LE( X1, output,  4 );
00748     PUT_ULONG_LE( X2, output,  8 );
00749     PUT_ULONG_LE( X3, output, 12 );
00750 
00751     return( 0 );
00752 }
00753 
00754 /*
00755  * AES-CBC buffer encryption/decryption
00756  */
00757 int aes_crypt_cbc( aes_context *ctx,
00758                     int mode,
00759                     size_t length,
00760                     unsigned char iv[16],
00761                     const unsigned char *input,
00762                     unsigned char *output )
00763 {
00764     int i;
00765     unsigned char temp[16];
00766 
00767     if( length % 16 )
00768         return( POLARSSL_ERR_AES_INVALID_INPUT_LENGTH );
00769 
00770 #if defined(POLARSSL_PADLOCK_C) && defined(POLARSSL_HAVE_X86)
00771     if( padlock_supports( PADLOCK_ACE ) )
00772     {
00773         if( padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
00774             return( 0 );
00775         
00776         // If padlock data misaligned, we just fall back to
00777         // unaccelerated mode
00778         //
00779     }
00780 #endif
00781 
00782     if( mode == AES_DECRYPT )
00783     {
00784         while( length > 0 )
00785         {
00786             memcpy( temp, input, 16 );
00787             aes_crypt_ecb( ctx, mode, input, output );
00788 
00789             for( i = 0; i < 16; i++ )
00790                 output[i] = (unsigned char)( output[i] ^ iv[i] );
00791 
00792             memcpy( iv, temp, 16 );
00793 
00794             input  += 16;
00795             output += 16;
00796             length -= 16;
00797         }
00798     }
00799     else
00800     {
00801         while( length > 0 )
00802         {
00803             for( i = 0; i < 16; i++ )
00804                 output[i] = (unsigned char)( input[i] ^ iv[i] );
00805 
00806             aes_crypt_ecb( ctx, mode, output, output );
00807             memcpy( iv, output, 16 );
00808 
00809             input  += 16;
00810             output += 16;
00811             length -= 16;
00812         }
00813     }
00814 
00815     return( 0 );
00816 }
00817 
00818 #if defined(POLARSSL_CIPHER_MODE_CFB)
00819 /*
00820  * AES-CFB128 buffer encryption/decryption
00821  */
00822 int aes_crypt_cfb128( aes_context *ctx,
00823                        int mode,
00824                        size_t length,
00825                        size_t *iv_off,
00826                        unsigned char iv[16],
00827                        const unsigned char *input,
00828                        unsigned char *output )
00829 {
00830     int c;
00831     size_t n = *iv_off;
00832 
00833     if( mode == AES_DECRYPT )
00834     {
00835         while( length-- )
00836         {
00837             if( n == 0 )
00838                 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
00839 
00840             c = *input++;
00841             *output++ = (unsigned char)( c ^ iv[n] );
00842             iv[n] = (unsigned char) c;
00843 
00844             n = (n + 1) & 0x0F;
00845         }
00846     }
00847     else
00848     {
00849         while( length-- )
00850         {
00851             if( n == 0 )
00852                 aes_crypt_ecb( ctx, AES_ENCRYPT, iv, iv );
00853 
00854             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
00855 
00856             n = (n + 1) & 0x0F;
00857         }
00858     }
00859 
00860     *iv_off = n;
00861 
00862     return( 0 );
00863 }
00864 #endif /*POLARSSL_CIPHER_MODE_CFB */
00865 
00866 #if defined(POLARSSL_CIPHER_MODE_CTR)
00867 /*
00868  * AES-CTR buffer encryption/decryption
00869  */
00870 int aes_crypt_ctr( aes_context *ctx,
00871                        size_t length,
00872                        size_t *nc_off,
00873                        unsigned char nonce_counter[16],
00874                        unsigned char stream_block[16],
00875                        const unsigned char *input,
00876                        unsigned char *output )
00877 {
00878     int c, i, cb;
00879     size_t n = *nc_off;
00880 
00881     while( length-- )
00882     {
00883         if( n == 0 ) {
00884             aes_crypt_ecb( ctx, AES_ENCRYPT, nonce_counter, stream_block );
00885 
00886             i = 15;
00887             do {
00888                nonce_counter[i]++;
00889                cb = nonce_counter[i] == 0;
00890             } while( i-- && cb );
00891 
00892         }
00893         c = *input++;
00894         *output++ = (unsigned char)( c ^ stream_block[n] );
00895 
00896         n = (n + 1) & 0x0F;
00897     }
00898 
00899     *nc_off = n;
00900 
00901     return( 0 );
00902 }
00903 #endif /* POLARSSL_CIPHER_MODE_CTR */
00904 
00905 #if defined(POLARSSL_SELF_TEST)
00906 
00907 #include <stdio.h>
00908 
00909 /*
00910  * AES test vectors from:
00911  *
00912  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
00913  */
00914 static const unsigned char aes_test_ecb_dec[3][16] =
00915 {
00916     { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
00917       0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
00918     { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
00919       0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
00920     { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
00921       0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
00922 };
00923 
00924 static const unsigned char aes_test_ecb_enc[3][16] =
00925 {
00926     { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
00927       0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
00928     { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
00929       0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
00930     { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
00931       0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
00932 };
00933 
00934 static const unsigned char aes_test_cbc_dec[3][16] =
00935 {
00936     { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
00937       0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
00938     { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
00939       0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
00940     { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
00941       0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
00942 };
00943 
00944 static const unsigned char aes_test_cbc_enc[3][16] =
00945 {
00946     { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
00947       0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
00948     { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
00949       0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
00950     { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
00951       0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
00952 };
00953 
00954 #if defined(POLARSSL_CIPHER_MODE_CFB)
00955 /*
00956  * AES-CFB128 test vectors from:
00957  *
00958  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
00959  */
00960 static const unsigned char aes_test_cfb128_key[3][32] =
00961 {
00962     { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
00963       0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
00964     { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
00965       0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
00966       0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
00967     { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
00968       0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
00969       0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
00970       0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
00971 };
00972 
00973 static const unsigned char aes_test_cfb128_iv[16] =
00974 {
00975     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
00976     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
00977 };
00978 
00979 static const unsigned char aes_test_cfb128_pt[64] =
00980 {
00981     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
00982     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
00983     0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
00984     0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
00985     0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
00986     0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
00987     0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
00988     0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
00989 };
00990 
00991 static const unsigned char aes_test_cfb128_ct[3][64] =
00992 {
00993     { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
00994       0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
00995       0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
00996       0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
00997       0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
00998       0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
00999       0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
01000       0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
01001     { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
01002       0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
01003       0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
01004       0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
01005       0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
01006       0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
01007       0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
01008       0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
01009     { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
01010       0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
01011       0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
01012       0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
01013       0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
01014       0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
01015       0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
01016       0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
01017 };
01018 #endif /* POLARSSL_CIPHER_MODE_CFB */
01019 
01020 #if defined(POLARSSL_CIPHER_MODE_CTR)
01021 /*
01022  * AES-CTR test vectors from:
01023  *
01024  * http://www.faqs.org/rfcs/rfc3686.html
01025  */
01026 
01027 static const unsigned char aes_test_ctr_key[3][16] =
01028 {
01029     { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
01030       0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
01031     { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
01032       0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
01033     { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
01034       0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
01035 };
01036 
01037 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
01038 {
01039     { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
01040       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
01041     { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
01042       0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
01043     { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
01044       0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
01045 };
01046 
01047 static const unsigned char aes_test_ctr_pt[3][48] =
01048 {
01049     { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
01050       0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
01051 
01052     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
01053       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
01054       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
01055       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
01056 
01057     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
01058       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
01059       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
01060       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
01061       0x20, 0x21, 0x22, 0x23 }
01062 };
01063 
01064 static const unsigned char aes_test_ctr_ct[3][48] =
01065 {
01066     { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
01067       0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
01068     { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
01069       0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
01070       0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
01071       0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
01072     { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
01073       0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
01074       0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
01075       0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
01076       0x25, 0xB2, 0x07, 0x2F }
01077 };
01078 
01079 static const int aes_test_ctr_len[3] =
01080     { 16, 32, 36 };
01081 #endif /* POLARSSL_CIPHER_MODE_CTR */
01082 
01083 /*
01084  * Checkup routine
01085  */
01086 int aes_self_test( int verbose )
01087 {
01088     int i, j, u, v;
01089     unsigned char key[32];
01090     unsigned char buf[64];
01091     unsigned char prv[16];
01092     unsigned char iv[16];
01093 #if defined(POLARSSL_CIPHER_MODE_CTR) || defined(POLARSSL_CIPHER_MODE_CFB)
01094     size_t offset;
01095 #endif
01096 #if defined(POLARSSL_CIPHER_MODE_CTR)
01097     int len;
01098     unsigned char nonce_counter[16];
01099     unsigned char stream_block[16];
01100 #endif
01101     aes_context ctx;
01102 
01103     memset( key, 0, 32 );
01104 
01105     /*
01106      * ECB mode
01107      */
01108     for( i = 0; i < 6; i++ )
01109     {
01110         u = i >> 1;
01111         v = i  & 1;
01112 
01113         if( verbose != 0 )
01114             printf( "  AES-ECB-%3d (%s): ", 128 + u * 64,
01115                     ( v == AES_DECRYPT ) ? "dec" : "enc" );
01116 
01117         memset( buf, 0, 16 );
01118 
01119         if( v == AES_DECRYPT )
01120         {
01121             aes_setkey_dec( &ctx, key, 128 + u * 64 );
01122 
01123             for( j = 0; j < 10000; j++ )
01124                 aes_crypt_ecb( &ctx, v, buf, buf );
01125 
01126             if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
01127             {
01128                 if( verbose != 0 )
01129                     printf( "failed\n" );
01130 
01131                 return( 1 );
01132             }
01133         }
01134         else
01135         {
01136             aes_setkey_enc( &ctx, key, 128 + u * 64 );
01137 
01138             for( j = 0; j < 10000; j++ )
01139                 aes_crypt_ecb( &ctx, v, buf, buf );
01140 
01141             if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
01142             {
01143                 if( verbose != 0 )
01144                     printf( "failed\n" );
01145 
01146                 return( 1 );
01147             }
01148         }
01149 
01150         if( verbose != 0 )
01151             printf( "passed\n" );
01152     }
01153 
01154     if( verbose != 0 )
01155         printf( "\n" );
01156 
01157     /*
01158      * CBC mode
01159      */
01160     for( i = 0; i < 6; i++ )
01161     {
01162         u = i >> 1;
01163         v = i  & 1;
01164 
01165         if( verbose != 0 )
01166             printf( "  AES-CBC-%3d (%s): ", 128 + u * 64,
01167                     ( v == AES_DECRYPT ) ? "dec" : "enc" );
01168 
01169         memset( iv , 0, 16 );
01170         memset( prv, 0, 16 );
01171         memset( buf, 0, 16 );
01172 
01173         if( v == AES_DECRYPT )
01174         {
01175             aes_setkey_dec( &ctx, key, 128 + u * 64 );
01176 
01177             for( j = 0; j < 10000; j++ )
01178                 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
01179 
01180             if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
01181             {
01182                 if( verbose != 0 )
01183                     printf( "failed\n" );
01184 
01185                 return( 1 );
01186             }
01187         }
01188         else
01189         {
01190             aes_setkey_enc( &ctx, key, 128 + u * 64 );
01191 
01192             for( j = 0; j < 10000; j++ )
01193             {
01194                 unsigned char tmp[16];
01195 
01196                 aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
01197 
01198                 memcpy( tmp, prv, 16 );
01199                 memcpy( prv, buf, 16 );
01200                 memcpy( buf, tmp, 16 );
01201             }
01202 
01203             if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
01204             {
01205                 if( verbose != 0 )
01206                     printf( "failed\n" );
01207 
01208                 return( 1 );
01209             }
01210         }
01211 
01212         if( verbose != 0 )
01213             printf( "passed\n" );
01214     }
01215 
01216     if( verbose != 0 )
01217         printf( "\n" );
01218 
01219 #if defined(POLARSSL_CIPHER_MODE_CFB)
01220     /*
01221      * CFB128 mode
01222      */
01223     for( i = 0; i < 6; i++ )
01224     {
01225         u = i >> 1;
01226         v = i  & 1;
01227 
01228         if( verbose != 0 )
01229             printf( "  AES-CFB128-%3d (%s): ", 128 + u * 64,
01230                     ( v == AES_DECRYPT ) ? "dec" : "enc" );
01231 
01232         memcpy( iv,  aes_test_cfb128_iv, 16 );
01233         memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
01234 
01235         offset = 0;
01236         aes_setkey_enc( &ctx, key, 128 + u * 64 );
01237 
01238         if( v == AES_DECRYPT )
01239         {
01240             memcpy( buf, aes_test_cfb128_ct[u], 64 );
01241             aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
01242 
01243             if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
01244             {
01245                 if( verbose != 0 )
01246                     printf( "failed\n" );
01247 
01248                 return( 1 );
01249             }
01250         }
01251         else
01252         {
01253             memcpy( buf, aes_test_cfb128_pt, 64 );
01254             aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
01255 
01256             if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
01257             {
01258                 if( verbose != 0 )
01259                     printf( "failed\n" );
01260 
01261                 return( 1 );
01262             }
01263         }
01264 
01265         if( verbose != 0 )
01266             printf( "passed\n" );
01267     }
01268 
01269     if( verbose != 0 )
01270         printf( "\n" );
01271 #endif /* POLARSSL_CIPHER_MODE_CFB */
01272 
01273 #if defined(POLARSSL_CIPHER_MODE_CTR)
01274     /*
01275      * CTR mode
01276      */
01277     for( i = 0; i < 6; i++ )
01278     {
01279         u = i >> 1;
01280         v = i  & 1;
01281 
01282         if( verbose != 0 )
01283             printf( "  AES-CTR-128 (%s): ",
01284                     ( v == AES_DECRYPT ) ? "dec" : "enc" );
01285 
01286         memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
01287         memcpy( key, aes_test_ctr_key[u], 16 );
01288 
01289         offset = 0;
01290         aes_setkey_enc( &ctx, key, 128 );
01291 
01292         if( v == AES_DECRYPT )
01293         {
01294             len = aes_test_ctr_len[u];
01295             memcpy( buf, aes_test_ctr_ct[u], len );
01296 
01297             aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
01298 
01299             if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
01300             {
01301                 if( verbose != 0 )
01302                     printf( "failed\n" );
01303 
01304                 return( 1 );
01305             }
01306         }
01307         else
01308         {
01309             len = aes_test_ctr_len[u];
01310             memcpy( buf, aes_test_ctr_pt[u], len );
01311 
01312             aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, buf, buf );
01313 
01314             if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
01315             {
01316                 if( verbose != 0 )
01317                     printf( "failed\n" );
01318 
01319                 return( 1 );
01320             }
01321         }
01322 
01323         if( verbose != 0 )
01324             printf( "passed\n" );
01325     }
01326 
01327     if( verbose != 0 )
01328         printf( "\n" );
01329 #endif /* POLARSSL_CIPHER_MODE_CTR */
01330 
01331     return( 0 );
01332 }
01333 
01334 #endif
01335 
01336 #endif