]> cvs.zerfleddert.de Git - proxmark3-svn/blob - common/mbedtls/aes.c
Merge pull request #943 from dgorbunov/patch-1
[proxmark3-svn] / common / mbedtls / aes.c
1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23 /*
24 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
25 *
26 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
27 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
28 */
29
30 #if !defined(MBEDTLS_CONFIG_FILE)
31 #include "mbedtls/config.h"
32 #else
33 #include MBEDTLS_CONFIG_FILE
34 #endif
35
36 #if defined(MBEDTLS_AES_C)
37
38 #include <string.h>
39
40 #include "mbedtls/aes.h"
41 #include "mbedtls/platform_util.h"
42 #if defined(MBEDTLS_PADLOCK_C)
43 #include "mbedtls/padlock.h"
44 #endif
45 #if defined(MBEDTLS_AESNI_C)
46 #include "mbedtls/aesni.h"
47 #endif
48
49 #if defined(MBEDTLS_SELF_TEST)
50 #if defined(MBEDTLS_PLATFORM_C)
51 #include "mbedtls/platform.h"
52 #else
53 #include <stdio.h>
54 #define mbedtls_printf printf
55 #endif /* MBEDTLS_PLATFORM_C */
56 #endif /* MBEDTLS_SELF_TEST */
57
58 #if !defined(MBEDTLS_AES_ALT)
59
60 /*
61 * 32-bit integer manipulation macros (little endian)
62 */
63 #ifndef GET_UINT32_LE
64 #define GET_UINT32_LE(n,b,i) \
65 { \
66 (n) = ( (uint32_t) (b)[(i) ] ) \
67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
70 }
71 #endif
72
73 #ifndef PUT_UINT32_LE
74 #define PUT_UINT32_LE(n,b,i) \
75 { \
76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
80 }
81 #endif
82
83 #if defined(MBEDTLS_PADLOCK_C) && \
84 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
85 static int aes_padlock_ace = -1;
86 #endif
87
88 #if defined(MBEDTLS_AES_ROM_TABLES)
89 /*
90 * Forward S-box
91 */
92 static const unsigned char FSb[256] =
93 {
94 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
95 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
96 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
97 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
98 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
99 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
100 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
101 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
102 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
103 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
104 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
105 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
106 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
107 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
108 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
109 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
110 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
111 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
112 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
113 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
114 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
115 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
116 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
117 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
118 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
119 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
120 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
121 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
122 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
123 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
124 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
125 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
126 };
127
128 /*
129 * Forward tables
130 */
131 #define FT \
132 \
133 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
134 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
135 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
136 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
137 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
138 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
139 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
140 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
141 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
142 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
143 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
144 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
145 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
146 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
147 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
148 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
149 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
150 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
151 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
152 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
153 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
154 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
155 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
156 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
157 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
158 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
159 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
160 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
161 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
162 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
163 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
164 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
165 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
166 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
167 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
168 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
169 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
170 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
171 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
172 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
173 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
174 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
175 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
176 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
177 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
178 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
179 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
180 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
181 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
182 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
183 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
184 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
185 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
186 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
187 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
188 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
189 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
190 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
191 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
192 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
193 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
194 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
195 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
196 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
197
198 #define V(a,b,c,d) 0x##a##b##c##d
199 static const uint32_t FT0[256] = { FT };
200 #undef V
201
202 #if !defined(MBEDTLS_AES_FEWER_TABLES)
203
204 #define V(a,b,c,d) 0x##b##c##d##a
205 static const uint32_t FT1[256] = { FT };
206 #undef V
207
208 #define V(a,b,c,d) 0x##c##d##a##b
209 static const uint32_t FT2[256] = { FT };
210 #undef V
211
212 #define V(a,b,c,d) 0x##d##a##b##c
213 static const uint32_t FT3[256] = { FT };
214 #undef V
215
216 #endif /* !MBEDTLS_AES_FEWER_TABLES */
217
218 #undef FT
219
220 /*
221 * Reverse S-box
222 */
223 static const unsigned char RSb[256] =
224 {
225 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
226 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
227 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
228 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
229 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
230 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
232 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
233 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
234 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
235 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
236 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
237 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
238 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
239 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
240 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
241 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
242 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
243 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
244 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
245 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
246 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
247 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
248 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
249 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
250 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
251 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
252 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
253 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
254 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
255 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
256 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
257 };
258
259 /*
260 * Reverse tables
261 */
262 #define RT \
263 \
264 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
265 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
266 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
267 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
268 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
269 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
270 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
271 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
272 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
273 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
274 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
275 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
276 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
277 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
278 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
279 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
280 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
281 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
282 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
283 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
284 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
285 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
286 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
287 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
288 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
289 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
290 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
291 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
292 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
293 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
294 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
295 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
296 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
297 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
298 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
299 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
300 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
301 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
302 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
303 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
304 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
305 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
306 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
307 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
308 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
309 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
310 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
311 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
312 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
313 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
314 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
315 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
316 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
317 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
318 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
319 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
320 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
321 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
322 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
323 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
324 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
325 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
326 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
327 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
328
329 #define V(a,b,c,d) 0x##a##b##c##d
330 static const uint32_t RT0[256] = { RT };
331 #undef V
332
333 #if !defined(MBEDTLS_AES_FEWER_TABLES)
334
335 #define V(a,b,c,d) 0x##b##c##d##a
336 static const uint32_t RT1[256] = { RT };
337 #undef V
338
339 #define V(a,b,c,d) 0x##c##d##a##b
340 static const uint32_t RT2[256] = { RT };
341 #undef V
342
343 #define V(a,b,c,d) 0x##d##a##b##c
344 static const uint32_t RT3[256] = { RT };
345 #undef V
346
347 #endif /* !MBEDTLS_AES_FEWER_TABLES */
348
349 #undef RT
350
351 /*
352 * Round constants
353 */
354 static const uint32_t RCON[10] =
355 {
356 0x00000001, 0x00000002, 0x00000004, 0x00000008,
357 0x00000010, 0x00000020, 0x00000040, 0x00000080,
358 0x0000001B, 0x00000036
359 };
360
361 #else /* MBEDTLS_AES_ROM_TABLES */
362
363 /*
364 * Forward S-box & tables
365 */
366 static unsigned char FSb[256];
367 static uint32_t FT0[256];
368 #if !defined(MBEDTLS_AES_FEWER_TABLES)
369 static uint32_t FT1[256];
370 static uint32_t FT2[256];
371 static uint32_t FT3[256];
372 #endif /* !MBEDTLS_AES_FEWER_TABLES */
373
374 /*
375 * Reverse S-box & tables
376 */
377 static unsigned char RSb[256];
378 static uint32_t RT0[256];
379 #if !defined(MBEDTLS_AES_FEWER_TABLES)
380 static uint32_t RT1[256];
381 static uint32_t RT2[256];
382 static uint32_t RT3[256];
383 #endif /* !MBEDTLS_AES_FEWER_TABLES */
384
385 /*
386 * Round constants
387 */
388 static uint32_t RCON[10];
389
390 /*
391 * Tables generation code
392 */
393 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
394 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
395 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
396
397 static int aes_init_done = 0;
398
399 static void aes_gen_tables( void )
400 {
401 int i, x, y, z;
402 int pow[256];
403 int log[256];
404
405 /*
406 * compute pow and log tables over GF(2^8)
407 */
408 for( i = 0, x = 1; i < 256; i++ )
409 {
410 pow[i] = x;
411 log[x] = i;
412 x = ( x ^ XTIME( x ) ) & 0xFF;
413 }
414
415 /*
416 * calculate the round constants
417 */
418 for( i = 0, x = 1; i < 10; i++ )
419 {
420 RCON[i] = (uint32_t) x;
421 x = XTIME( x ) & 0xFF;
422 }
423
424 /*
425 * generate the forward and reverse S-boxes
426 */
427 FSb[0x00] = 0x63;
428 RSb[0x63] = 0x00;
429
430 for( i = 1; i < 256; i++ )
431 {
432 x = pow[255 - log[i]];
433
434 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
436 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
438 x ^= y ^ 0x63;
439
440 FSb[i] = (unsigned char) x;
441 RSb[x] = (unsigned char) i;
442 }
443
444 /*
445 * generate the forward and reverse tables
446 */
447 for( i = 0; i < 256; i++ )
448 {
449 x = FSb[i];
450 y = XTIME( x ) & 0xFF;
451 z = ( y ^ x ) & 0xFF;
452
453 FT0[i] = ( (uint32_t) y ) ^
454 ( (uint32_t) x << 8 ) ^
455 ( (uint32_t) x << 16 ) ^
456 ( (uint32_t) z << 24 );
457
458 #if !defined(MBEDTLS_AES_FEWER_TABLES)
459 FT1[i] = ROTL8( FT0[i] );
460 FT2[i] = ROTL8( FT1[i] );
461 FT3[i] = ROTL8( FT2[i] );
462 #endif /* !MBEDTLS_AES_FEWER_TABLES */
463
464 x = RSb[i];
465
466 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
467 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
468 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
469 ( (uint32_t) MUL( 0x0B, x ) << 24 );
470
471 #if !defined(MBEDTLS_AES_FEWER_TABLES)
472 RT1[i] = ROTL8( RT0[i] );
473 RT2[i] = ROTL8( RT1[i] );
474 RT3[i] = ROTL8( RT2[i] );
475 #endif /* !MBEDTLS_AES_FEWER_TABLES */
476 }
477 }
478
479 #undef ROTL8
480
481 #endif /* MBEDTLS_AES_ROM_TABLES */
482
483 #if defined(MBEDTLS_AES_FEWER_TABLES)
484
485 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
486 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
487 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
488
489 #define AES_RT0(idx) RT0[idx]
490 #define AES_RT1(idx) ROTL8( RT0[idx] )
491 #define AES_RT2(idx) ROTL16( RT0[idx] )
492 #define AES_RT3(idx) ROTL24( RT0[idx] )
493
494 #define AES_FT0(idx) FT0[idx]
495 #define AES_FT1(idx) ROTL8( FT0[idx] )
496 #define AES_FT2(idx) ROTL16( FT0[idx] )
497 #define AES_FT3(idx) ROTL24( FT0[idx] )
498
499 #else /* MBEDTLS_AES_FEWER_TABLES */
500
501 #define AES_RT0(idx) RT0[idx]
502 #define AES_RT1(idx) RT1[idx]
503 #define AES_RT2(idx) RT2[idx]
504 #define AES_RT3(idx) RT3[idx]
505
506 #define AES_FT0(idx) FT0[idx]
507 #define AES_FT1(idx) FT1[idx]
508 #define AES_FT2(idx) FT2[idx]
509 #define AES_FT3(idx) FT3[idx]
510
511 #endif /* MBEDTLS_AES_FEWER_TABLES */
512
513 void mbedtls_aes_init( mbedtls_aes_context *ctx )
514 {
515 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
516 }
517
518 void mbedtls_aes_free( mbedtls_aes_context *ctx )
519 {
520 if( ctx == NULL )
521 return;
522
523 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
524 }
525
526 #if defined(MBEDTLS_CIPHER_MODE_XTS)
527 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
528 {
529 mbedtls_aes_init( &ctx->crypt );
530 mbedtls_aes_init( &ctx->tweak );
531 }
532
533 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
534 {
535 mbedtls_aes_free( &ctx->crypt );
536 mbedtls_aes_free( &ctx->tweak );
537 }
538 #endif /* MBEDTLS_CIPHER_MODE_XTS */
539
540 /*
541 * AES key schedule (encryption)
542 */
543 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
544 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
545 unsigned int keybits )
546 {
547 unsigned int i;
548 uint32_t *RK;
549
550 #if !defined(MBEDTLS_AES_ROM_TABLES)
551 if( aes_init_done == 0 )
552 {
553 aes_gen_tables();
554 aes_init_done = 1;
555
556 }
557 #endif
558
559 switch( keybits )
560 {
561 case 128: ctx->nr = 10; break;
562 case 192: ctx->nr = 12; break;
563 case 256: ctx->nr = 14; break;
564 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
565 }
566
567 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
568 if( aes_padlock_ace == -1 )
569 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
570
571 if( aes_padlock_ace )
572 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
573 else
574 #endif
575 ctx->rk = RK = ctx->buf;
576
577 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
578 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
579 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
580 #endif
581
582 for( i = 0; i < ( keybits >> 5 ); i++ )
583 {
584 GET_UINT32_LE( RK[i], key, i << 2 );
585 }
586
587 switch( ctx->nr )
588 {
589 case 10:
590
591 for( i = 0; i < 10; i++, RK += 4 )
592 {
593 RK[4] = RK[0] ^ RCON[i] ^
594 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
595 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
596 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
597 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
598
599 RK[5] = RK[1] ^ RK[4];
600 RK[6] = RK[2] ^ RK[5];
601 RK[7] = RK[3] ^ RK[6];
602 }
603 break;
604
605 case 12:
606
607 for( i = 0; i < 8; i++, RK += 6 )
608 {
609 RK[6] = RK[0] ^ RCON[i] ^
610 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
611 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
612 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
613 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
614
615 RK[7] = RK[1] ^ RK[6];
616 RK[8] = RK[2] ^ RK[7];
617 RK[9] = RK[3] ^ RK[8];
618 RK[10] = RK[4] ^ RK[9];
619 RK[11] = RK[5] ^ RK[10];
620 }
621 break;
622
623 case 14:
624
625 for( i = 0; i < 7; i++, RK += 8 )
626 {
627 RK[8] = RK[0] ^ RCON[i] ^
628 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
629 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
630 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
631 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
632
633 RK[9] = RK[1] ^ RK[8];
634 RK[10] = RK[2] ^ RK[9];
635 RK[11] = RK[3] ^ RK[10];
636
637 RK[12] = RK[4] ^
638 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
639 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
640 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
641 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
642
643 RK[13] = RK[5] ^ RK[12];
644 RK[14] = RK[6] ^ RK[13];
645 RK[15] = RK[7] ^ RK[14];
646 }
647 break;
648 }
649
650 return( 0 );
651 }
652 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
653
654 /*
655 * AES key schedule (decryption)
656 */
657 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
658 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
659 unsigned int keybits )
660 {
661 int i, j, ret;
662 mbedtls_aes_context cty;
663 uint32_t *RK;
664 uint32_t *SK;
665
666 mbedtls_aes_init( &cty );
667
668 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
669 if( aes_padlock_ace == -1 )
670 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
671
672 if( aes_padlock_ace )
673 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
674 else
675 #endif
676 ctx->rk = RK = ctx->buf;
677
678 /* Also checks keybits */
679 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
680 goto exit;
681
682 ctx->nr = cty.nr;
683
684 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
685 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
686 {
687 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
688 (const unsigned char *) cty.rk, ctx->nr );
689 goto exit;
690 }
691 #endif
692
693 SK = cty.rk + cty.nr * 4;
694
695 *RK++ = *SK++;
696 *RK++ = *SK++;
697 *RK++ = *SK++;
698 *RK++ = *SK++;
699
700 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
701 {
702 for( j = 0; j < 4; j++, SK++ )
703 {
704 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
705 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
706 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
707 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
708 }
709 }
710
711 *RK++ = *SK++;
712 *RK++ = *SK++;
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715
716 exit:
717 mbedtls_aes_free( &cty );
718
719 return( ret );
720 }
721
722 #if defined(MBEDTLS_CIPHER_MODE_XTS)
723 static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
724 unsigned int keybits,
725 const unsigned char **key1,
726 unsigned int *key1bits,
727 const unsigned char **key2,
728 unsigned int *key2bits )
729 {
730 const unsigned int half_keybits = keybits / 2;
731 const unsigned int half_keybytes = half_keybits / 8;
732
733 switch( keybits )
734 {
735 case 256: break;
736 case 512: break;
737 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
738 }
739
740 *key1bits = half_keybits;
741 *key2bits = half_keybits;
742 *key1 = &key[0];
743 *key2 = &key[half_keybytes];
744
745 return 0;
746 }
747
748 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
749 const unsigned char *key,
750 unsigned int keybits)
751 {
752 int ret;
753 const unsigned char *key1, *key2;
754 unsigned int key1bits, key2bits;
755
756 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
757 &key2, &key2bits );
758 if( ret != 0 )
759 return( ret );
760
761 /* Set the tweak key. Always set tweak key for the encryption mode. */
762 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
763 if( ret != 0 )
764 return( ret );
765
766 /* Set crypt key for encryption. */
767 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
768 }
769
770 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
771 const unsigned char *key,
772 unsigned int keybits)
773 {
774 int ret;
775 const unsigned char *key1, *key2;
776 unsigned int key1bits, key2bits;
777
778 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
779 &key2, &key2bits );
780 if( ret != 0 )
781 return( ret );
782
783 /* Set the tweak key. Always set tweak key for encryption. */
784 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
785 if( ret != 0 )
786 return( ret );
787
788 /* Set crypt key for decryption. */
789 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
790 }
791 #endif /* MBEDTLS_CIPHER_MODE_XTS */
792
793 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
794
795 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
796 { \
797 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
798 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
799 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
800 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
801 \
802 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
803 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
804 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
805 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
806 \
807 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
808 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
809 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
810 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
811 \
812 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
813 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
814 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
815 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
816 }
817
818 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
819 { \
820 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
821 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
822 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
823 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
824 \
825 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
826 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
827 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
828 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
829 \
830 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
831 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
832 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
833 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
834 \
835 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
836 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
837 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
838 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
839 }
840
841 /*
842 * AES-ECB block encryption
843 */
844 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
845 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
846 const unsigned char input[16],
847 unsigned char output[16] )
848 {
849 int i;
850 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
851
852 RK = ctx->rk;
853
854 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
855 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
856 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
857 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
858
859 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
860 {
861 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
862 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
863 }
864
865 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
866
867 X0 = *RK++ ^ \
868 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
869 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
870 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
871 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
872
873 X1 = *RK++ ^ \
874 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
875 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
876 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
877 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
878
879 X2 = *RK++ ^ \
880 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
881 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
882 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
883 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
884
885 X3 = *RK++ ^ \
886 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
887 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
888 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
889 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
890
891 PUT_UINT32_LE( X0, output, 0 );
892 PUT_UINT32_LE( X1, output, 4 );
893 PUT_UINT32_LE( X2, output, 8 );
894 PUT_UINT32_LE( X3, output, 12 );
895
896 return( 0 );
897 }
898 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
899
900 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
901 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
902 const unsigned char input[16],
903 unsigned char output[16] )
904 {
905 mbedtls_internal_aes_encrypt( ctx, input, output );
906 }
907 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
908
909 /*
910 * AES-ECB block decryption
911 */
912 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
913 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
914 const unsigned char input[16],
915 unsigned char output[16] )
916 {
917 int i;
918 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
919
920 RK = ctx->rk;
921
922 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
923 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
924 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
925 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
926
927 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
928 {
929 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
930 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
931 }
932
933 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
934
935 X0 = *RK++ ^ \
936 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
937 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
938 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
939 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
940
941 X1 = *RK++ ^ \
942 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
943 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
944 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
945 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
946
947 X2 = *RK++ ^ \
948 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
949 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
950 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
951 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
952
953 X3 = *RK++ ^ \
954 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
955 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
956 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
957 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
958
959 PUT_UINT32_LE( X0, output, 0 );
960 PUT_UINT32_LE( X1, output, 4 );
961 PUT_UINT32_LE( X2, output, 8 );
962 PUT_UINT32_LE( X3, output, 12 );
963
964 return( 0 );
965 }
966 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
967
968 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
969 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
970 const unsigned char input[16],
971 unsigned char output[16] )
972 {
973 mbedtls_internal_aes_decrypt( ctx, input, output );
974 }
975 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
976
977 /*
978 * AES-ECB block encryption/decryption
979 */
980 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
981 int mode,
982 const unsigned char input[16],
983 unsigned char output[16] )
984 {
985 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
986 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
987 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
988 #endif
989
990 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
991 if( aes_padlock_ace )
992 {
993 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
994 return( 0 );
995
996 // If padlock data misaligned, we just fall back to
997 // unaccelerated mode
998 //
999 }
1000 #endif
1001
1002 if( mode == MBEDTLS_AES_ENCRYPT )
1003 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1004 else
1005 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
1006 }
1007
1008 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1009 /*
1010 * AES-CBC buffer encryption/decryption
1011 */
1012 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
1013 int mode,
1014 size_t length,
1015 unsigned char iv[16],
1016 const unsigned char *input,
1017 unsigned char *output )
1018 {
1019 int i;
1020 unsigned char temp[16];
1021
1022 if( length % 16 )
1023 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
1024
1025 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1026 if( aes_padlock_ace )
1027 {
1028 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
1029 return( 0 );
1030
1031 // If padlock data misaligned, we just fall back to
1032 // unaccelerated mode
1033 //
1034 }
1035 #endif
1036
1037 if( mode == MBEDTLS_AES_DECRYPT )
1038 {
1039 while( length > 0 )
1040 {
1041 memcpy( temp, input, 16 );
1042 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1043
1044 for( i = 0; i < 16; i++ )
1045 output[i] = (unsigned char)( output[i] ^ iv[i] );
1046
1047 memcpy( iv, temp, 16 );
1048
1049 input += 16;
1050 output += 16;
1051 length -= 16;
1052 }
1053 }
1054 else
1055 {
1056 while( length > 0 )
1057 {
1058 for( i = 0; i < 16; i++ )
1059 output[i] = (unsigned char)( input[i] ^ iv[i] );
1060
1061 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1062 memcpy( iv, output, 16 );
1063
1064 input += 16;
1065 output += 16;
1066 length -= 16;
1067 }
1068 }
1069
1070 return( 0 );
1071 }
1072 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1073
1074 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1075
1076 /* Endianess with 64 bits values */
1077 #ifndef GET_UINT64_LE
1078 #define GET_UINT64_LE(n,b,i) \
1079 { \
1080 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1081 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1082 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1083 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1084 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1085 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1086 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1087 | ( (uint64_t) (b)[(i) ] ); \
1088 }
1089 #endif
1090
1091 #ifndef PUT_UINT64_LE
1092 #define PUT_UINT64_LE(n,b,i) \
1093 { \
1094 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1095 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1096 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1097 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1098 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1099 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1100 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1101 (b)[(i) ] = (unsigned char) ( (n) ); \
1102 }
1103 #endif
1104
1105 typedef unsigned char mbedtls_be128[16];
1106
1107 /*
1108 * GF(2^128) multiplication function
1109 *
1110 * This function multiplies a field element by x in the polynomial field
1111 * representation. It uses 64-bit word operations to gain speed but compensates
1112 * for machine endianess and hence works correctly on both big and little
1113 * endian machines.
1114 */
1115 static void mbedtls_gf128mul_x_ble( unsigned char r[16],
1116 const unsigned char x[16] )
1117 {
1118 uint64_t a, b, ra, rb;
1119
1120 GET_UINT64_LE( a, x, 0 );
1121 GET_UINT64_LE( b, x, 8 );
1122
1123 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1124 rb = ( a >> 63 ) | ( b << 1 );
1125
1126 PUT_UINT64_LE( ra, r, 0 );
1127 PUT_UINT64_LE( rb, r, 8 );
1128 }
1129
1130 /*
1131 * AES-XTS buffer encryption/decryption
1132 */
1133 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1134 int mode,
1135 size_t length,
1136 const unsigned char data_unit[16],
1137 const unsigned char *input,
1138 unsigned char *output )
1139 {
1140 int ret;
1141 size_t blocks = length / 16;
1142 size_t leftover = length % 16;
1143 unsigned char tweak[16];
1144 unsigned char prev_tweak[16];
1145 unsigned char tmp[16];
1146
1147 /* Sectors must be at least 16 bytes. */
1148 if( length < 16 )
1149 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1150
1151 /* NIST SP 80-38E disallows data units larger than 2**20 blocks. */
1152 if( length > ( 1 << 20 ) * 16 )
1153 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1154
1155 /* Compute the tweak. */
1156 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1157 data_unit, tweak );
1158 if( ret != 0 )
1159 return( ret );
1160
1161 while( blocks-- )
1162 {
1163 size_t i;
1164
1165 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1166 {
1167 /* We are on the last block in a decrypt operation that has
1168 * leftover bytes, so we need to use the next tweak for this block,
1169 * and this tweak for the lefover bytes. Save the current tweak for
1170 * the leftovers and then update the current tweak for use on this,
1171 * the last full block. */
1172 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1173 mbedtls_gf128mul_x_ble( tweak, tweak );
1174 }
1175
1176 for( i = 0; i < 16; i++ )
1177 tmp[i] = input[i] ^ tweak[i];
1178
1179 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1180 if( ret != 0 )
1181 return( ret );
1182
1183 for( i = 0; i < 16; i++ )
1184 output[i] = tmp[i] ^ tweak[i];
1185
1186 /* Update the tweak for the next block. */
1187 mbedtls_gf128mul_x_ble( tweak, tweak );
1188
1189 output += 16;
1190 input += 16;
1191 }
1192
1193 if( leftover )
1194 {
1195 /* If we are on the leftover bytes in a decrypt operation, we need to
1196 * use the previous tweak for these bytes (as saved in prev_tweak). */
1197 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1198
1199 /* We are now on the final part of the data unit, which doesn't divide
1200 * evenly by 16. It's time for ciphertext stealing. */
1201 size_t i;
1202 unsigned char *prev_output = output - 16;
1203
1204 /* Copy ciphertext bytes from the previous block to our output for each
1205 * byte of cyphertext we won't steal. At the same time, copy the
1206 * remainder of the input for this final round (since the loop bounds
1207 * are the same). */
1208 for( i = 0; i < leftover; i++ )
1209 {
1210 output[i] = prev_output[i];
1211 tmp[i] = input[i] ^ t[i];
1212 }
1213
1214 /* Copy ciphertext bytes from the previous block for input in this
1215 * round. */
1216 for( ; i < 16; i++ )
1217 tmp[i] = prev_output[i] ^ t[i];
1218
1219 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1220 if( ret != 0 )
1221 return ret;
1222
1223 /* Write the result back to the previous block, overriding the previous
1224 * output we copied. */
1225 for( i = 0; i < 16; i++ )
1226 prev_output[i] = tmp[i] ^ t[i];
1227 }
1228
1229 return( 0 );
1230 }
1231 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1232
1233 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1234 /*
1235 * AES-CFB128 buffer encryption/decryption
1236 */
1237 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
1238 int mode,
1239 size_t length,
1240 size_t *iv_off,
1241 unsigned char iv[16],
1242 const unsigned char *input,
1243 unsigned char *output )
1244 {
1245 int c;
1246 size_t n = *iv_off;
1247
1248 if( mode == MBEDTLS_AES_DECRYPT )
1249 {
1250 while( length-- )
1251 {
1252 if( n == 0 )
1253 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1254
1255 c = *input++;
1256 *output++ = (unsigned char)( c ^ iv[n] );
1257 iv[n] = (unsigned char) c;
1258
1259 n = ( n + 1 ) & 0x0F;
1260 }
1261 }
1262 else
1263 {
1264 while( length-- )
1265 {
1266 if( n == 0 )
1267 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1268
1269 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1270
1271 n = ( n + 1 ) & 0x0F;
1272 }
1273 }
1274
1275 *iv_off = n;
1276
1277 return( 0 );
1278 }
1279
1280 /*
1281 * AES-CFB8 buffer encryption/decryption
1282 */
1283 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
1284 int mode,
1285 size_t length,
1286 unsigned char iv[16],
1287 const unsigned char *input,
1288 unsigned char *output )
1289 {
1290 unsigned char c;
1291 unsigned char ov[17];
1292
1293 while( length-- )
1294 {
1295 memcpy( ov, iv, 16 );
1296 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1297
1298 if( mode == MBEDTLS_AES_DECRYPT )
1299 ov[16] = *input;
1300
1301 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1302
1303 if( mode == MBEDTLS_AES_ENCRYPT )
1304 ov[16] = c;
1305
1306 memcpy( iv, ov + 1, 16 );
1307 }
1308
1309 return( 0 );
1310 }
1311 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1312
1313 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1314 /*
1315 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1316 */
1317 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
1318 size_t length,
1319 size_t *iv_off,
1320 unsigned char iv[16],
1321 const unsigned char *input,
1322 unsigned char *output )
1323 {
1324 int ret = 0;
1325 size_t n = *iv_off;
1326
1327 while( length-- )
1328 {
1329 if( n == 0 )
1330 {
1331 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1332 if( ret != 0 )
1333 goto exit;
1334 }
1335 *output++ = *input++ ^ iv[n];
1336
1337 n = ( n + 1 ) & 0x0F;
1338 }
1339
1340 *iv_off = n;
1341
1342 exit:
1343 return( ret );
1344 }
1345 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1346
1347 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1348 /*
1349 * AES-CTR buffer encryption/decryption
1350 */
1351 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1352 size_t length,
1353 size_t *nc_off,
1354 unsigned char nonce_counter[16],
1355 unsigned char stream_block[16],
1356 const unsigned char *input,
1357 unsigned char *output )
1358 {
1359 int c, i;
1360 size_t n = *nc_off;
1361
1362 if ( n > 0x0F )
1363 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1364
1365 while( length-- )
1366 {
1367 if( n == 0 ) {
1368 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1369
1370 for( i = 16; i > 0; i-- )
1371 if( ++nonce_counter[i - 1] != 0 )
1372 break;
1373 }
1374 c = *input++;
1375 *output++ = (unsigned char)( c ^ stream_block[n] );
1376
1377 n = ( n + 1 ) & 0x0F;
1378 }
1379
1380 *nc_off = n;
1381
1382 return( 0 );
1383 }
1384 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1385
1386 #endif /* !MBEDTLS_AES_ALT */
1387
1388 #if defined(MBEDTLS_SELF_TEST)
1389 /*
1390 * AES test vectors from:
1391 *
1392 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1393 */
1394 static const unsigned char aes_test_ecb_dec[3][16] =
1395 {
1396 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1397 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1398 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1399 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1400 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1401 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1402 };
1403
1404 static const unsigned char aes_test_ecb_enc[3][16] =
1405 {
1406 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1407 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1408 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1409 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1410 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1411 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1412 };
1413
1414 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1415 static const unsigned char aes_test_cbc_dec[3][16] =
1416 {
1417 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1418 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1419 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1420 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1421 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1422 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1423 };
1424
1425 static const unsigned char aes_test_cbc_enc[3][16] =
1426 {
1427 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1428 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1429 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1430 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1431 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1432 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1433 };
1434 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1435
1436 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1437 /*
1438 * AES-CFB128 test vectors from:
1439 *
1440 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1441 */
1442 static const unsigned char aes_test_cfb128_key[3][32] =
1443 {
1444 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1445 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1446 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1447 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1448 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1449 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1450 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1451 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1452 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1453 };
1454
1455 static const unsigned char aes_test_cfb128_iv[16] =
1456 {
1457 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1458 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1459 };
1460
1461 static const unsigned char aes_test_cfb128_pt[64] =
1462 {
1463 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1464 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1465 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1466 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1467 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1468 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1469 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1470 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1471 };
1472
1473 static const unsigned char aes_test_cfb128_ct[3][64] =
1474 {
1475 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1476 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1477 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1478 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1479 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1480 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1481 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1482 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1483 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1484 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1485 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1486 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1487 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1488 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1489 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1490 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1491 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1492 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1493 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1494 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1495 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1496 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1497 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1498 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1499 };
1500 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1501
1502 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1503 /*
1504 * AES-OFB test vectors from:
1505 *
1506 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1507 */
1508 static const unsigned char aes_test_ofb_key[3][32] =
1509 {
1510 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1511 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1512 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1513 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1514 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1515 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1516 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1517 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1518 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1519 };
1520
1521 static const unsigned char aes_test_ofb_iv[16] =
1522 {
1523 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1524 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1525 };
1526
1527 static const unsigned char aes_test_ofb_pt[64] =
1528 {
1529 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1530 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1531 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1532 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1533 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1534 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1535 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1536 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1537 };
1538
1539 static const unsigned char aes_test_ofb_ct[3][64] =
1540 {
1541 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1542 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1543 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1544 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1545 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1546 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1547 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1548 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1549 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1550 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1551 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1552 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1553 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1554 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1555 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1556 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1557 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1558 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1559 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1560 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1561 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1562 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1563 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1564 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1565 };
1566 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1567
1568 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1569 /*
1570 * AES-CTR test vectors from:
1571 *
1572 * http://www.faqs.org/rfcs/rfc3686.html
1573 */
1574
1575 static const unsigned char aes_test_ctr_key[3][16] =
1576 {
1577 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1578 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1579 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1580 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1581 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1582 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1583 };
1584
1585 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1586 {
1587 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1588 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1589 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1590 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1591 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1592 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1593 };
1594
1595 static const unsigned char aes_test_ctr_pt[3][48] =
1596 {
1597 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1598 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1599
1600 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1601 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1602 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1603 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1604
1605 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1606 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1607 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1608 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1609 0x20, 0x21, 0x22, 0x23 }
1610 };
1611
1612 static const unsigned char aes_test_ctr_ct[3][48] =
1613 {
1614 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1615 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1616 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1617 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1618 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1619 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1620 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1621 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1622 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1623 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1624 0x25, 0xB2, 0x07, 0x2F }
1625 };
1626
1627 static const int aes_test_ctr_len[3] =
1628 { 16, 32, 36 };
1629 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1630
1631 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1632 /*
1633 * AES-XTS test vectors from:
1634 *
1635 * IEEE P1619/D16 Annex B
1636 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1637 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1638 */
1639 static const unsigned char aes_test_xts_key[][32] =
1640 {
1641 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1643 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1644 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1645 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1646 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1647 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1648 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1649 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1650 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1651 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1652 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1653 };
1654
1655 static const unsigned char aes_test_xts_pt32[][32] =
1656 {
1657 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1660 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1661 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1662 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1663 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1664 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1665 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1666 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1667 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1668 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1669 };
1670
1671 static const unsigned char aes_test_xts_ct32[][32] =
1672 {
1673 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1674 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1675 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1676 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1677 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1678 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1679 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1680 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1681 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1682 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1683 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1684 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1685 };
1686
1687 static const unsigned char aes_test_xts_data_unit[][16] =
1688 {
1689 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1691 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1693 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1694 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1695 };
1696
1697 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1698
1699 /*
1700 * Checkup routine
1701 */
1702 int mbedtls_aes_self_test( int verbose )
1703 {
1704 int ret = 0, i, j, u, mode;
1705 unsigned int keybits;
1706 unsigned char key[32];
1707 unsigned char buf[64];
1708 const unsigned char *aes_tests;
1709 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
1710 unsigned char iv[16];
1711 #endif
1712 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1713 unsigned char prv[16];
1714 #endif
1715 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1716 defined(MBEDTLS_CIPHER_MODE_OFB)
1717 size_t offset;
1718 #endif
1719 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1720 int len;
1721 #endif
1722 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1723 unsigned char nonce_counter[16];
1724 unsigned char stream_block[16];
1725 #endif
1726 mbedtls_aes_context ctx;
1727
1728 memset( key, 0, 32 );
1729 mbedtls_aes_init( &ctx );
1730
1731 /*
1732 * ECB mode
1733 */
1734 for( i = 0; i < 6; i++ )
1735 {
1736 u = i >> 1;
1737 keybits = 128 + u * 64;
1738 mode = i & 1;
1739
1740 if( verbose != 0 )
1741 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1742 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1743
1744 memset( buf, 0, 16 );
1745
1746 if( mode == MBEDTLS_AES_DECRYPT )
1747 {
1748 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1749 aes_tests = aes_test_ecb_dec[u];
1750 }
1751 else
1752 {
1753 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1754 aes_tests = aes_test_ecb_enc[u];
1755 }
1756
1757 /*
1758 * AES-192 is an optional feature that may be unavailable when
1759 * there is an alternative underlying implementation i.e. when
1760 * MBEDTLS_AES_ALT is defined.
1761 */
1762 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1763 {
1764 mbedtls_printf( "skipped\n" );
1765 continue;
1766 }
1767 else if( ret != 0 )
1768 {
1769 goto exit;
1770 }
1771
1772 for( j = 0; j < 10000; j++ )
1773 {
1774 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1775 if( ret != 0 )
1776 goto exit;
1777 }
1778
1779 if( memcmp( buf, aes_tests, 16 ) != 0 )
1780 {
1781 ret = 1;
1782 goto exit;
1783 }
1784
1785 if( verbose != 0 )
1786 mbedtls_printf( "passed\n" );
1787 }
1788
1789 if( verbose != 0 )
1790 mbedtls_printf( "\n" );
1791
1792 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1793 /*
1794 * CBC mode
1795 */
1796 for( i = 0; i < 6; i++ )
1797 {
1798 u = i >> 1;
1799 keybits = 128 + u * 64;
1800 mode = i & 1;
1801
1802 if( verbose != 0 )
1803 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1804 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1805
1806 memset( iv , 0, 16 );
1807 memset( prv, 0, 16 );
1808 memset( buf, 0, 16 );
1809
1810 if( mode == MBEDTLS_AES_DECRYPT )
1811 {
1812 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1813 aes_tests = aes_test_cbc_dec[u];
1814 }
1815 else
1816 {
1817 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1818 aes_tests = aes_test_cbc_enc[u];
1819 }
1820
1821 /*
1822 * AES-192 is an optional feature that may be unavailable when
1823 * there is an alternative underlying implementation i.e. when
1824 * MBEDTLS_AES_ALT is defined.
1825 */
1826 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1827 {
1828 mbedtls_printf( "skipped\n" );
1829 continue;
1830 }
1831 else if( ret != 0 )
1832 {
1833 goto exit;
1834 }
1835
1836 for( j = 0; j < 10000; j++ )
1837 {
1838 if( mode == MBEDTLS_AES_ENCRYPT )
1839 {
1840 unsigned char tmp[16];
1841
1842 memcpy( tmp, prv, 16 );
1843 memcpy( prv, buf, 16 );
1844 memcpy( buf, tmp, 16 );
1845 }
1846
1847 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1848 if( ret != 0 )
1849 goto exit;
1850
1851 }
1852
1853 if( memcmp( buf, aes_tests, 16 ) != 0 )
1854 {
1855 ret = 1;
1856 goto exit;
1857 }
1858
1859 if( verbose != 0 )
1860 mbedtls_printf( "passed\n" );
1861 }
1862
1863 if( verbose != 0 )
1864 mbedtls_printf( "\n" );
1865 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1866
1867 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1868 /*
1869 * CFB128 mode
1870 */
1871 for( i = 0; i < 6; i++ )
1872 {
1873 u = i >> 1;
1874 keybits = 128 + u * 64;
1875 mode = i & 1;
1876
1877 if( verbose != 0 )
1878 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1879 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1880
1881 memcpy( iv, aes_test_cfb128_iv, 16 );
1882 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
1883
1884 offset = 0;
1885 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1886 /*
1887 * AES-192 is an optional feature that may be unavailable when
1888 * there is an alternative underlying implementation i.e. when
1889 * MBEDTLS_AES_ALT is defined.
1890 */
1891 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1892 {
1893 mbedtls_printf( "skipped\n" );
1894 continue;
1895 }
1896 else if( ret != 0 )
1897 {
1898 goto exit;
1899 }
1900
1901 if( mode == MBEDTLS_AES_DECRYPT )
1902 {
1903 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1904 aes_tests = aes_test_cfb128_pt;
1905 }
1906 else
1907 {
1908 memcpy( buf, aes_test_cfb128_pt, 64 );
1909 aes_tests = aes_test_cfb128_ct[u];
1910 }
1911
1912 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1913 if( ret != 0 )
1914 goto exit;
1915
1916 if( memcmp( buf, aes_tests, 64 ) != 0 )
1917 {
1918 ret = 1;
1919 goto exit;
1920 }
1921
1922 if( verbose != 0 )
1923 mbedtls_printf( "passed\n" );
1924 }
1925
1926 if( verbose != 0 )
1927 mbedtls_printf( "\n" );
1928 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1929
1930 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1931 /*
1932 * OFB mode
1933 */
1934 for( i = 0; i < 6; i++ )
1935 {
1936 u = i >> 1;
1937 keybits = 128 + u * 64;
1938 mode = i & 1;
1939
1940 if( verbose != 0 )
1941 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
1942 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1943
1944 memcpy( iv, aes_test_ofb_iv, 16 );
1945 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1946
1947 offset = 0;
1948 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1949 /*
1950 * AES-192 is an optional feature that may be unavailable when
1951 * there is an alternative underlying implementation i.e. when
1952 * MBEDTLS_AES_ALT is defined.
1953 */
1954 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1955 {
1956 mbedtls_printf( "skipped\n" );
1957 continue;
1958 }
1959 else if( ret != 0 )
1960 {
1961 goto exit;
1962 }
1963
1964 if( mode == MBEDTLS_AES_DECRYPT )
1965 {
1966 memcpy( buf, aes_test_ofb_ct[u], 64 );
1967 aes_tests = aes_test_ofb_pt;
1968 }
1969 else
1970 {
1971 memcpy( buf, aes_test_ofb_pt, 64 );
1972 aes_tests = aes_test_ofb_ct[u];
1973 }
1974
1975 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1976 if( ret != 0 )
1977 goto exit;
1978
1979 if( memcmp( buf, aes_tests, 64 ) != 0 )
1980 {
1981 ret = 1;
1982 goto exit;
1983 }
1984
1985 if( verbose != 0 )
1986 mbedtls_printf( "passed\n" );
1987 }
1988
1989 if( verbose != 0 )
1990 mbedtls_printf( "\n" );
1991 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1992
1993 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1994 /*
1995 * CTR mode
1996 */
1997 for( i = 0; i < 6; i++ )
1998 {
1999 u = i >> 1;
2000 mode = i & 1;
2001
2002 if( verbose != 0 )
2003 mbedtls_printf( " AES-CTR-128 (%s): ",
2004 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2005
2006 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2007 memcpy( key, aes_test_ctr_key[u], 16 );
2008
2009 offset = 0;
2010 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2011 goto exit;
2012
2013 len = aes_test_ctr_len[u];
2014
2015 if( mode == MBEDTLS_AES_DECRYPT )
2016 {
2017 memcpy( buf, aes_test_ctr_ct[u], len );
2018 aes_tests = aes_test_ctr_pt[u];
2019 }
2020 else
2021 {
2022 memcpy( buf, aes_test_ctr_pt[u], len );
2023 aes_tests = aes_test_ctr_ct[u];
2024 }
2025
2026 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2027 stream_block, buf, buf );
2028 if( ret != 0 )
2029 goto exit;
2030
2031 if( memcmp( buf, aes_tests, len ) != 0 )
2032 {
2033 ret = 1;
2034 goto exit;
2035 }
2036
2037 if( verbose != 0 )
2038 mbedtls_printf( "passed\n" );
2039 }
2040
2041 if( verbose != 0 )
2042 mbedtls_printf( "\n" );
2043 #endif /* MBEDTLS_CIPHER_MODE_CTR */
2044
2045 #if defined(MBEDTLS_CIPHER_MODE_XTS)
2046 {
2047 static const int num_tests =
2048 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2049 mbedtls_aes_xts_context ctx_xts;
2050
2051 /*
2052 * XTS mode
2053 */
2054 mbedtls_aes_xts_init( &ctx_xts );
2055
2056 for( i = 0; i < num_tests << 1; i++ )
2057 {
2058 const unsigned char *data_unit;
2059 u = i >> 1;
2060 mode = i & 1;
2061
2062 if( verbose != 0 )
2063 mbedtls_printf( " AES-XTS-128 (%s): ",
2064 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2065
2066 memset( key, 0, sizeof( key ) );
2067 memcpy( key, aes_test_xts_key[u], 32 );
2068 data_unit = aes_test_xts_data_unit[u];
2069
2070 len = sizeof( *aes_test_xts_ct32 );
2071
2072 if( mode == MBEDTLS_AES_DECRYPT )
2073 {
2074 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2075 if( ret != 0)
2076 goto exit;
2077 memcpy( buf, aes_test_xts_ct32[u], len );
2078 aes_tests = aes_test_xts_pt32[u];
2079 }
2080 else
2081 {
2082 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2083 if( ret != 0)
2084 goto exit;
2085 memcpy( buf, aes_test_xts_pt32[u], len );
2086 aes_tests = aes_test_xts_ct32[u];
2087 }
2088
2089
2090 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2091 buf, buf );
2092 if( ret != 0 )
2093 goto exit;
2094
2095 if( memcmp( buf, aes_tests, len ) != 0 )
2096 {
2097 ret = 1;
2098 goto exit;
2099 }
2100
2101 if( verbose != 0 )
2102 mbedtls_printf( "passed\n" );
2103 }
2104
2105 if( verbose != 0 )
2106 mbedtls_printf( "\n" );
2107
2108 mbedtls_aes_xts_free( &ctx_xts );
2109 }
2110 #endif /* MBEDTLS_CIPHER_MODE_XTS */
2111
2112 ret = 0;
2113
2114 exit:
2115 if( ret != 0 && verbose != 0 )
2116 mbedtls_printf( "failed\n" );
2117
2118 mbedtls_aes_free( &ctx );
2119
2120 return( ret );
2121 }
2122
2123 #endif /* MBEDTLS_SELF_TEST */
2124
2125 #endif /* MBEDTLS_AES_C */
Impressum, Datenschutz