1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21 /*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33
34 #if defined(MBEDTLS_AES_C)
35
36 #include <string.h>
37
38 #include "mbedtls/aes.h"
39 #if defined(MBEDTLS_PADLOCK_C)
40 #include "mbedtls/padlock.h"
41 #endif
42 #if defined(MBEDTLS_AESNI_C)
43 #include "mbedtls/aesni.h"
44 #endif
45
46 #if defined(MBEDTLS_SELF_TEST)
47 #if defined(MBEDTLS_PLATFORM_C)
48 #include "mbedtls/platform.h"
49 #else
50 #include <stdio.h>
51 #define mbedtls_printf printf
52 #endif /* MBEDTLS_PLATFORM_C */
53 #endif /* MBEDTLS_SELF_TEST */
54
55 #if !defined(MBEDTLS_AES_ALT)
56
57 /* Implementation that should never be optimized out by the compiler */
mbedtls_zeroize(void * v,size_t n)58 static void mbedtls_zeroize( void *v, size_t n ) {
59 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
60 }
61
62 /*
63 * 32-bit integer manipulation macros (little endian)
64 */
65 #ifndef GET_UINT32_LE
66 #define GET_UINT32_LE(n,b,i) \
67 { \
68 (n) = ( (uint32_t) (b)[(i) ] ) \
69 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
70 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
71 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
72 }
73 #endif
74
75 #ifndef PUT_UINT32_LE
76 #define PUT_UINT32_LE(n,b,i) \
77 { \
78 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
79 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
80 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
81 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
82 }
83 #endif
84
85 #if defined(MBEDTLS_PADLOCK_C) && \
86 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
87 static int aes_padlock_ace = -1;
88 #endif
89
90 #if defined(MBEDTLS_AES_ROM_TABLES)
91 /*
92 * Forward S-box
93 */
94 static const unsigned char FSb[256] =
95 {
96 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
97 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
98 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
99 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
100 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
101 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
102 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
103 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
104 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
105 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
106 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
107 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
108 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
109 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
110 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
111 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
112 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
113 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
114 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
115 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
116 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
117 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
118 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
119 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
120 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
121 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
122 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
123 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
124 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
125 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
126 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
127 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
128 };
129
130 /*
131 * Forward tables
132 */
133 #define FT \
134 \
135 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
136 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
137 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
138 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
139 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
140 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
141 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
142 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
143 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
144 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
145 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
146 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
147 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
148 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
149 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
150 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
151 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
152 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
153 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
154 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
155 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
156 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
157 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
158 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
159 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
160 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
161 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
162 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
163 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
164 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
165 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
166 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
167 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
168 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
169 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
170 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
171 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
172 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
173 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
174 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
175 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
176 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
177 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
178 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
179 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
180 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
181 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
182 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
183 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
184 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
185 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
186 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
187 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
188 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
189 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
190 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
191 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
192 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
193 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
194 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
195 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
196 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
197 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
198 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
199
200 #define V(a,b,c,d) 0x##a##b##c##d
201 static const uint32_t FT0[256] = { FT };
202 #undef V
203
204 #define V(a,b,c,d) 0x##b##c##d##a
205 static const uint32_t FT1[256] = { FT };
206 #undef V
207
208 #define V(a,b,c,d) 0x##c##d##a##b
209 static const uint32_t FT2[256] = { FT };
210 #undef V
211
212 #define V(a,b,c,d) 0x##d##a##b##c
213 static const uint32_t FT3[256] = { FT };
214 #undef V
215
216 #undef FT
217
218 /*
219 * Reverse S-box
220 */
221 static const unsigned char RSb[256] =
222 {
223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
255 };
256
257 /*
258 * Reverse tables
259 */
260 #define RT \
261 \
262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
326
327 #define V(a,b,c,d) 0x##a##b##c##d
328 static const uint32_t RT0[256] = { RT };
329 #undef V
330
331 #define V(a,b,c,d) 0x##b##c##d##a
332 static const uint32_t RT1[256] = { RT };
333 #undef V
334
335 #define V(a,b,c,d) 0x##c##d##a##b
336 static const uint32_t RT2[256] = { RT };
337 #undef V
338
339 #define V(a,b,c,d) 0x##d##a##b##c
340 static const uint32_t RT3[256] = { RT };
341 #undef V
342
343 #undef RT
344
345 /*
346 * Round constants
347 */
348 static const uint32_t RCON[10] =
349 {
350 0x00000001, 0x00000002, 0x00000004, 0x00000008,
351 0x00000010, 0x00000020, 0x00000040, 0x00000080,
352 0x0000001B, 0x00000036
353 };
354
355 #else /* MBEDTLS_AES_ROM_TABLES */
356
357 /*
358 * Forward S-box & tables
359 */
360 static unsigned char FSb[256];
361 static uint32_t FT0[256];
362 static uint32_t FT1[256];
363 static uint32_t FT2[256];
364 static uint32_t FT3[256];
365
366 /*
367 * Reverse S-box & tables
368 */
369 static unsigned char RSb[256];
370 static uint32_t RT0[256];
371 static uint32_t RT1[256];
372 static uint32_t RT2[256];
373 static uint32_t RT3[256];
374
375 /*
376 * Round constants
377 */
378 static uint32_t RCON[10];
379
380 /*
381 * Tables generation code
382 */
383 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
384 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
385 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
386
387 static int aes_init_done = 0;
388
aes_gen_tables(void)389 static void aes_gen_tables( void )
390 {
391 int i, x, y, z;
392 int pow[256];
393 int log[256];
394
395 /*
396 * compute pow and log tables over GF(2^8)
397 */
398 for( i = 0, x = 1; i < 256; i++ )
399 {
400 pow[i] = x;
401 log[x] = i;
402 x = ( x ^ XTIME( x ) ) & 0xFF;
403 }
404
405 /*
406 * calculate the round constants
407 */
408 for( i = 0, x = 1; i < 10; i++ )
409 {
410 RCON[i] = (uint32_t) x;
411 x = XTIME( x ) & 0xFF;
412 }
413
414 /*
415 * generate the forward and reverse S-boxes
416 */
417 FSb[0x00] = 0x63;
418 RSb[0x63] = 0x00;
419
420 for( i = 1; i < 256; i++ )
421 {
422 x = pow[255 - log[i]];
423
424 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
425 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
426 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
427 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
428 x ^= y ^ 0x63;
429
430 FSb[i] = (unsigned char) x;
431 RSb[x] = (unsigned char) i;
432 }
433
434 /*
435 * generate the forward and reverse tables
436 */
437 for( i = 0; i < 256; i++ )
438 {
439 x = FSb[i];
440 y = XTIME( x ) & 0xFF;
441 z = ( y ^ x ) & 0xFF;
442
443 FT0[i] = ( (uint32_t) y ) ^
444 ( (uint32_t) x << 8 ) ^
445 ( (uint32_t) x << 16 ) ^
446 ( (uint32_t) z << 24 );
447
448 FT1[i] = ROTL8( FT0[i] );
449 FT2[i] = ROTL8( FT1[i] );
450 FT3[i] = ROTL8( FT2[i] );
451
452 x = RSb[i];
453
454 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
455 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
456 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
457 ( (uint32_t) MUL( 0x0B, x ) << 24 );
458
459 RT1[i] = ROTL8( RT0[i] );
460 RT2[i] = ROTL8( RT1[i] );
461 RT3[i] = ROTL8( RT2[i] );
462 }
463 }
464
465 #endif /* MBEDTLS_AES_ROM_TABLES */
466
mbedtls_aes_init(mbedtls_aes_context * ctx)467 void mbedtls_aes_init( mbedtls_aes_context *ctx )
468 {
469 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
470 }
471
mbedtls_aes_free(mbedtls_aes_context * ctx)472 void mbedtls_aes_free( mbedtls_aes_context *ctx )
473 {
474 if( ctx == NULL )
475 return;
476
477 mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
478 }
479
480 /*
481 * AES key schedule (encryption)
482 */
483 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)484 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
485 unsigned int keybits )
486 {
487 unsigned int i;
488 uint32_t *RK;
489
490 #if !defined(MBEDTLS_AES_ROM_TABLES)
491 if( aes_init_done == 0 )
492 {
493 aes_gen_tables();
494 aes_init_done = 1;
495
496 }
497 #endif
498
499 switch( keybits )
500 {
501 case 128: ctx->nr = 10; break;
502 case 192: ctx->nr = 12; break;
503 case 256: ctx->nr = 14; break;
504 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
505 }
506
507 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
508 if( aes_padlock_ace == -1 )
509 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
510
511 if( aes_padlock_ace )
512 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
513 else
514 #endif
515 ctx->rk = RK = ctx->buf;
516
517 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
518 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
519 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
520 #endif
521
522 for( i = 0; i < ( keybits >> 5 ); i++ )
523 {
524 GET_UINT32_LE( RK[i], key, i << 2 );
525 }
526
527 switch( ctx->nr )
528 {
529 case 10:
530
531 for( i = 0; i < 10; i++, RK += 4 )
532 {
533 RK[4] = RK[0] ^ RCON[i] ^
534 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
535 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
536 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
537 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
538
539 RK[5] = RK[1] ^ RK[4];
540 RK[6] = RK[2] ^ RK[5];
541 RK[7] = RK[3] ^ RK[6];
542 }
543 break;
544
545 case 12:
546
547 for( i = 0; i < 8; i++, RK += 6 )
548 {
549 RK[6] = RK[0] ^ RCON[i] ^
550 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
551 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
552 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
553 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
554
555 RK[7] = RK[1] ^ RK[6];
556 RK[8] = RK[2] ^ RK[7];
557 RK[9] = RK[3] ^ RK[8];
558 RK[10] = RK[4] ^ RK[9];
559 RK[11] = RK[5] ^ RK[10];
560 }
561 break;
562
563 case 14:
564
565 for( i = 0; i < 7; i++, RK += 8 )
566 {
567 RK[8] = RK[0] ^ RCON[i] ^
568 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
569 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
570 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
571 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
572
573 RK[9] = RK[1] ^ RK[8];
574 RK[10] = RK[2] ^ RK[9];
575 RK[11] = RK[3] ^ RK[10];
576
577 RK[12] = RK[4] ^
578 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
579 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
580 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
581 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
582
583 RK[13] = RK[5] ^ RK[12];
584 RK[14] = RK[6] ^ RK[13];
585 RK[15] = RK[7] ^ RK[14];
586 }
587 break;
588 }
589
590 return( 0 );
591 }
592 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
593
594 /*
595 * AES key schedule (decryption)
596 */
597 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)598 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
599 unsigned int keybits )
600 {
601 int i, j, ret;
602 mbedtls_aes_context cty;
603 uint32_t *RK;
604 uint32_t *SK;
605
606 mbedtls_aes_init( &cty );
607
608 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
609 if( aes_padlock_ace == -1 )
610 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
611
612 if( aes_padlock_ace )
613 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
614 else
615 #endif
616 ctx->rk = RK = ctx->buf;
617
618 /* Also checks keybits */
619 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
620 goto exit;
621
622 ctx->nr = cty.nr;
623
624 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
625 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
626 {
627 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
628 (const unsigned char *) cty.rk, ctx->nr );
629 goto exit;
630 }
631 #endif
632
633 SK = cty.rk + cty.nr * 4;
634
635 *RK++ = *SK++;
636 *RK++ = *SK++;
637 *RK++ = *SK++;
638 *RK++ = *SK++;
639
640 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
641 {
642 for( j = 0; j < 4; j++, SK++ )
643 {
644 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
645 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
646 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
647 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
648 }
649 }
650
651 *RK++ = *SK++;
652 *RK++ = *SK++;
653 *RK++ = *SK++;
654 *RK++ = *SK++;
655
656 exit:
657 mbedtls_aes_free( &cty );
658
659 return( ret );
660 }
661 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
662
663 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
664 { \
665 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
666 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
667 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
668 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
669 \
670 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
671 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
672 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
673 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
674 \
675 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
676 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
677 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
678 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
679 \
680 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
681 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
682 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
683 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
684 }
685
686 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
687 { \
688 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
689 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
690 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
691 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
692 \
693 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
694 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
695 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
696 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
697 \
698 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
699 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
700 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
701 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
702 \
703 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
704 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
705 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
706 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
707 }
708
709 /*
710 * AES-ECB block encryption
711 */
712 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
mbedtls_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])713 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
714 const unsigned char input[16],
715 unsigned char output[16] )
716 {
717 int i;
718 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
719
720 RK = ctx->rk;
721
722 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
723 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
724 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
725 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
726
727 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
728 {
729 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
730 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
731 }
732
733 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
734
735 X0 = *RK++ ^ \
736 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
737 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
738 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
739 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
740
741 X1 = *RK++ ^ \
742 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
743 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
744 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
745 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
746
747 X2 = *RK++ ^ \
748 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
749 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
750 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
751 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
752
753 X3 = *RK++ ^ \
754 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
755 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
756 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
757 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
758
759 PUT_UINT32_LE( X0, output, 0 );
760 PUT_UINT32_LE( X1, output, 4 );
761 PUT_UINT32_LE( X2, output, 8 );
762 PUT_UINT32_LE( X3, output, 12 );
763 }
764 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
765
766 /*
767 * AES-ECB block decryption
768 */
769 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
mbedtls_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])770 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
771 const unsigned char input[16],
772 unsigned char output[16] )
773 {
774 int i;
775 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
776
777 RK = ctx->rk;
778
779 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
780 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
781 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
782 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
783
784 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
785 {
786 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
787 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
788 }
789
790 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
791
792 X0 = *RK++ ^ \
793 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
794 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
795 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
796 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
797
798 X1 = *RK++ ^ \
799 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
800 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
801 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
802 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
803
804 X2 = *RK++ ^ \
805 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
806 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
807 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
808 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
809
810 X3 = *RK++ ^ \
811 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
812 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
813 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
814 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
815
816 PUT_UINT32_LE( X0, output, 0 );
817 PUT_UINT32_LE( X1, output, 4 );
818 PUT_UINT32_LE( X2, output, 8 );
819 PUT_UINT32_LE( X3, output, 12 );
820 }
821 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
822
823 /*
824 * AES-ECB block encryption/decryption
825 */
mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])826 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
827 int mode,
828 const unsigned char input[16],
829 unsigned char output[16] )
830 {
831 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
832 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
833 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
834 #endif
835
836 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
837 if( aes_padlock_ace )
838 {
839 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
840 return( 0 );
841
842 // If padlock data misaligned, we just fall back to
843 // unaccelerated mode
844 //
845 }
846 #endif
847
848 if( mode == MBEDTLS_AES_ENCRYPT )
849 mbedtls_aes_encrypt( ctx, input, output );
850 else
851 mbedtls_aes_decrypt( ctx, input, output );
852
853 return( 0 );
854 }
855
856 #if defined(MBEDTLS_CIPHER_MODE_CBC)
857 /*
858 * AES-CBC buffer encryption/decryption
859 */
mbedtls_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)860 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
861 int mode,
862 size_t length,
863 unsigned char iv[16],
864 const unsigned char *input,
865 unsigned char *output )
866 {
867 int i;
868 unsigned char temp[16];
869
870 if( length % 16 )
871 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
872
873 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
874 if( aes_padlock_ace )
875 {
876 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
877 return( 0 );
878
879 // If padlock data misaligned, we just fall back to
880 // unaccelerated mode
881 //
882 }
883 #endif
884
885 if( mode == MBEDTLS_AES_DECRYPT )
886 {
887 while( length > 0 )
888 {
889 memcpy( temp, input, 16 );
890 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
891
892 for( i = 0; i < 16; i++ )
893 output[i] = (unsigned char)( output[i] ^ iv[i] );
894
895 memcpy( iv, temp, 16 );
896
897 input += 16;
898 output += 16;
899 length -= 16;
900 }
901 }
902 else
903 {
904 while( length > 0 )
905 {
906 for( i = 0; i < 16; i++ )
907 output[i] = (unsigned char)( input[i] ^ iv[i] );
908
909 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
910 memcpy( iv, output, 16 );
911
912 input += 16;
913 output += 16;
914 length -= 16;
915 }
916 }
917
918 return( 0 );
919 }
920 #endif /* MBEDTLS_CIPHER_MODE_CBC */
921
922 #if defined(MBEDTLS_CIPHER_MODE_CFB)
923 /*
924 * AES-CFB128 buffer encryption/decryption
925 */
mbedtls_aes_crypt_cfb128(mbedtls_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)926 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
927 int mode,
928 size_t length,
929 size_t *iv_off,
930 unsigned char iv[16],
931 const unsigned char *input,
932 unsigned char *output )
933 {
934 int c;
935 size_t n = *iv_off;
936
937 if( mode == MBEDTLS_AES_DECRYPT )
938 {
939 while( length-- )
940 {
941 if( n == 0 )
942 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
943
944 c = *input++;
945 *output++ = (unsigned char)( c ^ iv[n] );
946 iv[n] = (unsigned char) c;
947
948 n = ( n + 1 ) & 0x0F;
949 }
950 }
951 else
952 {
953 while( length-- )
954 {
955 if( n == 0 )
956 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
957
958 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
959
960 n = ( n + 1 ) & 0x0F;
961 }
962 }
963
964 *iv_off = n;
965
966 return( 0 );
967 }
968
969 /*
970 * AES-CFB8 buffer encryption/decryption
971 */
mbedtls_aes_crypt_cfb8(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)972 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
973 int mode,
974 size_t length,
975 unsigned char iv[16],
976 const unsigned char *input,
977 unsigned char *output )
978 {
979 unsigned char c;
980 unsigned char ov[17];
981
982 while( length-- )
983 {
984 memcpy( ov, iv, 16 );
985 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
986
987 if( mode == MBEDTLS_AES_DECRYPT )
988 ov[16] = *input;
989
990 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
991
992 if( mode == MBEDTLS_AES_ENCRYPT )
993 ov[16] = c;
994
995 memcpy( iv, ov + 1, 16 );
996 }
997
998 return( 0 );
999 }
1000 #endif /*MBEDTLS_CIPHER_MODE_CFB */
1001
1002 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1003 /*
1004 * AES-CTR buffer encryption/decryption
1005 */
mbedtls_aes_crypt_ctr(mbedtls_aes_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)1006 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1007 size_t length,
1008 size_t *nc_off,
1009 unsigned char nonce_counter[16],
1010 unsigned char stream_block[16],
1011 const unsigned char *input,
1012 unsigned char *output )
1013 {
1014 int c, i;
1015 size_t n = *nc_off;
1016
1017 while( length-- )
1018 {
1019 if( n == 0 ) {
1020 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1021
1022 for( i = 16; i > 0; i-- )
1023 if( ++nonce_counter[i - 1] != 0 )
1024 break;
1025 }
1026 c = *input++;
1027 *output++ = (unsigned char)( c ^ stream_block[n] );
1028
1029 n = ( n + 1 ) & 0x0F;
1030 }
1031
1032 *nc_off = n;
1033
1034 return( 0 );
1035 }
1036 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1037
1038 #endif /* !MBEDTLS_AES_ALT */
1039
1040 #if defined(MBEDTLS_SELF_TEST)
1041 /*
1042 * AES test vectors from:
1043 *
1044 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1045 */
1046 static const unsigned char aes_test_ecb_dec[3][16] =
1047 {
1048 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1049 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1050 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1051 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1052 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1053 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1054 };
1055
1056 static const unsigned char aes_test_ecb_enc[3][16] =
1057 {
1058 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1059 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1060 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1061 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1062 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1063 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1064 };
1065
1066 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1067 static const unsigned char aes_test_cbc_dec[3][16] =
1068 {
1069 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1070 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1071 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1072 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1073 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1074 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1075 };
1076
1077 static const unsigned char aes_test_cbc_enc[3][16] =
1078 {
1079 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1080 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1081 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1082 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1083 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1084 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1085 };
1086 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1087
1088 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1089 /*
1090 * AES-CFB128 test vectors from:
1091 *
1092 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1093 */
1094 static const unsigned char aes_test_cfb128_key[3][32] =
1095 {
1096 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1097 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1098 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1099 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1100 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1101 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1102 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1103 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1104 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1105 };
1106
1107 static const unsigned char aes_test_cfb128_iv[16] =
1108 {
1109 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1110 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1111 };
1112
1113 static const unsigned char aes_test_cfb128_pt[64] =
1114 {
1115 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1116 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1117 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1118 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1119 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1120 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1121 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1122 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1123 };
1124
1125 static const unsigned char aes_test_cfb128_ct[3][64] =
1126 {
1127 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1128 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1129 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1130 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1131 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1132 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1133 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1134 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1135 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1136 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1137 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1138 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1139 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1140 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1141 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1142 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1143 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1144 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1145 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1146 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1147 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1148 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1149 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1150 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1151 };
1152 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1153
1154 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1155 /*
1156 * AES-CTR test vectors from:
1157 *
1158 * http://www.faqs.org/rfcs/rfc3686.html
1159 */
1160
1161 static const unsigned char aes_test_ctr_key[3][16] =
1162 {
1163 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1164 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1165 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1166 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1167 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1168 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1169 };
1170
1171 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1172 {
1173 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1174 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1175 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1176 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1177 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1178 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1179 };
1180
1181 static const unsigned char aes_test_ctr_pt[3][48] =
1182 {
1183 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1184 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1185
1186 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1187 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1188 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1189 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1190
1191 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1192 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1193 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1194 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1195 0x20, 0x21, 0x22, 0x23 }
1196 };
1197
1198 static const unsigned char aes_test_ctr_ct[3][48] =
1199 {
1200 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1201 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1202 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1203 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1204 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1205 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1206 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1207 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1208 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1209 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1210 0x25, 0xB2, 0x07, 0x2F }
1211 };
1212
1213 static const int aes_test_ctr_len[3] =
1214 { 16, 32, 36 };
1215 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1216
1217 /*
1218 * Checkup routine
1219 */
mbedtls_aes_self_test(int verbose)1220 int mbedtls_aes_self_test( int verbose )
1221 {
1222 int ret = 0, i, j, u, v;
1223 unsigned char key[32];
1224 unsigned char buf[64];
1225 unsigned char iv[16];
1226 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1227 unsigned char prv[16];
1228 #endif
1229 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
1230 size_t offset;
1231 #endif
1232 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1233 int len;
1234 unsigned char nonce_counter[16];
1235 unsigned char stream_block[16];
1236 #endif
1237 mbedtls_aes_context ctx;
1238
1239 memset( key, 0, 32 );
1240 mbedtls_aes_init( &ctx );
1241
1242 /*
1243 * ECB mode
1244 */
1245 for( i = 0; i < 6; i++ )
1246 {
1247 u = i >> 1;
1248 v = i & 1;
1249
1250 if( verbose != 0 )
1251 mbedtls_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1252 ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1253
1254 memset( buf, 0, 16 );
1255
1256 if( v == MBEDTLS_AES_DECRYPT )
1257 {
1258 mbedtls_aes_setkey_dec( &ctx, key, 128 + u * 64 );
1259
1260 for( j = 0; j < 10000; j++ )
1261 mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
1262
1263 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1264 {
1265 if( verbose != 0 )
1266 mbedtls_printf( "failed\n" );
1267
1268 ret = 1;
1269 goto exit;
1270 }
1271 }
1272 else
1273 {
1274 mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 );
1275
1276 for( j = 0; j < 10000; j++ )
1277 mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
1278
1279 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1280 {
1281 if( verbose != 0 )
1282 mbedtls_printf( "failed\n" );
1283
1284 ret = 1;
1285 goto exit;
1286 }
1287 }
1288
1289 if( verbose != 0 )
1290 mbedtls_printf( "passed\n" );
1291 }
1292
1293 if( verbose != 0 )
1294 mbedtls_printf( "\n" );
1295
1296 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1297 /*
1298 * CBC mode
1299 */
1300 for( i = 0; i < 6; i++ )
1301 {
1302 u = i >> 1;
1303 v = i & 1;
1304
1305 if( verbose != 0 )
1306 mbedtls_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1307 ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1308
1309 memset( iv , 0, 16 );
1310 memset( prv, 0, 16 );
1311 memset( buf, 0, 16 );
1312
1313 if( v == MBEDTLS_AES_DECRYPT )
1314 {
1315 mbedtls_aes_setkey_dec( &ctx, key, 128 + u * 64 );
1316
1317 for( j = 0; j < 10000; j++ )
1318 mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1319
1320 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1321 {
1322 if( verbose != 0 )
1323 mbedtls_printf( "failed\n" );
1324
1325 ret = 1;
1326 goto exit;
1327 }
1328 }
1329 else
1330 {
1331 mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 );
1332
1333 for( j = 0; j < 10000; j++ )
1334 {
1335 unsigned char tmp[16];
1336
1337 mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1338
1339 memcpy( tmp, prv, 16 );
1340 memcpy( prv, buf, 16 );
1341 memcpy( buf, tmp, 16 );
1342 }
1343
1344 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1345 {
1346 if( verbose != 0 )
1347 mbedtls_printf( "failed\n" );
1348
1349 ret = 1;
1350 goto exit;
1351 }
1352 }
1353
1354 if( verbose != 0 )
1355 mbedtls_printf( "passed\n" );
1356 }
1357
1358 if( verbose != 0 )
1359 mbedtls_printf( "\n" );
1360 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1361
1362 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1363 /*
1364 * CFB128 mode
1365 */
1366 for( i = 0; i < 6; i++ )
1367 {
1368 u = i >> 1;
1369 v = i & 1;
1370
1371 if( verbose != 0 )
1372 mbedtls_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1373 ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1374
1375 memcpy( iv, aes_test_cfb128_iv, 16 );
1376 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1377
1378 offset = 0;
1379 mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 );
1380
1381 if( v == MBEDTLS_AES_DECRYPT )
1382 {
1383 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1384 mbedtls_aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1385
1386 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1387 {
1388 if( verbose != 0 )
1389 mbedtls_printf( "failed\n" );
1390
1391 ret = 1;
1392 goto exit;
1393 }
1394 }
1395 else
1396 {
1397 memcpy( buf, aes_test_cfb128_pt, 64 );
1398 mbedtls_aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1399
1400 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1401 {
1402 if( verbose != 0 )
1403 mbedtls_printf( "failed\n" );
1404
1405 ret = 1;
1406 goto exit;
1407 }
1408 }
1409
1410 if( verbose != 0 )
1411 mbedtls_printf( "passed\n" );
1412 }
1413
1414 if( verbose != 0 )
1415 mbedtls_printf( "\n" );
1416 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1417
1418 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1419 /*
1420 * CTR mode
1421 */
1422 for( i = 0; i < 6; i++ )
1423 {
1424 u = i >> 1;
1425 v = i & 1;
1426
1427 if( verbose != 0 )
1428 mbedtls_printf( " AES-CTR-128 (%s): ",
1429 ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1430
1431 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1432 memcpy( key, aes_test_ctr_key[u], 16 );
1433
1434 offset = 0;
1435 mbedtls_aes_setkey_enc( &ctx, key, 128 );
1436
1437 if( v == MBEDTLS_AES_DECRYPT )
1438 {
1439 len = aes_test_ctr_len[u];
1440 memcpy( buf, aes_test_ctr_ct[u], len );
1441
1442 mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1443 buf, buf );
1444
1445 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1446 {
1447 if( verbose != 0 )
1448 mbedtls_printf( "failed\n" );
1449
1450 ret = 1;
1451 goto exit;
1452 }
1453 }
1454 else
1455 {
1456 len = aes_test_ctr_len[u];
1457 memcpy( buf, aes_test_ctr_pt[u], len );
1458
1459 mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1460 buf, buf );
1461
1462 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1463 {
1464 if( verbose != 0 )
1465 mbedtls_printf( "failed\n" );
1466
1467 ret = 1;
1468 goto exit;
1469 }
1470 }
1471
1472 if( verbose != 0 )
1473 mbedtls_printf( "passed\n" );
1474 }
1475
1476 if( verbose != 0 )
1477 mbedtls_printf( "\n" );
1478 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1479
1480 ret = 0;
1481
1482 exit:
1483 mbedtls_aes_free( &ctx );
1484
1485 return( ret );
1486 }
1487
1488 #endif /* MBEDTLS_SELF_TEST */
1489
1490 #endif /* MBEDTLS_AES_C */
1491