TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / refs/heads/dev/mbed-crypto-0.1.0-alpha / . / library / aes.c
blob: 4841243027b5033949a91f1c8d61ef64cecfc6e0 [file] [log] [blame]
Jaeden Ameroe54e6932018-08-06 16:19:58 +0100[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of Mbed Crypto (https://tls.mbed.org)
20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
28#if !defined(MBEDCRYPTO_CONFIG_FILE)
29#include "mbedcrypto/config.h"
30#else
31#include MBEDCRYPTO_CONFIG_FILE
32#endif
33
34#if defined(MBEDCRYPTO_AES_C)
35
36#include <string.h>
37
38#include "mbedcrypto/aes.h"
39#include "mbedcrypto/platform_util.h"
40#if defined(MBEDCRYPTO_PADLOCK_C)
41#include "mbedcrypto/padlock.h"
42#endif
43#if defined(MBEDCRYPTO_AESNI_C)
44#include "mbedcrypto/aesni.h"
45#endif
46
47#if defined(MBEDCRYPTO_SELF_TEST)
48#if defined(MBEDCRYPTO_PLATFORM_C)
49#include "mbedcrypto/platform.h"
50#else
51#include <stdio.h>
52#define mbedcrypto_printf printf
53#endif /* MBEDCRYPTO_PLATFORM_C */
54#endif /* MBEDCRYPTO_SELF_TEST */
55
56#if !defined(MBEDCRYPTO_AES_ALT)
57
58/*
59 * 32-bit integer manipulation macros (little endian)
60 */
61#ifndef GET_UINT32_LE
62#define GET_UINT32_LE(n,b,i) \
63{ \
64 (n) = ( (uint32_t) (b)[(i) ] ) \
65 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
67 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
68}
69#endif
70
71#ifndef PUT_UINT32_LE
72#define PUT_UINT32_LE(n,b,i) \
73{ \
74 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
75 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
76 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
77 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
78}
79#endif
80
81#if defined(MBEDCRYPTO_PADLOCK_C) && \
82 ( defined(MBEDCRYPTO_HAVE_X86) || defined(MBEDCRYPTO_PADLOCK_ALIGN16) )
83static int aes_padlock_ace = -1;
84#endif
85
86#if defined(MBEDCRYPTO_AES_ROM_TABLES)
87/*
88 * Forward S-box
89 */
90static const unsigned char FSb[256] =
91{
92 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
93 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
94 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
95 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
96 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
97 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
98 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
99 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
100 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
101 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
102 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
103 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
104 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
105 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
106 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
107 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
108 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
109 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
110 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
111 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
112 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
113 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
114 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
115 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
116 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
117 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
118 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
119 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
120 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
121 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
122 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
123 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
124};
125
126/*
127 * Forward tables
128 */
129#define FT \
130\
131 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
132 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
133 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
134 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
135 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
136 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
137 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
138 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
139 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
140 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
141 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
142 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
143 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
144 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
145 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
146 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
147 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
148 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
149 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
150 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
151 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
152 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
153 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
154 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
155 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
156 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
157 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
158 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
159 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
160 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
161 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
162 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
163 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
164 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
165 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
166 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
167 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
168 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
169 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
170 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
171 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
172 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
173 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
174 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
175 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
176 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
177 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
178 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
179 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
180 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
181 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
182 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
183 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
184 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
185 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
186 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
187 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
188 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
189 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
190 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
191 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
192 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
193 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
194 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
195
196#define V(a,b,c,d) 0x##a##b##c##d
197static const uint32_t FT0[256] = { FT };
198#undef V
199
200#if !defined(MBEDCRYPTO_AES_FEWER_TABLES)
201
202#define V(a,b,c,d) 0x##b##c##d##a
203static const uint32_t FT1[256] = { FT };
204#undef V
205
206#define V(a,b,c,d) 0x##c##d##a##b
207static const uint32_t FT2[256] = { FT };
208#undef V
209
210#define V(a,b,c,d) 0x##d##a##b##c
211static const uint32_t FT3[256] = { FT };
212#undef V
213
214#endif /* !MBEDCRYPTO_AES_FEWER_TABLES */
215
216#undef FT
217
218/*
219 * Reverse S-box
220 */
221static const unsigned char RSb[256] =
222{
223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
255};
256
257/*
258 * Reverse tables
259 */
260#define RT \
261\
262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
326
327#define V(a,b,c,d) 0x##a##b##c##d
328static const uint32_t RT0[256] = { RT };
329#undef V
330
331#if !defined(MBEDCRYPTO_AES_FEWER_TABLES)
332
333#define V(a,b,c,d) 0x##b##c##d##a
334static const uint32_t RT1[256] = { RT };
335#undef V
336
337#define V(a,b,c,d) 0x##c##d##a##b
338static const uint32_t RT2[256] = { RT };
339#undef V
340
341#define V(a,b,c,d) 0x##d##a##b##c
342static const uint32_t RT3[256] = { RT };
343#undef V
344
345#endif /* !MBEDCRYPTO_AES_FEWER_TABLES */
346
347#undef RT
348
349/*
350 * Round constants
351 */
352static const uint32_t RCON[10] =
353{
354 0x00000001, 0x00000002, 0x00000004, 0x00000008,
355 0x00000010, 0x00000020, 0x00000040, 0x00000080,
356 0x0000001B, 0x00000036
357};
358
359#else /* MBEDCRYPTO_AES_ROM_TABLES */
360
361/*
362 * Forward S-box & tables
363 */
364static unsigned char FSb[256];
365static uint32_t FT0[256];
366#if !defined(MBEDCRYPTO_AES_FEWER_TABLES)
367static uint32_t FT1[256];
368static uint32_t FT2[256];
369static uint32_t FT3[256];
370#endif /* !MBEDCRYPTO_AES_FEWER_TABLES */
371
372/*
373 * Reverse S-box & tables
374 */
375static unsigned char RSb[256];
376static uint32_t RT0[256];
377#if !defined(MBEDCRYPTO_AES_FEWER_TABLES)
378static uint32_t RT1[256];
379static uint32_t RT2[256];
380static uint32_t RT3[256];
381#endif /* !MBEDCRYPTO_AES_FEWER_TABLES */
382
383/*
384 * Round constants
385 */
386static uint32_t RCON[10];
387
388/*
389 * Tables generation code
390 */
391#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
392#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
393#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
394
395static int aes_init_done = 0;
396
397static void aes_gen_tables( void )
398{
399 int i, x, y, z;
400 int pow[256];
401 int log[256];
402
403 /*
404 * compute pow and log tables over GF(2^8)
405 */
406 for( i = 0, x = 1; i < 256; i++ )
407 {
408 pow[i] = x;
409 log[x] = i;
410 x = ( x ^ XTIME( x ) ) & 0xFF;
411 }
412
413 /*
414 * calculate the round constants
415 */
416 for( i = 0, x = 1; i < 10; i++ )
417 {
418 RCON[i] = (uint32_t) x;
419 x = XTIME( x ) & 0xFF;
420 }
421
422 /*
423 * generate the forward and reverse S-boxes
424 */
425 FSb[0x00] = 0x63;
426 RSb[0x63] = 0x00;
427
428 for( i = 1; i < 256; i++ )
429 {
430 x = pow[255 - log[i]];
431
432 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
433 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
434 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
436 x ^= y ^ 0x63;
437
438 FSb[i] = (unsigned char) x;
439 RSb[x] = (unsigned char) i;
440 }
441
442 /*
443 * generate the forward and reverse tables
444 */
445 for( i = 0; i < 256; i++ )
446 {
447 x = FSb[i];
448 y = XTIME( x ) & 0xFF;
449 z = ( y ^ x ) & 0xFF;
450
451 FT0[i] = ( (uint32_t) y ) ^
452 ( (uint32_t) x << 8 ) ^
453 ( (uint32_t) x << 16 ) ^
454 ( (uint32_t) z << 24 );
455
456#if !defined(MBEDCRYPTO_AES_FEWER_TABLES)
457 FT1[i] = ROTL8( FT0[i] );
458 FT2[i] = ROTL8( FT1[i] );
459 FT3[i] = ROTL8( FT2[i] );
460#endif /* !MBEDCRYPTO_AES_FEWER_TABLES */
461
462 x = RSb[i];
463
464 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
465 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
466 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
467 ( (uint32_t) MUL( 0x0B, x ) << 24 );
468
469#if !defined(MBEDCRYPTO_AES_FEWER_TABLES)
470 RT1[i] = ROTL8( RT0[i] );
471 RT2[i] = ROTL8( RT1[i] );
472 RT3[i] = ROTL8( RT2[i] );
473#endif /* !MBEDCRYPTO_AES_FEWER_TABLES */
474 }
475}
476
477#undef ROTL8
478
479#endif /* MBEDCRYPTO_AES_ROM_TABLES */
480
481#if defined(MBEDCRYPTO_AES_FEWER_TABLES)
482
483#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
484#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
485#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
486
487#define AES_RT0(idx) RT0[idx]
488#define AES_RT1(idx) ROTL8( RT0[idx] )
489#define AES_RT2(idx) ROTL16( RT0[idx] )
490#define AES_RT3(idx) ROTL24( RT0[idx] )
491
492#define AES_FT0(idx) FT0[idx]
493#define AES_FT1(idx) ROTL8( FT0[idx] )
494#define AES_FT2(idx) ROTL16( FT0[idx] )
495#define AES_FT3(idx) ROTL24( FT0[idx] )
496
497#else /* MBEDCRYPTO_AES_FEWER_TABLES */
498
499#define AES_RT0(idx) RT0[idx]
500#define AES_RT1(idx) RT1[idx]
501#define AES_RT2(idx) RT2[idx]
502#define AES_RT3(idx) RT3[idx]
503
504#define AES_FT0(idx) FT0[idx]
505#define AES_FT1(idx) FT1[idx]
506#define AES_FT2(idx) FT2[idx]
507#define AES_FT3(idx) FT3[idx]
508
509#endif /* MBEDCRYPTO_AES_FEWER_TABLES */
510
511void mbedcrypto_aes_init( mbedcrypto_aes_context *ctx )
512{
513 memset( ctx, 0, sizeof( mbedcrypto_aes_context ) );
514}
515
516void mbedcrypto_aes_free( mbedcrypto_aes_context *ctx )
517{
518 if( ctx == NULL )
519 return;
520
521 mbedcrypto_platform_zeroize( ctx, sizeof( mbedcrypto_aes_context ) );
522}
523
524/*
525 * AES key schedule (encryption)
526 */
527#if !defined(MBEDCRYPTO_AES_SETKEY_ENC_ALT)
528int mbedcrypto_aes_setkey_enc( mbedcrypto_aes_context *ctx, const unsigned char *key,
529 unsigned int keybits )
530{
531 unsigned int i;
532 uint32_t *RK;
533
534#if !defined(MBEDCRYPTO_AES_ROM_TABLES)
535 if( aes_init_done == 0 )
536 {
537 aes_gen_tables();
538 aes_init_done = 1;
539
540 }
541#endif
542
543 switch( keybits )
544 {
545 case 128: ctx->nr = 10; break;
546 case 192: ctx->nr = 12; break;
547 case 256: ctx->nr = 14; break;
548 default : return( MBEDCRYPTO_ERR_AES_INVALID_KEY_LENGTH );
549 }
550
551#if defined(MBEDCRYPTO_PADLOCK_C) && defined(MBEDCRYPTO_PADLOCK_ALIGN16)
552 if( aes_padlock_ace == -1 )
553 aes_padlock_ace = mbedcrypto_padlock_has_support( MBEDCRYPTO_PADLOCK_ACE );
554
555 if( aes_padlock_ace )
556 ctx->rk = RK = MBEDCRYPTO_PADLOCK_ALIGN16( ctx->buf );
557 else
558#endif
559 ctx->rk = RK = ctx->buf;
560
561#if defined(MBEDCRYPTO_AESNI_C) && defined(MBEDCRYPTO_HAVE_X86_64)
562 if( mbedcrypto_aesni_has_support( MBEDCRYPTO_AESNI_AES ) )
563 return( mbedcrypto_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
564#endif
565
566 for( i = 0; i < ( keybits >> 5 ); i++ )
567 {
568 GET_UINT32_LE( RK[i], key, i << 2 );
569 }
570
571 switch( ctx->nr )
572 {
573 case 10:
574
575 for( i = 0; i < 10; i++, RK += 4 )
576 {
577 RK[4] = RK[0] ^ RCON[i] ^
578 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
579 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
580 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
581 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
582
583 RK[5] = RK[1] ^ RK[4];
584 RK[6] = RK[2] ^ RK[5];
585 RK[7] = RK[3] ^ RK[6];
586 }
587 break;
588
589 case 12:
590
591 for( i = 0; i < 8; i++, RK += 6 )
592 {
593 RK[6] = RK[0] ^ RCON[i] ^
594 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
595 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
596 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
597 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
598
599 RK[7] = RK[1] ^ RK[6];
600 RK[8] = RK[2] ^ RK[7];
601 RK[9] = RK[3] ^ RK[8];
602 RK[10] = RK[4] ^ RK[9];
603 RK[11] = RK[5] ^ RK[10];
604 }
605 break;
606
607 case 14:
608
609 for( i = 0; i < 7; i++, RK += 8 )
610 {
611 RK[8] = RK[0] ^ RCON[i] ^
612 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
613 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
614 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
615 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
616
617 RK[9] = RK[1] ^ RK[8];
618 RK[10] = RK[2] ^ RK[9];
619 RK[11] = RK[3] ^ RK[10];
620
621 RK[12] = RK[4] ^
622 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
623 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
624 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
625 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
626
627 RK[13] = RK[5] ^ RK[12];
628 RK[14] = RK[6] ^ RK[13];
629 RK[15] = RK[7] ^ RK[14];
630 }
631 break;
632 }
633
634 return( 0 );
635}
636#endif /* !MBEDCRYPTO_AES_SETKEY_ENC_ALT */
637
638/*
639 * AES key schedule (decryption)
640 */
641#if !defined(MBEDCRYPTO_AES_SETKEY_DEC_ALT)
642int mbedcrypto_aes_setkey_dec( mbedcrypto_aes_context *ctx, const unsigned char *key,
643 unsigned int keybits )
644{
645 int i, j, ret;
646 mbedcrypto_aes_context cty;
647 uint32_t *RK;
648 uint32_t *SK;
649
650 mbedcrypto_aes_init( &cty );
651
652#if defined(MBEDCRYPTO_PADLOCK_C) && defined(MBEDCRYPTO_PADLOCK_ALIGN16)
653 if( aes_padlock_ace == -1 )
654 aes_padlock_ace = mbedcrypto_padlock_has_support( MBEDCRYPTO_PADLOCK_ACE );
655
656 if( aes_padlock_ace )
657 ctx->rk = RK = MBEDCRYPTO_PADLOCK_ALIGN16( ctx->buf );
658 else
659#endif
660 ctx->rk = RK = ctx->buf;
661
662 /* Also checks keybits */
663 if( ( ret = mbedcrypto_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
664 goto exit;
665
666 ctx->nr = cty.nr;
667
668#if defined(MBEDCRYPTO_AESNI_C) && defined(MBEDCRYPTO_HAVE_X86_64)
669 if( mbedcrypto_aesni_has_support( MBEDCRYPTO_AESNI_AES ) )
670 {
671 mbedcrypto_aesni_inverse_key( (unsigned char *) ctx->rk,
672 (const unsigned char *) cty.rk, ctx->nr );
673 goto exit;
674 }
675#endif
676
677 SK = cty.rk + cty.nr * 4;
678
679 *RK++ = *SK++;
680 *RK++ = *SK++;
681 *RK++ = *SK++;
682 *RK++ = *SK++;
683
684 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
685 {
686 for( j = 0; j < 4; j++, SK++ )
687 {
688 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
689 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
690 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
691 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
692 }
693 }
694
695 *RK++ = *SK++;
696 *RK++ = *SK++;
697 *RK++ = *SK++;
698 *RK++ = *SK++;
699
700exit:
701 mbedcrypto_aes_free( &cty );
702
703 return( ret );
704}
705#endif /* !MBEDCRYPTO_AES_SETKEY_DEC_ALT */
706
707#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
708{ \
709 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
710 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
711 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
712 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
713 \
714 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
715 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
716 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
717 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
718 \
719 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
720 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
721 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
722 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
723 \
724 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
725 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
726 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
727 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
728}
729
730#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
731{ \
732 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
733 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
734 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
735 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
736 \
737 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
738 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
739 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
740 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
741 \
742 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
743 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
744 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
745 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
746 \
747 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
748 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
749 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
750 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
751}
752
753/*
754 * AES-ECB block encryption
755 */
756#if !defined(MBEDCRYPTO_AES_ENCRYPT_ALT)
757int mbedcrypto_internal_aes_encrypt( mbedcrypto_aes_context *ctx,
758 const unsigned char input[16],
759 unsigned char output[16] )
760{
761 int i;
762 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
763
764 RK = ctx->rk;
765
766 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
767 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
768 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
769 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
770
771 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
772 {
773 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
774 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
775 }
776
777 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
778
779 X0 = *RK++ ^ \
780 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
781 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
782 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
783 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
784
785 X1 = *RK++ ^ \
786 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
787 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
788 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
789 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
790
791 X2 = *RK++ ^ \
792 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
793 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
794 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
795 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
796
797 X3 = *RK++ ^ \
798 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
799 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
800 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
801 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
802
803 PUT_UINT32_LE( X0, output, 0 );
804 PUT_UINT32_LE( X1, output, 4 );
805 PUT_UINT32_LE( X2, output, 8 );
806 PUT_UINT32_LE( X3, output, 12 );
807
808 return( 0 );
809}
810#endif /* !MBEDCRYPTO_AES_ENCRYPT_ALT */
811
812#if !defined(MBEDCRYPTO_DEPRECATED_REMOVED)
813void mbedcrypto_aes_encrypt( mbedcrypto_aes_context *ctx,
814 const unsigned char input[16],
815 unsigned char output[16] )
816{
817 mbedcrypto_internal_aes_encrypt( ctx, input, output );
818}
819#endif /* !MBEDCRYPTO_DEPRECATED_REMOVED */
820
821/*
822 * AES-ECB block decryption
823 */
824#if !defined(MBEDCRYPTO_AES_DECRYPT_ALT)
825int mbedcrypto_internal_aes_decrypt( mbedcrypto_aes_context *ctx,
826 const unsigned char input[16],
827 unsigned char output[16] )
828{
829 int i;
830 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
831
832 RK = ctx->rk;
833
834 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
835 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
836 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
837 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
838
839 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
840 {
841 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
842 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
843 }
844
845 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
846
847 X0 = *RK++ ^ \
848 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
849 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
850 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
851 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
852
853 X1 = *RK++ ^ \
854 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
855 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
856 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
857 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
858
859 X2 = *RK++ ^ \
860 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
861 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
862 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
863 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
864
865 X3 = *RK++ ^ \
866 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
867 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
868 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
869 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
870
871 PUT_UINT32_LE( X0, output, 0 );
872 PUT_UINT32_LE( X1, output, 4 );
873 PUT_UINT32_LE( X2, output, 8 );
874 PUT_UINT32_LE( X3, output, 12 );
875
876 return( 0 );
877}
878#endif /* !MBEDCRYPTO_AES_DECRYPT_ALT */
879
880#if !defined(MBEDCRYPTO_DEPRECATED_REMOVED)
881void mbedcrypto_aes_decrypt( mbedcrypto_aes_context *ctx,
882 const unsigned char input[16],
883 unsigned char output[16] )
884{
885 mbedcrypto_internal_aes_decrypt( ctx, input, output );
886}
887#endif /* !MBEDCRYPTO_DEPRECATED_REMOVED */
888
889/*
890 * AES-ECB block encryption/decryption
891 */
892int mbedcrypto_aes_crypt_ecb( mbedcrypto_aes_context *ctx,
893 int mode,
894 const unsigned char input[16],
895 unsigned char output[16] )
896{
897#if defined(MBEDCRYPTO_AESNI_C) && defined(MBEDCRYPTO_HAVE_X86_64)
898 if( mbedcrypto_aesni_has_support( MBEDCRYPTO_AESNI_AES ) )
899 return( mbedcrypto_aesni_crypt_ecb( ctx, mode, input, output ) );
900#endif
901
902#if defined(MBEDCRYPTO_PADLOCK_C) && defined(MBEDCRYPTO_HAVE_X86)
903 if( aes_padlock_ace )
904 {
905 if( mbedcrypto_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
906 return( 0 );
907
908 // If padlock data misaligned, we just fall back to
909 // unaccelerated mode
910 //
911 }
912#endif
913
914 if( mode == MBEDCRYPTO_AES_ENCRYPT )
915 return( mbedcrypto_internal_aes_encrypt( ctx, input, output ) );
916 else
917 return( mbedcrypto_internal_aes_decrypt( ctx, input, output ) );
918}
919
920#if defined(MBEDCRYPTO_CIPHER_MODE_CBC)
921/*
922 * AES-CBC buffer encryption/decryption
923 */
924int mbedcrypto_aes_crypt_cbc( mbedcrypto_aes_context *ctx,
925 int mode,
926 size_t length,
927 unsigned char iv[16],
928 const unsigned char *input,
929 unsigned char *output )
930{
931 int i;
932 unsigned char temp[16];
933
934 if( length % 16 )
935 return( MBEDCRYPTO_ERR_AES_INVALID_INPUT_LENGTH );
936
937#if defined(MBEDCRYPTO_PADLOCK_C) && defined(MBEDCRYPTO_HAVE_X86)
938 if( aes_padlock_ace )
939 {
940 if( mbedcrypto_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
941 return( 0 );
942
943 // If padlock data misaligned, we just fall back to
944 // unaccelerated mode
945 //
946 }
947#endif
948
949 if( mode == MBEDCRYPTO_AES_DECRYPT )
950 {
951 while( length > 0 )
952 {
953 memcpy( temp, input, 16 );
954 mbedcrypto_aes_crypt_ecb( ctx, mode, input, output );
955
956 for( i = 0; i < 16; i++ )
957 output[i] = (unsigned char)( output[i] ^ iv[i] );
958
959 memcpy( iv, temp, 16 );
960
961 input += 16;
962 output += 16;
963 length -= 16;
964 }
965 }
966 else
967 {
968 while( length > 0 )
969 {
970 for( i = 0; i < 16; i++ )
971 output[i] = (unsigned char)( input[i] ^ iv[i] );
972
973 mbedcrypto_aes_crypt_ecb( ctx, mode, output, output );
974 memcpy( iv, output, 16 );
975
976 input += 16;
977 output += 16;
978 length -= 16;
979 }
980 }
981
982 return( 0 );
983}
984#endif /* MBEDCRYPTO_CIPHER_MODE_CBC */
985
986#if defined(MBEDCRYPTO_CIPHER_MODE_CFB)
987/*
988 * AES-CFB128 buffer encryption/decryption
989 */
990int mbedcrypto_aes_crypt_cfb128( mbedcrypto_aes_context *ctx,
991 int mode,
992 size_t length,
993 size_t *iv_off,
994 unsigned char iv[16],
995 const unsigned char *input,
996 unsigned char *output )
997{
998 int c;
999 size_t n = *iv_off;
1000
1001 if( mode == MBEDCRYPTO_AES_DECRYPT )
1002 {
1003 while( length-- )
1004 {
1005 if( n == 0 )
1006 mbedcrypto_aes_crypt_ecb( ctx, MBEDCRYPTO_AES_ENCRYPT, iv, iv );
1007
1008 c = *input++;
1009 *output++ = (unsigned char)( c ^ iv[n] );
1010 iv[n] = (unsigned char) c;
1011
1012 n = ( n + 1 ) & 0x0F;
1013 }
1014 }
1015 else
1016 {
1017 while( length-- )
1018 {
1019 if( n == 0 )
1020 mbedcrypto_aes_crypt_ecb( ctx, MBEDCRYPTO_AES_ENCRYPT, iv, iv );
1021
1022 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1023
1024 n = ( n + 1 ) & 0x0F;
1025 }
1026 }
1027
1028 *iv_off = n;
1029
1030 return( 0 );
1031}
1032
1033/*
1034 * AES-CFB8 buffer encryption/decryption
1035 */
1036int mbedcrypto_aes_crypt_cfb8( mbedcrypto_aes_context *ctx,
1037 int mode,
1038 size_t length,
1039 unsigned char iv[16],
1040 const unsigned char *input,
1041 unsigned char *output )
1042{
1043 unsigned char c;
1044 unsigned char ov[17];
1045
1046 while( length-- )
1047 {
1048 memcpy( ov, iv, 16 );
1049 mbedcrypto_aes_crypt_ecb( ctx, MBEDCRYPTO_AES_ENCRYPT, iv, iv );
1050
1051 if( mode == MBEDCRYPTO_AES_DECRYPT )
1052 ov[16] = *input;
1053
1054 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1055
1056 if( mode == MBEDCRYPTO_AES_ENCRYPT )
1057 ov[16] = c;
1058
1059 memcpy( iv, ov + 1, 16 );
1060 }
1061
1062 return( 0 );
1063}
1064#endif /*MBEDCRYPTO_CIPHER_MODE_CFB */
1065
1066#if defined(MBEDCRYPTO_CIPHER_MODE_CTR)
1067/*
1068 * AES-CTR buffer encryption/decryption
1069 */
1070int mbedcrypto_aes_crypt_ctr( mbedcrypto_aes_context *ctx,
1071 size_t length,
1072 size_t *nc_off,
1073 unsigned char nonce_counter[16],
1074 unsigned char stream_block[16],
1075 const unsigned char *input,
1076 unsigned char *output )
1077{
1078 int c, i;
1079 size_t n = *nc_off;
1080
1081 while( length-- )
1082 {
1083 if( n == 0 ) {
1084 mbedcrypto_aes_crypt_ecb( ctx, MBEDCRYPTO_AES_ENCRYPT, nonce_counter, stream_block );
1085
1086 for( i = 16; i > 0; i-- )
1087 if( ++nonce_counter[i - 1] != 0 )
1088 break;
1089 }
1090 c = *input++;
1091 *output++ = (unsigned char)( c ^ stream_block[n] );
1092
1093 n = ( n + 1 ) & 0x0F;
1094 }
1095
1096 *nc_off = n;
1097
1098 return( 0 );
1099}
1100#endif /* MBEDCRYPTO_CIPHER_MODE_CTR */
1101
1102#endif /* !MBEDCRYPTO_AES_ALT */
1103
1104#if defined(MBEDCRYPTO_SELF_TEST)
1105/*
1106 * AES test vectors from:
1107 *
1108 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1109 */
1110static const unsigned char aes_test_ecb_dec[3][16] =
1111{
1112 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1113 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1114 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1115 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1116 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1117 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1118};
1119
1120static const unsigned char aes_test_ecb_enc[3][16] =
1121{
1122 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1123 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1124 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1125 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1126 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1127 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1128};
1129
1130#if defined(MBEDCRYPTO_CIPHER_MODE_CBC)
1131static const unsigned char aes_test_cbc_dec[3][16] =
1132{
1133 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1134 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1135 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1136 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1137 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1138 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1139};
1140
1141static const unsigned char aes_test_cbc_enc[3][16] =
1142{
1143 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1144 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1145 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1146 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1147 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1148 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1149};
1150#endif /* MBEDCRYPTO_CIPHER_MODE_CBC */
1151
1152#if defined(MBEDCRYPTO_CIPHER_MODE_CFB)
1153/*
1154 * AES-CFB128 test vectors from:
1155 *
1156 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1157 */
1158static const unsigned char aes_test_cfb128_key[3][32] =
1159{
1160 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1161 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1162 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1163 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1164 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1165 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1166 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1167 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1168 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1169};
1170
1171static const unsigned char aes_test_cfb128_iv[16] =
1172{
1173 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1174 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1175};
1176
1177static const unsigned char aes_test_cfb128_pt[64] =
1178{
1179 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1180 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1181 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1182 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1183 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1184 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1185 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1186 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1187};
1188
1189static const unsigned char aes_test_cfb128_ct[3][64] =
1190{
1191 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1192 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1193 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1194 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1195 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1196 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1197 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1198 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1199 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1200 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1201 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1202 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1203 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1204 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1205 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1206 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1207 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1208 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1209 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1210 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1211 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1212 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1213 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1214 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1215};
1216#endif /* MBEDCRYPTO_CIPHER_MODE_CFB */
1217
1218#if defined(MBEDCRYPTO_CIPHER_MODE_CTR)
1219/*
1220 * AES-CTR test vectors from:
1221 *
1222 * http://www.faqs.org/rfcs/rfc3686.html
1223 */
1224
1225static const unsigned char aes_test_ctr_key[3][16] =
1226{
1227 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1228 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1229 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1230 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1231 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1232 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1233};
1234
1235static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1236{
1237 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1239 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1240 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1241 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1242 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1243};
1244
1245static const unsigned char aes_test_ctr_pt[3][48] =
1246{
1247 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1248 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1249
1250 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1251 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1252 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1253 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1254
1255 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1256 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1257 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1258 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1259 0x20, 0x21, 0x22, 0x23 }
1260};
1261
1262static const unsigned char aes_test_ctr_ct[3][48] =
1263{
1264 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1265 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1266 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1267 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1268 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1269 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1270 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1271 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1272 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1273 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1274 0x25, 0xB2, 0x07, 0x2F }
1275};
1276
1277static const int aes_test_ctr_len[3] =
1278 { 16, 32, 36 };
1279#endif /* MBEDCRYPTO_CIPHER_MODE_CTR */
1280
1281/*
1282 * Checkup routine
1283 */
1284int mbedcrypto_aes_self_test( int verbose )
1285{
1286 int ret = 0, i, j, u, mode;
1287 unsigned int keybits;
1288 unsigned char key[32];
1289 unsigned char buf[64];
1290 const unsigned char *aes_tests;
1291#if defined(MBEDCRYPTO_CIPHER_MODE_CBC) || defined(MBEDCRYPTO_CIPHER_MODE_CFB)
1292 unsigned char iv[16];
1293#endif
1294#if defined(MBEDCRYPTO_CIPHER_MODE_CBC)
1295 unsigned char prv[16];
1296#endif
1297#if defined(MBEDCRYPTO_CIPHER_MODE_CTR) || defined(MBEDCRYPTO_CIPHER_MODE_CFB)
1298 size_t offset;
1299#endif
1300#if defined(MBEDCRYPTO_CIPHER_MODE_CTR)
1301 int len;
1302 unsigned char nonce_counter[16];
1303 unsigned char stream_block[16];
1304#endif
1305 mbedcrypto_aes_context ctx;
1306
1307 memset( key, 0, 32 );
1308 mbedcrypto_aes_init( &ctx );
1309
1310 /*
1311 * ECB mode
1312 */
1313 for( i = 0; i < 6; i++ )
1314 {
1315 u = i >> 1;
1316 keybits = 128 + u * 64;
1317 mode = i & 1;
1318
1319 if( verbose != 0 )
1320 mbedcrypto_printf( " AES-ECB-%3d (%s): ", keybits,
1321 ( mode == MBEDCRYPTO_AES_DECRYPT ) ? "dec" : "enc" );
1322
1323 memset( buf, 0, 16 );
1324
1325 if( mode == MBEDCRYPTO_AES_DECRYPT )
1326 {
1327 ret = mbedcrypto_aes_setkey_dec( &ctx, key, keybits );
1328 aes_tests = aes_test_ecb_dec[u];
1329 }
1330 else
1331 {
1332 ret = mbedcrypto_aes_setkey_enc( &ctx, key, keybits );
1333 aes_tests = aes_test_ecb_enc[u];
1334 }
1335
1336 /*
1337 * AES-192 is an optional feature that may be unavailable when
1338 * there is an alternative underlying implementation i.e. when
1339 * MBEDCRYPTO_AES_ALT is defined.
1340 */
1341 if( ret == MBEDCRYPTO_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1342 {
1343 mbedcrypto_printf( "skipped\n" );
1344 continue;
1345 }
1346 else if( ret != 0 )
1347 {
1348 goto exit;
1349 }
1350
1351 for( j = 0; j < 10000; j++ )
1352 {
1353 ret = mbedcrypto_aes_crypt_ecb( &ctx, mode, buf, buf );
1354 if( ret != 0 )
1355 goto exit;
1356 }
1357
1358 if( memcmp( buf, aes_tests, 16 ) != 0 )
1359 {
1360 ret = 1;
1361 goto exit;
1362 }
1363
1364 if( verbose != 0 )
1365 mbedcrypto_printf( "passed\n" );
1366 }
1367
1368 if( verbose != 0 )
1369 mbedcrypto_printf( "\n" );
1370
1371#if defined(MBEDCRYPTO_CIPHER_MODE_CBC)
1372 /*
1373 * CBC mode
1374 */
1375 for( i = 0; i < 6; i++ )
1376 {
1377 u = i >> 1;
1378 keybits = 128 + u * 64;
1379 mode = i & 1;
1380
1381 if( verbose != 0 )
1382 mbedcrypto_printf( " AES-CBC-%3d (%s): ", keybits,
1383 ( mode == MBEDCRYPTO_AES_DECRYPT ) ? "dec" : "enc" );
1384
1385 memset( iv , 0, 16 );
1386 memset( prv, 0, 16 );
1387 memset( buf, 0, 16 );
1388
1389 if( mode == MBEDCRYPTO_AES_DECRYPT )
1390 {
1391 ret = mbedcrypto_aes_setkey_dec( &ctx, key, keybits );
1392 aes_tests = aes_test_cbc_dec[u];
1393 }
1394 else
1395 {
1396 ret = mbedcrypto_aes_setkey_enc( &ctx, key, keybits );
1397 aes_tests = aes_test_cbc_enc[u];
1398 }
1399
1400 /*
1401 * AES-192 is an optional feature that may be unavailable when
1402 * there is an alternative underlying implementation i.e. when
1403 * MBEDCRYPTO_AES_ALT is defined.
1404 */
1405 if( ret == MBEDCRYPTO_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1406 {
1407 mbedcrypto_printf( "skipped\n" );
1408 continue;
1409 }
1410 else if( ret != 0 )
1411 {
1412 goto exit;
1413 }
1414
1415 for( j = 0; j < 10000; j++ )
1416 {
1417 if( mode == MBEDCRYPTO_AES_ENCRYPT )
1418 {
1419 unsigned char tmp[16];
1420
1421 memcpy( tmp, prv, 16 );
1422 memcpy( prv, buf, 16 );
1423 memcpy( buf, tmp, 16 );
1424 }
1425
1426 ret = mbedcrypto_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1427 if( ret != 0 )
1428 goto exit;
1429
1430 }
1431
1432 if( memcmp( buf, aes_tests, 16 ) != 0 )
1433 {
1434 ret = 1;
1435 goto exit;
1436 }
1437
1438 if( verbose != 0 )
1439 mbedcrypto_printf( "passed\n" );
1440 }
1441
1442 if( verbose != 0 )
1443 mbedcrypto_printf( "\n" );
1444#endif /* MBEDCRYPTO_CIPHER_MODE_CBC */
1445
1446#if defined(MBEDCRYPTO_CIPHER_MODE_CFB)
1447 /*
1448 * CFB128 mode
1449 */
1450 for( i = 0; i < 6; i++ )
1451 {
1452 u = i >> 1;
1453 keybits = 128 + u * 64;
1454 mode = i & 1;
1455
1456 if( verbose != 0 )
1457 mbedcrypto_printf( " AES-CFB128-%3d (%s): ", keybits,
1458 ( mode == MBEDCRYPTO_AES_DECRYPT ) ? "dec" : "enc" );
1459
1460 memcpy( iv, aes_test_cfb128_iv, 16 );
1461 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
1462
1463 offset = 0;
1464 ret = mbedcrypto_aes_setkey_enc( &ctx, key, keybits );
1465 /*
1466 * AES-192 is an optional feature that may be unavailable when
1467 * there is an alternative underlying implementation i.e. when
1468 * MBEDCRYPTO_AES_ALT is defined.
1469 */
1470 if( ret == MBEDCRYPTO_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1471 {
1472 mbedcrypto_printf( "skipped\n" );
1473 continue;
1474 }
1475 else if( ret != 0 )
1476 {
1477 goto exit;
1478 }
1479
1480 if( mode == MBEDCRYPTO_AES_DECRYPT )
1481 {
1482 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1483 aes_tests = aes_test_cfb128_pt;
1484 }
1485 else
1486 {
1487 memcpy( buf, aes_test_cfb128_pt, 64 );
1488 aes_tests = aes_test_cfb128_ct[u];
1489 }
1490
1491 ret = mbedcrypto_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1492 if( ret != 0 )
1493 goto exit;
1494
1495 if( memcmp( buf, aes_tests, 64 ) != 0 )
1496 {
1497 ret = 1;
1498 goto exit;
1499 }
1500
1501 if( verbose != 0 )
1502 mbedcrypto_printf( "passed\n" );
1503 }
1504
1505 if( verbose != 0 )
1506 mbedcrypto_printf( "\n" );
1507#endif /* MBEDCRYPTO_CIPHER_MODE_CFB */
1508
1509#if defined(MBEDCRYPTO_CIPHER_MODE_CTR)
1510 /*
1511 * CTR mode
1512 */
1513 for( i = 0; i < 6; i++ )
1514 {
1515 u = i >> 1;
1516 mode = i & 1;
1517
1518 if( verbose != 0 )
1519 mbedcrypto_printf( " AES-CTR-128 (%s): ",
1520 ( mode == MBEDCRYPTO_AES_DECRYPT ) ? "dec" : "enc" );
1521
1522 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1523 memcpy( key, aes_test_ctr_key[u], 16 );
1524
1525 offset = 0;
1526 if( ( ret = mbedcrypto_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1527 goto exit;
1528
1529 len = aes_test_ctr_len[u];
1530
1531 if( mode == MBEDCRYPTO_AES_DECRYPT )
1532 {
1533 memcpy( buf, aes_test_ctr_ct[u], len );
1534 aes_tests = aes_test_ctr_pt[u];
1535 }
1536 else
1537 {
1538 memcpy( buf, aes_test_ctr_pt[u], len );
1539 aes_tests = aes_test_ctr_ct[u];
1540 }
1541
1542 ret = mbedcrypto_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1543 stream_block, buf, buf );
1544 if( ret != 0 )
1545 goto exit;
1546
1547 if( memcmp( buf, aes_tests, len ) != 0 )
1548 {
1549 ret = 1;
1550 goto exit;
1551 }
1552
1553 if( verbose != 0 )
1554 mbedcrypto_printf( "passed\n" );
1555 }
1556
1557 if( verbose != 0 )
1558 mbedcrypto_printf( "\n" );
1559#endif /* MBEDCRYPTO_CIPHER_MODE_CTR */
1560
1561 ret = 0;
1562
1563exit:
1564 if( ret != 0 && verbose != 0 )
1565 mbedcrypto_printf( "failed\n" );
1566
1567 mbedcrypto_aes_free( &ctx );
1568
1569 return( ret );
1570}
1571
1572#endif /* MBEDCRYPTO_SELF_TEST */
1573
1574#endif /* MBEDCRYPTO_AES_C */