2 * FIPS-197 compliant AES implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
31 #include MBEDTLS_CONFIG_FILE
34 #if defined(MBEDTLS_AES_C)
38 #include "mbedtls/aes.h"
39 #if defined(MBEDTLS_PADLOCK_C)
40 #include "mbedtls/padlock.h"
42 #if defined(MBEDTLS_AESNI_C)
43 #include "mbedtls/aesni.h"
46 #if defined(MBEDTLS_SELF_TEST)
47 #if defined(MBEDTLS_PLATFORM_C)
48 #include "mbedtls/platform.h"
51 #define mbedtls_printf printf
52 #endif /* MBEDTLS_PLATFORM_C */
53 #endif /* MBEDTLS_SELF_TEST */
55 #if !defined(MBEDTLS_AES_ALT)
57 /* Implementation that should never be optimized out by the compiler */
58 static void mbedtls_zeroize( void *v, size_t n ) {
59 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
63 * 32-bit integer manipulation macros (little endian)
66 #define GET_UINT32_LE(n,b,i) \
68 (n) = ( (uint32_t) (b)[(i) ] ) \
69 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
70 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
71 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
76 #define PUT_UINT32_LE(n,b,i) \
78 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
79 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
80 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
81 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
85 #if defined(MBEDTLS_PADLOCK_C) && \
86 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
87 static int aes_padlock_ace = -1;
90 #if defined(MBEDTLS_AES_ROM_TABLES)
94 static const unsigned char FSb[256] =
96 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
97 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
98 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
99 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
100 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
101 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
102 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
103 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
104 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
105 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
106 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
107 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
108 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
109 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
110 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
111 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
112 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
113 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
114 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
115 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
116 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
117 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
118 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
119 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
120 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
121 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
122 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
123 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
124 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
125 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
126 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
127 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
135 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
136 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
137 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
138 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
139 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
140 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
141 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
142 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
143 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
144 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
145 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
146 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
147 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
148 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
149 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
150 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
151 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
152 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
153 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
154 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
155 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
156 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
157 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
158 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
159 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
160 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
161 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
162 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
163 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
164 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
165 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
166 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
167 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
168 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
169 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
170 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
171 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
172 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
173 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
174 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
175 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
176 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
177 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
178 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
179 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
180 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
181 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
182 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
183 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
184 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
185 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
186 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
187 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
188 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
189 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
190 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
191 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
192 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
193 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
194 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
195 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
196 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
197 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
198 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
200 #define V(a,b,c,d) 0x##a##b##c##d
201 static const uint32_t FT0[256] = { FT };
204 #define V(a,b,c,d) 0x##b##c##d##a
205 static const uint32_t FT1[256] = { FT };
208 #define V(a,b,c,d) 0x##c##d##a##b
209 static const uint32_t FT2[256] = { FT };
212 #define V(a,b,c,d) 0x##d##a##b##c
213 static const uint32_t FT3[256] = { FT };
221 static const unsigned char RSb[256] =
223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
327 #define V(a,b,c,d) 0x##a##b##c##d
328 static const uint32_t RT0[256] = { RT };
331 #define V(a,b,c,d) 0x##b##c##d##a
332 static const uint32_t RT1[256] = { RT };
335 #define V(a,b,c,d) 0x##c##d##a##b
336 static const uint32_t RT2[256] = { RT };
339 #define V(a,b,c,d) 0x##d##a##b##c
340 static const uint32_t RT3[256] = { RT };
348 static const uint32_t RCON[10] =
350 0x00000001, 0x00000002, 0x00000004, 0x00000008,
351 0x00000010, 0x00000020, 0x00000040, 0x00000080,
352 0x0000001B, 0x00000036
355 #else /* MBEDTLS_AES_ROM_TABLES */
358 * Forward S-box & tables
360 static unsigned char FSb[256];
361 static uint32_t FT0[256];
362 static uint32_t FT1[256];
363 static uint32_t FT2[256];
364 static uint32_t FT3[256];
367 * Reverse S-box & tables
369 static unsigned char RSb[256];
370 static uint32_t RT0[256];
371 static uint32_t RT1[256];
372 static uint32_t RT2[256];
373 static uint32_t RT3[256];
378 static uint32_t RCON[10];
381 * Tables generation code
383 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
384 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
385 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
387 static int aes_init_done = 0;
389 static void aes_gen_tables( void )
396 * compute pow and log tables over GF(2^8)
398 for( i = 0, x = 1; i < 256; i++ )
402 x = ( x ^ XTIME( x ) ) & 0xFF;
406 * calculate the round constants
408 for( i = 0, x = 1; i < 10; i++ )
410 RCON[i] = (uint32_t) x;
411 x = XTIME( x ) & 0xFF;
415 * generate the forward and reverse S-boxes
420 for( i = 1; i < 256; i++ )
422 x = pow[255 - log[i]];
424 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
425 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
426 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
427 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
430 FSb[i] = (unsigned char) x;
431 RSb[x] = (unsigned char) i;
435 * generate the forward and reverse tables
437 for( i = 0; i < 256; i++ )
440 y = XTIME( x ) & 0xFF;
441 z = ( y ^ x ) & 0xFF;
443 FT0[i] = ( (uint32_t) y ) ^
444 ( (uint32_t) x << 8 ) ^
445 ( (uint32_t) x << 16 ) ^
446 ( (uint32_t) z << 24 );
448 FT1[i] = ROTL8( FT0[i] );
449 FT2[i] = ROTL8( FT1[i] );
450 FT3[i] = ROTL8( FT2[i] );
454 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
455 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
456 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
457 ( (uint32_t) MUL( 0x0B, x ) << 24 );
459 RT1[i] = ROTL8( RT0[i] );
460 RT2[i] = ROTL8( RT1[i] );
461 RT3[i] = ROTL8( RT2[i] );
465 #endif /* MBEDTLS_AES_ROM_TABLES */
467 void mbedtls_aes_init( mbedtls_aes_context *ctx )
469 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
472 void mbedtls_aes_free( mbedtls_aes_context *ctx )
477 mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
481 * AES key schedule (encryption)
483 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
484 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
485 unsigned int keybits )
490 #if !defined(MBEDTLS_AES_ROM_TABLES)
491 if( aes_init_done == 0 )
501 case 128: ctx->nr = 10; break;
502 case 192: ctx->nr = 12; break;
503 case 256: ctx->nr = 14; break;
504 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
507 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
508 if( aes_padlock_ace == -1 )
509 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
511 if( aes_padlock_ace )
512 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
515 ctx->rk = RK = ctx->buf;
517 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
518 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
519 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
522 for( i = 0; i < ( keybits >> 5 ); i++ )
524 GET_UINT32_LE( RK[i], key, i << 2 );
531 for( i = 0; i < 10; i++, RK += 4 )
533 RK[4] = RK[0] ^ RCON[i] ^
534 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
535 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
536 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
537 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
539 RK[5] = RK[1] ^ RK[4];
540 RK[6] = RK[2] ^ RK[5];
541 RK[7] = RK[3] ^ RK[6];
547 for( i = 0; i < 8; i++, RK += 6 )
549 RK[6] = RK[0] ^ RCON[i] ^
550 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
551 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
552 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
553 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
555 RK[7] = RK[1] ^ RK[6];
556 RK[8] = RK[2] ^ RK[7];
557 RK[9] = RK[3] ^ RK[8];
558 RK[10] = RK[4] ^ RK[9];
559 RK[11] = RK[5] ^ RK[10];
565 for( i = 0; i < 7; i++, RK += 8 )
567 RK[8] = RK[0] ^ RCON[i] ^
568 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
569 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
570 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
571 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
573 RK[9] = RK[1] ^ RK[8];
574 RK[10] = RK[2] ^ RK[9];
575 RK[11] = RK[3] ^ RK[10];
578 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
579 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
580 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
581 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
583 RK[13] = RK[5] ^ RK[12];
584 RK[14] = RK[6] ^ RK[13];
585 RK[15] = RK[7] ^ RK[14];
592 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
595 * AES key schedule (decryption)
597 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
598 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
599 unsigned int keybits )
602 mbedtls_aes_context cty;
606 mbedtls_aes_init( &cty );
608 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
609 if( aes_padlock_ace == -1 )
610 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
612 if( aes_padlock_ace )
613 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
616 ctx->rk = RK = ctx->buf;
618 /* Also checks keybits */
619 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
624 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
625 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
627 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
628 (const unsigned char *) cty.rk, ctx->nr );
633 SK = cty.rk + cty.nr * 4;
640 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
642 for( j = 0; j < 4; j++, SK++ )
644 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
645 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
646 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
647 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
657 mbedtls_aes_free( &cty );
661 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
663 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
665 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
666 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
667 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
668 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
670 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
671 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
672 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
673 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
675 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
676 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
677 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
678 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
680 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
681 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
682 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
683 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
686 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
688 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
689 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
690 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
691 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
693 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
694 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
695 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
696 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
698 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
699 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
700 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
701 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
703 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
704 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
705 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
706 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
710 * AES-ECB block encryption
712 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
713 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
714 const unsigned char input[16],
715 unsigned char output[16] )
718 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
722 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
723 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
724 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
725 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
727 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
729 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
730 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
733 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
736 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
737 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
738 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
739 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
742 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
743 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
744 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
745 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
748 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
749 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
750 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
751 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
754 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
755 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
756 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
757 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
759 PUT_UINT32_LE( X0, output, 0 );
760 PUT_UINT32_LE( X1, output, 4 );
761 PUT_UINT32_LE( X2, output, 8 );
762 PUT_UINT32_LE( X3, output, 12 );
764 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
767 * AES-ECB block decryption
769 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
770 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
771 const unsigned char input[16],
772 unsigned char output[16] )
775 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
779 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
780 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
781 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
782 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
784 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
786 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
787 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
790 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
793 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
794 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
795 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
796 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
799 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
800 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
801 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
802 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
805 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
806 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
807 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
808 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
811 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
812 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
813 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
814 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
816 PUT_UINT32_LE( X0, output, 0 );
817 PUT_UINT32_LE( X1, output, 4 );
818 PUT_UINT32_LE( X2, output, 8 );
819 PUT_UINT32_LE( X3, output, 12 );
821 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
824 * AES-ECB block encryption/decryption
826 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
828 const unsigned char input[16],
829 unsigned char output[16] )
831 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
832 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
833 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
836 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
837 if( aes_padlock_ace )
839 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
842 // If padlock data misaligned, we just fall back to
843 // unaccelerated mode
848 if( mode == MBEDTLS_AES_ENCRYPT )
849 mbedtls_aes_encrypt( ctx, input, output );
851 mbedtls_aes_decrypt( ctx, input, output );
856 #if defined(MBEDTLS_CIPHER_MODE_CBC)
858 * AES-CBC buffer encryption/decryption
860 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
863 unsigned char iv[16],
864 const unsigned char *input,
865 unsigned char *output )
868 unsigned char temp[16];
871 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
873 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
874 if( aes_padlock_ace )
876 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
879 // If padlock data misaligned, we just fall back to
880 // unaccelerated mode
885 if( mode == MBEDTLS_AES_DECRYPT )
889 memcpy( temp, input, 16 );
890 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
892 for( i = 0; i < 16; i++ )
893 output[i] = (unsigned char)( output[i] ^ iv[i] );
895 memcpy( iv, temp, 16 );
906 for( i = 0; i < 16; i++ )
907 output[i] = (unsigned char)( input[i] ^ iv[i] );
909 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
910 memcpy( iv, output, 16 );
920 #endif /* MBEDTLS_CIPHER_MODE_CBC */
922 #if defined(MBEDTLS_CIPHER_MODE_CFB)
924 * AES-CFB128 buffer encryption/decryption
926 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
930 unsigned char iv[16],
931 const unsigned char *input,
932 unsigned char *output )
937 if( mode == MBEDTLS_AES_DECRYPT )
942 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
945 *output++ = (unsigned char)( c ^ iv[n] );
946 iv[n] = (unsigned char) c;
948 n = ( n + 1 ) & 0x0F;
956 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
958 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
960 n = ( n + 1 ) & 0x0F;
970 * AES-CFB8 buffer encryption/decryption
972 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
975 unsigned char iv[16],
976 const unsigned char *input,
977 unsigned char *output )
980 unsigned char ov[17];
984 memcpy( ov, iv, 16 );
985 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
987 if( mode == MBEDTLS_AES_DECRYPT )
990 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
992 if( mode == MBEDTLS_AES_ENCRYPT )
995 memcpy( iv, ov + 1, 16 );
1000 #endif /*MBEDTLS_CIPHER_MODE_CFB */
1002 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1004 * AES-CTR buffer encryption/decryption
1006 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1009 unsigned char nonce_counter[16],
1010 unsigned char stream_block[16],
1011 const unsigned char *input,
1012 unsigned char *output )
1020 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1022 for( i = 16; i > 0; i-- )
1023 if( ++nonce_counter[i - 1] != 0 )
1027 *output++ = (unsigned char)( c ^ stream_block[n] );
1029 n = ( n + 1 ) & 0x0F;
1036 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1038 #endif /* !MBEDTLS_AES_ALT */
1040 #if defined(MBEDTLS_SELF_TEST)
1042 * AES test vectors from:
1044 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1046 static const unsigned char aes_test_ecb_dec[3][16] =
1048 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1049 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1050 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1051 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1052 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1053 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1056 static const unsigned char aes_test_ecb_enc[3][16] =
1058 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1059 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1060 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1061 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1062 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1063 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1066 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1067 static const unsigned char aes_test_cbc_dec[3][16] =
1069 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1070 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1071 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1072 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1073 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1074 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1077 static const unsigned char aes_test_cbc_enc[3][16] =
1079 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1080 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1081 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1082 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1083 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1084 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1086 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1088 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1090 * AES-CFB128 test vectors from:
1092 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1094 static const unsigned char aes_test_cfb128_key[3][32] =
1096 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1097 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1098 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1099 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1100 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1101 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1102 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1103 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1104 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1107 static const unsigned char aes_test_cfb128_iv[16] =
1109 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1110 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1113 static const unsigned char aes_test_cfb128_pt[64] =
1115 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1116 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1117 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1118 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1119 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1120 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1121 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1122 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1125 static const unsigned char aes_test_cfb128_ct[3][64] =
1127 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1128 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1129 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1130 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1131 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1132 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1133 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1134 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1135 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1136 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1137 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1138 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1139 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1140 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1141 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1142 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1143 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1144 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1145 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1146 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1147 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1148 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1149 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1150 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1152 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1154 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1156 * AES-CTR test vectors from:
1158 * http://www.faqs.org/rfcs/rfc3686.html
1161 static const unsigned char aes_test_ctr_key[3][16] =
1163 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1164 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1165 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1166 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1167 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1168 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1171 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1173 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1174 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1175 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1176 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1177 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1178 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1181 static const unsigned char aes_test_ctr_pt[3][48] =
1183 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1184 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1186 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1187 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1188 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1189 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1191 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1192 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1193 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1194 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1195 0x20, 0x21, 0x22, 0x23 }
1198 static const unsigned char aes_test_ctr_ct[3][48] =
1200 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1201 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1202 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1203 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1204 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1205 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1206 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1207 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1208 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1209 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1210 0x25, 0xB2, 0x07, 0x2F }
1213 static const int aes_test_ctr_len[3] =
1215 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1220 int mbedtls_aes_self_test( int verbose )
1222 int ret = 0, i, j, u, v;
1223 unsigned char key[32];
1224 unsigned char buf[64];
1225 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
1226 unsigned char iv[16];
1228 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1229 unsigned char prv[16];
1231 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
1234 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1236 unsigned char nonce_counter[16];
1237 unsigned char stream_block[16];
1239 mbedtls_aes_context ctx;
1241 memset( key, 0, 32 );
1242 mbedtls_aes_init( &ctx );
1247 for( i = 0; i < 6; i++ )
1253 mbedtls_printf( " AES-ECB-%3d (%s): ", 128 + u * 64,
1254 ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1256 memset( buf, 0, 16 );
1258 if( v == MBEDTLS_AES_DECRYPT )
1260 mbedtls_aes_setkey_dec( &ctx, key, 128 + u * 64 );
1262 for( j = 0; j < 10000; j++ )
1263 mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
1265 if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1268 mbedtls_printf( "failed\n" );
1276 mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 );
1278 for( j = 0; j < 10000; j++ )
1279 mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
1281 if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1284 mbedtls_printf( "failed\n" );
1292 mbedtls_printf( "passed\n" );
1296 mbedtls_printf( "\n" );
1298 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1302 for( i = 0; i < 6; i++ )
1308 mbedtls_printf( " AES-CBC-%3d (%s): ", 128 + u * 64,
1309 ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1311 memset( iv , 0, 16 );
1312 memset( prv, 0, 16 );
1313 memset( buf, 0, 16 );
1315 if( v == MBEDTLS_AES_DECRYPT )
1317 mbedtls_aes_setkey_dec( &ctx, key, 128 + u * 64 );
1319 for( j = 0; j < 10000; j++ )
1320 mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1322 if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1325 mbedtls_printf( "failed\n" );
1333 mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 );
1335 for( j = 0; j < 10000; j++ )
1337 unsigned char tmp[16];
1339 mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1341 memcpy( tmp, prv, 16 );
1342 memcpy( prv, buf, 16 );
1343 memcpy( buf, tmp, 16 );
1346 if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1349 mbedtls_printf( "failed\n" );
1357 mbedtls_printf( "passed\n" );
1361 mbedtls_printf( "\n" );
1362 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1364 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1368 for( i = 0; i < 6; i++ )
1374 mbedtls_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64,
1375 ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1377 memcpy( iv, aes_test_cfb128_iv, 16 );
1378 memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1381 mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 );
1383 if( v == MBEDTLS_AES_DECRYPT )
1385 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1386 mbedtls_aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1388 if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1391 mbedtls_printf( "failed\n" );
1399 memcpy( buf, aes_test_cfb128_pt, 64 );
1400 mbedtls_aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1402 if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1405 mbedtls_printf( "failed\n" );
1413 mbedtls_printf( "passed\n" );
1417 mbedtls_printf( "\n" );
1418 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1420 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1424 for( i = 0; i < 6; i++ )
1430 mbedtls_printf( " AES-CTR-128 (%s): ",
1431 ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1433 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1434 memcpy( key, aes_test_ctr_key[u], 16 );
1437 mbedtls_aes_setkey_enc( &ctx, key, 128 );
1439 if( v == MBEDTLS_AES_DECRYPT )
1441 len = aes_test_ctr_len[u];
1442 memcpy( buf, aes_test_ctr_ct[u], len );
1444 mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1447 if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1450 mbedtls_printf( "failed\n" );
1458 len = aes_test_ctr_len[u];
1459 memcpy( buf, aes_test_ctr_pt[u], len );
1461 mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1464 if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1467 mbedtls_printf( "failed\n" );
1475 mbedtls_printf( "passed\n" );
1479 mbedtls_printf( "\n" );
1480 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1485 mbedtls_aes_free( &ctx );
1490 #endif /* MBEDTLS_SELF_TEST */
1492 #endif /* MBEDTLS_AES_C */