2 * FIPS-197 compliant AES implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
31 #include MBEDTLS_CONFIG_FILE
34 #if defined(MBEDTLS_AES_C)
38 #include "mbedtls/aes.h"
39 #include "mbedtls/platform.h"
40 #include "mbedtls/platform_util.h"
41 #if defined(MBEDTLS_PADLOCK_C)
42 #include "mbedtls/padlock.h"
44 #if defined(MBEDTLS_AESNI_C)
45 #include "mbedtls/aesni.h"
48 #if defined(MBEDTLS_SELF_TEST)
49 #if defined(MBEDTLS_PLATFORM_C)
50 #include "mbedtls/platform.h"
53 #define mbedtls_printf printf
54 #endif /* MBEDTLS_PLATFORM_C */
55 #endif /* MBEDTLS_SELF_TEST */
57 #if !defined(MBEDTLS_AES_ALT)
59 /* Parameter validation macros based on platform_util.h */
60 #define AES_VALIDATE_RET( cond ) \
61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
62 #define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
66 * 32-bit integer manipulation macros (little endian)
69 #define GET_UINT32_LE(n,b,i) \
71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
79 #define PUT_UINT32_LE(n,b,i) \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
88 #if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
90 static int aes_padlock_ace = -1;
93 #if defined(MBEDTLS_AES_ROM_TABLES)
97 static const unsigned char FSb[256] =
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
203 #define V(a,b,c,d) 0x##a##b##c##d
204 static const uint32_t FT0[256] = { FT };
207 #if !defined(MBEDTLS_AES_FEWER_TABLES)
209 #define V(a,b,c,d) 0x##b##c##d##a
210 static const uint32_t FT1[256] = { FT };
213 #define V(a,b,c,d) 0x##c##d##a##b
214 static const uint32_t FT2[256] = { FT };
217 #define V(a,b,c,d) 0x##d##a##b##c
218 static const uint32_t FT3[256] = { FT };
221 #endif /* !MBEDTLS_AES_FEWER_TABLES */
228 static const unsigned char RSb[256] =
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
334 #define V(a,b,c,d) 0x##a##b##c##d
335 static const uint32_t RT0[256] = { RT };
338 #if !defined(MBEDTLS_AES_FEWER_TABLES)
340 #define V(a,b,c,d) 0x##b##c##d##a
341 static const uint32_t RT1[256] = { RT };
344 #define V(a,b,c,d) 0x##c##d##a##b
345 static const uint32_t RT2[256] = { RT };
348 #define V(a,b,c,d) 0x##d##a##b##c
349 static const uint32_t RT3[256] = { RT };
352 #endif /* !MBEDTLS_AES_FEWER_TABLES */
359 static const uint32_t RCON[10] =
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
366 #else /* MBEDTLS_AES_ROM_TABLES */
369 * Forward S-box & tables
371 static unsigned char FSb[256];
372 static uint32_t FT0[256];
373 #if !defined(MBEDTLS_AES_FEWER_TABLES)
374 static uint32_t FT1[256];
375 static uint32_t FT2[256];
376 static uint32_t FT3[256];
377 #endif /* !MBEDTLS_AES_FEWER_TABLES */
380 * Reverse S-box & tables
382 static unsigned char RSb[256];
383 static uint32_t RT0[256];
384 #if !defined(MBEDTLS_AES_FEWER_TABLES)
385 static uint32_t RT1[256];
386 static uint32_t RT2[256];
387 static uint32_t RT3[256];
388 #endif /* !MBEDTLS_AES_FEWER_TABLES */
393 static uint32_t RCON[10];
396 * Tables generation code
398 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
399 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
400 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
402 static int aes_init_done = 0;
404 static void aes_gen_tables( void )
411 * compute pow and log tables over GF(2^8)
413 for( i = 0, x = 1; i < 256; i++ )
417 x = ( x ^ XTIME( x ) ) & 0xFF;
421 * calculate the round constants
423 for( i = 0, x = 1; i < 10; i++ )
425 RCON[i] = (uint32_t) x;
426 x = XTIME( x ) & 0xFF;
430 * generate the forward and reverse S-boxes
435 for( i = 1; i < 256; i++ )
437 x = pow[255 - log[i]];
439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
450 * generate the forward and reverse tables
452 for( i = 0; i < 256; i++ )
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
463 #if !defined(MBEDTLS_AES_FEWER_TABLES)
464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
467 #endif /* !MBEDTLS_AES_FEWER_TABLES */
471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
476 #if !defined(MBEDTLS_AES_FEWER_TABLES)
477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
480 #endif /* !MBEDTLS_AES_FEWER_TABLES */
486 #endif /* MBEDTLS_AES_ROM_TABLES */
488 #if defined(MBEDTLS_AES_FEWER_TABLES)
490 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
494 #define AES_RT0(idx) RT0[idx]
495 #define AES_RT1(idx) ROTL8( RT0[idx] )
496 #define AES_RT2(idx) ROTL16( RT0[idx] )
497 #define AES_RT3(idx) ROTL24( RT0[idx] )
499 #define AES_FT0(idx) FT0[idx]
500 #define AES_FT1(idx) ROTL8( FT0[idx] )
501 #define AES_FT2(idx) ROTL16( FT0[idx] )
502 #define AES_FT3(idx) ROTL24( FT0[idx] )
504 #else /* MBEDTLS_AES_FEWER_TABLES */
506 #define AES_RT0(idx) RT0[idx]
507 #define AES_RT1(idx) RT1[idx]
508 #define AES_RT2(idx) RT2[idx]
509 #define AES_RT3(idx) RT3[idx]
511 #define AES_FT0(idx) FT0[idx]
512 #define AES_FT1(idx) FT1[idx]
513 #define AES_FT2(idx) FT2[idx]
514 #define AES_FT3(idx) FT3[idx]
516 #endif /* MBEDTLS_AES_FEWER_TABLES */
518 void mbedtls_aes_init( mbedtls_aes_context *ctx )
520 AES_VALIDATE( ctx != NULL );
522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
525 void mbedtls_aes_free( mbedtls_aes_context *ctx )
530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
533 #if defined(MBEDTLS_CIPHER_MODE_XTS)
534 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
536 AES_VALIDATE( ctx != NULL );
538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
542 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
547 mbedtls_aes_free( &ctx->crypt );
548 mbedtls_aes_free( &ctx->tweak );
550 #endif /* MBEDTLS_CIPHER_MODE_XTS */
553 * AES key schedule (encryption)
555 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
556 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
557 unsigned int keybits )
562 AES_VALIDATE_RET( ctx != NULL );
563 AES_VALIDATE_RET( key != NULL );
567 case 128: ctx->nr = 10; break;
568 case 192: ctx->nr = 12; break;
569 case 256: ctx->nr = 14; break;
570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
573 #if !defined(MBEDTLS_AES_ROM_TABLES)
574 if( aes_init_done == 0 )
581 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
582 if( aes_padlock_ace == -1 )
583 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
585 if( aes_padlock_ace )
586 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
589 ctx->rk = RK = ctx->buf;
591 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
592 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
593 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
596 for( i = 0; i < ( keybits >> 5 ); i++ )
598 GET_UINT32_LE( RK[i], key, i << 2 );
605 for( i = 0; i < 10; i++, RK += 4 )
607 RK[4] = RK[0] ^ RCON[i] ^
608 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
609 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
611 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
613 RK[5] = RK[1] ^ RK[4];
614 RK[6] = RK[2] ^ RK[5];
615 RK[7] = RK[3] ^ RK[6];
621 for( i = 0; i < 8; i++, RK += 6 )
623 RK[6] = RK[0] ^ RCON[i] ^
624 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
625 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
627 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
629 RK[7] = RK[1] ^ RK[6];
630 RK[8] = RK[2] ^ RK[7];
631 RK[9] = RK[3] ^ RK[8];
632 RK[10] = RK[4] ^ RK[9];
633 RK[11] = RK[5] ^ RK[10];
639 for( i = 0; i < 7; i++, RK += 8 )
641 RK[8] = RK[0] ^ RCON[i] ^
642 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
643 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
645 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
647 RK[9] = RK[1] ^ RK[8];
648 RK[10] = RK[2] ^ RK[9];
649 RK[11] = RK[3] ^ RK[10];
652 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
653 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
657 RK[13] = RK[5] ^ RK[12];
658 RK[14] = RK[6] ^ RK[13];
659 RK[15] = RK[7] ^ RK[14];
666 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
669 * AES key schedule (decryption)
671 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
672 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
673 unsigned int keybits )
676 mbedtls_aes_context cty;
680 AES_VALIDATE_RET( ctx != NULL );
681 AES_VALIDATE_RET( key != NULL );
683 mbedtls_aes_init( &cty );
685 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
686 if( aes_padlock_ace == -1 )
687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
689 if( aes_padlock_ace )
690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
693 ctx->rk = RK = ctx->buf;
695 /* Also checks keybits */
696 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
701 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
702 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
704 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
705 (const unsigned char *) cty.rk, ctx->nr );
710 SK = cty.rk + cty.nr * 4;
717 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
719 for( j = 0; j < 4; j++, SK++ )
721 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
722 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
723 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
724 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
734 mbedtls_aes_free( &cty );
739 #if defined(MBEDTLS_CIPHER_MODE_XTS)
740 static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
741 unsigned int keybits,
742 const unsigned char **key1,
743 unsigned int *key1bits,
744 const unsigned char **key2,
745 unsigned int *key2bits )
747 const unsigned int half_keybits = keybits / 2;
748 const unsigned int half_keybytes = half_keybits / 8;
754 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
757 *key1bits = half_keybits;
758 *key2bits = half_keybits;
760 *key2 = &key[half_keybytes];
765 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
766 const unsigned char *key,
767 unsigned int keybits)
770 const unsigned char *key1, *key2;
771 unsigned int key1bits, key2bits;
773 AES_VALIDATE_RET( ctx != NULL );
774 AES_VALIDATE_RET( key != NULL );
776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
781 /* Set the tweak key. Always set tweak key for the encryption mode. */
782 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
786 /* Set crypt key for encryption. */
787 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
790 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
791 const unsigned char *key,
792 unsigned int keybits)
795 const unsigned char *key1, *key2;
796 unsigned int key1bits, key2bits;
798 AES_VALIDATE_RET( ctx != NULL );
799 AES_VALIDATE_RET( key != NULL );
801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
806 /* Set the tweak key. Always set tweak key for encryption. */
807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
811 /* Set crypt key for decryption. */
812 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
814 #endif /* MBEDTLS_CIPHER_MODE_XTS */
816 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
818 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
821 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
822 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
823 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
824 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
826 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
827 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
828 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
829 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
831 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
832 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
833 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
834 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
836 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
837 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
838 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
839 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
842 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
845 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
846 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
847 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
848 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
850 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
851 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
852 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
853 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
855 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
856 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
857 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
858 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
860 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
861 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
862 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
863 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
867 * AES-ECB block encryption
869 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
870 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
871 const unsigned char input[16],
872 unsigned char output[16] )
875 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
879 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
880 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
881 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
882 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
884 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
886 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
887 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
890 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
893 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
894 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
895 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
896 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
899 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
900 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
901 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
902 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
905 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
906 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
907 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
908 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
911 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
912 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
913 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
914 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
916 PUT_UINT32_LE( X0, output, 0 );
917 PUT_UINT32_LE( X1, output, 4 );
918 PUT_UINT32_LE( X2, output, 8 );
919 PUT_UINT32_LE( X3, output, 12 );
923 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
925 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
926 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
927 const unsigned char input[16],
928 unsigned char output[16] )
930 mbedtls_internal_aes_encrypt( ctx, input, output );
932 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
935 * AES-ECB block decryption
937 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
938 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
939 const unsigned char input[16],
940 unsigned char output[16] )
943 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
947 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
948 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
949 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
950 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
952 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
954 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
955 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
958 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
961 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
962 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
963 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
964 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
967 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
968 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
969 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
970 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
973 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
974 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
975 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
976 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
979 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
980 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
981 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
982 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
984 PUT_UINT32_LE( X0, output, 0 );
985 PUT_UINT32_LE( X1, output, 4 );
986 PUT_UINT32_LE( X2, output, 8 );
987 PUT_UINT32_LE( X3, output, 12 );
991 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
993 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
994 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
995 const unsigned char input[16],
996 unsigned char output[16] )
998 mbedtls_internal_aes_decrypt( ctx, input, output );
1000 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1003 * AES-ECB block encryption/decryption
1005 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
1007 const unsigned char input[16],
1008 unsigned char output[16] )
1010 AES_VALIDATE_RET( ctx != NULL );
1011 AES_VALIDATE_RET( input != NULL );
1012 AES_VALIDATE_RET( output != NULL );
1013 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1014 mode == MBEDTLS_AES_DECRYPT );
1016 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
1017 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
1018 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
1021 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1022 if( aes_padlock_ace )
1024 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
1027 // If padlock data misaligned, we just fall back to
1028 // unaccelerated mode
1033 if( mode == MBEDTLS_AES_ENCRYPT )
1034 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1036 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
1039 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1041 * AES-CBC buffer encryption/decryption
1043 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
1046 unsigned char iv[16],
1047 const unsigned char *input,
1048 unsigned char *output )
1051 unsigned char temp[16];
1053 AES_VALIDATE_RET( ctx != NULL );
1054 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1055 mode == MBEDTLS_AES_DECRYPT );
1056 AES_VALIDATE_RET( iv != NULL );
1057 AES_VALIDATE_RET( input != NULL );
1058 AES_VALIDATE_RET( output != NULL );
1061 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
1063 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1064 if( aes_padlock_ace )
1066 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
1069 // If padlock data misaligned, we just fall back to
1070 // unaccelerated mode
1075 if( mode == MBEDTLS_AES_DECRYPT )
1079 memcpy( temp, input, 16 );
1080 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1082 for( i = 0; i < 16; i++ )
1083 output[i] = (unsigned char)( output[i] ^ iv[i] );
1085 memcpy( iv, temp, 16 );
1096 for( i = 0; i < 16; i++ )
1097 output[i] = (unsigned char)( input[i] ^ iv[i] );
1099 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1100 memcpy( iv, output, 16 );
1110 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1112 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1114 /* Endianess with 64 bits values */
1115 #ifndef GET_UINT64_LE
1116 #define GET_UINT64_LE(n,b,i) \
1118 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1119 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1120 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1121 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1122 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1123 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1124 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1125 | ( (uint64_t) (b)[(i) ] ); \
1129 #ifndef PUT_UINT64_LE
1130 #define PUT_UINT64_LE(n,b,i) \
1132 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1133 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1134 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1135 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1136 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1137 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1138 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1139 (b)[(i) ] = (unsigned char) ( (n) ); \
1143 typedef unsigned char mbedtls_be128[16];
1146 * GF(2^128) multiplication function
1148 * This function multiplies a field element by x in the polynomial field
1149 * representation. It uses 64-bit word operations to gain speed but compensates
1150 * for machine endianess and hence works correctly on both big and little
1153 static void mbedtls_gf128mul_x_ble( unsigned char r[16],
1154 const unsigned char x[16] )
1156 uint64_t a, b, ra, rb;
1158 GET_UINT64_LE( a, x, 0 );
1159 GET_UINT64_LE( b, x, 8 );
1161 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1162 rb = ( a >> 63 ) | ( b << 1 );
1164 PUT_UINT64_LE( ra, r, 0 );
1165 PUT_UINT64_LE( rb, r, 8 );
1169 * AES-XTS buffer encryption/decryption
1171 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1174 const unsigned char data_unit[16],
1175 const unsigned char *input,
1176 unsigned char *output )
1179 size_t blocks = length / 16;
1180 size_t leftover = length % 16;
1181 unsigned char tweak[16];
1182 unsigned char prev_tweak[16];
1183 unsigned char tmp[16];
1185 AES_VALIDATE_RET( ctx != NULL );
1186 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1187 mode == MBEDTLS_AES_DECRYPT );
1188 AES_VALIDATE_RET( data_unit != NULL );
1189 AES_VALIDATE_RET( input != NULL );
1190 AES_VALIDATE_RET( output != NULL );
1192 /* Data units must be at least 16 bytes long. */
1194 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1196 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1197 if( length > ( 1 << 20 ) * 16 )
1198 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1200 /* Compute the tweak. */
1201 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1210 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1212 /* We are on the last block in a decrypt operation that has
1213 * leftover bytes, so we need to use the next tweak for this block,
1214 * and this tweak for the lefover bytes. Save the current tweak for
1215 * the leftovers and then update the current tweak for use on this,
1216 * the last full block. */
1217 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1218 mbedtls_gf128mul_x_ble( tweak, tweak );
1221 for( i = 0; i < 16; i++ )
1222 tmp[i] = input[i] ^ tweak[i];
1224 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1228 for( i = 0; i < 16; i++ )
1229 output[i] = tmp[i] ^ tweak[i];
1231 /* Update the tweak for the next block. */
1232 mbedtls_gf128mul_x_ble( tweak, tweak );
1240 /* If we are on the leftover bytes in a decrypt operation, we need to
1241 * use the previous tweak for these bytes (as saved in prev_tweak). */
1242 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1244 /* We are now on the final part of the data unit, which doesn't divide
1245 * evenly by 16. It's time for ciphertext stealing. */
1247 unsigned char *prev_output = output - 16;
1249 /* Copy ciphertext bytes from the previous block to our output for each
1250 * byte of cyphertext we won't steal. At the same time, copy the
1251 * remainder of the input for this final round (since the loop bounds
1253 for( i = 0; i < leftover; i++ )
1255 output[i] = prev_output[i];
1256 tmp[i] = input[i] ^ t[i];
1259 /* Copy ciphertext bytes from the previous block for input in this
1261 for( ; i < 16; i++ )
1262 tmp[i] = prev_output[i] ^ t[i];
1264 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1268 /* Write the result back to the previous block, overriding the previous
1269 * output we copied. */
1270 for( i = 0; i < 16; i++ )
1271 prev_output[i] = tmp[i] ^ t[i];
1276 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1278 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1280 * AES-CFB128 buffer encryption/decryption
1282 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
1286 unsigned char iv[16],
1287 const unsigned char *input,
1288 unsigned char *output )
1293 AES_VALIDATE_RET( ctx != NULL );
1294 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1295 mode == MBEDTLS_AES_DECRYPT );
1296 AES_VALIDATE_RET( iv_off != NULL );
1297 AES_VALIDATE_RET( iv != NULL );
1298 AES_VALIDATE_RET( input != NULL );
1299 AES_VALIDATE_RET( output != NULL );
1304 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1306 if( mode == MBEDTLS_AES_DECRYPT )
1311 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1314 *output++ = (unsigned char)( c ^ iv[n] );
1315 iv[n] = (unsigned char) c;
1317 n = ( n + 1 ) & 0x0F;
1325 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1327 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1329 n = ( n + 1 ) & 0x0F;
1339 * AES-CFB8 buffer encryption/decryption
1341 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
1344 unsigned char iv[16],
1345 const unsigned char *input,
1346 unsigned char *output )
1349 unsigned char ov[17];
1351 AES_VALIDATE_RET( ctx != NULL );
1352 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1353 mode == MBEDTLS_AES_DECRYPT );
1354 AES_VALIDATE_RET( iv != NULL );
1355 AES_VALIDATE_RET( input != NULL );
1356 AES_VALIDATE_RET( output != NULL );
1359 memcpy( ov, iv, 16 );
1360 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1362 if( mode == MBEDTLS_AES_DECRYPT )
1365 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1367 if( mode == MBEDTLS_AES_ENCRYPT )
1370 memcpy( iv, ov + 1, 16 );
1375 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1377 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1379 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1381 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
1384 unsigned char iv[16],
1385 const unsigned char *input,
1386 unsigned char *output )
1391 AES_VALIDATE_RET( ctx != NULL );
1392 AES_VALIDATE_RET( iv_off != NULL );
1393 AES_VALIDATE_RET( iv != NULL );
1394 AES_VALIDATE_RET( input != NULL );
1395 AES_VALIDATE_RET( output != NULL );
1400 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1406 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1410 *output++ = *input++ ^ iv[n];
1412 n = ( n + 1 ) & 0x0F;
1420 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1422 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1424 * AES-CTR buffer encryption/decryption
1426 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1429 unsigned char nonce_counter[16],
1430 unsigned char stream_block[16],
1431 const unsigned char *input,
1432 unsigned char *output )
1437 AES_VALIDATE_RET( ctx != NULL );
1438 AES_VALIDATE_RET( nc_off != NULL );
1439 AES_VALIDATE_RET( nonce_counter != NULL );
1440 AES_VALIDATE_RET( stream_block != NULL );
1441 AES_VALIDATE_RET( input != NULL );
1442 AES_VALIDATE_RET( output != NULL );
1447 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1452 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1454 for( i = 16; i > 0; i-- )
1455 if( ++nonce_counter[i - 1] != 0 )
1459 *output++ = (unsigned char)( c ^ stream_block[n] );
1461 n = ( n + 1 ) & 0x0F;
1468 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1470 #endif /* !MBEDTLS_AES_ALT */
1472 #if defined(MBEDTLS_SELF_TEST)
1474 * AES test vectors from:
1476 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1478 static const unsigned char aes_test_ecb_dec[3][16] =
1480 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1481 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1482 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1483 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1484 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1485 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1488 static const unsigned char aes_test_ecb_enc[3][16] =
1490 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1491 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1492 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1493 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1494 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1495 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1498 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1499 static const unsigned char aes_test_cbc_dec[3][16] =
1501 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1502 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1503 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1504 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1505 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1506 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1509 static const unsigned char aes_test_cbc_enc[3][16] =
1511 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1512 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1513 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1514 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1515 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1516 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1518 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1520 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1522 * AES-CFB128 test vectors from:
1524 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1526 static const unsigned char aes_test_cfb128_key[3][32] =
1528 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1529 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1530 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1531 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1532 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1533 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1534 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1535 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1536 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1539 static const unsigned char aes_test_cfb128_iv[16] =
1541 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1542 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1545 static const unsigned char aes_test_cfb128_pt[64] =
1547 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1548 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1549 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1550 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1551 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1552 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1553 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1554 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1557 static const unsigned char aes_test_cfb128_ct[3][64] =
1559 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1560 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1561 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1562 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1563 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1564 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1565 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1566 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1567 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1568 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1569 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1570 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1571 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1572 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1573 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1574 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1575 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1576 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1577 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1578 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1579 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1580 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1581 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1582 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1584 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1586 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1588 * AES-OFB test vectors from:
1590 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1592 static const unsigned char aes_test_ofb_key[3][32] =
1594 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1595 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1596 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1597 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1598 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1599 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1600 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1601 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1602 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1605 static const unsigned char aes_test_ofb_iv[16] =
1607 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1608 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1611 static const unsigned char aes_test_ofb_pt[64] =
1613 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1614 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1615 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1616 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1617 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1618 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1619 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1620 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1623 static const unsigned char aes_test_ofb_ct[3][64] =
1625 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1626 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1627 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1628 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1629 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1630 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1631 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1632 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1633 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1634 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1635 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1636 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1637 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1638 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1639 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1640 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1641 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1642 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1643 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1644 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1645 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1646 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1647 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1648 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1650 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1652 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1654 * AES-CTR test vectors from:
1656 * http://www.faqs.org/rfcs/rfc3686.html
1659 static const unsigned char aes_test_ctr_key[3][16] =
1661 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1662 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1663 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1664 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1665 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1666 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1669 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1671 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1672 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1673 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1674 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1675 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1676 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1679 static const unsigned char aes_test_ctr_pt[3][48] =
1681 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1682 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1684 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1685 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1686 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1687 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1689 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1690 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1691 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1692 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1693 0x20, 0x21, 0x22, 0x23 }
1696 static const unsigned char aes_test_ctr_ct[3][48] =
1698 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1699 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1700 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1701 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1702 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1703 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1704 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1705 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1706 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1707 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1708 0x25, 0xB2, 0x07, 0x2F }
1711 static const int aes_test_ctr_len[3] =
1713 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1715 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1717 * AES-XTS test vectors from:
1719 * IEEE P1619/D16 Annex B
1720 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1721 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1723 static const unsigned char aes_test_xts_key[][32] =
1725 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1726 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1727 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1729 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1730 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1731 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1732 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1733 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1734 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1735 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1736 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1739 static const unsigned char aes_test_xts_pt32[][32] =
1741 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1745 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1746 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1747 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1748 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1749 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1750 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1751 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1752 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1755 static const unsigned char aes_test_xts_ct32[][32] =
1757 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1758 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1759 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1760 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1761 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1762 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1763 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1764 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1765 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1766 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1767 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1768 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1771 static const unsigned char aes_test_xts_data_unit[][16] =
1773 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1775 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1777 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1781 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1786 int mbedtls_aes_self_test( int verbose )
1788 int ret = 0, i, j, u, mode;
1789 unsigned int keybits;
1790 unsigned char key[32];
1791 unsigned char buf[64];
1792 const unsigned char *aes_tests;
1793 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
1794 unsigned char iv[16];
1796 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1797 unsigned char prv[16];
1799 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1800 defined(MBEDTLS_CIPHER_MODE_OFB)
1803 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1806 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1807 unsigned char nonce_counter[16];
1808 unsigned char stream_block[16];
1810 mbedtls_aes_context ctx;
1812 memset( key, 0, 32 );
1813 mbedtls_aes_init( &ctx );
1818 for( i = 0; i < 6; i++ )
1821 keybits = 128 + u * 64;
1825 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1826 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1828 memset( buf, 0, 16 );
1830 if( mode == MBEDTLS_AES_DECRYPT )
1832 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1833 aes_tests = aes_test_ecb_dec[u];
1837 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1838 aes_tests = aes_test_ecb_enc[u];
1842 * AES-192 is an optional feature that may be unavailable when
1843 * there is an alternative underlying implementation i.e. when
1844 * MBEDTLS_AES_ALT is defined.
1846 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1848 mbedtls_printf( "skipped\n" );
1856 for( j = 0; j < 10000; j++ )
1858 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1863 if( memcmp( buf, aes_tests, 16 ) != 0 )
1870 mbedtls_printf( "passed\n" );
1874 mbedtls_printf( "\n" );
1876 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1880 for( i = 0; i < 6; i++ )
1883 keybits = 128 + u * 64;
1887 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1888 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1890 memset( iv , 0, 16 );
1891 memset( prv, 0, 16 );
1892 memset( buf, 0, 16 );
1894 if( mode == MBEDTLS_AES_DECRYPT )
1896 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1897 aes_tests = aes_test_cbc_dec[u];
1901 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1902 aes_tests = aes_test_cbc_enc[u];
1906 * AES-192 is an optional feature that may be unavailable when
1907 * there is an alternative underlying implementation i.e. when
1908 * MBEDTLS_AES_ALT is defined.
1910 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1912 mbedtls_printf( "skipped\n" );
1920 for( j = 0; j < 10000; j++ )
1922 if( mode == MBEDTLS_AES_ENCRYPT )
1924 unsigned char tmp[16];
1926 memcpy( tmp, prv, 16 );
1927 memcpy( prv, buf, 16 );
1928 memcpy( buf, tmp, 16 );
1931 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1937 if( memcmp( buf, aes_tests, 16 ) != 0 )
1944 mbedtls_printf( "passed\n" );
1948 mbedtls_printf( "\n" );
1949 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1951 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1955 for( i = 0; i < 6; i++ )
1958 keybits = 128 + u * 64;
1962 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1963 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1965 memcpy( iv, aes_test_cfb128_iv, 16 );
1966 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
1969 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1971 * AES-192 is an optional feature that may be unavailable when
1972 * there is an alternative underlying implementation i.e. when
1973 * MBEDTLS_AES_ALT is defined.
1975 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1977 mbedtls_printf( "skipped\n" );
1985 if( mode == MBEDTLS_AES_DECRYPT )
1987 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1988 aes_tests = aes_test_cfb128_pt;
1992 memcpy( buf, aes_test_cfb128_pt, 64 );
1993 aes_tests = aes_test_cfb128_ct[u];
1996 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2000 if( memcmp( buf, aes_tests, 64 ) != 0 )
2007 mbedtls_printf( "passed\n" );
2011 mbedtls_printf( "\n" );
2012 #endif /* MBEDTLS_CIPHER_MODE_CFB */
2014 #if defined(MBEDTLS_CIPHER_MODE_OFB)
2018 for( i = 0; i < 6; i++ )
2021 keybits = 128 + u * 64;
2025 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2026 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2028 memcpy( iv, aes_test_ofb_iv, 16 );
2029 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2032 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2034 * AES-192 is an optional feature that may be unavailable when
2035 * there is an alternative underlying implementation i.e. when
2036 * MBEDTLS_AES_ALT is defined.
2038 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
2040 mbedtls_printf( "skipped\n" );
2048 if( mode == MBEDTLS_AES_DECRYPT )
2050 memcpy( buf, aes_test_ofb_ct[u], 64 );
2051 aes_tests = aes_test_ofb_pt;
2055 memcpy( buf, aes_test_ofb_pt, 64 );
2056 aes_tests = aes_test_ofb_ct[u];
2059 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2063 if( memcmp( buf, aes_tests, 64 ) != 0 )
2070 mbedtls_printf( "passed\n" );
2074 mbedtls_printf( "\n" );
2075 #endif /* MBEDTLS_CIPHER_MODE_OFB */
2077 #if defined(MBEDTLS_CIPHER_MODE_CTR)
2081 for( i = 0; i < 6; i++ )
2087 mbedtls_printf( " AES-CTR-128 (%s): ",
2088 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2090 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2091 memcpy( key, aes_test_ctr_key[u], 16 );
2094 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2097 len = aes_test_ctr_len[u];
2099 if( mode == MBEDTLS_AES_DECRYPT )
2101 memcpy( buf, aes_test_ctr_ct[u], len );
2102 aes_tests = aes_test_ctr_pt[u];
2106 memcpy( buf, aes_test_ctr_pt[u], len );
2107 aes_tests = aes_test_ctr_ct[u];
2110 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2111 stream_block, buf, buf );
2115 if( memcmp( buf, aes_tests, len ) != 0 )
2122 mbedtls_printf( "passed\n" );
2126 mbedtls_printf( "\n" );
2127 #endif /* MBEDTLS_CIPHER_MODE_CTR */
2129 #if defined(MBEDTLS_CIPHER_MODE_XTS)
2131 static const int num_tests =
2132 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2133 mbedtls_aes_xts_context ctx_xts;
2138 mbedtls_aes_xts_init( &ctx_xts );
2140 for( i = 0; i < num_tests << 1; i++ )
2142 const unsigned char *data_unit;
2147 mbedtls_printf( " AES-XTS-128 (%s): ",
2148 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2150 memset( key, 0, sizeof( key ) );
2151 memcpy( key, aes_test_xts_key[u], 32 );
2152 data_unit = aes_test_xts_data_unit[u];
2154 len = sizeof( *aes_test_xts_ct32 );
2156 if( mode == MBEDTLS_AES_DECRYPT )
2158 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2161 memcpy( buf, aes_test_xts_ct32[u], len );
2162 aes_tests = aes_test_xts_pt32[u];
2166 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2169 memcpy( buf, aes_test_xts_pt32[u], len );
2170 aes_tests = aes_test_xts_ct32[u];
2174 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2179 if( memcmp( buf, aes_tests, len ) != 0 )
2186 mbedtls_printf( "passed\n" );
2190 mbedtls_printf( "\n" );
2192 mbedtls_aes_xts_free( &ctx_xts );
2194 #endif /* MBEDTLS_CIPHER_MODE_XTS */
2199 if( ret != 0 && verbose != 0 )
2200 mbedtls_printf( "failed\n" );
2202 mbedtls_aes_free( &ctx );
2207 #endif /* MBEDTLS_SELF_TEST */
2209 #endif /* MBEDTLS_AES_C */