sandbox / mbedtls

Important changes to repositories hosted on mbed.com

Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.

To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.

It is also possible to export all your personal repositories from the account settings page.

Fork of mbedtls by Christopher Haster

source/gcm.c@4:bef26f687287, 2016-04-07 (annotated)

Committer:
Brian Daniels
Date:
Thu Apr 07 11:11:18 2016 +0100
Revision:
4:bef26f687287
Parent:
1:24750b9ad5ef 
Adding ported selftest test case

Who changed what in which revision?

UserRevisionLine numberNew contents of line
Christopher Haster 1:24750b9ad5ef 1 /*
Christopher Haster 1:24750b9ad5ef 2 * NIST SP800-38D compliant GCM implementation
Christopher Haster 1:24750b9ad5ef 3 *
Christopher Haster 1:24750b9ad5ef 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Christopher Haster 1:24750b9ad5ef 5 * SPDX-License-Identifier: Apache-2.0
Christopher Haster 1:24750b9ad5ef 6 *
Christopher Haster 1:24750b9ad5ef 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
Christopher Haster 1:24750b9ad5ef 8 * not use this file except in compliance with the License.
Christopher Haster 1:24750b9ad5ef 9 * You may obtain a copy of the License at
Christopher Haster 1:24750b9ad5ef 10 *
Christopher Haster 1:24750b9ad5ef 11 * http://www.apache.org/licenses/LICENSE-2.0
Christopher Haster 1:24750b9ad5ef 12 *
Christopher Haster 1:24750b9ad5ef 13 * Unless required by applicable law or agreed to in writing, software
Christopher Haster 1:24750b9ad5ef 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
Christopher Haster 1:24750b9ad5ef 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
Christopher Haster 1:24750b9ad5ef 16 * See the License for the specific language governing permissions and
Christopher Haster 1:24750b9ad5ef 17 * limitations under the License.
Christopher Haster 1:24750b9ad5ef 18 *
Christopher Haster 1:24750b9ad5ef 19 * This file is part of mbed TLS (https://tls.mbed.org)
Christopher Haster 1:24750b9ad5ef 20 */
Christopher Haster 1:24750b9ad5ef 21
Christopher Haster 1:24750b9ad5ef 22 /*
Christopher Haster 1:24750b9ad5ef 23 * http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Christopher Haster 1:24750b9ad5ef 24 *
Christopher Haster 1:24750b9ad5ef 25 * See also:
Christopher Haster 1:24750b9ad5ef 26 * [MGV] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
Christopher Haster 1:24750b9ad5ef 27 *
Christopher Haster 1:24750b9ad5ef 28 * We use the algorithm described as Shoup's method with 4-bit tables in
Christopher Haster 1:24750b9ad5ef 29 * [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
Christopher Haster 1:24750b9ad5ef 30 */
Christopher Haster 1:24750b9ad5ef 31
Christopher Haster 1:24750b9ad5ef 32 #if !defined(MBEDTLS_CONFIG_FILE)
Christopher Haster 1:24750b9ad5ef 33 #include "mbedtls/config.h"
Christopher Haster 1:24750b9ad5ef 34 #else
Christopher Haster 1:24750b9ad5ef 35 #include MBEDTLS_CONFIG_FILE
Christopher Haster 1:24750b9ad5ef 36 #endif
Christopher Haster 1:24750b9ad5ef 37
Christopher Haster 1:24750b9ad5ef 38 #if defined(MBEDTLS_GCM_C)
Christopher Haster 1:24750b9ad5ef 39
Christopher Haster 1:24750b9ad5ef 40 #include "mbedtls/gcm.h"
Christopher Haster 1:24750b9ad5ef 41
Christopher Haster 1:24750b9ad5ef 42 #include <string.h>
Christopher Haster 1:24750b9ad5ef 43
Christopher Haster 1:24750b9ad5ef 44 #if defined(MBEDTLS_AESNI_C)
Christopher Haster 1:24750b9ad5ef 45 #include "mbedtls/aesni.h"
Christopher Haster 1:24750b9ad5ef 46 #endif
Christopher Haster 1:24750b9ad5ef 47
Christopher Haster 1:24750b9ad5ef 48 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
Christopher Haster 1:24750b9ad5ef 49 #if defined(MBEDTLS_PLATFORM_C)
Christopher Haster 1:24750b9ad5ef 50 #include "mbedtls/platform.h"
Christopher Haster 1:24750b9ad5ef 51 #else
Christopher Haster 1:24750b9ad5ef 52 #include <stdio.h>
Christopher Haster 1:24750b9ad5ef 53 #define mbedtls_printf printf
Christopher Haster 1:24750b9ad5ef 54 #endif /* MBEDTLS_PLATFORM_C */
Christopher Haster 1:24750b9ad5ef 55 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
Christopher Haster 1:24750b9ad5ef 56
Christopher Haster 1:24750b9ad5ef 57 /*
Christopher Haster 1:24750b9ad5ef 58 * 32-bit integer manipulation macros (big endian)
Christopher Haster 1:24750b9ad5ef 59 */
Christopher Haster 1:24750b9ad5ef 60 #ifndef GET_UINT32_BE
Christopher Haster 1:24750b9ad5ef 61 #define GET_UINT32_BE(n,b,i) \
Christopher Haster 1:24750b9ad5ef 62 { \
Christopher Haster 1:24750b9ad5ef 63 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
Christopher Haster 1:24750b9ad5ef 64 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
Christopher Haster 1:24750b9ad5ef 65 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
Christopher Haster 1:24750b9ad5ef 66 | ( (uint32_t) (b)[(i) + 3] ); \
Christopher Haster 1:24750b9ad5ef 67 }
Christopher Haster 1:24750b9ad5ef 68 #endif
Christopher Haster 1:24750b9ad5ef 69
Christopher Haster 1:24750b9ad5ef 70 #ifndef PUT_UINT32_BE
Christopher Haster 1:24750b9ad5ef 71 #define PUT_UINT32_BE(n,b,i) \
Christopher Haster 1:24750b9ad5ef 72 { \
Christopher Haster 1:24750b9ad5ef 73 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
Christopher Haster 1:24750b9ad5ef 74 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
Christopher Haster 1:24750b9ad5ef 75 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
Christopher Haster 1:24750b9ad5ef 76 (b)[(i) + 3] = (unsigned char) ( (n) ); \
Christopher Haster 1:24750b9ad5ef 77 }
Christopher Haster 1:24750b9ad5ef 78 #endif
Christopher Haster 1:24750b9ad5ef 79
Christopher Haster 1:24750b9ad5ef 80 /* Implementation that should never be optimized out by the compiler */
Christopher Haster 1:24750b9ad5ef 81 static void mbedtls_zeroize( void *v, size_t n ) {
Christopher Haster 1:24750b9ad5ef 82 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
Christopher Haster 1:24750b9ad5ef 83 }
Christopher Haster 1:24750b9ad5ef 84
Christopher Haster 1:24750b9ad5ef 85 /*
Christopher Haster 1:24750b9ad5ef 86 * Initialize a context
Christopher Haster 1:24750b9ad5ef 87 */
Christopher Haster 1:24750b9ad5ef 88 void mbedtls_gcm_init( mbedtls_gcm_context *ctx )
Christopher Haster 1:24750b9ad5ef 89 {
Christopher Haster 1:24750b9ad5ef 90 memset( ctx, 0, sizeof( mbedtls_gcm_context ) );
Christopher Haster 1:24750b9ad5ef 91 }
Christopher Haster 1:24750b9ad5ef 92
Christopher Haster 1:24750b9ad5ef 93 /*
Christopher Haster 1:24750b9ad5ef 94 * Precompute small multiples of H, that is set
Christopher Haster 1:24750b9ad5ef 95 * HH[i] || HL[i] = H times i,
Christopher Haster 1:24750b9ad5ef 96 * where i is seen as a field element as in [MGV], ie high-order bits
Christopher Haster 1:24750b9ad5ef 97 * correspond to low powers of P. The result is stored in the same way, that
Christopher Haster 1:24750b9ad5ef 98 * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL
Christopher Haster 1:24750b9ad5ef 99 * corresponds to P^127.
Christopher Haster 1:24750b9ad5ef 100 */
Christopher Haster 1:24750b9ad5ef 101 static int gcm_gen_table( mbedtls_gcm_context *ctx )
Christopher Haster 1:24750b9ad5ef 102 {
Christopher Haster 1:24750b9ad5ef 103 int ret, i, j;
Christopher Haster 1:24750b9ad5ef 104 uint64_t hi, lo;
Christopher Haster 1:24750b9ad5ef 105 uint64_t vl, vh;
Christopher Haster 1:24750b9ad5ef 106 unsigned char h[16];
Christopher Haster 1:24750b9ad5ef 107 size_t olen = 0;
Christopher Haster 1:24750b9ad5ef 108
Christopher Haster 1:24750b9ad5ef 109 memset( h, 0, 16 );
Christopher Haster 1:24750b9ad5ef 110 if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, h, 16, h, &olen ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 111 return( ret );
Christopher Haster 1:24750b9ad5ef 112
Christopher Haster 1:24750b9ad5ef 113 /* pack h as two 64-bits ints, big-endian */
Christopher Haster 1:24750b9ad5ef 114 GET_UINT32_BE( hi, h, 0 );
Christopher Haster 1:24750b9ad5ef 115 GET_UINT32_BE( lo, h, 4 );
Christopher Haster 1:24750b9ad5ef 116 vh = (uint64_t) hi << 32 | lo;
Christopher Haster 1:24750b9ad5ef 117
Christopher Haster 1:24750b9ad5ef 118 GET_UINT32_BE( hi, h, 8 );
Christopher Haster 1:24750b9ad5ef 119 GET_UINT32_BE( lo, h, 12 );
Christopher Haster 1:24750b9ad5ef 120 vl = (uint64_t) hi << 32 | lo;
Christopher Haster 1:24750b9ad5ef 121
Christopher Haster 1:24750b9ad5ef 122 /* 8 = 1000 corresponds to 1 in GF(2^128) */
Christopher Haster 1:24750b9ad5ef 123 ctx->HL[8] = vl;
Christopher Haster 1:24750b9ad5ef 124 ctx->HH[8] = vh;
Christopher Haster 1:24750b9ad5ef 125
Christopher Haster 1:24750b9ad5ef 126 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Christopher Haster 1:24750b9ad5ef 127 /* With CLMUL support, we need only h, not the rest of the table */
Christopher Haster 1:24750b9ad5ef 128 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) )
Christopher Haster 1:24750b9ad5ef 129 return( 0 );
Christopher Haster 1:24750b9ad5ef 130 #endif
Christopher Haster 1:24750b9ad5ef 131
Christopher Haster 1:24750b9ad5ef 132 /* 0 corresponds to 0 in GF(2^128) */
Christopher Haster 1:24750b9ad5ef 133 ctx->HH[0] = 0;
Christopher Haster 1:24750b9ad5ef 134 ctx->HL[0] = 0;
Christopher Haster 1:24750b9ad5ef 135
Christopher Haster 1:24750b9ad5ef 136 for( i = 4; i > 0; i >>= 1 )
Christopher Haster 1:24750b9ad5ef 137 {
Christopher Haster 1:24750b9ad5ef 138 uint32_t T = ( vl & 1 ) * 0xe1000000U;
Christopher Haster 1:24750b9ad5ef 139 vl = ( vh << 63 ) | ( vl >> 1 );
Christopher Haster 1:24750b9ad5ef 140 vh = ( vh >> 1 ) ^ ( (uint64_t) T << 32);
Christopher Haster 1:24750b9ad5ef 141
Christopher Haster 1:24750b9ad5ef 142 ctx->HL[i] = vl;
Christopher Haster 1:24750b9ad5ef 143 ctx->HH[i] = vh;
Christopher Haster 1:24750b9ad5ef 144 }
Christopher Haster 1:24750b9ad5ef 145
Christopher Haster 1:24750b9ad5ef 146 for( i = 2; i <= 8; i *= 2 )
Christopher Haster 1:24750b9ad5ef 147 {
Christopher Haster 1:24750b9ad5ef 148 uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i;
Christopher Haster 1:24750b9ad5ef 149 vh = *HiH;
Christopher Haster 1:24750b9ad5ef 150 vl = *HiL;
Christopher Haster 1:24750b9ad5ef 151 for( j = 1; j < i; j++ )
Christopher Haster 1:24750b9ad5ef 152 {
Christopher Haster 1:24750b9ad5ef 153 HiH[j] = vh ^ ctx->HH[j];
Christopher Haster 1:24750b9ad5ef 154 HiL[j] = vl ^ ctx->HL[j];
Christopher Haster 1:24750b9ad5ef 155 }
Christopher Haster 1:24750b9ad5ef 156 }
Christopher Haster 1:24750b9ad5ef 157
Christopher Haster 1:24750b9ad5ef 158 return( 0 );
Christopher Haster 1:24750b9ad5ef 159 }
Christopher Haster 1:24750b9ad5ef 160
Christopher Haster 1:24750b9ad5ef 161 int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
Christopher Haster 1:24750b9ad5ef 162 mbedtls_cipher_id_t cipher,
Christopher Haster 1:24750b9ad5ef 163 const unsigned char *key,
Christopher Haster 1:24750b9ad5ef 164 unsigned int keybits )
Christopher Haster 1:24750b9ad5ef 165 {
Christopher Haster 1:24750b9ad5ef 166 int ret;
Christopher Haster 1:24750b9ad5ef 167 const mbedtls_cipher_info_t *cipher_info;
Christopher Haster 1:24750b9ad5ef 168
Christopher Haster 1:24750b9ad5ef 169 cipher_info = mbedtls_cipher_info_from_values( cipher, keybits, MBEDTLS_MODE_ECB );
Christopher Haster 1:24750b9ad5ef 170 if( cipher_info == NULL )
Christopher Haster 1:24750b9ad5ef 171 return( MBEDTLS_ERR_GCM_BAD_INPUT );
Christopher Haster 1:24750b9ad5ef 172
Christopher Haster 1:24750b9ad5ef 173 if( cipher_info->block_size != 16 )
Christopher Haster 1:24750b9ad5ef 174 return( MBEDTLS_ERR_GCM_BAD_INPUT );
Christopher Haster 1:24750b9ad5ef 175
Christopher Haster 1:24750b9ad5ef 176 mbedtls_cipher_free( &ctx->cipher_ctx );
Christopher Haster 1:24750b9ad5ef 177
Christopher Haster 1:24750b9ad5ef 178 if( ( ret = mbedtls_cipher_setup( &ctx->cipher_ctx, cipher_info ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 179 return( ret );
Christopher Haster 1:24750b9ad5ef 180
Christopher Haster 1:24750b9ad5ef 181 if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, keybits,
Christopher Haster 1:24750b9ad5ef 182 MBEDTLS_ENCRYPT ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 183 {
Christopher Haster 1:24750b9ad5ef 184 return( ret );
Christopher Haster 1:24750b9ad5ef 185 }
Christopher Haster 1:24750b9ad5ef 186
Christopher Haster 1:24750b9ad5ef 187 if( ( ret = gcm_gen_table( ctx ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 188 return( ret );
Christopher Haster 1:24750b9ad5ef 189
Christopher Haster 1:24750b9ad5ef 190 return( 0 );
Christopher Haster 1:24750b9ad5ef 191 }
Christopher Haster 1:24750b9ad5ef 192
Christopher Haster 1:24750b9ad5ef 193 /*
Christopher Haster 1:24750b9ad5ef 194 * Shoup's method for multiplication use this table with
Christopher Haster 1:24750b9ad5ef 195 * last4[x] = x times P^128
Christopher Haster 1:24750b9ad5ef 196 * where x and last4[x] are seen as elements of GF(2^128) as in [MGV]
Christopher Haster 1:24750b9ad5ef 197 */
Christopher Haster 1:24750b9ad5ef 198 static const uint64_t last4[16] =
Christopher Haster 1:24750b9ad5ef 199 {
Christopher Haster 1:24750b9ad5ef 200 0x0000, 0x1c20, 0x3840, 0x2460,
Christopher Haster 1:24750b9ad5ef 201 0x7080, 0x6ca0, 0x48c0, 0x54e0,
Christopher Haster 1:24750b9ad5ef 202 0xe100, 0xfd20, 0xd940, 0xc560,
Christopher Haster 1:24750b9ad5ef 203 0x9180, 0x8da0, 0xa9c0, 0xb5e0
Christopher Haster 1:24750b9ad5ef 204 };
Christopher Haster 1:24750b9ad5ef 205
Christopher Haster 1:24750b9ad5ef 206 /*
Christopher Haster 1:24750b9ad5ef 207 * Sets output to x times H using the precomputed tables.
Christopher Haster 1:24750b9ad5ef 208 * x and output are seen as elements of GF(2^128) as in [MGV].
Christopher Haster 1:24750b9ad5ef 209 */
Christopher Haster 1:24750b9ad5ef 210 static void gcm_mult( mbedtls_gcm_context *ctx, const unsigned char x[16],
Christopher Haster 1:24750b9ad5ef 211 unsigned char output[16] )
Christopher Haster 1:24750b9ad5ef 212 {
Christopher Haster 1:24750b9ad5ef 213 int i = 0;
Christopher Haster 1:24750b9ad5ef 214 unsigned char lo, hi, rem;
Christopher Haster 1:24750b9ad5ef 215 uint64_t zh, zl;
Christopher Haster 1:24750b9ad5ef 216
Christopher Haster 1:24750b9ad5ef 217 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Christopher Haster 1:24750b9ad5ef 218 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) ) {
Christopher Haster 1:24750b9ad5ef 219 unsigned char h[16];
Christopher Haster 1:24750b9ad5ef 220
Christopher Haster 1:24750b9ad5ef 221 PUT_UINT32_BE( ctx->HH[8] >> 32, h, 0 );
Christopher Haster 1:24750b9ad5ef 222 PUT_UINT32_BE( ctx->HH[8], h, 4 );
Christopher Haster 1:24750b9ad5ef 223 PUT_UINT32_BE( ctx->HL[8] >> 32, h, 8 );
Christopher Haster 1:24750b9ad5ef 224 PUT_UINT32_BE( ctx->HL[8], h, 12 );
Christopher Haster 1:24750b9ad5ef 225
Christopher Haster 1:24750b9ad5ef 226 mbedtls_aesni_gcm_mult( output, x, h );
Christopher Haster 1:24750b9ad5ef 227 return;
Christopher Haster 1:24750b9ad5ef 228 }
Christopher Haster 1:24750b9ad5ef 229 #endif /* MBEDTLS_AESNI_C && MBEDTLS_HAVE_X86_64 */
Christopher Haster 1:24750b9ad5ef 230
Christopher Haster 1:24750b9ad5ef 231 lo = x[15] & 0xf;
Christopher Haster 1:24750b9ad5ef 232
Christopher Haster 1:24750b9ad5ef 233 zh = ctx->HH[lo];
Christopher Haster 1:24750b9ad5ef 234 zl = ctx->HL[lo];
Christopher Haster 1:24750b9ad5ef 235
Christopher Haster 1:24750b9ad5ef 236 for( i = 15; i >= 0; i-- )
Christopher Haster 1:24750b9ad5ef 237 {
Christopher Haster 1:24750b9ad5ef 238 lo = x[i] & 0xf;
Christopher Haster 1:24750b9ad5ef 239 hi = x[i] >> 4;
Christopher Haster 1:24750b9ad5ef 240
Christopher Haster 1:24750b9ad5ef 241 if( i != 15 )
Christopher Haster 1:24750b9ad5ef 242 {
Christopher Haster 1:24750b9ad5ef 243 rem = (unsigned char) zl & 0xf;
Christopher Haster 1:24750b9ad5ef 244 zl = ( zh << 60 ) | ( zl >> 4 );
Christopher Haster 1:24750b9ad5ef 245 zh = ( zh >> 4 );
Christopher Haster 1:24750b9ad5ef 246 zh ^= (uint64_t) last4[rem] << 48;
Christopher Haster 1:24750b9ad5ef 247 zh ^= ctx->HH[lo];
Christopher Haster 1:24750b9ad5ef 248 zl ^= ctx->HL[lo];
Christopher Haster 1:24750b9ad5ef 249
Christopher Haster 1:24750b9ad5ef 250 }
Christopher Haster 1:24750b9ad5ef 251
Christopher Haster 1:24750b9ad5ef 252 rem = (unsigned char) zl & 0xf;
Christopher Haster 1:24750b9ad5ef 253 zl = ( zh << 60 ) | ( zl >> 4 );
Christopher Haster 1:24750b9ad5ef 254 zh = ( zh >> 4 );
Christopher Haster 1:24750b9ad5ef 255 zh ^= (uint64_t) last4[rem] << 48;
Christopher Haster 1:24750b9ad5ef 256 zh ^= ctx->HH[hi];
Christopher Haster 1:24750b9ad5ef 257 zl ^= ctx->HL[hi];
Christopher Haster 1:24750b9ad5ef 258 }
Christopher Haster 1:24750b9ad5ef 259
Christopher Haster 1:24750b9ad5ef 260 PUT_UINT32_BE( zh >> 32, output, 0 );
Christopher Haster 1:24750b9ad5ef 261 PUT_UINT32_BE( zh, output, 4 );
Christopher Haster 1:24750b9ad5ef 262 PUT_UINT32_BE( zl >> 32, output, 8 );
Christopher Haster 1:24750b9ad5ef 263 PUT_UINT32_BE( zl, output, 12 );
Christopher Haster 1:24750b9ad5ef 264 }
Christopher Haster 1:24750b9ad5ef 265
Christopher Haster 1:24750b9ad5ef 266 int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
Christopher Haster 1:24750b9ad5ef 267 int mode,
Christopher Haster 1:24750b9ad5ef 268 const unsigned char *iv,
Christopher Haster 1:24750b9ad5ef 269 size_t iv_len,
Christopher Haster 1:24750b9ad5ef 270 const unsigned char *add,
Christopher Haster 1:24750b9ad5ef 271 size_t add_len )
Christopher Haster 1:24750b9ad5ef 272 {
Christopher Haster 1:24750b9ad5ef 273 int ret;
Christopher Haster 1:24750b9ad5ef 274 unsigned char work_buf[16];
Christopher Haster 1:24750b9ad5ef 275 size_t i;
Christopher Haster 1:24750b9ad5ef 276 const unsigned char *p;
Christopher Haster 1:24750b9ad5ef 277 size_t use_len, olen = 0;
Christopher Haster 1:24750b9ad5ef 278
Christopher Haster 1:24750b9ad5ef 279 /* IV and AD are limited to 2^64 bits, so 2^61 bytes */
Christopher Haster 1:24750b9ad5ef 280 if( ( (uint64_t) iv_len ) >> 61 != 0 ||
Christopher Haster 1:24750b9ad5ef 281 ( (uint64_t) add_len ) >> 61 != 0 )
Christopher Haster 1:24750b9ad5ef 282 {
Christopher Haster 1:24750b9ad5ef 283 return( MBEDTLS_ERR_GCM_BAD_INPUT );
Christopher Haster 1:24750b9ad5ef 284 }
Christopher Haster 1:24750b9ad5ef 285
Christopher Haster 1:24750b9ad5ef 286 memset( ctx->y, 0x00, sizeof(ctx->y) );
Christopher Haster 1:24750b9ad5ef 287 memset( ctx->buf, 0x00, sizeof(ctx->buf) );
Christopher Haster 1:24750b9ad5ef 288
Christopher Haster 1:24750b9ad5ef 289 ctx->mode = mode;
Christopher Haster 1:24750b9ad5ef 290 ctx->len = 0;
Christopher Haster 1:24750b9ad5ef 291 ctx->add_len = 0;
Christopher Haster 1:24750b9ad5ef 292
Christopher Haster 1:24750b9ad5ef 293 if( iv_len == 12 )
Christopher Haster 1:24750b9ad5ef 294 {
Christopher Haster 1:24750b9ad5ef 295 memcpy( ctx->y, iv, iv_len );
Christopher Haster 1:24750b9ad5ef 296 ctx->y[15] = 1;
Christopher Haster 1:24750b9ad5ef 297 }
Christopher Haster 1:24750b9ad5ef 298 else
Christopher Haster 1:24750b9ad5ef 299 {
Christopher Haster 1:24750b9ad5ef 300 memset( work_buf, 0x00, 16 );
Christopher Haster 1:24750b9ad5ef 301 PUT_UINT32_BE( iv_len * 8, work_buf, 12 );
Christopher Haster 1:24750b9ad5ef 302
Christopher Haster 1:24750b9ad5ef 303 p = iv;
Christopher Haster 1:24750b9ad5ef 304 while( iv_len > 0 )
Christopher Haster 1:24750b9ad5ef 305 {
Christopher Haster 1:24750b9ad5ef 306 use_len = ( iv_len < 16 ) ? iv_len : 16;
Christopher Haster 1:24750b9ad5ef 307
Christopher Haster 1:24750b9ad5ef 308 for( i = 0; i < use_len; i++ )
Christopher Haster 1:24750b9ad5ef 309 ctx->y[i] ^= p[i];
Christopher Haster 1:24750b9ad5ef 310
Christopher Haster 1:24750b9ad5ef 311 gcm_mult( ctx, ctx->y, ctx->y );
Christopher Haster 1:24750b9ad5ef 312
Christopher Haster 1:24750b9ad5ef 313 iv_len -= use_len;
Christopher Haster 1:24750b9ad5ef 314 p += use_len;
Christopher Haster 1:24750b9ad5ef 315 }
Christopher Haster 1:24750b9ad5ef 316
Christopher Haster 1:24750b9ad5ef 317 for( i = 0; i < 16; i++ )
Christopher Haster 1:24750b9ad5ef 318 ctx->y[i] ^= work_buf[i];
Christopher Haster 1:24750b9ad5ef 319
Christopher Haster 1:24750b9ad5ef 320 gcm_mult( ctx, ctx->y, ctx->y );
Christopher Haster 1:24750b9ad5ef 321 }
Christopher Haster 1:24750b9ad5ef 322
Christopher Haster 1:24750b9ad5ef 323 if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ctx->base_ectr,
Christopher Haster 1:24750b9ad5ef 324 &olen ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 325 {
Christopher Haster 1:24750b9ad5ef 326 return( ret );
Christopher Haster 1:24750b9ad5ef 327 }
Christopher Haster 1:24750b9ad5ef 328
Christopher Haster 1:24750b9ad5ef 329 ctx->add_len = add_len;
Christopher Haster 1:24750b9ad5ef 330 p = add;
Christopher Haster 1:24750b9ad5ef 331 while( add_len > 0 )
Christopher Haster 1:24750b9ad5ef 332 {
Christopher Haster 1:24750b9ad5ef 333 use_len = ( add_len < 16 ) ? add_len : 16;
Christopher Haster 1:24750b9ad5ef 334
Christopher Haster 1:24750b9ad5ef 335 for( i = 0; i < use_len; i++ )
Christopher Haster 1:24750b9ad5ef 336 ctx->buf[i] ^= p[i];
Christopher Haster 1:24750b9ad5ef 337
Christopher Haster 1:24750b9ad5ef 338 gcm_mult( ctx, ctx->buf, ctx->buf );
Christopher Haster 1:24750b9ad5ef 339
Christopher Haster 1:24750b9ad5ef 340 add_len -= use_len;
Christopher Haster 1:24750b9ad5ef 341 p += use_len;
Christopher Haster 1:24750b9ad5ef 342 }
Christopher Haster 1:24750b9ad5ef 343
Christopher Haster 1:24750b9ad5ef 344 return( 0 );
Christopher Haster 1:24750b9ad5ef 345 }
Christopher Haster 1:24750b9ad5ef 346
Christopher Haster 1:24750b9ad5ef 347 int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
Christopher Haster 1:24750b9ad5ef 348 size_t length,
Christopher Haster 1:24750b9ad5ef 349 const unsigned char *input,
Christopher Haster 1:24750b9ad5ef 350 unsigned char *output )
Christopher Haster 1:24750b9ad5ef 351 {
Christopher Haster 1:24750b9ad5ef 352 int ret;
Christopher Haster 1:24750b9ad5ef 353 unsigned char ectr[16];
Christopher Haster 1:24750b9ad5ef 354 size_t i;
Christopher Haster 1:24750b9ad5ef 355 const unsigned char *p;
Christopher Haster 1:24750b9ad5ef 356 unsigned char *out_p = output;
Christopher Haster 1:24750b9ad5ef 357 size_t use_len, olen = 0;
Christopher Haster 1:24750b9ad5ef 358
Christopher Haster 1:24750b9ad5ef 359 if( output > input && (size_t) ( output - input ) < length )
Christopher Haster 1:24750b9ad5ef 360 return( MBEDTLS_ERR_GCM_BAD_INPUT );
Christopher Haster 1:24750b9ad5ef 361
Christopher Haster 1:24750b9ad5ef 362 /* Total length is restricted to 2^39 - 256 bits, ie 2^36 - 2^5 bytes
Christopher Haster 1:24750b9ad5ef 363 * Also check for possible overflow */
Christopher Haster 1:24750b9ad5ef 364 if( ctx->len + length < ctx->len ||
Christopher Haster 1:24750b9ad5ef 365 (uint64_t) ctx->len + length > 0x03FFFFE0ull )
Christopher Haster 1:24750b9ad5ef 366 {
Christopher Haster 1:24750b9ad5ef 367 return( MBEDTLS_ERR_GCM_BAD_INPUT );
Christopher Haster 1:24750b9ad5ef 368 }
Christopher Haster 1:24750b9ad5ef 369
Christopher Haster 1:24750b9ad5ef 370 ctx->len += length;
Christopher Haster 1:24750b9ad5ef 371
Christopher Haster 1:24750b9ad5ef 372 p = input;
Christopher Haster 1:24750b9ad5ef 373 while( length > 0 )
Christopher Haster 1:24750b9ad5ef 374 {
Christopher Haster 1:24750b9ad5ef 375 use_len = ( length < 16 ) ? length : 16;
Christopher Haster 1:24750b9ad5ef 376
Christopher Haster 1:24750b9ad5ef 377 for( i = 16; i > 12; i-- )
Christopher Haster 1:24750b9ad5ef 378 if( ++ctx->y[i - 1] != 0 )
Christopher Haster 1:24750b9ad5ef 379 break;
Christopher Haster 1:24750b9ad5ef 380
Christopher Haster 1:24750b9ad5ef 381 if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, ctx->y, 16, ectr,
Christopher Haster 1:24750b9ad5ef 382 &olen ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 383 {
Christopher Haster 1:24750b9ad5ef 384 return( ret );
Christopher Haster 1:24750b9ad5ef 385 }
Christopher Haster 1:24750b9ad5ef 386
Christopher Haster 1:24750b9ad5ef 387 for( i = 0; i < use_len; i++ )
Christopher Haster 1:24750b9ad5ef 388 {
Christopher Haster 1:24750b9ad5ef 389 if( ctx->mode == MBEDTLS_GCM_DECRYPT )
Christopher Haster 1:24750b9ad5ef 390 ctx->buf[i] ^= p[i];
Christopher Haster 1:24750b9ad5ef 391 out_p[i] = ectr[i] ^ p[i];
Christopher Haster 1:24750b9ad5ef 392 if( ctx->mode == MBEDTLS_GCM_ENCRYPT )
Christopher Haster 1:24750b9ad5ef 393 ctx->buf[i] ^= out_p[i];
Christopher Haster 1:24750b9ad5ef 394 }
Christopher Haster 1:24750b9ad5ef 395
Christopher Haster 1:24750b9ad5ef 396 gcm_mult( ctx, ctx->buf, ctx->buf );
Christopher Haster 1:24750b9ad5ef 397
Christopher Haster 1:24750b9ad5ef 398 length -= use_len;
Christopher Haster 1:24750b9ad5ef 399 p += use_len;
Christopher Haster 1:24750b9ad5ef 400 out_p += use_len;
Christopher Haster 1:24750b9ad5ef 401 }
Christopher Haster 1:24750b9ad5ef 402
Christopher Haster 1:24750b9ad5ef 403 return( 0 );
Christopher Haster 1:24750b9ad5ef 404 }
Christopher Haster 1:24750b9ad5ef 405
Christopher Haster 1:24750b9ad5ef 406 int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
Christopher Haster 1:24750b9ad5ef 407 unsigned char *tag,
Christopher Haster 1:24750b9ad5ef 408 size_t tag_len )
Christopher Haster 1:24750b9ad5ef 409 {
Christopher Haster 1:24750b9ad5ef 410 unsigned char work_buf[16];
Christopher Haster 1:24750b9ad5ef 411 size_t i;
Christopher Haster 1:24750b9ad5ef 412 uint64_t orig_len = ctx->len * 8;
Christopher Haster 1:24750b9ad5ef 413 uint64_t orig_add_len = ctx->add_len * 8;
Christopher Haster 1:24750b9ad5ef 414
Christopher Haster 1:24750b9ad5ef 415 if( tag_len > 16 || tag_len < 4 )
Christopher Haster 1:24750b9ad5ef 416 return( MBEDTLS_ERR_GCM_BAD_INPUT );
Christopher Haster 1:24750b9ad5ef 417
Christopher Haster 1:24750b9ad5ef 418 if( tag_len != 0 )
Christopher Haster 1:24750b9ad5ef 419 memcpy( tag, ctx->base_ectr, tag_len );
Christopher Haster 1:24750b9ad5ef 420
Christopher Haster 1:24750b9ad5ef 421 if( orig_len || orig_add_len )
Christopher Haster 1:24750b9ad5ef 422 {
Christopher Haster 1:24750b9ad5ef 423 memset( work_buf, 0x00, 16 );
Christopher Haster 1:24750b9ad5ef 424
Christopher Haster 1:24750b9ad5ef 425 PUT_UINT32_BE( ( orig_add_len >> 32 ), work_buf, 0 );
Christopher Haster 1:24750b9ad5ef 426 PUT_UINT32_BE( ( orig_add_len ), work_buf, 4 );
Christopher Haster 1:24750b9ad5ef 427 PUT_UINT32_BE( ( orig_len >> 32 ), work_buf, 8 );
Christopher Haster 1:24750b9ad5ef 428 PUT_UINT32_BE( ( orig_len ), work_buf, 12 );
Christopher Haster 1:24750b9ad5ef 429
Christopher Haster 1:24750b9ad5ef 430 for( i = 0; i < 16; i++ )
Christopher Haster 1:24750b9ad5ef 431 ctx->buf[i] ^= work_buf[i];
Christopher Haster 1:24750b9ad5ef 432
Christopher Haster 1:24750b9ad5ef 433 gcm_mult( ctx, ctx->buf, ctx->buf );
Christopher Haster 1:24750b9ad5ef 434
Christopher Haster 1:24750b9ad5ef 435 for( i = 0; i < tag_len; i++ )
Christopher Haster 1:24750b9ad5ef 436 tag[i] ^= ctx->buf[i];
Christopher Haster 1:24750b9ad5ef 437 }
Christopher Haster 1:24750b9ad5ef 438
Christopher Haster 1:24750b9ad5ef 439 return( 0 );
Christopher Haster 1:24750b9ad5ef 440 }
Christopher Haster 1:24750b9ad5ef 441
Christopher Haster 1:24750b9ad5ef 442 int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
Christopher Haster 1:24750b9ad5ef 443 int mode,
Christopher Haster 1:24750b9ad5ef 444 size_t length,
Christopher Haster 1:24750b9ad5ef 445 const unsigned char *iv,
Christopher Haster 1:24750b9ad5ef 446 size_t iv_len,
Christopher Haster 1:24750b9ad5ef 447 const unsigned char *add,
Christopher Haster 1:24750b9ad5ef 448 size_t add_len,
Christopher Haster 1:24750b9ad5ef 449 const unsigned char *input,
Christopher Haster 1:24750b9ad5ef 450 unsigned char *output,
Christopher Haster 1:24750b9ad5ef 451 size_t tag_len,
Christopher Haster 1:24750b9ad5ef 452 unsigned char *tag )
Christopher Haster 1:24750b9ad5ef 453 {
Christopher Haster 1:24750b9ad5ef 454 int ret;
Christopher Haster 1:24750b9ad5ef 455
Christopher Haster 1:24750b9ad5ef 456 if( ( ret = mbedtls_gcm_starts( ctx, mode, iv, iv_len, add, add_len ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 457 return( ret );
Christopher Haster 1:24750b9ad5ef 458
Christopher Haster 1:24750b9ad5ef 459 if( ( ret = mbedtls_gcm_update( ctx, length, input, output ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 460 return( ret );
Christopher Haster 1:24750b9ad5ef 461
Christopher Haster 1:24750b9ad5ef 462 if( ( ret = mbedtls_gcm_finish( ctx, tag, tag_len ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 463 return( ret );
Christopher Haster 1:24750b9ad5ef 464
Christopher Haster 1:24750b9ad5ef 465 return( 0 );
Christopher Haster 1:24750b9ad5ef 466 }
Christopher Haster 1:24750b9ad5ef 467
Christopher Haster 1:24750b9ad5ef 468 int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
Christopher Haster 1:24750b9ad5ef 469 size_t length,
Christopher Haster 1:24750b9ad5ef 470 const unsigned char *iv,
Christopher Haster 1:24750b9ad5ef 471 size_t iv_len,
Christopher Haster 1:24750b9ad5ef 472 const unsigned char *add,
Christopher Haster 1:24750b9ad5ef 473 size_t add_len,
Christopher Haster 1:24750b9ad5ef 474 const unsigned char *tag,
Christopher Haster 1:24750b9ad5ef 475 size_t tag_len,
Christopher Haster 1:24750b9ad5ef 476 const unsigned char *input,
Christopher Haster 1:24750b9ad5ef 477 unsigned char *output )
Christopher Haster 1:24750b9ad5ef 478 {
Christopher Haster 1:24750b9ad5ef 479 int ret;
Christopher Haster 1:24750b9ad5ef 480 unsigned char check_tag[16];
Christopher Haster 1:24750b9ad5ef 481 size_t i;
Christopher Haster 1:24750b9ad5ef 482 int diff;
Christopher Haster 1:24750b9ad5ef 483
Christopher Haster 1:24750b9ad5ef 484 if( ( ret = mbedtls_gcm_crypt_and_tag( ctx, MBEDTLS_GCM_DECRYPT, length,
Christopher Haster 1:24750b9ad5ef 485 iv, iv_len, add, add_len,
Christopher Haster 1:24750b9ad5ef 486 input, output, tag_len, check_tag ) ) != 0 )
Christopher Haster 1:24750b9ad5ef 487 {
Christopher Haster 1:24750b9ad5ef 488 return( ret );
Christopher Haster 1:24750b9ad5ef 489 }
Christopher Haster 1:24750b9ad5ef 490
Christopher Haster 1:24750b9ad5ef 491 /* Check tag in "constant-time" */
Christopher Haster 1:24750b9ad5ef 492 for( diff = 0, i = 0; i < tag_len; i++ )
Christopher Haster 1:24750b9ad5ef 493 diff |= tag[i] ^ check_tag[i];
Christopher Haster 1:24750b9ad5ef 494
Christopher Haster 1:24750b9ad5ef 495 if( diff != 0 )
Christopher Haster 1:24750b9ad5ef 496 {
Christopher Haster 1:24750b9ad5ef 497 mbedtls_zeroize( output, length );
Christopher Haster 1:24750b9ad5ef 498 return( MBEDTLS_ERR_GCM_AUTH_FAILED );
Christopher Haster 1:24750b9ad5ef 499 }
Christopher Haster 1:24750b9ad5ef 500
Christopher Haster 1:24750b9ad5ef 501 return( 0 );
Christopher Haster 1:24750b9ad5ef 502 }
Christopher Haster 1:24750b9ad5ef 503
Christopher Haster 1:24750b9ad5ef 504 void mbedtls_gcm_free( mbedtls_gcm_context *ctx )
Christopher Haster 1:24750b9ad5ef 505 {
Christopher Haster 1:24750b9ad5ef 506 mbedtls_cipher_free( &ctx->cipher_ctx );
Christopher Haster 1:24750b9ad5ef 507 mbedtls_zeroize( ctx, sizeof( mbedtls_gcm_context ) );
Christopher Haster 1:24750b9ad5ef 508 }
Christopher Haster 1:24750b9ad5ef 509
Christopher Haster 1:24750b9ad5ef 510 #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
Christopher Haster 1:24750b9ad5ef 511 /*
Christopher Haster 1:24750b9ad5ef 512 * AES-GCM test vectors from:
Christopher Haster 1:24750b9ad5ef 513 *
Christopher Haster 1:24750b9ad5ef 514 * http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmtestvectors.zip
Christopher Haster 1:24750b9ad5ef 515 */
Christopher Haster 1:24750b9ad5ef 516 #define MAX_TESTS 6
Christopher Haster 1:24750b9ad5ef 517
Christopher Haster 1:24750b9ad5ef 518 static const int key_index[MAX_TESTS] =
Christopher Haster 1:24750b9ad5ef 519 { 0, 0, 1, 1, 1, 1 };
Christopher Haster 1:24750b9ad5ef 520
Christopher Haster 1:24750b9ad5ef 521 static const unsigned char key[MAX_TESTS][32] =
Christopher Haster 1:24750b9ad5ef 522 {
Christopher Haster 1:24750b9ad5ef 523 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Christopher Haster 1:24750b9ad5ef 524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Christopher Haster 1:24750b9ad5ef 525 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Christopher Haster 1:24750b9ad5ef 526 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
Christopher Haster 1:24750b9ad5ef 527 { 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
Christopher Haster 1:24750b9ad5ef 528 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
Christopher Haster 1:24750b9ad5ef 529 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
Christopher Haster 1:24750b9ad5ef 530 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 },
Christopher Haster 1:24750b9ad5ef 531 };
Christopher Haster 1:24750b9ad5ef 532
Christopher Haster 1:24750b9ad5ef 533 static const size_t iv_len[MAX_TESTS] =
Christopher Haster 1:24750b9ad5ef 534 { 12, 12, 12, 12, 8, 60 };
Christopher Haster 1:24750b9ad5ef 535
Christopher Haster 1:24750b9ad5ef 536 static const int iv_index[MAX_TESTS] =
Christopher Haster 1:24750b9ad5ef 537 { 0, 0, 1, 1, 1, 2 };
Christopher Haster 1:24750b9ad5ef 538
Christopher Haster 1:24750b9ad5ef 539 static const unsigned char iv[MAX_TESTS][64] =
Christopher Haster 1:24750b9ad5ef 540 {
Christopher Haster 1:24750b9ad5ef 541 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Christopher Haster 1:24750b9ad5ef 542 0x00, 0x00, 0x00, 0x00 },
Christopher Haster 1:24750b9ad5ef 543 { 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
Christopher Haster 1:24750b9ad5ef 544 0xde, 0xca, 0xf8, 0x88 },
Christopher Haster 1:24750b9ad5ef 545 { 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
Christopher Haster 1:24750b9ad5ef 546 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
Christopher Haster 1:24750b9ad5ef 547 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
Christopher Haster 1:24750b9ad5ef 548 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
Christopher Haster 1:24750b9ad5ef 549 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
Christopher Haster 1:24750b9ad5ef 550 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
Christopher Haster 1:24750b9ad5ef 551 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
Christopher Haster 1:24750b9ad5ef 552 0xa6, 0x37, 0xb3, 0x9b },
Christopher Haster 1:24750b9ad5ef 553 };
Christopher Haster 1:24750b9ad5ef 554
Christopher Haster 1:24750b9ad5ef 555 static const size_t add_len[MAX_TESTS] =
Christopher Haster 1:24750b9ad5ef 556 { 0, 0, 0, 20, 20, 20 };
Christopher Haster 1:24750b9ad5ef 557
Christopher Haster 1:24750b9ad5ef 558 static const int add_index[MAX_TESTS] =
Christopher Haster 1:24750b9ad5ef 559 { 0, 0, 0, 1, 1, 1 };
Christopher Haster 1:24750b9ad5ef 560
Christopher Haster 1:24750b9ad5ef 561 static const unsigned char additional[MAX_TESTS][64] =
Christopher Haster 1:24750b9ad5ef 562 {
Christopher Haster 1:24750b9ad5ef 563 { 0x00 },
Christopher Haster 1:24750b9ad5ef 564 { 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
Christopher Haster 1:24750b9ad5ef 565 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
Christopher Haster 1:24750b9ad5ef 566 0xab, 0xad, 0xda, 0xd2 },
Christopher Haster 1:24750b9ad5ef 567 };
Christopher Haster 1:24750b9ad5ef 568
Christopher Haster 1:24750b9ad5ef 569 static const size_t pt_len[MAX_TESTS] =
Christopher Haster 1:24750b9ad5ef 570 { 0, 16, 64, 60, 60, 60 };
Christopher Haster 1:24750b9ad5ef 571
Christopher Haster 1:24750b9ad5ef 572 static const int pt_index[MAX_TESTS] =
Christopher Haster 1:24750b9ad5ef 573 { 0, 0, 1, 1, 1, 1 };
Christopher Haster 1:24750b9ad5ef 574
Christopher Haster 1:24750b9ad5ef 575 static const unsigned char pt[MAX_TESTS][64] =
Christopher Haster 1:24750b9ad5ef 576 {
Christopher Haster 1:24750b9ad5ef 577 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
Christopher Haster 1:24750b9ad5ef 578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
Christopher Haster 1:24750b9ad5ef 579 { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
Christopher Haster 1:24750b9ad5ef 580 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
Christopher Haster 1:24750b9ad5ef 581 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
Christopher Haster 1:24750b9ad5ef 582 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
Christopher Haster 1:24750b9ad5ef 583 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
Christopher Haster 1:24750b9ad5ef 584 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
Christopher Haster 1:24750b9ad5ef 585 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
Christopher Haster 1:24750b9ad5ef 586 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
Christopher Haster 1:24750b9ad5ef 587 };
Christopher Haster 1:24750b9ad5ef 588
Christopher Haster 1:24750b9ad5ef 589 static const unsigned char ct[MAX_TESTS * 3][64] =
Christopher Haster 1:24750b9ad5ef 590 {
Christopher Haster 1:24750b9ad5ef 591 { 0x00 },
Christopher Haster 1:24750b9ad5ef 592 { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
Christopher Haster 1:24750b9ad5ef 593 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 },
Christopher Haster 1:24750b9ad5ef 594 { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
Christopher Haster 1:24750b9ad5ef 595 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
Christopher Haster 1:24750b9ad5ef 596 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
Christopher Haster 1:24750b9ad5ef 597 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
Christopher Haster 1:24750b9ad5ef 598 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
Christopher Haster 1:24750b9ad5ef 599 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
Christopher Haster 1:24750b9ad5ef 600 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
Christopher Haster 1:24750b9ad5ef 601 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 },
Christopher Haster 1:24750b9ad5ef 602 { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
Christopher Haster 1:24750b9ad5ef 603 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
Christopher Haster 1:24750b9ad5ef 604 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
Christopher Haster 1:24750b9ad5ef 605 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
Christopher Haster 1:24750b9ad5ef 606 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
Christopher Haster 1:24750b9ad5ef 607 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
Christopher Haster 1:24750b9ad5ef 608 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
Christopher Haster 1:24750b9ad5ef 609 0x3d, 0x58, 0xe0, 0x91 },
Christopher Haster 1:24750b9ad5ef 610 { 0x61, 0x35, 0x3b, 0x4c, 0x28, 0x06, 0x93, 0x4a,
Christopher Haster 1:24750b9ad5ef 611 0x77, 0x7f, 0xf5, 0x1f, 0xa2, 0x2a, 0x47, 0x55,
Christopher Haster 1:24750b9ad5ef 612 0x69, 0x9b, 0x2a, 0x71, 0x4f, 0xcd, 0xc6, 0xf8,
Christopher Haster 1:24750b9ad5ef 613 0x37, 0x66, 0xe5, 0xf9, 0x7b, 0x6c, 0x74, 0x23,
Christopher Haster 1:24750b9ad5ef 614 0x73, 0x80, 0x69, 0x00, 0xe4, 0x9f, 0x24, 0xb2,
Christopher Haster 1:24750b9ad5ef 615 0x2b, 0x09, 0x75, 0x44, 0xd4, 0x89, 0x6b, 0x42,
Christopher Haster 1:24750b9ad5ef 616 0x49, 0x89, 0xb5, 0xe1, 0xeb, 0xac, 0x0f, 0x07,
Christopher Haster 1:24750b9ad5ef 617 0xc2, 0x3f, 0x45, 0x98 },
Christopher Haster 1:24750b9ad5ef 618 { 0x8c, 0xe2, 0x49, 0x98, 0x62, 0x56, 0x15, 0xb6,
Christopher Haster 1:24750b9ad5ef 619 0x03, 0xa0, 0x33, 0xac, 0xa1, 0x3f, 0xb8, 0x94,
Christopher Haster 1:24750b9ad5ef 620 0xbe, 0x91, 0x12, 0xa5, 0xc3, 0xa2, 0x11, 0xa8,
Christopher Haster 1:24750b9ad5ef 621 0xba, 0x26, 0x2a, 0x3c, 0xca, 0x7e, 0x2c, 0xa7,
Christopher Haster 1:24750b9ad5ef 622 0x01, 0xe4, 0xa9, 0xa4, 0xfb, 0xa4, 0x3c, 0x90,
Christopher Haster 1:24750b9ad5ef 623 0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
Christopher Haster 1:24750b9ad5ef 624 0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
Christopher Haster 1:24750b9ad5ef 625 0x4c, 0x34, 0xae, 0xe5 },
Christopher Haster 1:24750b9ad5ef 626 { 0x00 },
Christopher Haster 1:24750b9ad5ef 627 { 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
Christopher Haster 1:24750b9ad5ef 628 0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 },
Christopher Haster 1:24750b9ad5ef 629 { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
Christopher Haster 1:24750b9ad5ef 630 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
Christopher Haster 1:24750b9ad5ef 631 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
Christopher Haster 1:24750b9ad5ef 632 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
Christopher Haster 1:24750b9ad5ef 633 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
Christopher Haster 1:24750b9ad5ef 634 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
Christopher Haster 1:24750b9ad5ef 635 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
Christopher Haster 1:24750b9ad5ef 636 0xcc, 0xda, 0x27, 0x10, 0xac, 0xad, 0xe2, 0x56 },
Christopher Haster 1:24750b9ad5ef 637 { 0x39, 0x80, 0xca, 0x0b, 0x3c, 0x00, 0xe8, 0x41,
Christopher Haster 1:24750b9ad5ef 638 0xeb, 0x06, 0xfa, 0xc4, 0x87, 0x2a, 0x27, 0x57,
Christopher Haster 1:24750b9ad5ef 639 0x85, 0x9e, 0x1c, 0xea, 0xa6, 0xef, 0xd9, 0x84,
Christopher Haster 1:24750b9ad5ef 640 0x62, 0x85, 0x93, 0xb4, 0x0c, 0xa1, 0xe1, 0x9c,
Christopher Haster 1:24750b9ad5ef 641 0x7d, 0x77, 0x3d, 0x00, 0xc1, 0x44, 0xc5, 0x25,
Christopher Haster 1:24750b9ad5ef 642 0xac, 0x61, 0x9d, 0x18, 0xc8, 0x4a, 0x3f, 0x47,
Christopher Haster 1:24750b9ad5ef 643 0x18, 0xe2, 0x44, 0x8b, 0x2f, 0xe3, 0x24, 0xd9,
Christopher Haster 1:24750b9ad5ef 644 0xcc, 0xda, 0x27, 0x10 },
Christopher Haster 1:24750b9ad5ef 645 { 0x0f, 0x10, 0xf5, 0x99, 0xae, 0x14, 0xa1, 0x54,
Christopher Haster 1:24750b9ad5ef 646 0xed, 0x24, 0xb3, 0x6e, 0x25, 0x32, 0x4d, 0xb8,
Christopher Haster 1:24750b9ad5ef 647 0xc5, 0x66, 0x63, 0x2e, 0xf2, 0xbb, 0xb3, 0x4f,
Christopher Haster 1:24750b9ad5ef 648 0x83, 0x47, 0x28, 0x0f, 0xc4, 0x50, 0x70, 0x57,
Christopher Haster 1:24750b9ad5ef 649 0xfd, 0xdc, 0x29, 0xdf, 0x9a, 0x47, 0x1f, 0x75,
Christopher Haster 1:24750b9ad5ef 650 0xc6, 0x65, 0x41, 0xd4, 0xd4, 0xda, 0xd1, 0xc9,
Christopher Haster 1:24750b9ad5ef 651 0xe9, 0x3a, 0x19, 0xa5, 0x8e, 0x8b, 0x47, 0x3f,
Christopher Haster 1:24750b9ad5ef 652 0xa0, 0xf0, 0x62, 0xf7 },
Christopher Haster 1:24750b9ad5ef 653 { 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
Christopher Haster 1:24750b9ad5ef 654 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
Christopher Haster 1:24750b9ad5ef 655 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
Christopher Haster 1:24750b9ad5ef 656 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
Christopher Haster 1:24750b9ad5ef 657 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
Christopher Haster 1:24750b9ad5ef 658 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
Christopher Haster 1:24750b9ad5ef 659 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
Christopher Haster 1:24750b9ad5ef 660 0xe9, 0xb7, 0x37, 0x3b },
Christopher Haster 1:24750b9ad5ef 661 { 0x00 },
Christopher Haster 1:24750b9ad5ef 662 { 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,
Christopher Haster 1:24750b9ad5ef 663 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18 },
Christopher Haster 1:24750b9ad5ef 664 { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
Christopher Haster 1:24750b9ad5ef 665 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
Christopher Haster 1:24750b9ad5ef 666 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
Christopher Haster 1:24750b9ad5ef 667 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
Christopher Haster 1:24750b9ad5ef 668 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
Christopher Haster 1:24750b9ad5ef 669 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
Christopher Haster 1:24750b9ad5ef 670 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
Christopher Haster 1:24750b9ad5ef 671 0xbc, 0xc9, 0xf6, 0x62, 0x89, 0x80, 0x15, 0xad },
Christopher Haster 1:24750b9ad5ef 672 { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
Christopher Haster 1:24750b9ad5ef 673 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
Christopher Haster 1:24750b9ad5ef 674 0x64, 0x3a, 0x8c, 0xdc, 0xbf, 0xe5, 0xc0, 0xc9,
Christopher Haster 1:24750b9ad5ef 675 0x75, 0x98, 0xa2, 0xbd, 0x25, 0x55, 0xd1, 0xaa,
Christopher Haster 1:24750b9ad5ef 676 0x8c, 0xb0, 0x8e, 0x48, 0x59, 0x0d, 0xbb, 0x3d,
Christopher Haster 1:24750b9ad5ef 677 0xa7, 0xb0, 0x8b, 0x10, 0x56, 0x82, 0x88, 0x38,
Christopher Haster 1:24750b9ad5ef 678 0xc5, 0xf6, 0x1e, 0x63, 0x93, 0xba, 0x7a, 0x0a,
Christopher Haster 1:24750b9ad5ef 679 0xbc, 0xc9, 0xf6, 0x62 },
Christopher Haster 1:24750b9ad5ef 680 { 0xc3, 0x76, 0x2d, 0xf1, 0xca, 0x78, 0x7d, 0x32,
Christopher Haster 1:24750b9ad5ef 681 0xae, 0x47, 0xc1, 0x3b, 0xf1, 0x98, 0x44, 0xcb,
Christopher Haster 1:24750b9ad5ef 682 0xaf, 0x1a, 0xe1, 0x4d, 0x0b, 0x97, 0x6a, 0xfa,
Christopher Haster 1:24750b9ad5ef 683 0xc5, 0x2f, 0xf7, 0xd7, 0x9b, 0xba, 0x9d, 0xe0,
Christopher Haster 1:24750b9ad5ef 684 0xfe, 0xb5, 0x82, 0xd3, 0x39, 0x34, 0xa4, 0xf0,
Christopher Haster 1:24750b9ad5ef 685 0x95, 0x4c, 0xc2, 0x36, 0x3b, 0xc7, 0x3f, 0x78,
Christopher Haster 1:24750b9ad5ef 686 0x62, 0xac, 0x43, 0x0e, 0x64, 0xab, 0xe4, 0x99,
Christopher Haster 1:24750b9ad5ef 687 0xf4, 0x7c, 0x9b, 0x1f },
Christopher Haster 1:24750b9ad5ef 688 { 0x5a, 0x8d, 0xef, 0x2f, 0x0c, 0x9e, 0x53, 0xf1,
Christopher Haster 1:24750b9ad5ef 689 0xf7, 0x5d, 0x78, 0x53, 0x65, 0x9e, 0x2a, 0x20,
Christopher Haster 1:24750b9ad5ef 690 0xee, 0xb2, 0xb2, 0x2a, 0xaf, 0xde, 0x64, 0x19,
Christopher Haster 1:24750b9ad5ef 691 0xa0, 0x58, 0xab, 0x4f, 0x6f, 0x74, 0x6b, 0xf4,
Christopher Haster 1:24750b9ad5ef 692 0x0f, 0xc0, 0xc3, 0xb7, 0x80, 0xf2, 0x44, 0x45,
Christopher Haster 1:24750b9ad5ef 693 0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
Christopher Haster 1:24750b9ad5ef 694 0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
Christopher Haster 1:24750b9ad5ef 695 0x44, 0xae, 0x7e, 0x3f },
Christopher Haster 1:24750b9ad5ef 696 };
Christopher Haster 1:24750b9ad5ef 697
Christopher Haster 1:24750b9ad5ef 698 static const unsigned char tag[MAX_TESTS * 3][16] =
Christopher Haster 1:24750b9ad5ef 699 {
Christopher Haster 1:24750b9ad5ef 700 { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
Christopher Haster 1:24750b9ad5ef 701 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
Christopher Haster 1:24750b9ad5ef 702 { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd,
Christopher Haster 1:24750b9ad5ef 703 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf },
Christopher Haster 1:24750b9ad5ef 704 { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6,
Christopher Haster 1:24750b9ad5ef 705 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 },
Christopher Haster 1:24750b9ad5ef 706 { 0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
Christopher Haster 1:24750b9ad5ef 707 0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47 },
Christopher Haster 1:24750b9ad5ef 708 { 0x36, 0x12, 0xd2, 0xe7, 0x9e, 0x3b, 0x07, 0x85,
Christopher Haster 1:24750b9ad5ef 709 0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
Christopher Haster 1:24750b9ad5ef 710 { 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
Christopher Haster 1:24750b9ad5ef 711 0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
Christopher Haster 1:24750b9ad5ef 712 { 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
Christopher Haster 1:24750b9ad5ef 713 0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
Christopher Haster 1:24750b9ad5ef 714 { 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
Christopher Haster 1:24750b9ad5ef 715 0x8e, 0xf4, 0xd4, 0x58, 0x75, 0x14, 0xf0, 0xfb },
Christopher Haster 1:24750b9ad5ef 716 { 0x99, 0x24, 0xa7, 0xc8, 0x58, 0x73, 0x36, 0xbf,
Christopher Haster 1:24750b9ad5ef 717 0xb1, 0x18, 0x02, 0x4d, 0xb8, 0x67, 0x4a, 0x14 },
Christopher Haster 1:24750b9ad5ef 718 { 0x25, 0x19, 0x49, 0x8e, 0x80, 0xf1, 0x47, 0x8f,
Christopher Haster 1:24750b9ad5ef 719 0x37, 0xba, 0x55, 0xbd, 0x6d, 0x27, 0x61, 0x8c },
Christopher Haster 1:24750b9ad5ef 720 { 0x65, 0xdc, 0xc5, 0x7f, 0xcf, 0x62, 0x3a, 0x24,
Christopher Haster 1:24750b9ad5ef 721 0x09, 0x4f, 0xcc, 0xa4, 0x0d, 0x35, 0x33, 0xf8 },
Christopher Haster 1:24750b9ad5ef 722 { 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
Christopher Haster 1:24750b9ad5ef 723 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 },
Christopher Haster 1:24750b9ad5ef 724 { 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9,
Christopher Haster 1:24750b9ad5ef 725 0xa9, 0x63, 0xb4, 0xf1, 0xc4, 0xcb, 0x73, 0x8b },
Christopher Haster 1:24750b9ad5ef 726 { 0xd0, 0xd1, 0xc8, 0xa7, 0x99, 0x99, 0x6b, 0xf0,
Christopher Haster 1:24750b9ad5ef 727 0x26, 0x5b, 0x98, 0xb5, 0xd4, 0x8a, 0xb9, 0x19 },
Christopher Haster 1:24750b9ad5ef 728 { 0xb0, 0x94, 0xda, 0xc5, 0xd9, 0x34, 0x71, 0xbd,
Christopher Haster 1:24750b9ad5ef 729 0xec, 0x1a, 0x50, 0x22, 0x70, 0xe3, 0xcc, 0x6c },
Christopher Haster 1:24750b9ad5ef 730 { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
Christopher Haster 1:24750b9ad5ef 731 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b },
Christopher Haster 1:24750b9ad5ef 732 { 0x3a, 0x33, 0x7d, 0xbf, 0x46, 0xa7, 0x92, 0xc4,
Christopher Haster 1:24750b9ad5ef 733 0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 },
Christopher Haster 1:24750b9ad5ef 734 { 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
Christopher Haster 1:24750b9ad5ef 735 0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a },
Christopher Haster 1:24750b9ad5ef 736 };
Christopher Haster 1:24750b9ad5ef 737
Christopher Haster 1:24750b9ad5ef 738 int mbedtls_gcm_self_test( int verbose )
Christopher Haster 1:24750b9ad5ef 739 {
Christopher Haster 1:24750b9ad5ef 740 mbedtls_gcm_context ctx;
Christopher Haster 1:24750b9ad5ef 741 unsigned char buf[64];
Christopher Haster 1:24750b9ad5ef 742 unsigned char tag_buf[16];
Christopher Haster 1:24750b9ad5ef 743 int i, j, ret;
Christopher Haster 1:24750b9ad5ef 744 mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
Christopher Haster 1:24750b9ad5ef 745
Christopher Haster 1:24750b9ad5ef 746 mbedtls_gcm_init( &ctx );
Christopher Haster 1:24750b9ad5ef 747
Christopher Haster 1:24750b9ad5ef 748 for( j = 0; j < 3; j++ )
Christopher Haster 1:24750b9ad5ef 749 {
Christopher Haster 1:24750b9ad5ef 750 int key_len = 128 + 64 * j;
Christopher Haster 1:24750b9ad5ef 751
Christopher Haster 1:24750b9ad5ef 752 for( i = 0; i < MAX_TESTS; i++ )
Christopher Haster 1:24750b9ad5ef 753 {
Christopher Haster 1:24750b9ad5ef 754 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 755 mbedtls_printf( " AES-GCM-%3d #%d (%s): ",
Christopher Haster 1:24750b9ad5ef 756 key_len, i, "enc" );
Christopher Haster 1:24750b9ad5ef 757
Christopher Haster 1:24750b9ad5ef 758 mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], key_len );
Christopher Haster 1:24750b9ad5ef 759
Christopher Haster 1:24750b9ad5ef 760 ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT,
Christopher Haster 1:24750b9ad5ef 761 pt_len[i],
Christopher Haster 1:24750b9ad5ef 762 iv[iv_index[i]], iv_len[i],
Christopher Haster 1:24750b9ad5ef 763 additional[add_index[i]], add_len[i],
Christopher Haster 1:24750b9ad5ef 764 pt[pt_index[i]], buf, 16, tag_buf );
Christopher Haster 1:24750b9ad5ef 765
Christopher Haster 1:24750b9ad5ef 766 if( ret != 0 ||
Christopher Haster 1:24750b9ad5ef 767 memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 ||
Christopher Haster 1:24750b9ad5ef 768 memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
Christopher Haster 1:24750b9ad5ef 769 {
Christopher Haster 1:24750b9ad5ef 770 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 771 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 772
Christopher Haster 1:24750b9ad5ef 773 return( 1 );
Christopher Haster 1:24750b9ad5ef 774 }
Christopher Haster 1:24750b9ad5ef 775
Christopher Haster 1:24750b9ad5ef 776 mbedtls_gcm_free( &ctx );
Christopher Haster 1:24750b9ad5ef 777
Christopher Haster 1:24750b9ad5ef 778 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 779 mbedtls_printf( "passed\n" );
Christopher Haster 1:24750b9ad5ef 780
Christopher Haster 1:24750b9ad5ef 781 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 782 mbedtls_printf( " AES-GCM-%3d #%d (%s): ",
Christopher Haster 1:24750b9ad5ef 783 key_len, i, "dec" );
Christopher Haster 1:24750b9ad5ef 784
Christopher Haster 1:24750b9ad5ef 785 mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], key_len );
Christopher Haster 1:24750b9ad5ef 786
Christopher Haster 1:24750b9ad5ef 787 ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_DECRYPT,
Christopher Haster 1:24750b9ad5ef 788 pt_len[i],
Christopher Haster 1:24750b9ad5ef 789 iv[iv_index[i]], iv_len[i],
Christopher Haster 1:24750b9ad5ef 790 additional[add_index[i]], add_len[i],
Christopher Haster 1:24750b9ad5ef 791 ct[j * 6 + i], buf, 16, tag_buf );
Christopher Haster 1:24750b9ad5ef 792
Christopher Haster 1:24750b9ad5ef 793 if( ret != 0 ||
Christopher Haster 1:24750b9ad5ef 794 memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 ||
Christopher Haster 1:24750b9ad5ef 795 memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
Christopher Haster 1:24750b9ad5ef 796 {
Christopher Haster 1:24750b9ad5ef 797 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 798 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 799
Christopher Haster 1:24750b9ad5ef 800 return( 1 );
Christopher Haster 1:24750b9ad5ef 801 }
Christopher Haster 1:24750b9ad5ef 802
Christopher Haster 1:24750b9ad5ef 803 mbedtls_gcm_free( &ctx );
Christopher Haster 1:24750b9ad5ef 804
Christopher Haster 1:24750b9ad5ef 805 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 806 mbedtls_printf( "passed\n" );
Christopher Haster 1:24750b9ad5ef 807
Christopher Haster 1:24750b9ad5ef 808 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 809 mbedtls_printf( " AES-GCM-%3d #%d split (%s): ",
Christopher Haster 1:24750b9ad5ef 810 key_len, i, "enc" );
Christopher Haster 1:24750b9ad5ef 811
Christopher Haster 1:24750b9ad5ef 812 mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], key_len );
Christopher Haster 1:24750b9ad5ef 813
Christopher Haster 1:24750b9ad5ef 814 ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_ENCRYPT,
Christopher Haster 1:24750b9ad5ef 815 iv[iv_index[i]], iv_len[i],
Christopher Haster 1:24750b9ad5ef 816 additional[add_index[i]], add_len[i] );
Christopher Haster 1:24750b9ad5ef 817 if( ret != 0 )
Christopher Haster 1:24750b9ad5ef 818 {
Christopher Haster 1:24750b9ad5ef 819 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 820 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 821
Christopher Haster 1:24750b9ad5ef 822 return( 1 );
Christopher Haster 1:24750b9ad5ef 823 }
Christopher Haster 1:24750b9ad5ef 824
Christopher Haster 1:24750b9ad5ef 825 if( pt_len[i] > 32 )
Christopher Haster 1:24750b9ad5ef 826 {
Christopher Haster 1:24750b9ad5ef 827 size_t rest_len = pt_len[i] - 32;
Christopher Haster 1:24750b9ad5ef 828 ret = mbedtls_gcm_update( &ctx, 32, pt[pt_index[i]], buf );
Christopher Haster 1:24750b9ad5ef 829 if( ret != 0 )
Christopher Haster 1:24750b9ad5ef 830 {
Christopher Haster 1:24750b9ad5ef 831 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 832 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 833
Christopher Haster 1:24750b9ad5ef 834 return( 1 );
Christopher Haster 1:24750b9ad5ef 835 }
Christopher Haster 1:24750b9ad5ef 836
Christopher Haster 1:24750b9ad5ef 837 ret = mbedtls_gcm_update( &ctx, rest_len, pt[pt_index[i]] + 32,
Christopher Haster 1:24750b9ad5ef 838 buf + 32 );
Christopher Haster 1:24750b9ad5ef 839 if( ret != 0 )
Christopher Haster 1:24750b9ad5ef 840 {
Christopher Haster 1:24750b9ad5ef 841 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 842 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 843
Christopher Haster 1:24750b9ad5ef 844 return( 1 );
Christopher Haster 1:24750b9ad5ef 845 }
Christopher Haster 1:24750b9ad5ef 846 }
Christopher Haster 1:24750b9ad5ef 847 else
Christopher Haster 1:24750b9ad5ef 848 {
Christopher Haster 1:24750b9ad5ef 849 ret = mbedtls_gcm_update( &ctx, pt_len[i], pt[pt_index[i]], buf );
Christopher Haster 1:24750b9ad5ef 850 if( ret != 0 )
Christopher Haster 1:24750b9ad5ef 851 {
Christopher Haster 1:24750b9ad5ef 852 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 853 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 854
Christopher Haster 1:24750b9ad5ef 855 return( 1 );
Christopher Haster 1:24750b9ad5ef 856 }
Christopher Haster 1:24750b9ad5ef 857 }
Christopher Haster 1:24750b9ad5ef 858
Christopher Haster 1:24750b9ad5ef 859 ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 );
Christopher Haster 1:24750b9ad5ef 860 if( ret != 0 ||
Christopher Haster 1:24750b9ad5ef 861 memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 ||
Christopher Haster 1:24750b9ad5ef 862 memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
Christopher Haster 1:24750b9ad5ef 863 {
Christopher Haster 1:24750b9ad5ef 864 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 865 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 866
Christopher Haster 1:24750b9ad5ef 867 return( 1 );
Christopher Haster 1:24750b9ad5ef 868 }
Christopher Haster 1:24750b9ad5ef 869
Christopher Haster 1:24750b9ad5ef 870 mbedtls_gcm_free( &ctx );
Christopher Haster 1:24750b9ad5ef 871
Christopher Haster 1:24750b9ad5ef 872 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 873 mbedtls_printf( "passed\n" );
Christopher Haster 1:24750b9ad5ef 874
Christopher Haster 1:24750b9ad5ef 875 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 876 mbedtls_printf( " AES-GCM-%3d #%d split (%s): ",
Christopher Haster 1:24750b9ad5ef 877 key_len, i, "dec" );
Christopher Haster 1:24750b9ad5ef 878
Christopher Haster 1:24750b9ad5ef 879 mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], key_len );
Christopher Haster 1:24750b9ad5ef 880
Christopher Haster 1:24750b9ad5ef 881 ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_DECRYPT,
Christopher Haster 1:24750b9ad5ef 882 iv[iv_index[i]], iv_len[i],
Christopher Haster 1:24750b9ad5ef 883 additional[add_index[i]], add_len[i] );
Christopher Haster 1:24750b9ad5ef 884 if( ret != 0 )
Christopher Haster 1:24750b9ad5ef 885 {
Christopher Haster 1:24750b9ad5ef 886 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 887 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 888
Christopher Haster 1:24750b9ad5ef 889 return( 1 );
Christopher Haster 1:24750b9ad5ef 890 }
Christopher Haster 1:24750b9ad5ef 891
Christopher Haster 1:24750b9ad5ef 892 if( pt_len[i] > 32 )
Christopher Haster 1:24750b9ad5ef 893 {
Christopher Haster 1:24750b9ad5ef 894 size_t rest_len = pt_len[i] - 32;
Christopher Haster 1:24750b9ad5ef 895 ret = mbedtls_gcm_update( &ctx, 32, ct[j * 6 + i], buf );
Christopher Haster 1:24750b9ad5ef 896 if( ret != 0 )
Christopher Haster 1:24750b9ad5ef 897 {
Christopher Haster 1:24750b9ad5ef 898 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 899 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 900
Christopher Haster 1:24750b9ad5ef 901 return( 1 );
Christopher Haster 1:24750b9ad5ef 902 }
Christopher Haster 1:24750b9ad5ef 903
Christopher Haster 1:24750b9ad5ef 904 ret = mbedtls_gcm_update( &ctx, rest_len, ct[j * 6 + i] + 32,
Christopher Haster 1:24750b9ad5ef 905 buf + 32 );
Christopher Haster 1:24750b9ad5ef 906 if( ret != 0 )
Christopher Haster 1:24750b9ad5ef 907 {
Christopher Haster 1:24750b9ad5ef 908 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 909 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 910
Christopher Haster 1:24750b9ad5ef 911 return( 1 );
Christopher Haster 1:24750b9ad5ef 912 }
Christopher Haster 1:24750b9ad5ef 913 }
Christopher Haster 1:24750b9ad5ef 914 else
Christopher Haster 1:24750b9ad5ef 915 {
Christopher Haster 1:24750b9ad5ef 916 ret = mbedtls_gcm_update( &ctx, pt_len[i], ct[j * 6 + i], buf );
Christopher Haster 1:24750b9ad5ef 917 if( ret != 0 )
Christopher Haster 1:24750b9ad5ef 918 {
Christopher Haster 1:24750b9ad5ef 919 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 920 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 921
Christopher Haster 1:24750b9ad5ef 922 return( 1 );
Christopher Haster 1:24750b9ad5ef 923 }
Christopher Haster 1:24750b9ad5ef 924 }
Christopher Haster 1:24750b9ad5ef 925
Christopher Haster 1:24750b9ad5ef 926 ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 );
Christopher Haster 1:24750b9ad5ef 927 if( ret != 0 ||
Christopher Haster 1:24750b9ad5ef 928 memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 ||
Christopher Haster 1:24750b9ad5ef 929 memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 )
Christopher Haster 1:24750b9ad5ef 930 {
Christopher Haster 1:24750b9ad5ef 931 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 932 mbedtls_printf( "failed\n" );
Christopher Haster 1:24750b9ad5ef 933
Christopher Haster 1:24750b9ad5ef 934 return( 1 );
Christopher Haster 1:24750b9ad5ef 935 }
Christopher Haster 1:24750b9ad5ef 936
Christopher Haster 1:24750b9ad5ef 937 mbedtls_gcm_free( &ctx );
Christopher Haster 1:24750b9ad5ef 938
Christopher Haster 1:24750b9ad5ef 939 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 940 mbedtls_printf( "passed\n" );
Christopher Haster 1:24750b9ad5ef 941
Christopher Haster 1:24750b9ad5ef 942 }
Christopher Haster 1:24750b9ad5ef 943 }
Christopher Haster 1:24750b9ad5ef 944
Christopher Haster 1:24750b9ad5ef 945 if( verbose != 0 )
Christopher Haster 1:24750b9ad5ef 946 mbedtls_printf( "\n" );
Christopher Haster 1:24750b9ad5ef 947
Christopher Haster 1:24750b9ad5ef 948 return( 0 );
Christopher Haster 1:24750b9ad5ef 949 }
Christopher Haster 1:24750b9ad5ef 950
Christopher Haster 1:24750b9ad5ef 951 #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */
Christopher Haster 1:24750b9ad5ef 952
Christopher Haster 1:24750b9ad5ef 953 #endif /* MBEDTLS_GCM_C */