Knight KE
/
Game_Master
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Embed:
(wiki syntax)
Show/hide line numbers
aes.c
00001 /* 00002 * FIPS-197 compliant AES implementation 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 00023 * 00024 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 00025 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 00026 */ 00027 00028 #if !defined(MBEDTLS_CONFIG_FILE) 00029 #include "mbedtls/config.h" 00030 #else 00031 #include MBEDTLS_CONFIG_FILE 00032 #endif 00033 00034 #if defined(MBEDTLS_AES_C) 00035 00036 #include <string.h> 00037 00038 #include "mbedtls/aes.h" 00039 #include "mbedtls/platform_util.h" 00040 #if defined(MBEDTLS_PADLOCK_C) 00041 #include "mbedtls/padlock.h" 00042 #endif 00043 #if defined(MBEDTLS_AESNI_C) 00044 #include "mbedtls/aesni.h" 00045 #endif 00046 00047 #if defined(MBEDTLS_SELF_TEST) 00048 #if defined(MBEDTLS_PLATFORM_C) 00049 #include "mbedtls/platform.h" 00050 #else 00051 #include <stdio.h> 00052 #define mbedtls_printf printf 00053 #endif /* MBEDTLS_PLATFORM_C */ 00054 #endif /* MBEDTLS_SELF_TEST */ 00055 00056 #if !defined(MBEDTLS_AES_ALT) 00057 00058 /* 00059 * 32-bit integer manipulation macros (little endian) 00060 */ 00061 #ifndef GET_UINT32_LE 00062 #define GET_UINT32_LE(n,b,i) \ 00063 { \ 00064 (n) = ( (uint32_t) (b)[(i) ] ) \ 00065 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 00066 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 00067 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 00068 } 00069 #endif 00070 00071 #ifndef PUT_UINT32_LE 00072 #define PUT_UINT32_LE(n,b,i) \ 00073 { \ 00074 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 00075 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 00076 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 00077 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 00078 } 00079 #endif 00080 00081 #if defined(MBEDTLS_PADLOCK_C) && \ 00082 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) ) 00083 static int aes_padlock_ace = -1; 00084 #endif 00085 00086 #if defined(MBEDTLS_AES_ROM_TABLES) 00087 /* 00088 * Forward S-box 00089 */ 00090 static const unsigned char FSb[256] = 00091 { 00092 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 00093 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 00094 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 00095 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 00096 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 00097 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 00098 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 00099 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 00100 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 00101 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 00102 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 00103 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 00104 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 00105 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 00106 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 00107 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 00108 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 00109 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 00110 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 00111 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 00112 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 00113 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 00114 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 00115 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 00116 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 00117 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 00118 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 00119 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 00120 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 00121 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 00122 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 00123 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 00124 }; 00125 00126 /* 00127 * Forward tables 00128 */ 00129 #define FT \ 00130 \ 00131 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \ 00132 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \ 00133 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \ 00134 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \ 00135 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \ 00136 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \ 00137 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \ 00138 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \ 00139 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \ 00140 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \ 00141 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \ 00142 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \ 00143 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \ 00144 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \ 00145 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \ 00146 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \ 00147 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \ 00148 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \ 00149 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \ 00150 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \ 00151 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \ 00152 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \ 00153 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \ 00154 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \ 00155 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \ 00156 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \ 00157 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \ 00158 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \ 00159 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \ 00160 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \ 00161 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \ 00162 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \ 00163 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \ 00164 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \ 00165 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \ 00166 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \ 00167 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \ 00168 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \ 00169 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \ 00170 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \ 00171 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \ 00172 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \ 00173 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \ 00174 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \ 00175 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \ 00176 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \ 00177 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \ 00178 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \ 00179 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \ 00180 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \ 00181 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \ 00182 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \ 00183 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \ 00184 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \ 00185 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \ 00186 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \ 00187 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \ 00188 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \ 00189 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \ 00190 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \ 00191 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \ 00192 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \ 00193 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \ 00194 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C) 00195 00196 #define V(a,b,c,d) 0x##a##b##c##d 00197 static const uint32_t FT0[256] = { FT }; 00198 #undef V 00199 00200 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00201 00202 #define V(a,b,c,d) 0x##b##c##d##a 00203 static const uint32_t FT1[256] = { FT }; 00204 #undef V 00205 00206 #define V(a,b,c,d) 0x##c##d##a##b 00207 static const uint32_t FT2[256] = { FT }; 00208 #undef V 00209 00210 #define V(a,b,c,d) 0x##d##a##b##c 00211 static const uint32_t FT3[256] = { FT }; 00212 #undef V 00213 00214 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00215 00216 #undef FT 00217 00218 /* 00219 * Reverse S-box 00220 */ 00221 static const unsigned char RSb[256] = 00222 { 00223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 00224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 00225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 00226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 00227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 00228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 00229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 00230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 00231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 00232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 00233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 00234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 00235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 00236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 00237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 00238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 00239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 00240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 00241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 00242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 00243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 00244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 00245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 00246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 00247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 00248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 00249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 00250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 00251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 00252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 00253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 00254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 00255 }; 00256 00257 /* 00258 * Reverse tables 00259 */ 00260 #define RT \ 00261 \ 00262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \ 00263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \ 00264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \ 00265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \ 00266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \ 00267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \ 00268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \ 00269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \ 00270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \ 00271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \ 00272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \ 00273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \ 00274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \ 00275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \ 00276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \ 00277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \ 00278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \ 00279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \ 00280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \ 00281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \ 00282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \ 00283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \ 00284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \ 00285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \ 00286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \ 00287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \ 00288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \ 00289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \ 00290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \ 00291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \ 00292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \ 00293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \ 00294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \ 00295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \ 00296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \ 00297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \ 00298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \ 00299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \ 00300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \ 00301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \ 00302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \ 00303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \ 00304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \ 00305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \ 00306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \ 00307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \ 00308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \ 00309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \ 00310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \ 00311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \ 00312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \ 00313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \ 00314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \ 00315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \ 00316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \ 00317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \ 00318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \ 00319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \ 00320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \ 00321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \ 00322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \ 00323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \ 00324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \ 00325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0) 00326 00327 #define V(a,b,c,d) 0x##a##b##c##d 00328 static const uint32_t RT0[256] = { RT }; 00329 #undef V 00330 00331 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00332 00333 #define V(a,b,c,d) 0x##b##c##d##a 00334 static const uint32_t RT1[256] = { RT }; 00335 #undef V 00336 00337 #define V(a,b,c,d) 0x##c##d##a##b 00338 static const uint32_t RT2[256] = { RT }; 00339 #undef V 00340 00341 #define V(a,b,c,d) 0x##d##a##b##c 00342 static const uint32_t RT3[256] = { RT }; 00343 #undef V 00344 00345 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00346 00347 #undef RT 00348 00349 /* 00350 * Round constants 00351 */ 00352 static const uint32_t RCON[10] = 00353 { 00354 0x00000001, 0x00000002, 0x00000004, 0x00000008, 00355 0x00000010, 0x00000020, 0x00000040, 0x00000080, 00356 0x0000001B, 0x00000036 00357 }; 00358 00359 #else /* MBEDTLS_AES_ROM_TABLES */ 00360 00361 /* 00362 * Forward S-box & tables 00363 */ 00364 static unsigned char FSb[256]; 00365 static uint32_t FT0[256]; 00366 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00367 static uint32_t FT1[256]; 00368 static uint32_t FT2[256]; 00369 static uint32_t FT3[256]; 00370 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00371 00372 /* 00373 * Reverse S-box & tables 00374 */ 00375 static unsigned char RSb[256]; 00376 static uint32_t RT0[256]; 00377 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00378 static uint32_t RT1[256]; 00379 static uint32_t RT2[256]; 00380 static uint32_t RT3[256]; 00381 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00382 00383 /* 00384 * Round constants 00385 */ 00386 static uint32_t RCON[10]; 00387 00388 /* 00389 * Tables generation code 00390 */ 00391 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 ) 00392 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) ) 00393 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 ) 00394 00395 static int aes_init_done = 0; 00396 00397 static void aes_gen_tables( void ) 00398 { 00399 int i, x, y, z; 00400 int pow[256]; 00401 int log[256]; 00402 00403 /* 00404 * compute pow and log tables over GF(2^8) 00405 */ 00406 for( i = 0, x = 1; i < 256; i++ ) 00407 { 00408 pow[i] = x; 00409 log[x] = i; 00410 x = ( x ^ XTIME( x ) ) & 0xFF; 00411 } 00412 00413 /* 00414 * calculate the round constants 00415 */ 00416 for( i = 0, x = 1; i < 10; i++ ) 00417 { 00418 RCON[i] = (uint32_t) x; 00419 x = XTIME( x ) & 0xFF; 00420 } 00421 00422 /* 00423 * generate the forward and reverse S-boxes 00424 */ 00425 FSb[0x00] = 0x63; 00426 RSb[0x63] = 0x00; 00427 00428 for( i = 1; i < 256; i++ ) 00429 { 00430 x = pow[255 - log[i]]; 00431 00432 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00433 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00434 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00436 x ^= y ^ 0x63; 00437 00438 FSb[i] = (unsigned char) x; 00439 RSb[x] = (unsigned char) i; 00440 } 00441 00442 /* 00443 * generate the forward and reverse tables 00444 */ 00445 for( i = 0; i < 256; i++ ) 00446 { 00447 x = FSb[i]; 00448 y = XTIME( x ) & 0xFF; 00449 z = ( y ^ x ) & 0xFF; 00450 00451 FT0[i] = ( (uint32_t) y ) ^ 00452 ( (uint32_t) x << 8 ) ^ 00453 ( (uint32_t) x << 16 ) ^ 00454 ( (uint32_t) z << 24 ); 00455 00456 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00457 FT1[i] = ROTL8( FT0[i] ); 00458 FT2[i] = ROTL8( FT1[i] ); 00459 FT3[i] = ROTL8( FT2[i] ); 00460 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00461 00462 x = RSb[i]; 00463 00464 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^ 00465 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^ 00466 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ 00467 ( (uint32_t) MUL( 0x0B, x ) << 24 ); 00468 00469 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00470 RT1[i] = ROTL8( RT0[i] ); 00471 RT2[i] = ROTL8( RT1[i] ); 00472 RT3[i] = ROTL8( RT2[i] ); 00473 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00474 } 00475 } 00476 00477 #undef ROTL8 00478 00479 #endif /* MBEDTLS_AES_ROM_TABLES */ 00480 00481 #if defined(MBEDTLS_AES_FEWER_TABLES) 00482 00483 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) 00484 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) 00485 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) ) 00486 00487 #define AES_RT0(idx) RT0[idx] 00488 #define AES_RT1(idx) ROTL8( RT0[idx] ) 00489 #define AES_RT2(idx) ROTL16( RT0[idx] ) 00490 #define AES_RT3(idx) ROTL24( RT0[idx] ) 00491 00492 #define AES_FT0(idx) FT0[idx] 00493 #define AES_FT1(idx) ROTL8( FT0[idx] ) 00494 #define AES_FT2(idx) ROTL16( FT0[idx] ) 00495 #define AES_FT3(idx) ROTL24( FT0[idx] ) 00496 00497 #else /* MBEDTLS_AES_FEWER_TABLES */ 00498 00499 #define AES_RT0(idx) RT0[idx] 00500 #define AES_RT1(idx) RT1[idx] 00501 #define AES_RT2(idx) RT2[idx] 00502 #define AES_RT3(idx) RT3[idx] 00503 00504 #define AES_FT0(idx) FT0[idx] 00505 #define AES_FT1(idx) FT1[idx] 00506 #define AES_FT2(idx) FT2[idx] 00507 #define AES_FT3(idx) FT3[idx] 00508 00509 #endif /* MBEDTLS_AES_FEWER_TABLES */ 00510 00511 void mbedtls_aes_init( mbedtls_aes_context *ctx ) 00512 { 00513 memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 00514 } 00515 00516 void mbedtls_aes_free( mbedtls_aes_context *ctx ) 00517 { 00518 if( ctx == NULL ) 00519 return; 00520 00521 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 00522 } 00523 00524 /* 00525 * AES key schedule (encryption) 00526 */ 00527 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 00528 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, 00529 unsigned int keybits ) 00530 { 00531 unsigned int i; 00532 uint32_t *RK; 00533 00534 #if !defined(MBEDTLS_AES_ROM_TABLES) 00535 if( aes_init_done == 0 ) 00536 { 00537 aes_gen_tables(); 00538 aes_init_done = 1; 00539 00540 } 00541 #endif 00542 00543 switch( keybits ) 00544 { 00545 case 128: ctx->nr = 10; break; 00546 case 192: ctx->nr = 12; break; 00547 case 256: ctx->nr = 14; break; 00548 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 00549 } 00550 00551 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 00552 if( aes_padlock_ace == -1 ) 00553 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 00554 00555 if( aes_padlock_ace ) 00556 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 00557 else 00558 #endif 00559 ctx->rk = RK = ctx->buf ; 00560 00561 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 00562 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 00563 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk , key, keybits ) ); 00564 #endif 00565 00566 for( i = 0; i < ( keybits >> 5 ); i++ ) 00567 { 00568 GET_UINT32_LE( RK[i], key, i << 2 ); 00569 } 00570 00571 switch( ctx->nr ) 00572 { 00573 case 10: 00574 00575 for( i = 0; i < 10; i++, RK += 4 ) 00576 { 00577 RK[4] = RK[0] ^ RCON[i] ^ 00578 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^ 00579 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^ 00580 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^ 00581 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 ); 00582 00583 RK[5] = RK[1] ^ RK[4]; 00584 RK[6] = RK[2] ^ RK[5]; 00585 RK[7] = RK[3] ^ RK[6]; 00586 } 00587 break; 00588 00589 case 12: 00590 00591 for( i = 0; i < 8; i++, RK += 6 ) 00592 { 00593 RK[6] = RK[0] ^ RCON[i] ^ 00594 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^ 00595 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^ 00596 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^ 00597 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 ); 00598 00599 RK[7] = RK[1] ^ RK[6]; 00600 RK[8] = RK[2] ^ RK[7]; 00601 RK[9] = RK[3] ^ RK[8]; 00602 RK[10] = RK[4] ^ RK[9]; 00603 RK[11] = RK[5] ^ RK[10]; 00604 } 00605 break; 00606 00607 case 14: 00608 00609 for( i = 0; i < 7; i++, RK += 8 ) 00610 { 00611 RK[8] = RK[0] ^ RCON[i] ^ 00612 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^ 00613 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^ 00614 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^ 00615 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 ); 00616 00617 RK[9] = RK[1] ^ RK[8]; 00618 RK[10] = RK[2] ^ RK[9]; 00619 RK[11] = RK[3] ^ RK[10]; 00620 00621 RK[12] = RK[4] ^ 00622 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^ 00623 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^ 00624 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^ 00625 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 ); 00626 00627 RK[13] = RK[5] ^ RK[12]; 00628 RK[14] = RK[6] ^ RK[13]; 00629 RK[15] = RK[7] ^ RK[14]; 00630 } 00631 break; 00632 } 00633 00634 return( 0 ); 00635 } 00636 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 00637 00638 /* 00639 * AES key schedule (decryption) 00640 */ 00641 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) 00642 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, 00643 unsigned int keybits ) 00644 { 00645 int i, j, ret; 00646 mbedtls_aes_context cty; 00647 uint32_t *RK; 00648 uint32_t *SK; 00649 00650 mbedtls_aes_init( &cty ); 00651 00652 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 00653 if( aes_padlock_ace == -1 ) 00654 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 00655 00656 if( aes_padlock_ace ) 00657 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 00658 else 00659 #endif 00660 ctx->rk = RK = ctx->buf ; 00661 00662 /* Also checks keybits */ 00663 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 ) 00664 goto exit; 00665 00666 ctx->nr = cty.nr ; 00667 00668 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 00669 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 00670 { 00671 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk , 00672 (const unsigned char *) cty.rk , ctx->nr ); 00673 goto exit; 00674 } 00675 #endif 00676 00677 SK = cty.rk + cty.nr * 4; 00678 00679 *RK++ = *SK++; 00680 *RK++ = *SK++; 00681 *RK++ = *SK++; 00682 *RK++ = *SK++; 00683 00684 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 ) 00685 { 00686 for( j = 0; j < 4; j++, SK++ ) 00687 { 00688 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^ 00689 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^ 00690 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^ 00691 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] ); 00692 } 00693 } 00694 00695 *RK++ = *SK++; 00696 *RK++ = *SK++; 00697 *RK++ = *SK++; 00698 *RK++ = *SK++; 00699 00700 exit: 00701 mbedtls_aes_free( &cty ); 00702 00703 return( ret ); 00704 } 00705 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ 00706 00707 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 00708 { \ 00709 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \ 00710 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \ 00711 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \ 00712 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \ 00713 \ 00714 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \ 00715 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \ 00716 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \ 00717 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \ 00718 \ 00719 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \ 00720 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \ 00721 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \ 00722 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \ 00723 \ 00724 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \ 00725 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \ 00726 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \ 00727 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \ 00728 } 00729 00730 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 00731 { \ 00732 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \ 00733 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \ 00734 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \ 00735 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \ 00736 \ 00737 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \ 00738 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \ 00739 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \ 00740 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \ 00741 \ 00742 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \ 00743 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \ 00744 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \ 00745 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \ 00746 \ 00747 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \ 00748 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \ 00749 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \ 00750 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \ 00751 } 00752 00753 /* 00754 * AES-ECB block encryption 00755 */ 00756 #if !defined(MBEDTLS_AES_ENCRYPT_ALT) 00757 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, 00758 const unsigned char input[16], 00759 unsigned char output[16] ) 00760 { 00761 int i; 00762 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 00763 00764 RK = ctx->rk ; 00765 00766 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 00767 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 00768 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 00769 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 00770 00771 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 00772 { 00773 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00774 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 00775 } 00776 00777 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00778 00779 X0 = *RK++ ^ \ 00780 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^ 00781 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 00782 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 00783 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 00784 00785 X1 = *RK++ ^ \ 00786 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^ 00787 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 00788 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 00789 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 00790 00791 X2 = *RK++ ^ \ 00792 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^ 00793 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 00794 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 00795 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 00796 00797 X3 = *RK++ ^ \ 00798 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^ 00799 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 00800 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 00801 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 00802 00803 PUT_UINT32_LE( X0, output, 0 ); 00804 PUT_UINT32_LE( X1, output, 4 ); 00805 PUT_UINT32_LE( X2, output, 8 ); 00806 PUT_UINT32_LE( X3, output, 12 ); 00807 00808 return( 0 ); 00809 } 00810 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 00811 00812 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 00813 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, 00814 const unsigned char input[16], 00815 unsigned char output[16] ) 00816 { 00817 mbedtls_internal_aes_encrypt( ctx, input, output ); 00818 } 00819 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 00820 00821 /* 00822 * AES-ECB block decryption 00823 */ 00824 #if !defined(MBEDTLS_AES_DECRYPT_ALT) 00825 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, 00826 const unsigned char input[16], 00827 unsigned char output[16] ) 00828 { 00829 int i; 00830 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 00831 00832 RK = ctx->rk ; 00833 00834 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 00835 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 00836 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 00837 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 00838 00839 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 00840 { 00841 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00842 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 00843 } 00844 00845 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00846 00847 X0 = *RK++ ^ \ 00848 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^ 00849 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 00850 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 00851 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 00852 00853 X1 = *RK++ ^ \ 00854 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^ 00855 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 00856 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 00857 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 00858 00859 X2 = *RK++ ^ \ 00860 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^ 00861 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 00862 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 00863 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 00864 00865 X3 = *RK++ ^ \ 00866 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^ 00867 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 00868 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 00869 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 00870 00871 PUT_UINT32_LE( X0, output, 0 ); 00872 PUT_UINT32_LE( X1, output, 4 ); 00873 PUT_UINT32_LE( X2, output, 8 ); 00874 PUT_UINT32_LE( X3, output, 12 ); 00875 00876 return( 0 ); 00877 } 00878 #endif /* !MBEDTLS_AES_DECRYPT_ALT */ 00879 00880 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 00881 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, 00882 const unsigned char input[16], 00883 unsigned char output[16] ) 00884 { 00885 mbedtls_internal_aes_decrypt( ctx, input, output ); 00886 } 00887 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 00888 00889 /* 00890 * AES-ECB block encryption/decryption 00891 */ 00892 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, 00893 int mode, 00894 const unsigned char input[16], 00895 unsigned char output[16] ) 00896 { 00897 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 00898 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 00899 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); 00900 #endif 00901 00902 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 00903 if( aes_padlock_ace ) 00904 { 00905 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 ) 00906 return( 0 ); 00907 00908 // If padlock data misaligned, we just fall back to 00909 // unaccelerated mode 00910 // 00911 } 00912 #endif 00913 00914 if( mode == MBEDTLS_AES_ENCRYPT ) 00915 return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); 00916 else 00917 return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); 00918 } 00919 00920 #if defined(MBEDTLS_CIPHER_MODE_CBC) 00921 /* 00922 * AES-CBC buffer encryption/decryption 00923 */ 00924 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, 00925 int mode, 00926 size_t length, 00927 unsigned char iv[16], 00928 const unsigned char *input, 00929 unsigned char *output ) 00930 { 00931 int i; 00932 unsigned char temp[16]; 00933 00934 if( length % 16 ) 00935 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); 00936 00937 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 00938 if( aes_padlock_ace ) 00939 { 00940 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 ) 00941 return( 0 ); 00942 00943 // If padlock data misaligned, we just fall back to 00944 // unaccelerated mode 00945 // 00946 } 00947 #endif 00948 00949 if( mode == MBEDTLS_AES_DECRYPT ) 00950 { 00951 while( length > 0 ) 00952 { 00953 memcpy( temp, input, 16 ); 00954 mbedtls_aes_crypt_ecb( ctx, mode, input, output ); 00955 00956 for( i = 0; i < 16; i++ ) 00957 output[i] = (unsigned char)( output[i] ^ iv[i] ); 00958 00959 memcpy( iv, temp, 16 ); 00960 00961 input += 16; 00962 output += 16; 00963 length -= 16; 00964 } 00965 } 00966 else 00967 { 00968 while( length > 0 ) 00969 { 00970 for( i = 0; i < 16; i++ ) 00971 output[i] = (unsigned char)( input[i] ^ iv[i] ); 00972 00973 mbedtls_aes_crypt_ecb( ctx, mode, output, output ); 00974 memcpy( iv, output, 16 ); 00975 00976 input += 16; 00977 output += 16; 00978 length -= 16; 00979 } 00980 } 00981 00982 return( 0 ); 00983 } 00984 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 00985 00986 #if defined(MBEDTLS_CIPHER_MODE_CFB) 00987 /* 00988 * AES-CFB128 buffer encryption/decryption 00989 */ 00990 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, 00991 int mode, 00992 size_t length, 00993 size_t *iv_off, 00994 unsigned char iv[16], 00995 const unsigned char *input, 00996 unsigned char *output ) 00997 { 00998 int c; 00999 size_t n = *iv_off; 01000 01001 if( mode == MBEDTLS_AES_DECRYPT ) 01002 { 01003 while( length-- ) 01004 { 01005 if( n == 0 ) 01006 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01007 01008 c = *input++; 01009 *output++ = (unsigned char)( c ^ iv[n] ); 01010 iv[n] = (unsigned char) c; 01011 01012 n = ( n + 1 ) & 0x0F; 01013 } 01014 } 01015 else 01016 { 01017 while( length-- ) 01018 { 01019 if( n == 0 ) 01020 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01021 01022 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 01023 01024 n = ( n + 1 ) & 0x0F; 01025 } 01026 } 01027 01028 *iv_off = n; 01029 01030 return( 0 ); 01031 } 01032 01033 /* 01034 * AES-CFB8 buffer encryption/decryption 01035 */ 01036 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, 01037 int mode, 01038 size_t length, 01039 unsigned char iv[16], 01040 const unsigned char *input, 01041 unsigned char *output ) 01042 { 01043 unsigned char c; 01044 unsigned char ov[17]; 01045 01046 while( length-- ) 01047 { 01048 memcpy( ov, iv, 16 ); 01049 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01050 01051 if( mode == MBEDTLS_AES_DECRYPT ) 01052 ov[16] = *input; 01053 01054 c = *output++ = (unsigned char)( iv[0] ^ *input++ ); 01055 01056 if( mode == MBEDTLS_AES_ENCRYPT ) 01057 ov[16] = c; 01058 01059 memcpy( iv, ov + 1, 16 ); 01060 } 01061 01062 return( 0 ); 01063 } 01064 #endif /*MBEDTLS_CIPHER_MODE_CFB */ 01065 01066 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01067 /* 01068 * AES-CTR buffer encryption/decryption 01069 */ 01070 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, 01071 size_t length, 01072 size_t *nc_off, 01073 unsigned char nonce_counter[16], 01074 unsigned char stream_block[16], 01075 const unsigned char *input, 01076 unsigned char *output ) 01077 { 01078 int c, i; 01079 size_t n = *nc_off; 01080 01081 if ( n > 0x0F ) 01082 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 01083 01084 while( length-- ) 01085 { 01086 if( n == 0 ) { 01087 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block ); 01088 01089 for( i = 16; i > 0; i-- ) 01090 if( ++nonce_counter[i - 1] != 0 ) 01091 break; 01092 } 01093 c = *input++; 01094 *output++ = (unsigned char)( c ^ stream_block[n] ); 01095 01096 n = ( n + 1 ) & 0x0F; 01097 } 01098 01099 *nc_off = n; 01100 01101 return( 0 ); 01102 } 01103 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 01104 01105 #endif /* !MBEDTLS_AES_ALT */ 01106 01107 #if defined(MBEDTLS_SELF_TEST) 01108 /* 01109 * AES test vectors from: 01110 * 01111 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 01112 */ 01113 static const unsigned char aes_test_ecb_dec[3][16] = 01114 { 01115 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 01116 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 01117 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 01118 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 01119 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 01120 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 01121 }; 01122 01123 static const unsigned char aes_test_ecb_enc[3][16] = 01124 { 01125 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 01126 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 01127 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 01128 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 01129 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 01130 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 01131 }; 01132 01133 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01134 static const unsigned char aes_test_cbc_dec[3][16] = 01135 { 01136 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 01137 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, 01138 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 01139 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 01140 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 01141 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 01142 }; 01143 01144 static const unsigned char aes_test_cbc_enc[3][16] = 01145 { 01146 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 01147 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 01148 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 01149 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 01150 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 01151 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 01152 }; 01153 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 01154 01155 #if defined(MBEDTLS_CIPHER_MODE_CFB) 01156 /* 01157 * AES-CFB128 test vectors from: 01158 * 01159 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 01160 */ 01161 static const unsigned char aes_test_cfb128_key[3][32] = 01162 { 01163 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 01164 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 01165 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 01166 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 01167 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 01168 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 01169 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 01170 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 01171 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 01172 }; 01173 01174 static const unsigned char aes_test_cfb128_iv[16] = 01175 { 01176 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01177 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 01178 }; 01179 01180 static const unsigned char aes_test_cfb128_pt[64] = 01181 { 01182 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 01183 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 01184 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 01185 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 01186 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 01187 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 01188 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 01189 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 01190 }; 01191 01192 static const unsigned char aes_test_cfb128_ct[3][64] = 01193 { 01194 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 01195 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 01196 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, 01197 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 01198 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 01199 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 01200 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 01201 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 01202 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 01203 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 01204 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 01205 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 01206 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 01207 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 01208 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 01209 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 01210 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 01211 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 01212 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 01213 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 01214 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 01215 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 01216 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 01217 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 01218 }; 01219 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 01220 01221 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01222 /* 01223 * AES-CTR test vectors from: 01224 * 01225 * http://www.faqs.org/rfcs/rfc3686.html 01226 */ 01227 01228 static const unsigned char aes_test_ctr_key[3][16] = 01229 { 01230 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 01231 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 01232 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 01233 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 01234 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 01235 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 01236 }; 01237 01238 static const unsigned char aes_test_ctr_nonce_counter[3][16] = 01239 { 01240 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 01241 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 01242 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 01243 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 01244 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 01245 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 01246 }; 01247 01248 static const unsigned char aes_test_ctr_pt[3][48] = 01249 { 01250 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 01251 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 01252 01253 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01254 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 01255 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 01256 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 01257 01258 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01259 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 01260 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 01261 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 01262 0x20, 0x21, 0x22, 0x23 } 01263 }; 01264 01265 static const unsigned char aes_test_ctr_ct[3][48] = 01266 { 01267 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 01268 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, 01269 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 01270 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 01271 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, 01272 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, 01273 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 01274 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, 01275 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, 01276 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 01277 0x25, 0xB2, 0x07, 0x2F } 01278 }; 01279 01280 static const int aes_test_ctr_len[3] = 01281 { 16, 32, 36 }; 01282 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 01283 01284 /* 01285 * Checkup routine 01286 */ 01287 int mbedtls_aes_self_test( int verbose ) 01288 { 01289 int ret = 0, i, j, u, mode; 01290 unsigned int keybits; 01291 unsigned char key[32]; 01292 unsigned char buf[64]; 01293 const unsigned char *aes_tests; 01294 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) 01295 unsigned char iv[16]; 01296 #endif 01297 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01298 unsigned char prv[16]; 01299 #endif 01300 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) 01301 size_t offset; 01302 #endif 01303 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01304 int len; 01305 unsigned char nonce_counter[16]; 01306 unsigned char stream_block[16]; 01307 #endif 01308 mbedtls_aes_context ctx; 01309 01310 memset( key, 0, 32 ); 01311 mbedtls_aes_init( &ctx ); 01312 01313 /* 01314 * ECB mode 01315 */ 01316 for( i = 0; i < 6; i++ ) 01317 { 01318 u = i >> 1; 01319 keybits = 128 + u * 64; 01320 mode = i & 1; 01321 01322 if( verbose != 0 ) 01323 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits, 01324 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01325 01326 memset( buf, 0, 16 ); 01327 01328 if( mode == MBEDTLS_AES_DECRYPT ) 01329 { 01330 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 01331 aes_tests = aes_test_ecb_dec[u]; 01332 } 01333 else 01334 { 01335 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01336 aes_tests = aes_test_ecb_enc[u]; 01337 } 01338 01339 /* 01340 * AES-192 is an optional feature that may be unavailable when 01341 * there is an alternative underlying implementation i.e. when 01342 * MBEDTLS_AES_ALT is defined. 01343 */ 01344 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) 01345 { 01346 mbedtls_printf( "skipped\n" ); 01347 continue; 01348 } 01349 else if( ret != 0 ) 01350 { 01351 goto exit; 01352 } 01353 01354 for( j = 0; j < 10000; j++ ) 01355 { 01356 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf ); 01357 if( ret != 0 ) 01358 goto exit; 01359 } 01360 01361 if( memcmp( buf, aes_tests, 16 ) != 0 ) 01362 { 01363 ret = 1; 01364 goto exit; 01365 } 01366 01367 if( verbose != 0 ) 01368 mbedtls_printf( "passed\n" ); 01369 } 01370 01371 if( verbose != 0 ) 01372 mbedtls_printf( "\n" ); 01373 01374 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01375 /* 01376 * CBC mode 01377 */ 01378 for( i = 0; i < 6; i++ ) 01379 { 01380 u = i >> 1; 01381 keybits = 128 + u * 64; 01382 mode = i & 1; 01383 01384 if( verbose != 0 ) 01385 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits, 01386 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01387 01388 memset( iv , 0, 16 ); 01389 memset( prv, 0, 16 ); 01390 memset( buf, 0, 16 ); 01391 01392 if( mode == MBEDTLS_AES_DECRYPT ) 01393 { 01394 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 01395 aes_tests = aes_test_cbc_dec[u]; 01396 } 01397 else 01398 { 01399 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01400 aes_tests = aes_test_cbc_enc[u]; 01401 } 01402 01403 /* 01404 * AES-192 is an optional feature that may be unavailable when 01405 * there is an alternative underlying implementation i.e. when 01406 * MBEDTLS_AES_ALT is defined. 01407 */ 01408 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) 01409 { 01410 mbedtls_printf( "skipped\n" ); 01411 continue; 01412 } 01413 else if( ret != 0 ) 01414 { 01415 goto exit; 01416 } 01417 01418 for( j = 0; j < 10000; j++ ) 01419 { 01420 if( mode == MBEDTLS_AES_ENCRYPT ) 01421 { 01422 unsigned char tmp[16]; 01423 01424 memcpy( tmp, prv, 16 ); 01425 memcpy( prv, buf, 16 ); 01426 memcpy( buf, tmp, 16 ); 01427 } 01428 01429 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf ); 01430 if( ret != 0 ) 01431 goto exit; 01432 01433 } 01434 01435 if( memcmp( buf, aes_tests, 16 ) != 0 ) 01436 { 01437 ret = 1; 01438 goto exit; 01439 } 01440 01441 if( verbose != 0 ) 01442 mbedtls_printf( "passed\n" ); 01443 } 01444 01445 if( verbose != 0 ) 01446 mbedtls_printf( "\n" ); 01447 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 01448 01449 #if defined(MBEDTLS_CIPHER_MODE_CFB) 01450 /* 01451 * CFB128 mode 01452 */ 01453 for( i = 0; i < 6; i++ ) 01454 { 01455 u = i >> 1; 01456 keybits = 128 + u * 64; 01457 mode = i & 1; 01458 01459 if( verbose != 0 ) 01460 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits, 01461 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01462 01463 memcpy( iv, aes_test_cfb128_iv, 16 ); 01464 memcpy( key, aes_test_cfb128_key[u], keybits / 8 ); 01465 01466 offset = 0; 01467 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01468 /* 01469 * AES-192 is an optional feature that may be unavailable when 01470 * there is an alternative underlying implementation i.e. when 01471 * MBEDTLS_AES_ALT is defined. 01472 */ 01473 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) 01474 { 01475 mbedtls_printf( "skipped\n" ); 01476 continue; 01477 } 01478 else if( ret != 0 ) 01479 { 01480 goto exit; 01481 } 01482 01483 if( mode == MBEDTLS_AES_DECRYPT ) 01484 { 01485 memcpy( buf, aes_test_cfb128_ct[u], 64 ); 01486 aes_tests = aes_test_cfb128_pt; 01487 } 01488 else 01489 { 01490 memcpy( buf, aes_test_cfb128_pt, 64 ); 01491 aes_tests = aes_test_cfb128_ct[u]; 01492 } 01493 01494 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf ); 01495 if( ret != 0 ) 01496 goto exit; 01497 01498 if( memcmp( buf, aes_tests, 64 ) != 0 ) 01499 { 01500 ret = 1; 01501 goto exit; 01502 } 01503 01504 if( verbose != 0 ) 01505 mbedtls_printf( "passed\n" ); 01506 } 01507 01508 if( verbose != 0 ) 01509 mbedtls_printf( "\n" ); 01510 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 01511 01512 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01513 /* 01514 * CTR mode 01515 */ 01516 for( i = 0; i < 6; i++ ) 01517 { 01518 u = i >> 1; 01519 mode = i & 1; 01520 01521 if( verbose != 0 ) 01522 mbedtls_printf( " AES-CTR-128 (%s): ", 01523 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01524 01525 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 ); 01526 memcpy( key, aes_test_ctr_key[u], 16 ); 01527 01528 offset = 0; 01529 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 ) 01530 goto exit; 01531 01532 len = aes_test_ctr_len[u]; 01533 01534 if( mode == MBEDTLS_AES_DECRYPT ) 01535 { 01536 memcpy( buf, aes_test_ctr_ct[u], len ); 01537 aes_tests = aes_test_ctr_pt[u]; 01538 } 01539 else 01540 { 01541 memcpy( buf, aes_test_ctr_pt[u], len ); 01542 aes_tests = aes_test_ctr_ct[u]; 01543 } 01544 01545 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, 01546 stream_block, buf, buf ); 01547 if( ret != 0 ) 01548 goto exit; 01549 01550 if( memcmp( buf, aes_tests, len ) != 0 ) 01551 { 01552 ret = 1; 01553 goto exit; 01554 } 01555 01556 if( verbose != 0 ) 01557 mbedtls_printf( "passed\n" ); 01558 } 01559 01560 if( verbose != 0 ) 01561 mbedtls_printf( "\n" ); 01562 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 01563 01564 ret = 0; 01565 01566 exit: 01567 if( ret != 0 && verbose != 0 ) 01568 mbedtls_printf( "failed\n" ); 01569 01570 mbedtls_aes_free( &ctx ); 01571 01572 return( ret ); 01573 } 01574 01575 #endif /* MBEDTLS_SELF_TEST */ 01576 01577 #endif /* MBEDTLS_AES_C */
Generated on Tue Jul 12 2022 12:43:28 by
1.7.2