Kenji Arai
/
TYBLE16_mbedlized_os5_several_examples_1st
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependencies: nRF51_Vdd TextLCD BME280
Embed:
(wiki syntax)
Show/hide line numbers
aes.c
00001 /* 00002 * FIPS-197 compliant AES implementation 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 00023 * 00024 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 00025 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 00026 */ 00027 00028 #if !defined(MBEDTLS_CONFIG_FILE) 00029 #include "mbedtls/config.h" 00030 #else 00031 #include MBEDTLS_CONFIG_FILE 00032 #endif 00033 00034 #if defined(MBEDTLS_AES_C) 00035 00036 #include <string.h> 00037 00038 #include "mbedtls/aes.h" 00039 #include "mbedtls/platform_util.h" 00040 #if defined(MBEDTLS_PADLOCK_C) 00041 #include "mbedtls/padlock.h" 00042 #endif 00043 #if defined(MBEDTLS_AESNI_C) 00044 #include "mbedtls/aesni.h" 00045 #endif 00046 00047 #if defined(MBEDTLS_SELF_TEST) 00048 #if defined(MBEDTLS_PLATFORM_C) 00049 #include "mbedtls/platform.h" 00050 #else 00051 #include <stdio.h> 00052 #define mbedtls_printf printf 00053 #endif /* MBEDTLS_PLATFORM_C */ 00054 #endif /* MBEDTLS_SELF_TEST */ 00055 00056 #if !defined(MBEDTLS_AES_ALT) 00057 00058 /* 00059 * 32-bit integer manipulation macros (little endian) 00060 */ 00061 #ifndef GET_UINT32_LE 00062 #define GET_UINT32_LE(n,b,i) \ 00063 { \ 00064 (n) = ( (uint32_t) (b)[(i) ] ) \ 00065 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 00066 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 00067 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 00068 } 00069 #endif 00070 00071 #ifndef PUT_UINT32_LE 00072 #define PUT_UINT32_LE(n,b,i) \ 00073 { \ 00074 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 00075 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 00076 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 00077 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 00078 } 00079 #endif 00080 00081 #if defined(MBEDTLS_PADLOCK_C) && \ 00082 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) ) 00083 static int aes_padlock_ace = -1; 00084 #endif 00085 00086 #if defined(MBEDTLS_AES_ROM_TABLES) 00087 /* 00088 * Forward S-box 00089 */ 00090 static const unsigned char FSb[256] = 00091 { 00092 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 00093 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 00094 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 00095 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 00096 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 00097 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 00098 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 00099 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 00100 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 00101 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 00102 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 00103 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 00104 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 00105 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 00106 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 00107 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 00108 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 00109 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 00110 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 00111 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 00112 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 00113 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 00114 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 00115 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 00116 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 00117 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 00118 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 00119 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 00120 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 00121 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 00122 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 00123 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 00124 }; 00125 00126 /* 00127 * Forward tables 00128 */ 00129 #define FT \ 00130 \ 00131 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \ 00132 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \ 00133 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \ 00134 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \ 00135 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \ 00136 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \ 00137 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \ 00138 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \ 00139 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \ 00140 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \ 00141 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \ 00142 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \ 00143 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \ 00144 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \ 00145 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \ 00146 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \ 00147 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \ 00148 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \ 00149 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \ 00150 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \ 00151 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \ 00152 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \ 00153 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \ 00154 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \ 00155 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \ 00156 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \ 00157 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \ 00158 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \ 00159 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \ 00160 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \ 00161 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \ 00162 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \ 00163 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \ 00164 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \ 00165 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \ 00166 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \ 00167 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \ 00168 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \ 00169 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \ 00170 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \ 00171 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \ 00172 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \ 00173 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \ 00174 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \ 00175 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \ 00176 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \ 00177 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \ 00178 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \ 00179 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \ 00180 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \ 00181 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \ 00182 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \ 00183 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \ 00184 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \ 00185 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \ 00186 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \ 00187 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \ 00188 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \ 00189 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \ 00190 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \ 00191 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \ 00192 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \ 00193 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \ 00194 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C) 00195 00196 #define V(a,b,c,d) 0x##a##b##c##d 00197 static const uint32_t FT0[256] = { FT }; 00198 #undef V 00199 00200 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00201 00202 #define V(a,b,c,d) 0x##b##c##d##a 00203 static const uint32_t FT1[256] = { FT }; 00204 #undef V 00205 00206 #define V(a,b,c,d) 0x##c##d##a##b 00207 static const uint32_t FT2[256] = { FT }; 00208 #undef V 00209 00210 #define V(a,b,c,d) 0x##d##a##b##c 00211 static const uint32_t FT3[256] = { FT }; 00212 #undef V 00213 00214 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00215 00216 #undef FT 00217 00218 /* 00219 * Reverse S-box 00220 */ 00221 static const unsigned char RSb[256] = 00222 { 00223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 00224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 00225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 00226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 00227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 00228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 00229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 00230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 00231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 00232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 00233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 00234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 00235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 00236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 00237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 00238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 00239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 00240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 00241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 00242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 00243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 00244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 00245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 00246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 00247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 00248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 00249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 00250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 00251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 00252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 00253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 00254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 00255 }; 00256 00257 /* 00258 * Reverse tables 00259 */ 00260 #define RT \ 00261 \ 00262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \ 00263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \ 00264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \ 00265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \ 00266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \ 00267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \ 00268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \ 00269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \ 00270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \ 00271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \ 00272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \ 00273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \ 00274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \ 00275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \ 00276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \ 00277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \ 00278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \ 00279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \ 00280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \ 00281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \ 00282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \ 00283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \ 00284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \ 00285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \ 00286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \ 00287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \ 00288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \ 00289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \ 00290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \ 00291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \ 00292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \ 00293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \ 00294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \ 00295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \ 00296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \ 00297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \ 00298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \ 00299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \ 00300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \ 00301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \ 00302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \ 00303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \ 00304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \ 00305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \ 00306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \ 00307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \ 00308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \ 00309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \ 00310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \ 00311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \ 00312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \ 00313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \ 00314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \ 00315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \ 00316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \ 00317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \ 00318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \ 00319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \ 00320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \ 00321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \ 00322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \ 00323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \ 00324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \ 00325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0) 00326 00327 #define V(a,b,c,d) 0x##a##b##c##d 00328 static const uint32_t RT0[256] = { RT }; 00329 #undef V 00330 00331 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00332 00333 #define V(a,b,c,d) 0x##b##c##d##a 00334 static const uint32_t RT1[256] = { RT }; 00335 #undef V 00336 00337 #define V(a,b,c,d) 0x##c##d##a##b 00338 static const uint32_t RT2[256] = { RT }; 00339 #undef V 00340 00341 #define V(a,b,c,d) 0x##d##a##b##c 00342 static const uint32_t RT3[256] = { RT }; 00343 #undef V 00344 00345 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00346 00347 #undef RT 00348 00349 /* 00350 * Round constants 00351 */ 00352 static const uint32_t RCON[10] = 00353 { 00354 0x00000001, 0x00000002, 0x00000004, 0x00000008, 00355 0x00000010, 0x00000020, 0x00000040, 0x00000080, 00356 0x0000001B, 0x00000036 00357 }; 00358 00359 #else /* MBEDTLS_AES_ROM_TABLES */ 00360 00361 /* 00362 * Forward S-box & tables 00363 */ 00364 static unsigned char FSb[256]; 00365 static uint32_t FT0[256]; 00366 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00367 static uint32_t FT1[256]; 00368 static uint32_t FT2[256]; 00369 static uint32_t FT3[256]; 00370 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00371 00372 /* 00373 * Reverse S-box & tables 00374 */ 00375 static unsigned char RSb[256]; 00376 static uint32_t RT0[256]; 00377 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00378 static uint32_t RT1[256]; 00379 static uint32_t RT2[256]; 00380 static uint32_t RT3[256]; 00381 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00382 00383 /* 00384 * Round constants 00385 */ 00386 static uint32_t RCON[10]; 00387 00388 /* 00389 * Tables generation code 00390 */ 00391 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 ) 00392 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) ) 00393 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 ) 00394 00395 static int aes_init_done = 0; 00396 00397 static void aes_gen_tables( void ) 00398 { 00399 int i, x, y, z; 00400 int pow[256]; 00401 int log[256]; 00402 00403 /* 00404 * compute pow and log tables over GF(2^8) 00405 */ 00406 for( i = 0, x = 1; i < 256; i++ ) 00407 { 00408 pow[i] = x; 00409 log[x] = i; 00410 x = ( x ^ XTIME( x ) ) & 0xFF; 00411 } 00412 00413 /* 00414 * calculate the round constants 00415 */ 00416 for( i = 0, x = 1; i < 10; i++ ) 00417 { 00418 RCON[i] = (uint32_t) x; 00419 x = XTIME( x ) & 0xFF; 00420 } 00421 00422 /* 00423 * generate the forward and reverse S-boxes 00424 */ 00425 FSb[0x00] = 0x63; 00426 RSb[0x63] = 0x00; 00427 00428 for( i = 1; i < 256; i++ ) 00429 { 00430 x = pow[255 - log[i]]; 00431 00432 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00433 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00434 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00436 x ^= y ^ 0x63; 00437 00438 FSb[i] = (unsigned char) x; 00439 RSb[x] = (unsigned char) i; 00440 } 00441 00442 /* 00443 * generate the forward and reverse tables 00444 */ 00445 for( i = 0; i < 256; i++ ) 00446 { 00447 x = FSb[i]; 00448 y = XTIME( x ) & 0xFF; 00449 z = ( y ^ x ) & 0xFF; 00450 00451 FT0[i] = ( (uint32_t) y ) ^ 00452 ( (uint32_t) x << 8 ) ^ 00453 ( (uint32_t) x << 16 ) ^ 00454 ( (uint32_t) z << 24 ); 00455 00456 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00457 FT1[i] = ROTL8( FT0[i] ); 00458 FT2[i] = ROTL8( FT1[i] ); 00459 FT3[i] = ROTL8( FT2[i] ); 00460 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00461 00462 x = RSb[i]; 00463 00464 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^ 00465 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^ 00466 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ 00467 ( (uint32_t) MUL( 0x0B, x ) << 24 ); 00468 00469 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00470 RT1[i] = ROTL8( RT0[i] ); 00471 RT2[i] = ROTL8( RT1[i] ); 00472 RT3[i] = ROTL8( RT2[i] ); 00473 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00474 } 00475 } 00476 00477 #undef ROTL8 00478 00479 #endif /* MBEDTLS_AES_ROM_TABLES */ 00480 00481 #if defined(MBEDTLS_AES_FEWER_TABLES) 00482 00483 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) 00484 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) 00485 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) ) 00486 00487 #define AES_RT0(idx) RT0[idx] 00488 #define AES_RT1(idx) ROTL8( RT0[idx] ) 00489 #define AES_RT2(idx) ROTL16( RT0[idx] ) 00490 #define AES_RT3(idx) ROTL24( RT0[idx] ) 00491 00492 #define AES_FT0(idx) FT0[idx] 00493 #define AES_FT1(idx) ROTL8( FT0[idx] ) 00494 #define AES_FT2(idx) ROTL16( FT0[idx] ) 00495 #define AES_FT3(idx) ROTL24( FT0[idx] ) 00496 00497 #else /* MBEDTLS_AES_FEWER_TABLES */ 00498 00499 #define AES_RT0(idx) RT0[idx] 00500 #define AES_RT1(idx) RT1[idx] 00501 #define AES_RT2(idx) RT2[idx] 00502 #define AES_RT3(idx) RT3[idx] 00503 00504 #define AES_FT0(idx) FT0[idx] 00505 #define AES_FT1(idx) FT1[idx] 00506 #define AES_FT2(idx) FT2[idx] 00507 #define AES_FT3(idx) FT3[idx] 00508 00509 #endif /* MBEDTLS_AES_FEWER_TABLES */ 00510 00511 void mbedtls_aes_init( mbedtls_aes_context *ctx ) 00512 { 00513 memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 00514 } 00515 00516 void mbedtls_aes_free( mbedtls_aes_context *ctx ) 00517 { 00518 if( ctx == NULL ) 00519 return; 00520 00521 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 00522 } 00523 00524 #if defined(MBEDTLS_CIPHER_MODE_XTS) 00525 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx ) 00526 { 00527 mbedtls_aes_init( &ctx->crypt ); 00528 mbedtls_aes_init( &ctx->tweak ); 00529 } 00530 00531 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx ) 00532 { 00533 mbedtls_aes_free( &ctx->crypt ); 00534 mbedtls_aes_free( &ctx->tweak ); 00535 } 00536 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 00537 00538 /* 00539 * AES key schedule (encryption) 00540 */ 00541 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 00542 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, 00543 unsigned int keybits ) 00544 { 00545 unsigned int i; 00546 uint32_t *RK; 00547 00548 #if !defined(MBEDTLS_AES_ROM_TABLES) 00549 if( aes_init_done == 0 ) 00550 { 00551 aes_gen_tables(); 00552 aes_init_done = 1; 00553 00554 } 00555 #endif 00556 00557 switch( keybits ) 00558 { 00559 case 128: ctx->nr = 10; break; 00560 case 192: ctx->nr = 12; break; 00561 case 256: ctx->nr = 14; break; 00562 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 00563 } 00564 00565 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 00566 if( aes_padlock_ace == -1 ) 00567 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 00568 00569 if( aes_padlock_ace ) 00570 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 00571 else 00572 #endif 00573 ctx->rk = RK = ctx->buf ; 00574 00575 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 00576 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 00577 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk , key, keybits ) ); 00578 #endif 00579 00580 for( i = 0; i < ( keybits >> 5 ); i++ ) 00581 { 00582 GET_UINT32_LE( RK[i], key, i << 2 ); 00583 } 00584 00585 switch( ctx->nr ) 00586 { 00587 case 10: 00588 00589 for( i = 0; i < 10; i++, RK += 4 ) 00590 { 00591 RK[4] = RK[0] ^ RCON[i] ^ 00592 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^ 00593 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^ 00594 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^ 00595 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 ); 00596 00597 RK[5] = RK[1] ^ RK[4]; 00598 RK[6] = RK[2] ^ RK[5]; 00599 RK[7] = RK[3] ^ RK[6]; 00600 } 00601 break; 00602 00603 case 12: 00604 00605 for( i = 0; i < 8; i++, RK += 6 ) 00606 { 00607 RK[6] = RK[0] ^ RCON[i] ^ 00608 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^ 00609 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^ 00610 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^ 00611 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 ); 00612 00613 RK[7] = RK[1] ^ RK[6]; 00614 RK[8] = RK[2] ^ RK[7]; 00615 RK[9] = RK[3] ^ RK[8]; 00616 RK[10] = RK[4] ^ RK[9]; 00617 RK[11] = RK[5] ^ RK[10]; 00618 } 00619 break; 00620 00621 case 14: 00622 00623 for( i = 0; i < 7; i++, RK += 8 ) 00624 { 00625 RK[8] = RK[0] ^ RCON[i] ^ 00626 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^ 00627 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^ 00628 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^ 00629 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 ); 00630 00631 RK[9] = RK[1] ^ RK[8]; 00632 RK[10] = RK[2] ^ RK[9]; 00633 RK[11] = RK[3] ^ RK[10]; 00634 00635 RK[12] = RK[4] ^ 00636 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^ 00637 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^ 00638 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^ 00639 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 ); 00640 00641 RK[13] = RK[5] ^ RK[12]; 00642 RK[14] = RK[6] ^ RK[13]; 00643 RK[15] = RK[7] ^ RK[14]; 00644 } 00645 break; 00646 } 00647 00648 return( 0 ); 00649 } 00650 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 00651 00652 /* 00653 * AES key schedule (decryption) 00654 */ 00655 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) 00656 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, 00657 unsigned int keybits ) 00658 { 00659 int i, j, ret; 00660 mbedtls_aes_context cty; 00661 uint32_t *RK; 00662 uint32_t *SK; 00663 00664 mbedtls_aes_init( &cty ); 00665 00666 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 00667 if( aes_padlock_ace == -1 ) 00668 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 00669 00670 if( aes_padlock_ace ) 00671 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 00672 else 00673 #endif 00674 ctx->rk = RK = ctx->buf ; 00675 00676 /* Also checks keybits */ 00677 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 ) 00678 goto exit; 00679 00680 ctx->nr = cty.nr ; 00681 00682 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 00683 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 00684 { 00685 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk , 00686 (const unsigned char *) cty.rk , ctx->nr ); 00687 goto exit; 00688 } 00689 #endif 00690 00691 SK = cty.rk + cty.nr * 4; 00692 00693 *RK++ = *SK++; 00694 *RK++ = *SK++; 00695 *RK++ = *SK++; 00696 *RK++ = *SK++; 00697 00698 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 ) 00699 { 00700 for( j = 0; j < 4; j++, SK++ ) 00701 { 00702 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^ 00703 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^ 00704 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^ 00705 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] ); 00706 } 00707 } 00708 00709 *RK++ = *SK++; 00710 *RK++ = *SK++; 00711 *RK++ = *SK++; 00712 *RK++ = *SK++; 00713 00714 exit: 00715 mbedtls_aes_free( &cty ); 00716 00717 return( ret ); 00718 } 00719 00720 #if defined(MBEDTLS_CIPHER_MODE_XTS) 00721 static int mbedtls_aes_xts_decode_keys( const unsigned char *key, 00722 unsigned int keybits, 00723 const unsigned char **key1, 00724 unsigned int *key1bits, 00725 const unsigned char **key2, 00726 unsigned int *key2bits ) 00727 { 00728 const unsigned int half_keybits = keybits / 2; 00729 const unsigned int half_keybytes = half_keybits / 8; 00730 00731 switch( keybits ) 00732 { 00733 case 256: break; 00734 case 512: break; 00735 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 00736 } 00737 00738 *key1bits = half_keybits; 00739 *key2bits = half_keybits; 00740 *key1 = &key[0]; 00741 *key2 = &key[half_keybytes]; 00742 00743 return 0; 00744 } 00745 00746 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx, 00747 const unsigned char *key, 00748 unsigned int keybits) 00749 { 00750 int ret; 00751 const unsigned char *key1, *key2; 00752 unsigned int key1bits, key2bits; 00753 00754 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 00755 &key2, &key2bits ); 00756 if( ret != 0 ) 00757 return( ret ); 00758 00759 /* Set the tweak key. Always set tweak key for the encryption mode. */ 00760 ret = mbedtls_aes_setkey_enc( &ctx->tweak , key2, key2bits ); 00761 if( ret != 0 ) 00762 return( ret ); 00763 00764 /* Set crypt key for encryption. */ 00765 return mbedtls_aes_setkey_enc( &ctx->crypt , key1, key1bits ); 00766 } 00767 00768 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx, 00769 const unsigned char *key, 00770 unsigned int keybits) 00771 { 00772 int ret; 00773 const unsigned char *key1, *key2; 00774 unsigned int key1bits, key2bits; 00775 00776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 00777 &key2, &key2bits ); 00778 if( ret != 0 ) 00779 return( ret ); 00780 00781 /* Set the tweak key. Always set tweak key for encryption. */ 00782 ret = mbedtls_aes_setkey_enc( &ctx->tweak , key2, key2bits ); 00783 if( ret != 0 ) 00784 return( ret ); 00785 00786 /* Set crypt key for decryption. */ 00787 return mbedtls_aes_setkey_dec( &ctx->crypt , key1, key1bits ); 00788 } 00789 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 00790 00791 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ 00792 00793 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 00794 { \ 00795 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \ 00796 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \ 00797 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \ 00798 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \ 00799 \ 00800 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \ 00801 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \ 00802 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \ 00803 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \ 00804 \ 00805 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \ 00806 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \ 00807 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \ 00808 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \ 00809 \ 00810 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \ 00811 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \ 00812 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \ 00813 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \ 00814 } 00815 00816 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 00817 { \ 00818 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \ 00819 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \ 00820 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \ 00821 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \ 00822 \ 00823 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \ 00824 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \ 00825 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \ 00826 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \ 00827 \ 00828 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \ 00829 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \ 00830 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \ 00831 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \ 00832 \ 00833 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \ 00834 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \ 00835 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \ 00836 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \ 00837 } 00838 00839 /* 00840 * AES-ECB block encryption 00841 */ 00842 #if !defined(MBEDTLS_AES_ENCRYPT_ALT) 00843 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, 00844 const unsigned char input[16], 00845 unsigned char output[16] ) 00846 { 00847 int i; 00848 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 00849 00850 RK = ctx->rk ; 00851 00852 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 00853 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 00854 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 00855 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 00856 00857 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 00858 { 00859 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00860 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 00861 } 00862 00863 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00864 00865 X0 = *RK++ ^ \ 00866 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^ 00867 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 00868 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 00869 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 00870 00871 X1 = *RK++ ^ \ 00872 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^ 00873 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 00874 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 00875 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 00876 00877 X2 = *RK++ ^ \ 00878 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^ 00879 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 00880 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 00881 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 00882 00883 X3 = *RK++ ^ \ 00884 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^ 00885 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 00886 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 00887 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 00888 00889 PUT_UINT32_LE( X0, output, 0 ); 00890 PUT_UINT32_LE( X1, output, 4 ); 00891 PUT_UINT32_LE( X2, output, 8 ); 00892 PUT_UINT32_LE( X3, output, 12 ); 00893 00894 return( 0 ); 00895 } 00896 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 00897 00898 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 00899 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, 00900 const unsigned char input[16], 00901 unsigned char output[16] ) 00902 { 00903 mbedtls_internal_aes_encrypt( ctx, input, output ); 00904 } 00905 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 00906 00907 /* 00908 * AES-ECB block decryption 00909 */ 00910 #if !defined(MBEDTLS_AES_DECRYPT_ALT) 00911 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, 00912 const unsigned char input[16], 00913 unsigned char output[16] ) 00914 { 00915 int i; 00916 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 00917 00918 RK = ctx->rk ; 00919 00920 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 00921 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 00922 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 00923 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 00924 00925 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 00926 { 00927 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00928 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 00929 } 00930 00931 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00932 00933 X0 = *RK++ ^ \ 00934 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^ 00935 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 00936 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 00937 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 00938 00939 X1 = *RK++ ^ \ 00940 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^ 00941 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 00942 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 00943 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 00944 00945 X2 = *RK++ ^ \ 00946 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^ 00947 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 00948 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 00949 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 00950 00951 X3 = *RK++ ^ \ 00952 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^ 00953 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 00954 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 00955 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 00956 00957 PUT_UINT32_LE( X0, output, 0 ); 00958 PUT_UINT32_LE( X1, output, 4 ); 00959 PUT_UINT32_LE( X2, output, 8 ); 00960 PUT_UINT32_LE( X3, output, 12 ); 00961 00962 return( 0 ); 00963 } 00964 #endif /* !MBEDTLS_AES_DECRYPT_ALT */ 00965 00966 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 00967 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, 00968 const unsigned char input[16], 00969 unsigned char output[16] ) 00970 { 00971 mbedtls_internal_aes_decrypt( ctx, input, output ); 00972 } 00973 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 00974 00975 /* 00976 * AES-ECB block encryption/decryption 00977 */ 00978 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, 00979 int mode, 00980 const unsigned char input[16], 00981 unsigned char output[16] ) 00982 { 00983 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 00984 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 00985 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); 00986 #endif 00987 00988 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 00989 if( aes_padlock_ace ) 00990 { 00991 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 ) 00992 return( 0 ); 00993 00994 // If padlock data misaligned, we just fall back to 00995 // unaccelerated mode 00996 // 00997 } 00998 #endif 00999 01000 if( mode == MBEDTLS_AES_ENCRYPT ) 01001 return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); 01002 else 01003 return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); 01004 } 01005 01006 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01007 /* 01008 * AES-CBC buffer encryption/decryption 01009 */ 01010 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, 01011 int mode, 01012 size_t length, 01013 unsigned char iv[16], 01014 const unsigned char *input, 01015 unsigned char *output ) 01016 { 01017 int i; 01018 unsigned char temp[16]; 01019 01020 if( length % 16 ) 01021 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); 01022 01023 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 01024 if( aes_padlock_ace ) 01025 { 01026 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 ) 01027 return( 0 ); 01028 01029 // If padlock data misaligned, we just fall back to 01030 // unaccelerated mode 01031 // 01032 } 01033 #endif 01034 01035 if( mode == MBEDTLS_AES_DECRYPT ) 01036 { 01037 while( length > 0 ) 01038 { 01039 memcpy( temp, input, 16 ); 01040 mbedtls_aes_crypt_ecb( ctx, mode, input, output ); 01041 01042 for( i = 0; i < 16; i++ ) 01043 output[i] = (unsigned char)( output[i] ^ iv[i] ); 01044 01045 memcpy( iv, temp, 16 ); 01046 01047 input += 16; 01048 output += 16; 01049 length -= 16; 01050 } 01051 } 01052 else 01053 { 01054 while( length > 0 ) 01055 { 01056 for( i = 0; i < 16; i++ ) 01057 output[i] = (unsigned char)( input[i] ^ iv[i] ); 01058 01059 mbedtls_aes_crypt_ecb( ctx, mode, output, output ); 01060 memcpy( iv, output, 16 ); 01061 01062 input += 16; 01063 output += 16; 01064 length -= 16; 01065 } 01066 } 01067 01068 return( 0 ); 01069 } 01070 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 01071 01072 #if defined(MBEDTLS_CIPHER_MODE_XTS) 01073 01074 /* Endianess with 64 bits values */ 01075 #ifndef GET_UINT64_LE 01076 #define GET_UINT64_LE(n,b,i) \ 01077 { \ 01078 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \ 01079 | ( (uint64_t) (b)[(i) + 6] << 48 ) \ 01080 | ( (uint64_t) (b)[(i) + 5] << 40 ) \ 01081 | ( (uint64_t) (b)[(i) + 4] << 32 ) \ 01082 | ( (uint64_t) (b)[(i) + 3] << 24 ) \ 01083 | ( (uint64_t) (b)[(i) + 2] << 16 ) \ 01084 | ( (uint64_t) (b)[(i) + 1] << 8 ) \ 01085 | ( (uint64_t) (b)[(i) ] ); \ 01086 } 01087 #endif 01088 01089 #ifndef PUT_UINT64_LE 01090 #define PUT_UINT64_LE(n,b,i) \ 01091 { \ 01092 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \ 01093 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \ 01094 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \ 01095 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \ 01096 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \ 01097 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \ 01098 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \ 01099 (b)[(i) ] = (unsigned char) ( (n) ); \ 01100 } 01101 #endif 01102 01103 typedef unsigned char mbedtls_be128[16]; 01104 01105 /* 01106 * GF(2^128) multiplication function 01107 * 01108 * This function multiplies a field element by x in the polynomial field 01109 * representation. It uses 64-bit word operations to gain speed but compensates 01110 * for machine endianess and hence works correctly on both big and little 01111 * endian machines. 01112 */ 01113 static void mbedtls_gf128mul_x_ble( unsigned char r[16], 01114 const unsigned char x[16] ) 01115 { 01116 uint64_t a, b, ra, rb; 01117 01118 GET_UINT64_LE( a, x, 0 ); 01119 GET_UINT64_LE( b, x, 8 ); 01120 01121 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) ); 01122 rb = ( a >> 63 ) | ( b << 1 ); 01123 01124 PUT_UINT64_LE( ra, r, 0 ); 01125 PUT_UINT64_LE( rb, r, 8 ); 01126 } 01127 01128 /* 01129 * AES-XTS buffer encryption/decryption 01130 */ 01131 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, 01132 int mode, 01133 size_t length, 01134 const unsigned char data_unit[16], 01135 const unsigned char *input, 01136 unsigned char *output ) 01137 { 01138 int ret; 01139 size_t blocks = length / 16; 01140 size_t leftover = length % 16; 01141 unsigned char tweak[16]; 01142 unsigned char prev_tweak[16]; 01143 unsigned char tmp[16]; 01144 01145 /* Sectors must be at least 16 bytes. */ 01146 if( length < 16 ) 01147 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 01148 01149 /* NIST SP 80-38E disallows data units larger than 2**20 blocks. */ 01150 if( length > ( 1 << 20 ) * 16 ) 01151 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 01152 01153 /* Compute the tweak. */ 01154 ret = mbedtls_aes_crypt_ecb( &ctx->tweak , MBEDTLS_AES_ENCRYPT, 01155 data_unit, tweak ); 01156 if( ret != 0 ) 01157 return( ret ); 01158 01159 while( blocks-- ) 01160 { 01161 size_t i; 01162 01163 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 ) 01164 { 01165 /* We are on the last block in a decrypt operation that has 01166 * leftover bytes, so we need to use the next tweak for this block, 01167 * and this tweak for the lefover bytes. Save the current tweak for 01168 * the leftovers and then update the current tweak for use on this, 01169 * the last full block. */ 01170 memcpy( prev_tweak, tweak, sizeof( tweak ) ); 01171 mbedtls_gf128mul_x_ble( tweak, tweak ); 01172 } 01173 01174 for( i = 0; i < 16; i++ ) 01175 tmp[i] = input[i] ^ tweak[i]; 01176 01177 ret = mbedtls_aes_crypt_ecb( &ctx->crypt , mode, tmp, tmp ); 01178 if( ret != 0 ) 01179 return( ret ); 01180 01181 for( i = 0; i < 16; i++ ) 01182 output[i] = tmp[i] ^ tweak[i]; 01183 01184 /* Update the tweak for the next block. */ 01185 mbedtls_gf128mul_x_ble( tweak, tweak ); 01186 01187 output += 16; 01188 input += 16; 01189 } 01190 01191 if( leftover ) 01192 { 01193 /* If we are on the leftover bytes in a decrypt operation, we need to 01194 * use the previous tweak for these bytes (as saved in prev_tweak). */ 01195 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; 01196 01197 /* We are now on the final part of the data unit, which doesn't divide 01198 * evenly by 16. It's time for ciphertext stealing. */ 01199 size_t i; 01200 unsigned char *prev_output = output - 16; 01201 01202 /* Copy ciphertext bytes from the previous block to our output for each 01203 * byte of cyphertext we won't steal. At the same time, copy the 01204 * remainder of the input for this final round (since the loop bounds 01205 * are the same). */ 01206 for( i = 0; i < leftover; i++ ) 01207 { 01208 output[i] = prev_output[i]; 01209 tmp[i] = input[i] ^ t[i]; 01210 } 01211 01212 /* Copy ciphertext bytes from the previous block for input in this 01213 * round. */ 01214 for( ; i < 16; i++ ) 01215 tmp[i] = prev_output[i] ^ t[i]; 01216 01217 ret = mbedtls_aes_crypt_ecb( &ctx->crypt , mode, tmp, tmp ); 01218 if( ret != 0 ) 01219 return ret; 01220 01221 /* Write the result back to the previous block, overriding the previous 01222 * output we copied. */ 01223 for( i = 0; i < 16; i++ ) 01224 prev_output[i] = tmp[i] ^ t[i]; 01225 } 01226 01227 return( 0 ); 01228 } 01229 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 01230 01231 #if defined(MBEDTLS_CIPHER_MODE_CFB) 01232 /* 01233 * AES-CFB128 buffer encryption/decryption 01234 */ 01235 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, 01236 int mode, 01237 size_t length, 01238 size_t *iv_off, 01239 unsigned char iv[16], 01240 const unsigned char *input, 01241 unsigned char *output ) 01242 { 01243 int c; 01244 size_t n = *iv_off; 01245 01246 if( mode == MBEDTLS_AES_DECRYPT ) 01247 { 01248 while( length-- ) 01249 { 01250 if( n == 0 ) 01251 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01252 01253 c = *input++; 01254 *output++ = (unsigned char)( c ^ iv[n] ); 01255 iv[n] = (unsigned char) c; 01256 01257 n = ( n + 1 ) & 0x0F; 01258 } 01259 } 01260 else 01261 { 01262 while( length-- ) 01263 { 01264 if( n == 0 ) 01265 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01266 01267 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 01268 01269 n = ( n + 1 ) & 0x0F; 01270 } 01271 } 01272 01273 *iv_off = n; 01274 01275 return( 0 ); 01276 } 01277 01278 /* 01279 * AES-CFB8 buffer encryption/decryption 01280 */ 01281 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, 01282 int mode, 01283 size_t length, 01284 unsigned char iv[16], 01285 const unsigned char *input, 01286 unsigned char *output ) 01287 { 01288 unsigned char c; 01289 unsigned char ov[17]; 01290 01291 while( length-- ) 01292 { 01293 memcpy( ov, iv, 16 ); 01294 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01295 01296 if( mode == MBEDTLS_AES_DECRYPT ) 01297 ov[16] = *input; 01298 01299 c = *output++ = (unsigned char)( iv[0] ^ *input++ ); 01300 01301 if( mode == MBEDTLS_AES_ENCRYPT ) 01302 ov[16] = c; 01303 01304 memcpy( iv, ov + 1, 16 ); 01305 } 01306 01307 return( 0 ); 01308 } 01309 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 01310 01311 #if defined(MBEDTLS_CIPHER_MODE_OFB) 01312 /* 01313 * AES-OFB (Output Feedback Mode) buffer encryption/decryption 01314 */ 01315 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, 01316 size_t length, 01317 size_t *iv_off, 01318 unsigned char iv[16], 01319 const unsigned char *input, 01320 unsigned char *output ) 01321 { 01322 int ret = 0; 01323 size_t n = *iv_off; 01324 01325 while( length-- ) 01326 { 01327 if( n == 0 ) 01328 { 01329 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01330 if( ret != 0 ) 01331 goto exit; 01332 } 01333 *output++ = *input++ ^ iv[n]; 01334 01335 n = ( n + 1 ) & 0x0F; 01336 } 01337 01338 *iv_off = n; 01339 01340 exit: 01341 return( ret ); 01342 } 01343 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 01344 01345 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01346 /* 01347 * AES-CTR buffer encryption/decryption 01348 */ 01349 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, 01350 size_t length, 01351 size_t *nc_off, 01352 unsigned char nonce_counter[16], 01353 unsigned char stream_block[16], 01354 const unsigned char *input, 01355 unsigned char *output ) 01356 { 01357 int c, i; 01358 size_t n = *nc_off; 01359 01360 if ( n > 0x0F ) 01361 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 01362 01363 while( length-- ) 01364 { 01365 if( n == 0 ) { 01366 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block ); 01367 01368 for( i = 16; i > 0; i-- ) 01369 if( ++nonce_counter[i - 1] != 0 ) 01370 break; 01371 } 01372 c = *input++; 01373 *output++ = (unsigned char)( c ^ stream_block[n] ); 01374 01375 n = ( n + 1 ) & 0x0F; 01376 } 01377 01378 *nc_off = n; 01379 01380 return( 0 ); 01381 } 01382 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 01383 01384 #endif /* !MBEDTLS_AES_ALT */ 01385 01386 #if defined(MBEDTLS_SELF_TEST) 01387 /* 01388 * AES test vectors from: 01389 * 01390 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 01391 */ 01392 static const unsigned char aes_test_ecb_dec[3][16] = 01393 { 01394 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 01395 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 01396 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 01397 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 01398 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 01399 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 01400 }; 01401 01402 static const unsigned char aes_test_ecb_enc[3][16] = 01403 { 01404 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 01405 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 01406 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 01407 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 01408 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 01409 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 01410 }; 01411 01412 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01413 static const unsigned char aes_test_cbc_dec[3][16] = 01414 { 01415 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 01416 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, 01417 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 01418 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 01419 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 01420 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 01421 }; 01422 01423 static const unsigned char aes_test_cbc_enc[3][16] = 01424 { 01425 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 01426 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 01427 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 01428 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 01429 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 01430 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 01431 }; 01432 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 01433 01434 #if defined(MBEDTLS_CIPHER_MODE_CFB) 01435 /* 01436 * AES-CFB128 test vectors from: 01437 * 01438 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 01439 */ 01440 static const unsigned char aes_test_cfb128_key[3][32] = 01441 { 01442 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 01443 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 01444 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 01445 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 01446 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 01447 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 01448 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 01449 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 01450 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 01451 }; 01452 01453 static const unsigned char aes_test_cfb128_iv[16] = 01454 { 01455 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01456 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 01457 }; 01458 01459 static const unsigned char aes_test_cfb128_pt[64] = 01460 { 01461 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 01462 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 01463 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 01464 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 01465 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 01466 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 01467 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 01468 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 01469 }; 01470 01471 static const unsigned char aes_test_cfb128_ct[3][64] = 01472 { 01473 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 01474 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 01475 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, 01476 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 01477 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 01478 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 01479 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 01480 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 01481 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 01482 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 01483 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 01484 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 01485 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 01486 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 01487 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 01488 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 01489 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 01490 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 01491 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 01492 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 01493 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 01494 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 01495 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 01496 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 01497 }; 01498 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 01499 01500 #if defined(MBEDTLS_CIPHER_MODE_OFB) 01501 /* 01502 * AES-OFB test vectors from: 01503 * 01504 * https://csrc.nist.gov/publications/detail/sp/800-38a/final 01505 */ 01506 static const unsigned char aes_test_ofb_key[3][32] = 01507 { 01508 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 01509 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 01510 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 01511 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 01512 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 01513 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 01514 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 01515 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 01516 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 01517 }; 01518 01519 static const unsigned char aes_test_ofb_iv[16] = 01520 { 01521 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01522 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 01523 }; 01524 01525 static const unsigned char aes_test_ofb_pt[64] = 01526 { 01527 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 01528 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 01529 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 01530 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 01531 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 01532 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 01533 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 01534 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 01535 }; 01536 01537 static const unsigned char aes_test_ofb_ct[3][64] = 01538 { 01539 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 01540 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 01541 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 01542 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 01543 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 01544 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, 01545 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 01546 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, 01547 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 01548 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 01549 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 01550 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 01551 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 01552 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, 01553 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 01554 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, 01555 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 01556 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 01557 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 01558 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 01559 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 01560 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, 01561 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 01562 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } 01563 }; 01564 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 01565 01566 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01567 /* 01568 * AES-CTR test vectors from: 01569 * 01570 * http://www.faqs.org/rfcs/rfc3686.html 01571 */ 01572 01573 static const unsigned char aes_test_ctr_key[3][16] = 01574 { 01575 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 01576 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 01577 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 01578 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 01579 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 01580 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 01581 }; 01582 01583 static const unsigned char aes_test_ctr_nonce_counter[3][16] = 01584 { 01585 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 01586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 01587 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 01588 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 01589 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 01590 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 01591 }; 01592 01593 static const unsigned char aes_test_ctr_pt[3][48] = 01594 { 01595 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 01596 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 01597 01598 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01599 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 01600 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 01601 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 01602 01603 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01604 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 01605 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 01606 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 01607 0x20, 0x21, 0x22, 0x23 } 01608 }; 01609 01610 static const unsigned char aes_test_ctr_ct[3][48] = 01611 { 01612 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 01613 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, 01614 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 01615 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 01616 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, 01617 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, 01618 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 01619 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, 01620 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, 01621 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 01622 0x25, 0xB2, 0x07, 0x2F } 01623 }; 01624 01625 static const int aes_test_ctr_len[3] = 01626 { 16, 32, 36 }; 01627 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 01628 01629 #if defined(MBEDTLS_CIPHER_MODE_XTS) 01630 /* 01631 * AES-XTS test vectors from: 01632 * 01633 * IEEE P1619/D16 Annex B 01634 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf 01635 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) 01636 */ 01637 static const unsigned char aes_test_xts_key[][32] = 01638 { 01639 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01640 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01641 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01643 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 01644 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 01645 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 01646 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 01647 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 01648 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, 01649 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 01650 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 01651 }; 01652 01653 static const unsigned char aes_test_xts_pt32[][32] = 01654 { 01655 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01659 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01660 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01661 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01662 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 01663 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01664 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01665 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01666 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 01667 }; 01668 01669 static const unsigned char aes_test_xts_ct32[][32] = 01670 { 01671 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, 01672 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, 01673 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, 01674 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, 01675 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, 01676 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, 01677 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, 01678 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, 01679 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, 01680 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, 01681 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, 01682 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, 01683 }; 01684 01685 static const unsigned char aes_test_xts_data_unit[][16] = 01686 { 01687 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01689 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 01690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01691 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 01692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01693 }; 01694 01695 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 01696 01697 /* 01698 * Checkup routine 01699 */ 01700 int mbedtls_aes_self_test( int verbose ) 01701 { 01702 int ret = 0, i, j, u, mode; 01703 unsigned int keybits; 01704 unsigned char key[32]; 01705 unsigned char buf[64]; 01706 const unsigned char *aes_tests; 01707 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) 01708 unsigned char iv[16]; 01709 #endif 01710 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01711 unsigned char prv[16]; 01712 #endif 01713 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 01714 defined(MBEDTLS_CIPHER_MODE_OFB) 01715 size_t offset; 01716 #endif 01717 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) 01718 int len; 01719 #endif 01720 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01721 unsigned char nonce_counter[16]; 01722 unsigned char stream_block[16]; 01723 #endif 01724 mbedtls_aes_context ctx; 01725 01726 memset( key, 0, 32 ); 01727 mbedtls_aes_init( &ctx ); 01728 01729 /* 01730 * ECB mode 01731 */ 01732 for( i = 0; i < 6; i++ ) 01733 { 01734 u = i >> 1; 01735 keybits = 128 + u * 64; 01736 mode = i & 1; 01737 01738 if( verbose != 0 ) 01739 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits, 01740 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01741 01742 memset( buf, 0, 16 ); 01743 01744 if( mode == MBEDTLS_AES_DECRYPT ) 01745 { 01746 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 01747 aes_tests = aes_test_ecb_dec[u]; 01748 } 01749 else 01750 { 01751 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01752 aes_tests = aes_test_ecb_enc[u]; 01753 } 01754 01755 /* 01756 * AES-192 is an optional feature that may be unavailable when 01757 * there is an alternative underlying implementation i.e. when 01758 * MBEDTLS_AES_ALT is defined. 01759 */ 01760 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) 01761 { 01762 mbedtls_printf( "skipped\n" ); 01763 continue; 01764 } 01765 else if( ret != 0 ) 01766 { 01767 goto exit; 01768 } 01769 01770 for( j = 0; j < 10000; j++ ) 01771 { 01772 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf ); 01773 if( ret != 0 ) 01774 goto exit; 01775 } 01776 01777 if( memcmp( buf, aes_tests, 16 ) != 0 ) 01778 { 01779 ret = 1; 01780 goto exit; 01781 } 01782 01783 if( verbose != 0 ) 01784 mbedtls_printf( "passed\n" ); 01785 } 01786 01787 if( verbose != 0 ) 01788 mbedtls_printf( "\n" ); 01789 01790 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01791 /* 01792 * CBC mode 01793 */ 01794 for( i = 0; i < 6; i++ ) 01795 { 01796 u = i >> 1; 01797 keybits = 128 + u * 64; 01798 mode = i & 1; 01799 01800 if( verbose != 0 ) 01801 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits, 01802 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01803 01804 memset( iv , 0, 16 ); 01805 memset( prv, 0, 16 ); 01806 memset( buf, 0, 16 ); 01807 01808 if( mode == MBEDTLS_AES_DECRYPT ) 01809 { 01810 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 01811 aes_tests = aes_test_cbc_dec[u]; 01812 } 01813 else 01814 { 01815 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01816 aes_tests = aes_test_cbc_enc[u]; 01817 } 01818 01819 /* 01820 * AES-192 is an optional feature that may be unavailable when 01821 * there is an alternative underlying implementation i.e. when 01822 * MBEDTLS_AES_ALT is defined. 01823 */ 01824 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) 01825 { 01826 mbedtls_printf( "skipped\n" ); 01827 continue; 01828 } 01829 else if( ret != 0 ) 01830 { 01831 goto exit; 01832 } 01833 01834 for( j = 0; j < 10000; j++ ) 01835 { 01836 if( mode == MBEDTLS_AES_ENCRYPT ) 01837 { 01838 unsigned char tmp[16]; 01839 01840 memcpy( tmp, prv, 16 ); 01841 memcpy( prv, buf, 16 ); 01842 memcpy( buf, tmp, 16 ); 01843 } 01844 01845 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf ); 01846 if( ret != 0 ) 01847 goto exit; 01848 01849 } 01850 01851 if( memcmp( buf, aes_tests, 16 ) != 0 ) 01852 { 01853 ret = 1; 01854 goto exit; 01855 } 01856 01857 if( verbose != 0 ) 01858 mbedtls_printf( "passed\n" ); 01859 } 01860 01861 if( verbose != 0 ) 01862 mbedtls_printf( "\n" ); 01863 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 01864 01865 #if defined(MBEDTLS_CIPHER_MODE_CFB) 01866 /* 01867 * CFB128 mode 01868 */ 01869 for( i = 0; i < 6; i++ ) 01870 { 01871 u = i >> 1; 01872 keybits = 128 + u * 64; 01873 mode = i & 1; 01874 01875 if( verbose != 0 ) 01876 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits, 01877 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01878 01879 memcpy( iv, aes_test_cfb128_iv, 16 ); 01880 memcpy( key, aes_test_cfb128_key[u], keybits / 8 ); 01881 01882 offset = 0; 01883 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01884 /* 01885 * AES-192 is an optional feature that may be unavailable when 01886 * there is an alternative underlying implementation i.e. when 01887 * MBEDTLS_AES_ALT is defined. 01888 */ 01889 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) 01890 { 01891 mbedtls_printf( "skipped\n" ); 01892 continue; 01893 } 01894 else if( ret != 0 ) 01895 { 01896 goto exit; 01897 } 01898 01899 if( mode == MBEDTLS_AES_DECRYPT ) 01900 { 01901 memcpy( buf, aes_test_cfb128_ct[u], 64 ); 01902 aes_tests = aes_test_cfb128_pt; 01903 } 01904 else 01905 { 01906 memcpy( buf, aes_test_cfb128_pt, 64 ); 01907 aes_tests = aes_test_cfb128_ct[u]; 01908 } 01909 01910 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf ); 01911 if( ret != 0 ) 01912 goto exit; 01913 01914 if( memcmp( buf, aes_tests, 64 ) != 0 ) 01915 { 01916 ret = 1; 01917 goto exit; 01918 } 01919 01920 if( verbose != 0 ) 01921 mbedtls_printf( "passed\n" ); 01922 } 01923 01924 if( verbose != 0 ) 01925 mbedtls_printf( "\n" ); 01926 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 01927 01928 #if defined(MBEDTLS_CIPHER_MODE_OFB) 01929 /* 01930 * OFB mode 01931 */ 01932 for( i = 0; i < 6; i++ ) 01933 { 01934 u = i >> 1; 01935 keybits = 128 + u * 64; 01936 mode = i & 1; 01937 01938 if( verbose != 0 ) 01939 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits, 01940 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01941 01942 memcpy( iv, aes_test_ofb_iv, 16 ); 01943 memcpy( key, aes_test_ofb_key[u], keybits / 8 ); 01944 01945 offset = 0; 01946 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01947 /* 01948 * AES-192 is an optional feature that may be unavailable when 01949 * there is an alternative underlying implementation i.e. when 01950 * MBEDTLS_AES_ALT is defined. 01951 */ 01952 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) 01953 { 01954 mbedtls_printf( "skipped\n" ); 01955 continue; 01956 } 01957 else if( ret != 0 ) 01958 { 01959 goto exit; 01960 } 01961 01962 if( mode == MBEDTLS_AES_DECRYPT ) 01963 { 01964 memcpy( buf, aes_test_ofb_ct[u], 64 ); 01965 aes_tests = aes_test_ofb_pt; 01966 } 01967 else 01968 { 01969 memcpy( buf, aes_test_ofb_pt, 64 ); 01970 aes_tests = aes_test_ofb_ct[u]; 01971 } 01972 01973 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf ); 01974 if( ret != 0 ) 01975 goto exit; 01976 01977 if( memcmp( buf, aes_tests, 64 ) != 0 ) 01978 { 01979 ret = 1; 01980 goto exit; 01981 } 01982 01983 if( verbose != 0 ) 01984 mbedtls_printf( "passed\n" ); 01985 } 01986 01987 if( verbose != 0 ) 01988 mbedtls_printf( "\n" ); 01989 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 01990 01991 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01992 /* 01993 * CTR mode 01994 */ 01995 for( i = 0; i < 6; i++ ) 01996 { 01997 u = i >> 1; 01998 mode = i & 1; 01999 02000 if( verbose != 0 ) 02001 mbedtls_printf( " AES-CTR-128 (%s): ", 02002 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 02003 02004 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 ); 02005 memcpy( key, aes_test_ctr_key[u], 16 ); 02006 02007 offset = 0; 02008 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 ) 02009 goto exit; 02010 02011 len = aes_test_ctr_len[u]; 02012 02013 if( mode == MBEDTLS_AES_DECRYPT ) 02014 { 02015 memcpy( buf, aes_test_ctr_ct[u], len ); 02016 aes_tests = aes_test_ctr_pt[u]; 02017 } 02018 else 02019 { 02020 memcpy( buf, aes_test_ctr_pt[u], len ); 02021 aes_tests = aes_test_ctr_ct[u]; 02022 } 02023 02024 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, 02025 stream_block, buf, buf ); 02026 if( ret != 0 ) 02027 goto exit; 02028 02029 if( memcmp( buf, aes_tests, len ) != 0 ) 02030 { 02031 ret = 1; 02032 goto exit; 02033 } 02034 02035 if( verbose != 0 ) 02036 mbedtls_printf( "passed\n" ); 02037 } 02038 02039 if( verbose != 0 ) 02040 mbedtls_printf( "\n" ); 02041 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 02042 02043 #if defined(MBEDTLS_CIPHER_MODE_XTS) 02044 { 02045 static const int num_tests = 02046 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); 02047 mbedtls_aes_xts_context ctx_xts; 02048 02049 /* 02050 * XTS mode 02051 */ 02052 mbedtls_aes_xts_init( &ctx_xts ); 02053 02054 for( i = 0; i < num_tests << 1; i++ ) 02055 { 02056 const unsigned char *data_unit; 02057 u = i >> 1; 02058 mode = i & 1; 02059 02060 if( verbose != 0 ) 02061 mbedtls_printf( " AES-XTS-128 (%s): ", 02062 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 02063 02064 memset( key, 0, sizeof( key ) ); 02065 memcpy( key, aes_test_xts_key[u], 32 ); 02066 data_unit = aes_test_xts_data_unit[u]; 02067 02068 len = sizeof( *aes_test_xts_ct32 ); 02069 02070 if( mode == MBEDTLS_AES_DECRYPT ) 02071 { 02072 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 ); 02073 if( ret != 0) 02074 goto exit; 02075 memcpy( buf, aes_test_xts_ct32[u], len ); 02076 aes_tests = aes_test_xts_pt32[u]; 02077 } 02078 else 02079 { 02080 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 ); 02081 if( ret != 0) 02082 goto exit; 02083 memcpy( buf, aes_test_xts_pt32[u], len ); 02084 aes_tests = aes_test_xts_ct32[u]; 02085 } 02086 02087 02088 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit, 02089 buf, buf ); 02090 if( ret != 0 ) 02091 goto exit; 02092 02093 if( memcmp( buf, aes_tests, len ) != 0 ) 02094 { 02095 ret = 1; 02096 goto exit; 02097 } 02098 02099 if( verbose != 0 ) 02100 mbedtls_printf( "passed\n" ); 02101 } 02102 02103 if( verbose != 0 ) 02104 mbedtls_printf( "\n" ); 02105 02106 mbedtls_aes_xts_free( &ctx_xts ); 02107 } 02108 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 02109 02110 ret = 0; 02111 02112 exit: 02113 if( ret != 0 && verbose != 0 ) 02114 mbedtls_printf( "failed\n" ); 02115 02116 mbedtls_aes_free( &ctx ); 02117 02118 return( ret ); 02119 } 02120 02121 #endif /* MBEDTLS_SELF_TEST */ 02122 02123 #endif /* MBEDTLS_AES_C */
Generated on Tue Jul 12 2022 15:15:39 by
1.7.2