Kenji Arai / mbed-os_TYBLE16

Dependents:   TYBLE16_simple_data_logger TYBLE16_MP3_Air

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers aes.c Source File

aes.c

00001 /*
00002  *  FIPS-197 compliant AES implementation
00003  *
00004  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
00005  *  SPDX-License-Identifier: Apache-2.0
00006  *
00007  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
00008  *  not use this file except in compliance with the License.
00009  *  You may obtain a copy of the License at
00010  *
00011  *  http://www.apache.org/licenses/LICENSE-2.0
00012  *
00013  *  Unless required by applicable law or agreed to in writing, software
00014  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
00015  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00016  *  See the License for the specific language governing permissions and
00017  *  limitations under the License.
00018  *
00019  *  This file is part of mbed TLS (https://tls.mbed.org)
00020  */
00021 /*
00022  *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
00023  *
00024  *  http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
00025  *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
00026  */
00027 
00028 #if !defined(MBEDTLS_CONFIG_FILE)
00029 #include "mbedtls/config.h"
00030 #else
00031 #include MBEDTLS_CONFIG_FILE
00032 #endif
00033 
00034 #if defined(MBEDTLS_AES_C)
00035 
00036 #include <string.h>
00037 
00038 #include "mbedtls/aes.h"
00039 #include "mbedtls/platform.h"
00040 #include "mbedtls/platform_util.h"
00041 #if defined(MBEDTLS_PADLOCK_C)
00042 #include "mbedtls/padlock.h"
00043 #endif
00044 #if defined(MBEDTLS_AESNI_C)
00045 #include "mbedtls/aesni.h"
00046 #endif
00047 
00048 #if defined(MBEDTLS_SELF_TEST)
00049 #if defined(MBEDTLS_PLATFORM_C)
00050 #include "mbedtls/platform.h"
00051 #else
00052 #include <stdio.h>
00053 #define mbedtls_printf printf
00054 #endif /* MBEDTLS_PLATFORM_C */
00055 #endif /* MBEDTLS_SELF_TEST */
00056 
00057 #if !defined(MBEDTLS_AES_ALT)
00058 
00059 /* Parameter validation macros based on platform_util.h */
00060 #define AES_VALIDATE_RET( cond )    \
00061     MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
00062 #define AES_VALIDATE( cond )        \
00063     MBEDTLS_INTERNAL_VALIDATE( cond )
00064 
00065 /*
00066  * 32-bit integer manipulation macros (little endian)
00067  */
00068 #ifndef GET_UINT32_LE
00069 #define GET_UINT32_LE(n,b,i)                            \
00070 {                                                       \
00071     (n) = ( (uint32_t) (b)[(i)    ]       )             \
00072         | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
00073         | ( (uint32_t) (b)[(i) + 2] << 16 )             \
00074         | ( (uint32_t) (b)[(i) + 3] << 24 );            \
00075 }
00076 #endif
00077 
00078 #ifndef PUT_UINT32_LE
00079 #define PUT_UINT32_LE(n,b,i)                                    \
00080 {                                                               \
00081     (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
00082     (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
00083     (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
00084     (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
00085 }
00086 #endif
00087 
00088 #if defined(MBEDTLS_PADLOCK_C) &&                      \
00089     ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
00090 static int aes_padlock_ace = -1;
00091 #endif
00092 
00093 #if defined(MBEDTLS_AES_ROM_TABLES)
00094 /*
00095  * Forward S-box
00096  */
00097 static const unsigned char FSb[256] =
00098 {
00099     0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
00100     0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
00101     0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
00102     0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
00103     0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
00104     0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
00105     0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
00106     0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
00107     0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
00108     0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
00109     0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
00110     0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
00111     0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
00112     0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
00113     0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
00114     0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
00115     0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
00116     0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
00117     0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
00118     0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
00119     0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
00120     0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
00121     0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
00122     0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
00123     0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
00124     0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
00125     0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
00126     0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
00127     0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
00128     0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
00129     0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
00130     0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
00131 };
00132 
00133 /*
00134  * Forward tables
00135  */
00136 #define FT \
00137 \
00138     V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
00139     V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
00140     V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
00141     V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
00142     V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
00143     V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
00144     V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
00145     V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
00146     V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
00147     V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
00148     V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
00149     V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
00150     V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
00151     V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
00152     V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
00153     V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
00154     V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
00155     V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
00156     V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
00157     V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
00158     V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
00159     V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
00160     V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
00161     V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
00162     V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
00163     V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
00164     V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
00165     V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
00166     V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
00167     V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
00168     V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
00169     V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
00170     V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
00171     V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
00172     V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
00173     V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
00174     V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
00175     V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
00176     V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
00177     V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
00178     V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
00179     V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
00180     V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
00181     V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
00182     V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
00183     V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
00184     V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
00185     V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
00186     V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
00187     V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
00188     V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
00189     V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
00190     V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
00191     V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
00192     V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
00193     V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
00194     V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
00195     V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
00196     V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
00197     V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
00198     V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
00199     V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
00200     V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
00201     V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
00202 
00203 #define V(a,b,c,d) 0x##a##b##c##d
00204 static const uint32_t FT0[256] = { FT };
00205 #undef V
00206 
00207 #if !defined(MBEDTLS_AES_FEWER_TABLES)
00208 
00209 #define V(a,b,c,d) 0x##b##c##d##a
00210 static const uint32_t FT1[256] = { FT };
00211 #undef V
00212 
00213 #define V(a,b,c,d) 0x##c##d##a##b
00214 static const uint32_t FT2[256] = { FT };
00215 #undef V
00216 
00217 #define V(a,b,c,d) 0x##d##a##b##c
00218 static const uint32_t FT3[256] = { FT };
00219 #undef V
00220 
00221 #endif /* !MBEDTLS_AES_FEWER_TABLES */
00222 
00223 #undef FT
00224 
00225 /*
00226  * Reverse S-box
00227  */
00228 static const unsigned char RSb[256] =
00229 {
00230     0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
00231     0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
00232     0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
00233     0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
00234     0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
00235     0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
00236     0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
00237     0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
00238     0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
00239     0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
00240     0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
00241     0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
00242     0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
00243     0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
00244     0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
00245     0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
00246     0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
00247     0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
00248     0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
00249     0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
00250     0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
00251     0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
00252     0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
00253     0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
00254     0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
00255     0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
00256     0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
00257     0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
00258     0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
00259     0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
00260     0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
00261     0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
00262 };
00263 
00264 /*
00265  * Reverse tables
00266  */
00267 #define RT \
00268 \
00269     V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
00270     V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
00271     V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
00272     V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
00273     V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
00274     V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
00275     V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
00276     V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
00277     V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
00278     V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
00279     V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
00280     V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
00281     V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
00282     V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
00283     V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
00284     V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
00285     V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
00286     V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
00287     V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
00288     V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
00289     V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
00290     V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
00291     V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
00292     V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
00293     V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
00294     V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
00295     V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
00296     V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
00297     V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
00298     V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
00299     V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
00300     V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
00301     V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
00302     V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
00303     V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
00304     V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
00305     V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
00306     V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
00307     V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
00308     V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
00309     V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
00310     V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
00311     V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
00312     V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
00313     V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
00314     V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
00315     V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
00316     V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
00317     V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
00318     V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
00319     V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
00320     V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
00321     V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
00322     V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
00323     V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
00324     V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
00325     V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
00326     V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
00327     V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
00328     V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
00329     V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
00330     V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
00331     V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
00332     V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
00333 
00334 #define V(a,b,c,d) 0x##a##b##c##d
00335 static const uint32_t RT0[256] = { RT };
00336 #undef V
00337 
00338 #if !defined(MBEDTLS_AES_FEWER_TABLES)
00339 
00340 #define V(a,b,c,d) 0x##b##c##d##a
00341 static const uint32_t RT1[256] = { RT };
00342 #undef V
00343 
00344 #define V(a,b,c,d) 0x##c##d##a##b
00345 static const uint32_t RT2[256] = { RT };
00346 #undef V
00347 
00348 #define V(a,b,c,d) 0x##d##a##b##c
00349 static const uint32_t RT3[256] = { RT };
00350 #undef V
00351 
00352 #endif /* !MBEDTLS_AES_FEWER_TABLES */
00353 
00354 #undef RT
00355 
00356 /*
00357  * Round constants
00358  */
00359 static const uint32_t RCON[10] =
00360 {
00361     0x00000001, 0x00000002, 0x00000004, 0x00000008,
00362     0x00000010, 0x00000020, 0x00000040, 0x00000080,
00363     0x0000001B, 0x00000036
00364 };
00365 
00366 #else /* MBEDTLS_AES_ROM_TABLES */
00367 
00368 /*
00369  * Forward S-box & tables
00370  */
00371 static unsigned char FSb[256];
00372 static uint32_t FT0[256];
00373 #if !defined(MBEDTLS_AES_FEWER_TABLES)
00374 static uint32_t FT1[256];
00375 static uint32_t FT2[256];
00376 static uint32_t FT3[256];
00377 #endif /* !MBEDTLS_AES_FEWER_TABLES */
00378 
00379 /*
00380  * Reverse S-box & tables
00381  */
00382 static unsigned char RSb[256];
00383 static uint32_t RT0[256];
00384 #if !defined(MBEDTLS_AES_FEWER_TABLES)
00385 static uint32_t RT1[256];
00386 static uint32_t RT2[256];
00387 static uint32_t RT3[256];
00388 #endif /* !MBEDTLS_AES_FEWER_TABLES */
00389 
00390 /*
00391  * Round constants
00392  */
00393 static uint32_t RCON[10];
00394 
00395 /*
00396  * Tables generation code
00397  */
00398 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
00399 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
00400 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
00401 
00402 static int aes_init_done = 0;
00403 
00404 static void aes_gen_tables( void )
00405 {
00406     int i, x, y, z;
00407     int pow[256];
00408     int log[256];
00409 
00410     /*
00411      * compute pow and log tables over GF(2^8)
00412      */
00413     for( i = 0, x = 1; i < 256; i++ )
00414     {
00415         pow[i] = x;
00416         log[x] = i;
00417         x = ( x ^ XTIME( x ) ) & 0xFF;
00418     }
00419 
00420     /*
00421      * calculate the round constants
00422      */
00423     for( i = 0, x = 1; i < 10; i++ )
00424     {
00425         RCON[i] = (uint32_t) x;
00426         x = XTIME( x ) & 0xFF;
00427     }
00428 
00429     /*
00430      * generate the forward and reverse S-boxes
00431      */
00432     FSb[0x00] = 0x63;
00433     RSb[0x63] = 0x00;
00434 
00435     for( i = 1; i < 256; i++ )
00436     {
00437         x = pow[255 - log[i]];
00438 
00439         y  = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
00440         x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
00441         x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
00442         x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
00443         x ^= y ^ 0x63;
00444 
00445         FSb[i] = (unsigned char) x;
00446         RSb[x] = (unsigned char) i;
00447     }
00448 
00449     /*
00450      * generate the forward and reverse tables
00451      */
00452     for( i = 0; i < 256; i++ )
00453     {
00454         x = FSb[i];
00455         y = XTIME( x ) & 0xFF;
00456         z =  ( y ^ x ) & 0xFF;
00457 
00458         FT0[i] = ( (uint32_t) y       ) ^
00459                  ( (uint32_t) x <<  8 ) ^
00460                  ( (uint32_t) x << 16 ) ^
00461                  ( (uint32_t) z << 24 );
00462 
00463 #if !defined(MBEDTLS_AES_FEWER_TABLES)
00464         FT1[i] = ROTL8( FT0[i] );
00465         FT2[i] = ROTL8( FT1[i] );
00466         FT3[i] = ROTL8( FT2[i] );
00467 #endif /* !MBEDTLS_AES_FEWER_TABLES */
00468 
00469         x = RSb[i];
00470 
00471         RT0[i] = ( (uint32_t) MUL( 0x0E, x )       ) ^
00472                  ( (uint32_t) MUL( 0x09, x ) <<  8 ) ^
00473                  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
00474                  ( (uint32_t) MUL( 0x0B, x ) << 24 );
00475 
00476 #if !defined(MBEDTLS_AES_FEWER_TABLES)
00477         RT1[i] = ROTL8( RT0[i] );
00478         RT2[i] = ROTL8( RT1[i] );
00479         RT3[i] = ROTL8( RT2[i] );
00480 #endif /* !MBEDTLS_AES_FEWER_TABLES */
00481     }
00482 }
00483 
00484 #undef ROTL8
00485 
00486 #endif /* MBEDTLS_AES_ROM_TABLES */
00487 
00488 #if defined(MBEDTLS_AES_FEWER_TABLES)
00489 
00490 #define ROTL8(x)  ( (uint32_t)( ( x ) <<  8 ) + (uint32_t)( ( x ) >> 24 ) )
00491 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
00492 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >>  8 ) )
00493 
00494 #define AES_RT0(idx) RT0[idx]
00495 #define AES_RT1(idx) ROTL8(  RT0[idx] )
00496 #define AES_RT2(idx) ROTL16( RT0[idx] )
00497 #define AES_RT3(idx) ROTL24( RT0[idx] )
00498 
00499 #define AES_FT0(idx) FT0[idx]
00500 #define AES_FT1(idx) ROTL8(  FT0[idx] )
00501 #define AES_FT2(idx) ROTL16( FT0[idx] )
00502 #define AES_FT3(idx) ROTL24( FT0[idx] )
00503 
00504 #else /* MBEDTLS_AES_FEWER_TABLES */
00505 
00506 #define AES_RT0(idx) RT0[idx]
00507 #define AES_RT1(idx) RT1[idx]
00508 #define AES_RT2(idx) RT2[idx]
00509 #define AES_RT3(idx) RT3[idx]
00510 
00511 #define AES_FT0(idx) FT0[idx]
00512 #define AES_FT1(idx) FT1[idx]
00513 #define AES_FT2(idx) FT2[idx]
00514 #define AES_FT3(idx) FT3[idx]
00515 
00516 #endif /* MBEDTLS_AES_FEWER_TABLES */
00517 
00518 void mbedtls_aes_init( mbedtls_aes_context *ctx )
00519 {
00520     AES_VALIDATE( ctx != NULL );
00521 
00522     memset( ctx, 0, sizeof( mbedtls_aes_context ) );
00523 }
00524 
00525 void mbedtls_aes_free( mbedtls_aes_context *ctx )
00526 {
00527     if( ctx == NULL )
00528         return;
00529 
00530     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
00531 }
00532 
00533 #if defined(MBEDTLS_CIPHER_MODE_XTS)
00534 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
00535 {
00536     AES_VALIDATE( ctx != NULL );
00537 
00538     mbedtls_aes_init( &ctx->crypt  );
00539     mbedtls_aes_init( &ctx->tweak  );
00540 }
00541 
00542 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
00543 {
00544     if( ctx == NULL )
00545         return;
00546 
00547     mbedtls_aes_free( &ctx->crypt  );
00548     mbedtls_aes_free( &ctx->tweak  );
00549 }
00550 #endif /* MBEDTLS_CIPHER_MODE_XTS */
00551 
00552 /*
00553  * AES key schedule (encryption)
00554  */
00555 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
00556 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
00557                     unsigned int keybits )
00558 {
00559     unsigned int i;
00560     uint32_t *RK;
00561 
00562     AES_VALIDATE_RET( ctx != NULL );
00563     AES_VALIDATE_RET( key != NULL );
00564 
00565     switch( keybits )
00566     {
00567         case 128: ctx->nr  = 10; break;
00568         case 192: ctx->nr  = 12; break;
00569         case 256: ctx->nr  = 14; break;
00570         default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
00571     }
00572 
00573 #if !defined(MBEDTLS_AES_ROM_TABLES)
00574     if( aes_init_done == 0 )
00575     {
00576         aes_gen_tables();
00577         aes_init_done = 1;
00578     }
00579 #endif
00580 
00581 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
00582     if( aes_padlock_ace == -1 )
00583         aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
00584 
00585     if( aes_padlock_ace )
00586         ctx->rk  = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf  );
00587     else
00588 #endif
00589     ctx->rk  = RK = ctx->buf ;
00590 
00591 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
00592     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
00593         return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk , key, keybits ) );
00594 #endif
00595 
00596     for( i = 0; i < ( keybits >> 5 ); i++ )
00597     {
00598         GET_UINT32_LE( RK[i], key, i << 2 );
00599     }
00600 
00601     switch( ctx->nr  )
00602     {
00603         case 10:
00604 
00605             for( i = 0; i < 10; i++, RK += 4 )
00606             {
00607                 RK[4]  = RK[0] ^ RCON[i] ^
00608                 ( (uint32_t) FSb[ ( RK[3] >>  8 ) & 0xFF ]       ) ^
00609                 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] <<  8 ) ^
00610                 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
00611                 ( (uint32_t) FSb[ ( RK[3]       ) & 0xFF ] << 24 );
00612 
00613                 RK[5]  = RK[1] ^ RK[4];
00614                 RK[6]  = RK[2] ^ RK[5];
00615                 RK[7]  = RK[3] ^ RK[6];
00616             }
00617             break;
00618 
00619         case 12:
00620 
00621             for( i = 0; i < 8; i++, RK += 6 )
00622             {
00623                 RK[6]  = RK[0] ^ RCON[i] ^
00624                 ( (uint32_t) FSb[ ( RK[5] >>  8 ) & 0xFF ]       ) ^
00625                 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] <<  8 ) ^
00626                 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
00627                 ( (uint32_t) FSb[ ( RK[5]       ) & 0xFF ] << 24 );
00628 
00629                 RK[7]  = RK[1] ^ RK[6];
00630                 RK[8]  = RK[2] ^ RK[7];
00631                 RK[9]  = RK[3] ^ RK[8];
00632                 RK[10] = RK[4] ^ RK[9];
00633                 RK[11] = RK[5] ^ RK[10];
00634             }
00635             break;
00636 
00637         case 14:
00638 
00639             for( i = 0; i < 7; i++, RK += 8 )
00640             {
00641                 RK[8]  = RK[0] ^ RCON[i] ^
00642                 ( (uint32_t) FSb[ ( RK[7] >>  8 ) & 0xFF ]       ) ^
00643                 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] <<  8 ) ^
00644                 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
00645                 ( (uint32_t) FSb[ ( RK[7]       ) & 0xFF ] << 24 );
00646 
00647                 RK[9]  = RK[1] ^ RK[8];
00648                 RK[10] = RK[2] ^ RK[9];
00649                 RK[11] = RK[3] ^ RK[10];
00650 
00651                 RK[12] = RK[4] ^
00652                 ( (uint32_t) FSb[ ( RK[11]       ) & 0xFF ]       ) ^
00653                 ( (uint32_t) FSb[ ( RK[11] >>  8 ) & 0xFF ] <<  8 ) ^
00654                 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
00655                 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
00656 
00657                 RK[13] = RK[5] ^ RK[12];
00658                 RK[14] = RK[6] ^ RK[13];
00659                 RK[15] = RK[7] ^ RK[14];
00660             }
00661             break;
00662     }
00663 
00664     return( 0 );
00665 }
00666 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
00667 
00668 /*
00669  * AES key schedule (decryption)
00670  */
00671 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
00672 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
00673                     unsigned int keybits )
00674 {
00675     int i, j, ret;
00676     mbedtls_aes_context cty;
00677     uint32_t *RK;
00678     uint32_t *SK;
00679 
00680     AES_VALIDATE_RET( ctx != NULL );
00681     AES_VALIDATE_RET( key != NULL );
00682 
00683     mbedtls_aes_init( &cty );
00684 
00685 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
00686     if( aes_padlock_ace == -1 )
00687         aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
00688 
00689     if( aes_padlock_ace )
00690         ctx->rk  = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf  );
00691     else
00692 #endif
00693     ctx->rk  = RK = ctx->buf ;
00694 
00695     /* Also checks keybits */
00696     if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
00697         goto exit;
00698 
00699     ctx->nr  = cty.nr ;
00700 
00701 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
00702     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
00703     {
00704         mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk ,
00705                            (const unsigned char *) cty.rk , ctx->nr  );
00706         goto exit;
00707     }
00708 #endif
00709 
00710     SK = cty.rk  + cty.nr  * 4;
00711 
00712     *RK++ = *SK++;
00713     *RK++ = *SK++;
00714     *RK++ = *SK++;
00715     *RK++ = *SK++;
00716 
00717     for( i = ctx->nr  - 1, SK -= 8; i > 0; i--, SK -= 8 )
00718     {
00719         for( j = 0; j < 4; j++, SK++ )
00720         {
00721             *RK++ = AES_RT0( FSb[ ( *SK       ) & 0xFF ] ) ^
00722                     AES_RT1( FSb[ ( *SK >>  8 ) & 0xFF ] ) ^
00723                     AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
00724                     AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
00725         }
00726     }
00727 
00728     *RK++ = *SK++;
00729     *RK++ = *SK++;
00730     *RK++ = *SK++;
00731     *RK++ = *SK++;
00732 
00733 exit:
00734     mbedtls_aes_free( &cty );
00735 
00736     return( ret );
00737 }
00738 
00739 #if defined(MBEDTLS_CIPHER_MODE_XTS)
00740 static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
00741                                         unsigned int keybits,
00742                                         const unsigned char **key1,
00743                                         unsigned int *key1bits,
00744                                         const unsigned char **key2,
00745                                         unsigned int *key2bits )
00746 {
00747     const unsigned int half_keybits = keybits / 2;
00748     const unsigned int half_keybytes = half_keybits / 8;
00749 
00750     switch( keybits )
00751     {
00752         case 256: break;
00753         case 512: break;
00754         default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
00755     }
00756 
00757     *key1bits = half_keybits;
00758     *key2bits = half_keybits;
00759     *key1 = &key[0];
00760     *key2 = &key[half_keybytes];
00761 
00762     return 0;
00763 }
00764 
00765 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
00766                                 const unsigned char *key,
00767                                 unsigned int keybits)
00768 {
00769     int ret;
00770     const unsigned char *key1, *key2;
00771     unsigned int key1bits, key2bits;
00772 
00773     AES_VALIDATE_RET( ctx != NULL );
00774     AES_VALIDATE_RET( key != NULL );
00775 
00776     ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
00777                                        &key2, &key2bits );
00778     if( ret != 0 )
00779         return( ret );
00780 
00781     /* Set the tweak key. Always set tweak key for the encryption mode. */
00782     ret = mbedtls_aes_setkey_enc( &ctx->tweak , key2, key2bits );
00783     if( ret != 0 )
00784         return( ret );
00785 
00786     /* Set crypt key for encryption. */
00787     return mbedtls_aes_setkey_enc( &ctx->crypt , key1, key1bits );
00788 }
00789 
00790 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
00791                                 const unsigned char *key,
00792                                 unsigned int keybits)
00793 {
00794     int ret;
00795     const unsigned char *key1, *key2;
00796     unsigned int key1bits, key2bits;
00797 
00798     AES_VALIDATE_RET( ctx != NULL );
00799     AES_VALIDATE_RET( key != NULL );
00800 
00801     ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
00802                                        &key2, &key2bits );
00803     if( ret != 0 )
00804         return( ret );
00805 
00806     /* Set the tweak key. Always set tweak key for encryption. */
00807     ret = mbedtls_aes_setkey_enc( &ctx->tweak , key2, key2bits );
00808     if( ret != 0 )
00809         return( ret );
00810 
00811     /* Set crypt key for decryption. */
00812     return mbedtls_aes_setkey_dec( &ctx->crypt , key1, key1bits );
00813 }
00814 #endif /* MBEDTLS_CIPHER_MODE_XTS */
00815 
00816 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
00817 
00818 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                     \
00819     do                                                          \
00820     {                                                           \
00821         (X0) = *RK++ ^ AES_FT0( ( (Y0)       ) & 0xFF ) ^       \
00822                        AES_FT1( ( (Y1) >>  8 ) & 0xFF ) ^       \
00823                        AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^       \
00824                        AES_FT3( ( (Y3) >> 24 ) & 0xFF );        \
00825                                                                 \
00826         (X1) = *RK++ ^ AES_FT0( ( (Y1)       ) & 0xFF ) ^       \
00827                        AES_FT1( ( (Y2) >>  8 ) & 0xFF ) ^       \
00828                        AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^       \
00829                        AES_FT3( ( (Y0) >> 24 ) & 0xFF );        \
00830                                                                 \
00831         (X2) = *RK++ ^ AES_FT0( ( (Y2)       ) & 0xFF ) ^       \
00832                        AES_FT1( ( (Y3) >>  8 ) & 0xFF ) ^       \
00833                        AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^       \
00834                        AES_FT3( ( (Y1) >> 24 ) & 0xFF );        \
00835                                                                 \
00836         (X3) = *RK++ ^ AES_FT0( ( (Y3)       ) & 0xFF ) ^       \
00837                        AES_FT1( ( (Y0) >>  8 ) & 0xFF ) ^       \
00838                        AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^       \
00839                        AES_FT3( ( (Y2) >> 24 ) & 0xFF );        \
00840     } while( 0 )
00841 
00842 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)                 \
00843     do                                                      \
00844     {                                                       \
00845         (X0) = *RK++ ^ AES_RT0( ( (Y0)       ) & 0xFF ) ^   \
00846                        AES_RT1( ( (Y3) >>  8 ) & 0xFF ) ^   \
00847                        AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^   \
00848                        AES_RT3( ( (Y1) >> 24 ) & 0xFF );    \
00849                                                             \
00850         (X1) = *RK++ ^ AES_RT0( ( (Y1)       ) & 0xFF ) ^   \
00851                        AES_RT1( ( (Y0) >>  8 ) & 0xFF ) ^   \
00852                        AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^   \
00853                        AES_RT3( ( (Y2) >> 24 ) & 0xFF );    \
00854                                                             \
00855         (X2) = *RK++ ^ AES_RT0( ( (Y2)       ) & 0xFF ) ^   \
00856                        AES_RT1( ( (Y1) >>  8 ) & 0xFF ) ^   \
00857                        AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^   \
00858                        AES_RT3( ( (Y3) >> 24 ) & 0xFF );    \
00859                                                             \
00860         (X3) = *RK++ ^ AES_RT0( ( (Y3)       ) & 0xFF ) ^   \
00861                        AES_RT1( ( (Y2) >>  8 ) & 0xFF ) ^   \
00862                        AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^   \
00863                        AES_RT3( ( (Y0) >> 24 ) & 0xFF );    \
00864     } while( 0 )
00865 
00866 /*
00867  * AES-ECB block encryption
00868  */
00869 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
00870 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
00871                                   const unsigned char input[16],
00872                                   unsigned char output[16] )
00873 {
00874     int i;
00875     uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
00876 
00877     RK = ctx->rk ;
00878 
00879     GET_UINT32_LE( X0, input,  0 ); X0 ^= *RK++;
00880     GET_UINT32_LE( X1, input,  4 ); X1 ^= *RK++;
00881     GET_UINT32_LE( X2, input,  8 ); X2 ^= *RK++;
00882     GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
00883 
00884     for( i = ( ctx->nr  >> 1 ) - 1; i > 0; i-- )
00885     {
00886         AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00887         AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
00888     }
00889 
00890     AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00891 
00892     X0 = *RK++ ^ \
00893             ( (uint32_t) FSb[ ( Y0       ) & 0xFF ]       ) ^
00894             ( (uint32_t) FSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
00895             ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
00896             ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
00897 
00898     X1 = *RK++ ^ \
00899             ( (uint32_t) FSb[ ( Y1       ) & 0xFF ]       ) ^
00900             ( (uint32_t) FSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
00901             ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
00902             ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
00903 
00904     X2 = *RK++ ^ \
00905             ( (uint32_t) FSb[ ( Y2       ) & 0xFF ]       ) ^
00906             ( (uint32_t) FSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
00907             ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
00908             ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
00909 
00910     X3 = *RK++ ^ \
00911             ( (uint32_t) FSb[ ( Y3       ) & 0xFF ]       ) ^
00912             ( (uint32_t) FSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
00913             ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
00914             ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
00915 
00916     PUT_UINT32_LE( X0, output,  0 );
00917     PUT_UINT32_LE( X1, output,  4 );
00918     PUT_UINT32_LE( X2, output,  8 );
00919     PUT_UINT32_LE( X3, output, 12 );
00920 
00921     return( 0 );
00922 }
00923 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
00924 
00925 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
00926 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
00927                           const unsigned char input[16],
00928                           unsigned char output[16] )
00929 {
00930     mbedtls_internal_aes_encrypt( ctx, input, output );
00931 }
00932 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
00933 
00934 /*
00935  * AES-ECB block decryption
00936  */
00937 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
00938 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
00939                                   const unsigned char input[16],
00940                                   unsigned char output[16] )
00941 {
00942     int i;
00943     uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
00944 
00945     RK = ctx->rk ;
00946 
00947     GET_UINT32_LE( X0, input,  0 ); X0 ^= *RK++;
00948     GET_UINT32_LE( X1, input,  4 ); X1 ^= *RK++;
00949     GET_UINT32_LE( X2, input,  8 ); X2 ^= *RK++;
00950     GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
00951 
00952     for( i = ( ctx->nr  >> 1 ) - 1; i > 0; i-- )
00953     {
00954         AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00955         AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
00956     }
00957 
00958     AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
00959 
00960     X0 = *RK++ ^ \
00961             ( (uint32_t) RSb[ ( Y0       ) & 0xFF ]       ) ^
00962             ( (uint32_t) RSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
00963             ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
00964             ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
00965 
00966     X1 = *RK++ ^ \
00967             ( (uint32_t) RSb[ ( Y1       ) & 0xFF ]       ) ^
00968             ( (uint32_t) RSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
00969             ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
00970             ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
00971 
00972     X2 = *RK++ ^ \
00973             ( (uint32_t) RSb[ ( Y2       ) & 0xFF ]       ) ^
00974             ( (uint32_t) RSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
00975             ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
00976             ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
00977 
00978     X3 = *RK++ ^ \
00979             ( (uint32_t) RSb[ ( Y3       ) & 0xFF ]       ) ^
00980             ( (uint32_t) RSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
00981             ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
00982             ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
00983 
00984     PUT_UINT32_LE( X0, output,  0 );
00985     PUT_UINT32_LE( X1, output,  4 );
00986     PUT_UINT32_LE( X2, output,  8 );
00987     PUT_UINT32_LE( X3, output, 12 );
00988 
00989     return( 0 );
00990 }
00991 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
00992 
00993 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
00994 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
00995                           const unsigned char input[16],
00996                           unsigned char output[16] )
00997 {
00998     mbedtls_internal_aes_decrypt( ctx, input, output );
00999 }
01000 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
01001 
01002 /*
01003  * AES-ECB block encryption/decryption
01004  */
01005 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
01006                            int mode,
01007                            const unsigned char input[16],
01008                            unsigned char output[16] )
01009 {
01010     AES_VALIDATE_RET( ctx != NULL );
01011     AES_VALIDATE_RET( input != NULL );
01012     AES_VALIDATE_RET( output != NULL );
01013     AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
01014                       mode == MBEDTLS_AES_DECRYPT );
01015 
01016 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
01017     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
01018         return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
01019 #endif
01020 
01021 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
01022     if( aes_padlock_ace )
01023     {
01024         if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
01025             return( 0 );
01026 
01027         // If padlock data misaligned, we just fall back to
01028         // unaccelerated mode
01029         //
01030     }
01031 #endif
01032 
01033     if( mode == MBEDTLS_AES_ENCRYPT )
01034         return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
01035     else
01036         return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
01037 }
01038 
01039 #if defined(MBEDTLS_CIPHER_MODE_CBC)
01040 /*
01041  * AES-CBC buffer encryption/decryption
01042  */
01043 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
01044                     int mode,
01045                     size_t length,
01046                     unsigned char iv[16],
01047                     const unsigned char *input,
01048                     unsigned char *output )
01049 {
01050     int i;
01051     unsigned char temp[16];
01052 
01053     AES_VALIDATE_RET( ctx != NULL );
01054     AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
01055                       mode == MBEDTLS_AES_DECRYPT );
01056     AES_VALIDATE_RET( iv != NULL );
01057     AES_VALIDATE_RET( input != NULL );
01058     AES_VALIDATE_RET( output != NULL );
01059 
01060     if( length % 16 )
01061         return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
01062 
01063 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
01064     if( aes_padlock_ace )
01065     {
01066         if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
01067             return( 0 );
01068 
01069         // If padlock data misaligned, we just fall back to
01070         // unaccelerated mode
01071         //
01072     }
01073 #endif
01074 
01075     if( mode == MBEDTLS_AES_DECRYPT )
01076     {
01077         while( length > 0 )
01078         {
01079             memcpy( temp, input, 16 );
01080             mbedtls_aes_crypt_ecb( ctx, mode, input, output );
01081 
01082             for( i = 0; i < 16; i++ )
01083                 output[i] = (unsigned char)( output[i] ^ iv[i] );
01084 
01085             memcpy( iv, temp, 16 );
01086 
01087             input  += 16;
01088             output += 16;
01089             length -= 16;
01090         }
01091     }
01092     else
01093     {
01094         while( length > 0 )
01095         {
01096             for( i = 0; i < 16; i++ )
01097                 output[i] = (unsigned char)( input[i] ^ iv[i] );
01098 
01099             mbedtls_aes_crypt_ecb( ctx, mode, output, output );
01100             memcpy( iv, output, 16 );
01101 
01102             input  += 16;
01103             output += 16;
01104             length -= 16;
01105         }
01106     }
01107 
01108     return( 0 );
01109 }
01110 #endif /* MBEDTLS_CIPHER_MODE_CBC */
01111 
01112 #if defined(MBEDTLS_CIPHER_MODE_XTS)
01113 
01114 /* Endianess with 64 bits values */
01115 #ifndef GET_UINT64_LE
01116 #define GET_UINT64_LE(n,b,i)                            \
01117 {                                                       \
01118     (n) = ( (uint64_t) (b)[(i) + 7] << 56 )             \
01119         | ( (uint64_t) (b)[(i) + 6] << 48 )             \
01120         | ( (uint64_t) (b)[(i) + 5] << 40 )             \
01121         | ( (uint64_t) (b)[(i) + 4] << 32 )             \
01122         | ( (uint64_t) (b)[(i) + 3] << 24 )             \
01123         | ( (uint64_t) (b)[(i) + 2] << 16 )             \
01124         | ( (uint64_t) (b)[(i) + 1] <<  8 )             \
01125         | ( (uint64_t) (b)[(i)    ]       );            \
01126 }
01127 #endif
01128 
01129 #ifndef PUT_UINT64_LE
01130 #define PUT_UINT64_LE(n,b,i)                            \
01131 {                                                       \
01132     (b)[(i) + 7] = (unsigned char) ( (n) >> 56 );       \
01133     (b)[(i) + 6] = (unsigned char) ( (n) >> 48 );       \
01134     (b)[(i) + 5] = (unsigned char) ( (n) >> 40 );       \
01135     (b)[(i) + 4] = (unsigned char) ( (n) >> 32 );       \
01136     (b)[(i) + 3] = (unsigned char) ( (n) >> 24 );       \
01137     (b)[(i) + 2] = (unsigned char) ( (n) >> 16 );       \
01138     (b)[(i) + 1] = (unsigned char) ( (n) >>  8 );       \
01139     (b)[(i)    ] = (unsigned char) ( (n)       );       \
01140 }
01141 #endif
01142 
01143 typedef unsigned char mbedtls_be128[16];
01144 
01145 /*
01146  * GF(2^128) multiplication function
01147  *
01148  * This function multiplies a field element by x in the polynomial field
01149  * representation. It uses 64-bit word operations to gain speed but compensates
01150  * for machine endianess and hence works correctly on both big and little
01151  * endian machines.
01152  */
01153 static void mbedtls_gf128mul_x_ble( unsigned char r[16],
01154                                     const unsigned char x[16] )
01155 {
01156     uint64_t a, b, ra, rb;
01157 
01158     GET_UINT64_LE( a, x, 0 );
01159     GET_UINT64_LE( b, x, 8 );
01160 
01161     ra = ( a << 1 )  ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
01162     rb = ( a >> 63 ) | ( b << 1 );
01163 
01164     PUT_UINT64_LE( ra, r, 0 );
01165     PUT_UINT64_LE( rb, r, 8 );
01166 }
01167 
01168 /*
01169  * AES-XTS buffer encryption/decryption
01170  */
01171 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
01172                            int mode,
01173                            size_t length,
01174                            const unsigned char data_unit[16],
01175                            const unsigned char *input,
01176                            unsigned char *output )
01177 {
01178     int ret;
01179     size_t blocks = length / 16;
01180     size_t leftover = length % 16;
01181     unsigned char tweak[16];
01182     unsigned char prev_tweak[16];
01183     unsigned char tmp[16];
01184 
01185     AES_VALIDATE_RET( ctx != NULL );
01186     AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
01187                       mode == MBEDTLS_AES_DECRYPT );
01188     AES_VALIDATE_RET( data_unit != NULL );
01189     AES_VALIDATE_RET( input != NULL );
01190     AES_VALIDATE_RET( output != NULL );
01191 
01192     /* Data units must be at least 16 bytes long. */
01193     if( length < 16 )
01194         return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
01195 
01196     /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
01197     if( length > ( 1 << 20 ) * 16 )
01198         return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
01199 
01200     /* Compute the tweak. */
01201     ret = mbedtls_aes_crypt_ecb( &ctx->tweak , MBEDTLS_AES_ENCRYPT,
01202                                  data_unit, tweak );
01203     if( ret != 0 )
01204         return( ret );
01205 
01206     while( blocks-- )
01207     {
01208         size_t i;
01209 
01210         if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
01211         {
01212             /* We are on the last block in a decrypt operation that has
01213              * leftover bytes, so we need to use the next tweak for this block,
01214              * and this tweak for the lefover bytes. Save the current tweak for
01215              * the leftovers and then update the current tweak for use on this,
01216              * the last full block. */
01217             memcpy( prev_tweak, tweak, sizeof( tweak ) );
01218             mbedtls_gf128mul_x_ble( tweak, tweak );
01219         }
01220 
01221         for( i = 0; i < 16; i++ )
01222             tmp[i] = input[i] ^ tweak[i];
01223 
01224         ret = mbedtls_aes_crypt_ecb( &ctx->crypt , mode, tmp, tmp );
01225         if( ret != 0 )
01226             return( ret );
01227 
01228         for( i = 0; i < 16; i++ )
01229             output[i] = tmp[i] ^ tweak[i];
01230 
01231         /* Update the tweak for the next block. */
01232         mbedtls_gf128mul_x_ble( tweak, tweak );
01233 
01234         output += 16;
01235         input += 16;
01236     }
01237 
01238     if( leftover )
01239     {
01240         /* If we are on the leftover bytes in a decrypt operation, we need to
01241          * use the previous tweak for these bytes (as saved in prev_tweak). */
01242         unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
01243 
01244         /* We are now on the final part of the data unit, which doesn't divide
01245          * evenly by 16. It's time for ciphertext stealing. */
01246         size_t i;
01247         unsigned char *prev_output = output - 16;
01248 
01249         /* Copy ciphertext bytes from the previous block to our output for each
01250          * byte of cyphertext we won't steal. At the same time, copy the
01251          * remainder of the input for this final round (since the loop bounds
01252          * are the same). */
01253         for( i = 0; i < leftover; i++ )
01254         {
01255             output[i] = prev_output[i];
01256             tmp[i] = input[i] ^ t[i];
01257         }
01258 
01259         /* Copy ciphertext bytes from the previous block for input in this
01260          * round. */
01261         for( ; i < 16; i++ )
01262             tmp[i] = prev_output[i] ^ t[i];
01263 
01264         ret = mbedtls_aes_crypt_ecb( &ctx->crypt , mode, tmp, tmp );
01265         if( ret != 0 )
01266             return ret;
01267 
01268         /* Write the result back to the previous block, overriding the previous
01269          * output we copied. */
01270         for( i = 0; i < 16; i++ )
01271             prev_output[i] = tmp[i] ^ t[i];
01272     }
01273 
01274     return( 0 );
01275 }
01276 #endif /* MBEDTLS_CIPHER_MODE_XTS */
01277 
01278 #if defined(MBEDTLS_CIPHER_MODE_CFB)
01279 /*
01280  * AES-CFB128 buffer encryption/decryption
01281  */
01282 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
01283                        int mode,
01284                        size_t length,
01285                        size_t *iv_off,
01286                        unsigned char iv[16],
01287                        const unsigned char *input,
01288                        unsigned char *output )
01289 {
01290     int c;
01291     size_t n;
01292 
01293     AES_VALIDATE_RET( ctx != NULL );
01294     AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
01295                       mode == MBEDTLS_AES_DECRYPT );
01296     AES_VALIDATE_RET( iv_off != NULL );
01297     AES_VALIDATE_RET( iv != NULL );
01298     AES_VALIDATE_RET( input != NULL );
01299     AES_VALIDATE_RET( output != NULL );
01300 
01301     n = *iv_off;
01302 
01303     if( n > 15 )
01304         return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
01305 
01306     if( mode == MBEDTLS_AES_DECRYPT )
01307     {
01308         while( length-- )
01309         {
01310             if( n == 0 )
01311                 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
01312 
01313             c = *input++;
01314             *output++ = (unsigned char)( c ^ iv[n] );
01315             iv[n] = (unsigned char) c;
01316 
01317             n = ( n + 1 ) & 0x0F;
01318         }
01319     }
01320     else
01321     {
01322         while( length-- )
01323         {
01324             if( n == 0 )
01325                 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
01326 
01327             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
01328 
01329             n = ( n + 1 ) & 0x0F;
01330         }
01331     }
01332 
01333     *iv_off = n;
01334 
01335     return( 0 );
01336 }
01337 
01338 /*
01339  * AES-CFB8 buffer encryption/decryption
01340  */
01341 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
01342                             int mode,
01343                             size_t length,
01344                             unsigned char iv[16],
01345                             const unsigned char *input,
01346                             unsigned char *output )
01347 {
01348     unsigned char c;
01349     unsigned char ov[17];
01350 
01351     AES_VALIDATE_RET( ctx != NULL );
01352     AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
01353                       mode == MBEDTLS_AES_DECRYPT );
01354     AES_VALIDATE_RET( iv != NULL );
01355     AES_VALIDATE_RET( input != NULL );
01356     AES_VALIDATE_RET( output != NULL );
01357     while( length-- )
01358     {
01359         memcpy( ov, iv, 16 );
01360         mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
01361 
01362         if( mode == MBEDTLS_AES_DECRYPT )
01363             ov[16] = *input;
01364 
01365         c = *output++ = (unsigned char)( iv[0] ^ *input++ );
01366 
01367         if( mode == MBEDTLS_AES_ENCRYPT )
01368             ov[16] = c;
01369 
01370         memcpy( iv, ov + 1, 16 );
01371     }
01372 
01373     return( 0 );
01374 }
01375 #endif /* MBEDTLS_CIPHER_MODE_CFB */
01376 
01377 #if defined(MBEDTLS_CIPHER_MODE_OFB)
01378 /*
01379  * AES-OFB (Output Feedback Mode) buffer encryption/decryption
01380  */
01381 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
01382                            size_t length,
01383                            size_t *iv_off,
01384                            unsigned char iv[16],
01385                            const unsigned char *input,
01386                            unsigned char *output )
01387 {
01388     int ret = 0;
01389     size_t n;
01390 
01391     AES_VALIDATE_RET( ctx != NULL );
01392     AES_VALIDATE_RET( iv_off != NULL );
01393     AES_VALIDATE_RET( iv != NULL );
01394     AES_VALIDATE_RET( input != NULL );
01395     AES_VALIDATE_RET( output != NULL );
01396 
01397     n = *iv_off;
01398 
01399     if( n > 15 )
01400         return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
01401 
01402     while( length-- )
01403     {
01404         if( n == 0 )
01405         {
01406             ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
01407             if( ret != 0 )
01408                 goto exit;
01409         }
01410         *output++ =  *input++ ^ iv[n];
01411 
01412         n = ( n + 1 ) & 0x0F;
01413     }
01414 
01415     *iv_off = n;
01416 
01417 exit:
01418     return( ret );
01419 }
01420 #endif /* MBEDTLS_CIPHER_MODE_OFB */
01421 
01422 #if defined(MBEDTLS_CIPHER_MODE_CTR)
01423 /*
01424  * AES-CTR buffer encryption/decryption
01425  */
01426 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
01427                        size_t length,
01428                        size_t *nc_off,
01429                        unsigned char nonce_counter[16],
01430                        unsigned char stream_block[16],
01431                        const unsigned char *input,
01432                        unsigned char *output )
01433 {
01434     int c, i;
01435     size_t n;
01436 
01437     AES_VALIDATE_RET( ctx != NULL );
01438     AES_VALIDATE_RET( nc_off != NULL );
01439     AES_VALIDATE_RET( nonce_counter != NULL );
01440     AES_VALIDATE_RET( stream_block != NULL );
01441     AES_VALIDATE_RET( input != NULL );
01442     AES_VALIDATE_RET( output != NULL );
01443 
01444     n = *nc_off;
01445 
01446     if ( n > 0x0F )
01447         return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
01448 
01449     while( length-- )
01450     {
01451         if( n == 0 ) {
01452             mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
01453 
01454             for( i = 16; i > 0; i-- )
01455                 if( ++nonce_counter[i - 1] != 0 )
01456                     break;
01457         }
01458         c = *input++;
01459         *output++ = (unsigned char)( c ^ stream_block[n] );
01460 
01461         n = ( n + 1 ) & 0x0F;
01462     }
01463 
01464     *nc_off = n;
01465 
01466     return( 0 );
01467 }
01468 #endif /* MBEDTLS_CIPHER_MODE_CTR */
01469 
01470 #endif /* !MBEDTLS_AES_ALT */
01471 
01472 #if defined(MBEDTLS_SELF_TEST)
01473 /*
01474  * AES test vectors from:
01475  *
01476  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
01477  */
01478 static const unsigned char aes_test_ecb_dec[3][16] =
01479 {
01480     { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
01481       0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
01482     { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
01483       0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
01484     { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
01485       0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
01486 };
01487 
01488 static const unsigned char aes_test_ecb_enc[3][16] =
01489 {
01490     { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
01491       0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
01492     { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
01493       0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
01494     { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
01495       0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
01496 };
01497 
01498 #if defined(MBEDTLS_CIPHER_MODE_CBC)
01499 static const unsigned char aes_test_cbc_dec[3][16] =
01500 {
01501     { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
01502       0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
01503     { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
01504       0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
01505     { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
01506       0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
01507 };
01508 
01509 static const unsigned char aes_test_cbc_enc[3][16] =
01510 {
01511     { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
01512       0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
01513     { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
01514       0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
01515     { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
01516       0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
01517 };
01518 #endif /* MBEDTLS_CIPHER_MODE_CBC */
01519 
01520 #if defined(MBEDTLS_CIPHER_MODE_CFB)
01521 /*
01522  * AES-CFB128 test vectors from:
01523  *
01524  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
01525  */
01526 static const unsigned char aes_test_cfb128_key[3][32] =
01527 {
01528     { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
01529       0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
01530     { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
01531       0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
01532       0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
01533     { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
01534       0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
01535       0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
01536       0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
01537 };
01538 
01539 static const unsigned char aes_test_cfb128_iv[16] =
01540 {
01541     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
01542     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
01543 };
01544 
01545 static const unsigned char aes_test_cfb128_pt[64] =
01546 {
01547     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
01548     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
01549     0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
01550     0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
01551     0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
01552     0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
01553     0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
01554     0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
01555 };
01556 
01557 static const unsigned char aes_test_cfb128_ct[3][64] =
01558 {
01559     { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
01560       0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
01561       0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
01562       0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
01563       0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
01564       0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
01565       0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
01566       0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
01567     { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
01568       0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
01569       0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
01570       0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
01571       0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
01572       0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
01573       0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
01574       0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
01575     { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
01576       0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
01577       0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
01578       0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
01579       0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
01580       0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
01581       0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
01582       0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
01583 };
01584 #endif /* MBEDTLS_CIPHER_MODE_CFB */
01585 
01586 #if defined(MBEDTLS_CIPHER_MODE_OFB)
01587 /*
01588  * AES-OFB test vectors from:
01589  *
01590  * https://csrc.nist.gov/publications/detail/sp/800-38a/final
01591  */
01592 static const unsigned char aes_test_ofb_key[3][32] =
01593 {
01594     { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
01595       0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
01596     { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
01597       0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
01598       0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
01599     { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
01600       0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
01601       0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
01602       0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
01603 };
01604 
01605 static const unsigned char aes_test_ofb_iv[16] =
01606 {
01607     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
01608     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
01609 };
01610 
01611 static const unsigned char aes_test_ofb_pt[64] =
01612 {
01613     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
01614     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
01615     0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
01616     0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
01617     0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
01618     0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
01619     0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
01620     0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
01621 };
01622 
01623 static const unsigned char aes_test_ofb_ct[3][64] =
01624 {
01625     { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
01626       0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
01627       0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
01628       0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
01629       0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
01630       0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
01631       0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
01632       0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
01633     { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
01634       0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
01635       0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
01636       0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
01637       0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
01638       0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
01639       0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
01640       0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
01641     { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
01642       0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
01643       0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
01644       0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
01645       0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
01646       0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
01647       0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
01648       0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
01649 };
01650 #endif /* MBEDTLS_CIPHER_MODE_OFB */
01651 
01652 #if defined(MBEDTLS_CIPHER_MODE_CTR)
01653 /*
01654  * AES-CTR test vectors from:
01655  *
01656  * http://www.faqs.org/rfcs/rfc3686.html
01657  */
01658 
01659 static const unsigned char aes_test_ctr_key[3][16] =
01660 {
01661     { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
01662       0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
01663     { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
01664       0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
01665     { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
01666       0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
01667 };
01668 
01669 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
01670 {
01671     { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
01672       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
01673     { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
01674       0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
01675     { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
01676       0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
01677 };
01678 
01679 static const unsigned char aes_test_ctr_pt[3][48] =
01680 {
01681     { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
01682       0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
01683 
01684     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
01685       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
01686       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
01687       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
01688 
01689     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
01690       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
01691       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
01692       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
01693       0x20, 0x21, 0x22, 0x23 }
01694 };
01695 
01696 static const unsigned char aes_test_ctr_ct[3][48] =
01697 {
01698     { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
01699       0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
01700     { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
01701       0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
01702       0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
01703       0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
01704     { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
01705       0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
01706       0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
01707       0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
01708       0x25, 0xB2, 0x07, 0x2F }
01709 };
01710 
01711 static const int aes_test_ctr_len[3] =
01712     { 16, 32, 36 };
01713 #endif /* MBEDTLS_CIPHER_MODE_CTR */
01714 
01715 #if defined(MBEDTLS_CIPHER_MODE_XTS)
01716 /*
01717  * AES-XTS test vectors from:
01718  *
01719  * IEEE P1619/D16 Annex B
01720  * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
01721  * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
01722  */
01723 static const unsigned char aes_test_xts_key[][32] =
01724 {
01725     { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
01726       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
01727       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
01728       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
01729     { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
01730       0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
01731       0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
01732       0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
01733     { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
01734       0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
01735       0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
01736       0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
01737 };
01738 
01739 static const unsigned char aes_test_xts_pt32[][32] =
01740 {
01741     { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
01742       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
01743       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
01744       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
01745     { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
01746       0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
01747       0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
01748       0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
01749     { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
01750       0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
01751       0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
01752       0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
01753 };
01754 
01755 static const unsigned char aes_test_xts_ct32[][32] =
01756 {
01757     { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
01758       0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
01759       0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
01760       0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
01761     { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
01762       0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
01763       0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
01764       0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
01765     { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
01766       0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
01767       0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
01768       0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
01769 };
01770 
01771 static const unsigned char aes_test_xts_data_unit[][16] =
01772 {
01773    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
01774      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
01775    { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
01776      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
01777    { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
01778      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
01779 };
01780 
01781 #endif /* MBEDTLS_CIPHER_MODE_XTS */
01782 
01783 /*
01784  * Checkup routine
01785  */
01786 int mbedtls_aes_self_test( int verbose )
01787 {
01788     int ret = 0, i, j, u, mode;
01789     unsigned int keybits;
01790     unsigned char key[32];
01791     unsigned char buf[64];
01792     const unsigned char *aes_tests;
01793 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
01794     unsigned char iv[16];
01795 #endif
01796 #if defined(MBEDTLS_CIPHER_MODE_CBC)
01797     unsigned char prv[16];
01798 #endif
01799 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
01800     defined(MBEDTLS_CIPHER_MODE_OFB)
01801     size_t offset;
01802 #endif
01803 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
01804     int len;
01805 #endif
01806 #if defined(MBEDTLS_CIPHER_MODE_CTR)
01807     unsigned char nonce_counter[16];
01808     unsigned char stream_block[16];
01809 #endif
01810     mbedtls_aes_context ctx;
01811 
01812     memset( key, 0, 32 );
01813     mbedtls_aes_init( &ctx );
01814 
01815     /*
01816      * ECB mode
01817      */
01818     for( i = 0; i < 6; i++ )
01819     {
01820         u = i >> 1;
01821         keybits = 128 + u * 64;
01822         mode = i & 1;
01823 
01824         if( verbose != 0 )
01825             mbedtls_printf( "  AES-ECB-%3d (%s): ", keybits,
01826                             ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
01827 
01828         memset( buf, 0, 16 );
01829 
01830         if( mode == MBEDTLS_AES_DECRYPT )
01831         {
01832             ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
01833             aes_tests = aes_test_ecb_dec[u];
01834         }
01835         else
01836         {
01837             ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
01838             aes_tests = aes_test_ecb_enc[u];
01839         }
01840 
01841         /*
01842          * AES-192 is an optional feature that may be unavailable when
01843          * there is an alternative underlying implementation i.e. when
01844          * MBEDTLS_AES_ALT is defined.
01845          */
01846         if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
01847         {
01848             mbedtls_printf( "skipped\n" );
01849             continue;
01850         }
01851         else if( ret != 0 )
01852         {
01853             goto exit;
01854         }
01855 
01856         for( j = 0; j < 10000; j++ )
01857         {
01858             ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
01859             if( ret != 0 )
01860                 goto exit;
01861         }
01862 
01863         if( memcmp( buf, aes_tests, 16 ) != 0 )
01864         {
01865             ret = 1;
01866             goto exit;
01867         }
01868 
01869         if( verbose != 0 )
01870             mbedtls_printf( "passed\n" );
01871     }
01872 
01873     if( verbose != 0 )
01874         mbedtls_printf( "\n" );
01875 
01876 #if defined(MBEDTLS_CIPHER_MODE_CBC)
01877     /*
01878      * CBC mode
01879      */
01880     for( i = 0; i < 6; i++ )
01881     {
01882         u = i >> 1;
01883         keybits = 128 + u * 64;
01884         mode = i & 1;
01885 
01886         if( verbose != 0 )
01887             mbedtls_printf( "  AES-CBC-%3d (%s): ", keybits,
01888                             ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
01889 
01890         memset( iv , 0, 16 );
01891         memset( prv, 0, 16 );
01892         memset( buf, 0, 16 );
01893 
01894         if( mode == MBEDTLS_AES_DECRYPT )
01895         {
01896             ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
01897             aes_tests = aes_test_cbc_dec[u];
01898         }
01899         else
01900         {
01901             ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
01902             aes_tests = aes_test_cbc_enc[u];
01903         }
01904 
01905         /*
01906          * AES-192 is an optional feature that may be unavailable when
01907          * there is an alternative underlying implementation i.e. when
01908          * MBEDTLS_AES_ALT is defined.
01909          */
01910         if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
01911         {
01912             mbedtls_printf( "skipped\n" );
01913             continue;
01914         }
01915         else if( ret != 0 )
01916         {
01917             goto exit;
01918         }
01919 
01920         for( j = 0; j < 10000; j++ )
01921         {
01922             if( mode == MBEDTLS_AES_ENCRYPT )
01923             {
01924                 unsigned char tmp[16];
01925 
01926                 memcpy( tmp, prv, 16 );
01927                 memcpy( prv, buf, 16 );
01928                 memcpy( buf, tmp, 16 );
01929             }
01930 
01931             ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
01932             if( ret != 0 )
01933                 goto exit;
01934 
01935         }
01936 
01937         if( memcmp( buf, aes_tests, 16 ) != 0 )
01938         {
01939             ret = 1;
01940             goto exit;
01941         }
01942 
01943         if( verbose != 0 )
01944             mbedtls_printf( "passed\n" );
01945     }
01946 
01947     if( verbose != 0 )
01948         mbedtls_printf( "\n" );
01949 #endif /* MBEDTLS_CIPHER_MODE_CBC */
01950 
01951 #if defined(MBEDTLS_CIPHER_MODE_CFB)
01952     /*
01953      * CFB128 mode
01954      */
01955     for( i = 0; i < 6; i++ )
01956     {
01957         u = i >> 1;
01958         keybits = 128 + u * 64;
01959         mode = i & 1;
01960 
01961         if( verbose != 0 )
01962             mbedtls_printf( "  AES-CFB128-%3d (%s): ", keybits,
01963                             ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
01964 
01965         memcpy( iv,  aes_test_cfb128_iv, 16 );
01966         memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
01967 
01968         offset = 0;
01969         ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
01970         /*
01971          * AES-192 is an optional feature that may be unavailable when
01972          * there is an alternative underlying implementation i.e. when
01973          * MBEDTLS_AES_ALT is defined.
01974          */
01975         if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
01976         {
01977             mbedtls_printf( "skipped\n" );
01978             continue;
01979         }
01980         else if( ret != 0 )
01981         {
01982             goto exit;
01983         }
01984 
01985         if( mode == MBEDTLS_AES_DECRYPT )
01986         {
01987             memcpy( buf, aes_test_cfb128_ct[u], 64 );
01988             aes_tests = aes_test_cfb128_pt;
01989         }
01990         else
01991         {
01992             memcpy( buf, aes_test_cfb128_pt, 64 );
01993             aes_tests = aes_test_cfb128_ct[u];
01994         }
01995 
01996         ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
01997         if( ret != 0 )
01998             goto exit;
01999 
02000         if( memcmp( buf, aes_tests, 64 ) != 0 )
02001         {
02002             ret = 1;
02003             goto exit;
02004         }
02005 
02006         if( verbose != 0 )
02007             mbedtls_printf( "passed\n" );
02008     }
02009 
02010     if( verbose != 0 )
02011         mbedtls_printf( "\n" );
02012 #endif /* MBEDTLS_CIPHER_MODE_CFB */
02013 
02014 #if defined(MBEDTLS_CIPHER_MODE_OFB)
02015     /*
02016      * OFB mode
02017      */
02018     for( i = 0; i < 6; i++ )
02019     {
02020         u = i >> 1;
02021         keybits = 128 + u * 64;
02022         mode = i & 1;
02023 
02024         if( verbose != 0 )
02025             mbedtls_printf( "  AES-OFB-%3d (%s): ", keybits,
02026                             ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
02027 
02028         memcpy( iv,  aes_test_ofb_iv, 16 );
02029         memcpy( key, aes_test_ofb_key[u], keybits / 8 );
02030 
02031         offset = 0;
02032         ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
02033         /*
02034          * AES-192 is an optional feature that may be unavailable when
02035          * there is an alternative underlying implementation i.e. when
02036          * MBEDTLS_AES_ALT is defined.
02037          */
02038         if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
02039         {
02040             mbedtls_printf( "skipped\n" );
02041             continue;
02042         }
02043         else if( ret != 0 )
02044         {
02045             goto exit;
02046         }
02047 
02048         if( mode == MBEDTLS_AES_DECRYPT )
02049         {
02050             memcpy( buf, aes_test_ofb_ct[u], 64 );
02051             aes_tests = aes_test_ofb_pt;
02052         }
02053         else
02054         {
02055             memcpy( buf, aes_test_ofb_pt, 64 );
02056             aes_tests = aes_test_ofb_ct[u];
02057         }
02058 
02059         ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
02060         if( ret != 0 )
02061             goto exit;
02062 
02063         if( memcmp( buf, aes_tests, 64 ) != 0 )
02064         {
02065             ret = 1;
02066             goto exit;
02067         }
02068 
02069         if( verbose != 0 )
02070             mbedtls_printf( "passed\n" );
02071     }
02072 
02073     if( verbose != 0 )
02074         mbedtls_printf( "\n" );
02075 #endif /* MBEDTLS_CIPHER_MODE_OFB */
02076 
02077 #if defined(MBEDTLS_CIPHER_MODE_CTR)
02078     /*
02079      * CTR mode
02080      */
02081     for( i = 0; i < 6; i++ )
02082     {
02083         u = i >> 1;
02084         mode = i & 1;
02085 
02086         if( verbose != 0 )
02087             mbedtls_printf( "  AES-CTR-128 (%s): ",
02088                             ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
02089 
02090         memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
02091         memcpy( key, aes_test_ctr_key[u], 16 );
02092 
02093         offset = 0;
02094         if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
02095             goto exit;
02096 
02097         len = aes_test_ctr_len[u];
02098 
02099         if( mode == MBEDTLS_AES_DECRYPT )
02100         {
02101             memcpy( buf, aes_test_ctr_ct[u], len );
02102             aes_tests = aes_test_ctr_pt[u];
02103         }
02104         else
02105         {
02106             memcpy( buf, aes_test_ctr_pt[u], len );
02107             aes_tests = aes_test_ctr_ct[u];
02108         }
02109 
02110         ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
02111                                      stream_block, buf, buf );
02112         if( ret != 0 )
02113             goto exit;
02114 
02115         if( memcmp( buf, aes_tests, len ) != 0 )
02116         {
02117             ret = 1;
02118             goto exit;
02119         }
02120 
02121         if( verbose != 0 )
02122             mbedtls_printf( "passed\n" );
02123     }
02124 
02125     if( verbose != 0 )
02126         mbedtls_printf( "\n" );
02127 #endif /* MBEDTLS_CIPHER_MODE_CTR */
02128 
02129 #if defined(MBEDTLS_CIPHER_MODE_XTS)
02130     {
02131     static const int num_tests =
02132         sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
02133     mbedtls_aes_xts_context ctx_xts;
02134 
02135     /*
02136      * XTS mode
02137      */
02138     mbedtls_aes_xts_init( &ctx_xts );
02139 
02140     for( i = 0; i < num_tests << 1; i++ )
02141     {
02142         const unsigned char *data_unit;
02143         u = i >> 1;
02144         mode = i & 1;
02145 
02146         if( verbose != 0 )
02147             mbedtls_printf( "  AES-XTS-128 (%s): ",
02148                             ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
02149 
02150         memset( key, 0, sizeof( key ) );
02151         memcpy( key, aes_test_xts_key[u], 32 );
02152         data_unit = aes_test_xts_data_unit[u];
02153 
02154         len = sizeof( *aes_test_xts_ct32 );
02155 
02156         if( mode == MBEDTLS_AES_DECRYPT )
02157         {
02158             ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
02159             if( ret != 0)
02160                 goto exit;
02161             memcpy( buf, aes_test_xts_ct32[u], len );
02162             aes_tests = aes_test_xts_pt32[u];
02163         }
02164         else
02165         {
02166             ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
02167             if( ret != 0)
02168                 goto exit;
02169             memcpy( buf, aes_test_xts_pt32[u], len );
02170             aes_tests = aes_test_xts_ct32[u];
02171         }
02172 
02173 
02174         ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
02175                                      buf, buf );
02176         if( ret != 0 )
02177             goto exit;
02178 
02179         if( memcmp( buf, aes_tests, len ) != 0 )
02180         {
02181             ret = 1;
02182             goto exit;
02183         }
02184 
02185         if( verbose != 0 )
02186             mbedtls_printf( "passed\n" );
02187     }
02188 
02189     if( verbose != 0 )
02190         mbedtls_printf( "\n" );
02191 
02192     mbedtls_aes_xts_free( &ctx_xts );
02193     }
02194 #endif /* MBEDTLS_CIPHER_MODE_XTS */
02195 
02196     ret = 0;
02197 
02198 exit:
02199     if( ret != 0 && verbose != 0 )
02200         mbedtls_printf( "failed\n" );
02201 
02202     mbedtls_aes_free( &ctx );
02203 
02204     return( ret );
02205 }
02206 
02207 #endif /* MBEDTLS_SELF_TEST */
02208 
02209 #endif /* MBEDTLS_AES_C */