1 /*
2  *  FIPS-197 compliant AES implementation
3  *
4  *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  *
19  *  This file is part of mbed TLS (https://tls.mbed.org)
20  */
21 /*
22  *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23  *
24  *  http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25  *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26  */
27 
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33 
34 #if defined(MBEDTLS_AES_C)
35 
36 #include <string.h>
37 
38 #include "mbedtls/aes.h"
39 #if defined(MBEDTLS_PADLOCK_C)
40 #include "mbedtls/padlock.h"
41 #endif
42 #if defined(MBEDTLS_AESNI_C)
43 #include "mbedtls/aesni.h"
44 #endif
45 
46 #if defined(MBEDTLS_SELF_TEST)
47 #if defined(MBEDTLS_PLATFORM_C)
48 #include "mbedtls/platform.h"
49 #else
50 #include <stdio.h>
51 #define mbedtls_printf printf
52 #endif /* MBEDTLS_PLATFORM_C */
53 #endif /* MBEDTLS_SELF_TEST */
54 
55 #if !defined(MBEDTLS_AES_ALT)
56 
57 /* Implementation that should never be optimized out by the compiler */
mbedtls_zeroize(void * v,size_t n)58 static void mbedtls_zeroize( void *v, size_t n ) {
59     volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
60 }
61 
62 /*
63  * 32-bit integer manipulation macros (little endian)
64  */
65 #ifndef GET_UINT32_LE
66 #define GET_UINT32_LE(n,b,i)                            \
67 {                                                       \
68     (n) = ( (uint32_t) (b)[(i)    ]       )             \
69         | ( (uint32_t) (b)[(i) + 1] <<  8 )             \
70         | ( (uint32_t) (b)[(i) + 2] << 16 )             \
71         | ( (uint32_t) (b)[(i) + 3] << 24 );            \
72 }
73 #endif
74 
75 #ifndef PUT_UINT32_LE
76 #define PUT_UINT32_LE(n,b,i)                                    \
77 {                                                               \
78     (b)[(i)    ] = (unsigned char) ( ( (n)       ) & 0xFF );    \
79     (b)[(i) + 1] = (unsigned char) ( ( (n) >>  8 ) & 0xFF );    \
80     (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF );    \
81     (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF );    \
82 }
83 #endif
84 
85 #if defined(MBEDTLS_PADLOCK_C) &&                      \
86     ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
87 static int aes_padlock_ace = -1;
88 #endif
89 
90 #if defined(MBEDTLS_AES_ROM_TABLES)
91 /*
92  * Forward S-box
93  */
94 static const unsigned char FSb[256] =
95 {
96     0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
97     0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
98     0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
99     0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
100     0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
101     0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
102     0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
103     0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
104     0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
105     0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
106     0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
107     0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
108     0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
109     0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
110     0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
111     0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
112     0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
113     0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
114     0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
115     0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
116     0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
117     0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
118     0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
119     0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
120     0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
121     0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
122     0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
123     0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
124     0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
125     0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
126     0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
127     0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
128 };
129 
130 /*
131  * Forward tables
132  */
133 #define FT \
134 \
135     V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
136     V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
137     V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
138     V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
139     V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
140     V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
141     V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
142     V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
143     V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
144     V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
145     V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
146     V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
147     V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
148     V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
149     V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
150     V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
151     V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
152     V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
153     V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
154     V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
155     V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
156     V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
157     V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
158     V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
159     V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
160     V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
161     V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
162     V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
163     V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
164     V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
165     V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
166     V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
167     V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
168     V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
169     V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
170     V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
171     V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
172     V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
173     V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
174     V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
175     V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
176     V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
177     V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
178     V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
179     V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
180     V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
181     V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
182     V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
183     V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
184     V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
185     V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
186     V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
187     V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
188     V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
189     V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
190     V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
191     V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
192     V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
193     V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
194     V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
195     V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
196     V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
197     V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
198     V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
199 
200 #define V(a,b,c,d) 0x##a##b##c##d
201 static const uint32_t FT0[256] = { FT };
202 #undef V
203 
204 #define V(a,b,c,d) 0x##b##c##d##a
205 static const uint32_t FT1[256] = { FT };
206 #undef V
207 
208 #define V(a,b,c,d) 0x##c##d##a##b
209 static const uint32_t FT2[256] = { FT };
210 #undef V
211 
212 #define V(a,b,c,d) 0x##d##a##b##c
213 static const uint32_t FT3[256] = { FT };
214 #undef V
215 
216 #undef FT
217 
218 /*
219  * Reverse S-box
220  */
221 static const unsigned char RSb[256] =
222 {
223     0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224     0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225     0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226     0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227     0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228     0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229     0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230     0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231     0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232     0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233     0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234     0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235     0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236     0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237     0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238     0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239     0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240     0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241     0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242     0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243     0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244     0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245     0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246     0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247     0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248     0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249     0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250     0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251     0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252     0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253     0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254     0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
255 };
256 
257 /*
258  * Reverse tables
259  */
260 #define RT \
261 \
262     V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263     V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264     V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265     V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266     V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267     V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268     V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269     V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270     V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271     V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272     V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273     V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274     V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275     V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276     V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277     V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278     V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279     V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280     V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281     V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282     V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283     V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284     V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285     V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286     V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287     V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288     V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289     V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290     V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291     V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292     V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293     V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294     V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295     V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296     V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297     V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298     V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299     V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300     V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301     V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302     V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303     V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304     V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305     V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306     V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307     V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308     V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309     V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310     V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311     V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312     V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313     V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314     V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315     V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316     V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317     V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318     V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319     V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320     V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321     V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322     V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323     V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324     V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325     V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
326 
327 #define V(a,b,c,d) 0x##a##b##c##d
328 static const uint32_t RT0[256] = { RT };
329 #undef V
330 
331 #define V(a,b,c,d) 0x##b##c##d##a
332 static const uint32_t RT1[256] = { RT };
333 #undef V
334 
335 #define V(a,b,c,d) 0x##c##d##a##b
336 static const uint32_t RT2[256] = { RT };
337 #undef V
338 
339 #define V(a,b,c,d) 0x##d##a##b##c
340 static const uint32_t RT3[256] = { RT };
341 #undef V
342 
343 #undef RT
344 
345 /*
346  * Round constants
347  */
348 static const uint32_t RCON[10] =
349 {
350     0x00000001, 0x00000002, 0x00000004, 0x00000008,
351     0x00000010, 0x00000020, 0x00000040, 0x00000080,
352     0x0000001B, 0x00000036
353 };
354 
355 #else /* MBEDTLS_AES_ROM_TABLES */
356 
357 /*
358  * Forward S-box & tables
359  */
360 static unsigned char FSb[256];
361 static uint32_t FT0[256];
362 static uint32_t FT1[256];
363 static uint32_t FT2[256];
364 static uint32_t FT3[256];
365 
366 /*
367  * Reverse S-box & tables
368  */
369 static unsigned char RSb[256];
370 static uint32_t RT0[256];
371 static uint32_t RT1[256];
372 static uint32_t RT2[256];
373 static uint32_t RT3[256];
374 
375 /*
376  * Round constants
377  */
378 static uint32_t RCON[10];
379 
380 /*
381  * Tables generation code
382  */
383 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
384 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
385 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
386 
387 static int aes_init_done = 0;
388 
aes_gen_tables(void)389 static void aes_gen_tables( void )
390 {
391     int i, x, y, z;
392     int pow[256];
393     int log[256];
394 
395     /*
396      * compute pow and log tables over GF(2^8)
397      */
398     for( i = 0, x = 1; i < 256; i++ )
399     {
400         pow[i] = x;
401         log[x] = i;
402         x = ( x ^ XTIME( x ) ) & 0xFF;
403     }
404 
405     /*
406      * calculate the round constants
407      */
408     for( i = 0, x = 1; i < 10; i++ )
409     {
410         RCON[i] = (uint32_t) x;
411         x = XTIME( x ) & 0xFF;
412     }
413 
414     /*
415      * generate the forward and reverse S-boxes
416      */
417     FSb[0x00] = 0x63;
418     RSb[0x63] = 0x00;
419 
420     for( i = 1; i < 256; i++ )
421     {
422         x = pow[255 - log[i]];
423 
424         y  = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
425         x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
426         x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
427         x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
428         x ^= y ^ 0x63;
429 
430         FSb[i] = (unsigned char) x;
431         RSb[x] = (unsigned char) i;
432     }
433 
434     /*
435      * generate the forward and reverse tables
436      */
437     for( i = 0; i < 256; i++ )
438     {
439         x = FSb[i];
440         y = XTIME( x ) & 0xFF;
441         z =  ( y ^ x ) & 0xFF;
442 
443         FT0[i] = ( (uint32_t) y       ) ^
444                  ( (uint32_t) x <<  8 ) ^
445                  ( (uint32_t) x << 16 ) ^
446                  ( (uint32_t) z << 24 );
447 
448         FT1[i] = ROTL8( FT0[i] );
449         FT2[i] = ROTL8( FT1[i] );
450         FT3[i] = ROTL8( FT2[i] );
451 
452         x = RSb[i];
453 
454         RT0[i] = ( (uint32_t) MUL( 0x0E, x )       ) ^
455                  ( (uint32_t) MUL( 0x09, x ) <<  8 ) ^
456                  ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
457                  ( (uint32_t) MUL( 0x0B, x ) << 24 );
458 
459         RT1[i] = ROTL8( RT0[i] );
460         RT2[i] = ROTL8( RT1[i] );
461         RT3[i] = ROTL8( RT2[i] );
462     }
463 }
464 
465 #endif /* MBEDTLS_AES_ROM_TABLES */
466 
mbedtls_aes_init(mbedtls_aes_context * ctx)467 void mbedtls_aes_init( mbedtls_aes_context *ctx )
468 {
469     memset( ctx, 0, sizeof( mbedtls_aes_context ) );
470 }
471 
mbedtls_aes_free(mbedtls_aes_context * ctx)472 void mbedtls_aes_free( mbedtls_aes_context *ctx )
473 {
474     if( ctx == NULL )
475         return;
476 
477     mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
478 }
479 
480 /*
481  * AES key schedule (encryption)
482  */
483 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)484 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
485                     unsigned int keybits )
486 {
487     unsigned int i;
488     uint32_t *RK;
489 
490 #if !defined(MBEDTLS_AES_ROM_TABLES)
491     if( aes_init_done == 0 )
492     {
493         aes_gen_tables();
494         aes_init_done = 1;
495 
496     }
497 #endif
498 
499     switch( keybits )
500     {
501         case 128: ctx->nr = 10; break;
502         case 192: ctx->nr = 12; break;
503         case 256: ctx->nr = 14; break;
504         default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
505     }
506 
507 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
508     if( aes_padlock_ace == -1 )
509         aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
510 
511     if( aes_padlock_ace )
512         ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
513     else
514 #endif
515     ctx->rk = RK = ctx->buf;
516 
517 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
518     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
519         return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
520 #endif
521 
522     for( i = 0; i < ( keybits >> 5 ); i++ )
523     {
524         GET_UINT32_LE( RK[i], key, i << 2 );
525     }
526 
527     switch( ctx->nr )
528     {
529         case 10:
530 
531             for( i = 0; i < 10; i++, RK += 4 )
532             {
533                 RK[4]  = RK[0] ^ RCON[i] ^
534                 ( (uint32_t) FSb[ ( RK[3] >>  8 ) & 0xFF ]       ) ^
535                 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] <<  8 ) ^
536                 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
537                 ( (uint32_t) FSb[ ( RK[3]       ) & 0xFF ] << 24 );
538 
539                 RK[5]  = RK[1] ^ RK[4];
540                 RK[6]  = RK[2] ^ RK[5];
541                 RK[7]  = RK[3] ^ RK[6];
542             }
543             break;
544 
545         case 12:
546 
547             for( i = 0; i < 8; i++, RK += 6 )
548             {
549                 RK[6]  = RK[0] ^ RCON[i] ^
550                 ( (uint32_t) FSb[ ( RK[5] >>  8 ) & 0xFF ]       ) ^
551                 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] <<  8 ) ^
552                 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
553                 ( (uint32_t) FSb[ ( RK[5]       ) & 0xFF ] << 24 );
554 
555                 RK[7]  = RK[1] ^ RK[6];
556                 RK[8]  = RK[2] ^ RK[7];
557                 RK[9]  = RK[3] ^ RK[8];
558                 RK[10] = RK[4] ^ RK[9];
559                 RK[11] = RK[5] ^ RK[10];
560             }
561             break;
562 
563         case 14:
564 
565             for( i = 0; i < 7; i++, RK += 8 )
566             {
567                 RK[8]  = RK[0] ^ RCON[i] ^
568                 ( (uint32_t) FSb[ ( RK[7] >>  8 ) & 0xFF ]       ) ^
569                 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] <<  8 ) ^
570                 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
571                 ( (uint32_t) FSb[ ( RK[7]       ) & 0xFF ] << 24 );
572 
573                 RK[9]  = RK[1] ^ RK[8];
574                 RK[10] = RK[2] ^ RK[9];
575                 RK[11] = RK[3] ^ RK[10];
576 
577                 RK[12] = RK[4] ^
578                 ( (uint32_t) FSb[ ( RK[11]       ) & 0xFF ]       ) ^
579                 ( (uint32_t) FSb[ ( RK[11] >>  8 ) & 0xFF ] <<  8 ) ^
580                 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
581                 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
582 
583                 RK[13] = RK[5] ^ RK[12];
584                 RK[14] = RK[6] ^ RK[13];
585                 RK[15] = RK[7] ^ RK[14];
586             }
587             break;
588     }
589 
590     return( 0 );
591 }
592 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
593 
594 /*
595  * AES key schedule (decryption)
596  */
597 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)598 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
599                     unsigned int keybits )
600 {
601     int i, j, ret;
602     mbedtls_aes_context cty;
603     uint32_t *RK;
604     uint32_t *SK;
605 
606     mbedtls_aes_init( &cty );
607 
608 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
609     if( aes_padlock_ace == -1 )
610         aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
611 
612     if( aes_padlock_ace )
613         ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
614     else
615 #endif
616     ctx->rk = RK = ctx->buf;
617 
618     /* Also checks keybits */
619     if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
620         goto exit;
621 
622     ctx->nr = cty.nr;
623 
624 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
625     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
626     {
627         mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
628                            (const unsigned char *) cty.rk, ctx->nr );
629         goto exit;
630     }
631 #endif
632 
633     SK = cty.rk + cty.nr * 4;
634 
635     *RK++ = *SK++;
636     *RK++ = *SK++;
637     *RK++ = *SK++;
638     *RK++ = *SK++;
639 
640     for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
641     {
642         for( j = 0; j < 4; j++, SK++ )
643         {
644             *RK++ = RT0[ FSb[ ( *SK       ) & 0xFF ] ] ^
645                     RT1[ FSb[ ( *SK >>  8 ) & 0xFF ] ] ^
646                     RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
647                     RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
648         }
649     }
650 
651     *RK++ = *SK++;
652     *RK++ = *SK++;
653     *RK++ = *SK++;
654     *RK++ = *SK++;
655 
656 exit:
657     mbedtls_aes_free( &cty );
658 
659     return( ret );
660 }
661 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
662 
663 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
664 {                                               \
665     X0 = *RK++ ^ FT0[ ( Y0       ) & 0xFF ] ^   \
666                  FT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
667                  FT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
668                  FT3[ ( Y3 >> 24 ) & 0xFF ];    \
669                                                 \
670     X1 = *RK++ ^ FT0[ ( Y1       ) & 0xFF ] ^   \
671                  FT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
672                  FT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
673                  FT3[ ( Y0 >> 24 ) & 0xFF ];    \
674                                                 \
675     X2 = *RK++ ^ FT0[ ( Y2       ) & 0xFF ] ^   \
676                  FT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
677                  FT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
678                  FT3[ ( Y1 >> 24 ) & 0xFF ];    \
679                                                 \
680     X3 = *RK++ ^ FT0[ ( Y3       ) & 0xFF ] ^   \
681                  FT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
682                  FT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
683                  FT3[ ( Y2 >> 24 ) & 0xFF ];    \
684 }
685 
686 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3)     \
687 {                                               \
688     X0 = *RK++ ^ RT0[ ( Y0       ) & 0xFF ] ^   \
689                  RT1[ ( Y3 >>  8 ) & 0xFF ] ^   \
690                  RT2[ ( Y2 >> 16 ) & 0xFF ] ^   \
691                  RT3[ ( Y1 >> 24 ) & 0xFF ];    \
692                                                 \
693     X1 = *RK++ ^ RT0[ ( Y1       ) & 0xFF ] ^   \
694                  RT1[ ( Y0 >>  8 ) & 0xFF ] ^   \
695                  RT2[ ( Y3 >> 16 ) & 0xFF ] ^   \
696                  RT3[ ( Y2 >> 24 ) & 0xFF ];    \
697                                                 \
698     X2 = *RK++ ^ RT0[ ( Y2       ) & 0xFF ] ^   \
699                  RT1[ ( Y1 >>  8 ) & 0xFF ] ^   \
700                  RT2[ ( Y0 >> 16 ) & 0xFF ] ^   \
701                  RT3[ ( Y3 >> 24 ) & 0xFF ];    \
702                                                 \
703     X3 = *RK++ ^ RT0[ ( Y3       ) & 0xFF ] ^   \
704                  RT1[ ( Y2 >>  8 ) & 0xFF ] ^   \
705                  RT2[ ( Y1 >> 16 ) & 0xFF ] ^   \
706                  RT3[ ( Y0 >> 24 ) & 0xFF ];    \
707 }
708 
709 /*
710  * AES-ECB block encryption
711  */
712 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
mbedtls_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])713 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
714                           const unsigned char input[16],
715                           unsigned char output[16] )
716 {
717     int i;
718     uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
719 
720     RK = ctx->rk;
721 
722     GET_UINT32_LE( X0, input,  0 ); X0 ^= *RK++;
723     GET_UINT32_LE( X1, input,  4 ); X1 ^= *RK++;
724     GET_UINT32_LE( X2, input,  8 ); X2 ^= *RK++;
725     GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
726 
727     for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
728     {
729         AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
730         AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
731     }
732 
733     AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
734 
735     X0 = *RK++ ^ \
736             ( (uint32_t) FSb[ ( Y0       ) & 0xFF ]       ) ^
737             ( (uint32_t) FSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
738             ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
739             ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
740 
741     X1 = *RK++ ^ \
742             ( (uint32_t) FSb[ ( Y1       ) & 0xFF ]       ) ^
743             ( (uint32_t) FSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
744             ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
745             ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
746 
747     X2 = *RK++ ^ \
748             ( (uint32_t) FSb[ ( Y2       ) & 0xFF ]       ) ^
749             ( (uint32_t) FSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
750             ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
751             ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
752 
753     X3 = *RK++ ^ \
754             ( (uint32_t) FSb[ ( Y3       ) & 0xFF ]       ) ^
755             ( (uint32_t) FSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
756             ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
757             ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
758 
759     PUT_UINT32_LE( X0, output,  0 );
760     PUT_UINT32_LE( X1, output,  4 );
761     PUT_UINT32_LE( X2, output,  8 );
762     PUT_UINT32_LE( X3, output, 12 );
763 }
764 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
765 
766 /*
767  * AES-ECB block decryption
768  */
769 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
mbedtls_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])770 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
771                           const unsigned char input[16],
772                           unsigned char output[16] )
773 {
774     int i;
775     uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
776 
777     RK = ctx->rk;
778 
779     GET_UINT32_LE( X0, input,  0 ); X0 ^= *RK++;
780     GET_UINT32_LE( X1, input,  4 ); X1 ^= *RK++;
781     GET_UINT32_LE( X2, input,  8 ); X2 ^= *RK++;
782     GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
783 
784     for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
785     {
786         AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
787         AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
788     }
789 
790     AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
791 
792     X0 = *RK++ ^ \
793             ( (uint32_t) RSb[ ( Y0       ) & 0xFF ]       ) ^
794             ( (uint32_t) RSb[ ( Y3 >>  8 ) & 0xFF ] <<  8 ) ^
795             ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
796             ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
797 
798     X1 = *RK++ ^ \
799             ( (uint32_t) RSb[ ( Y1       ) & 0xFF ]       ) ^
800             ( (uint32_t) RSb[ ( Y0 >>  8 ) & 0xFF ] <<  8 ) ^
801             ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
802             ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
803 
804     X2 = *RK++ ^ \
805             ( (uint32_t) RSb[ ( Y2       ) & 0xFF ]       ) ^
806             ( (uint32_t) RSb[ ( Y1 >>  8 ) & 0xFF ] <<  8 ) ^
807             ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
808             ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
809 
810     X3 = *RK++ ^ \
811             ( (uint32_t) RSb[ ( Y3       ) & 0xFF ]       ) ^
812             ( (uint32_t) RSb[ ( Y2 >>  8 ) & 0xFF ] <<  8 ) ^
813             ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
814             ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
815 
816     PUT_UINT32_LE( X0, output,  0 );
817     PUT_UINT32_LE( X1, output,  4 );
818     PUT_UINT32_LE( X2, output,  8 );
819     PUT_UINT32_LE( X3, output, 12 );
820 }
821 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
822 
823 /*
824  * AES-ECB block encryption/decryption
825  */
mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])826 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
827                     int mode,
828                     const unsigned char input[16],
829                     unsigned char output[16] )
830 {
831 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
832     if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
833         return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
834 #endif
835 
836 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
837     if( aes_padlock_ace )
838     {
839         if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
840             return( 0 );
841 
842         // If padlock data misaligned, we just fall back to
843         // unaccelerated mode
844         //
845     }
846 #endif
847 
848     if( mode == MBEDTLS_AES_ENCRYPT )
849         mbedtls_aes_encrypt( ctx, input, output );
850     else
851         mbedtls_aes_decrypt( ctx, input, output );
852 
853     return( 0 );
854 }
855 
856 #if defined(MBEDTLS_CIPHER_MODE_CBC)
857 /*
858  * AES-CBC buffer encryption/decryption
859  */
mbedtls_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)860 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
861                     int mode,
862                     size_t length,
863                     unsigned char iv[16],
864                     const unsigned char *input,
865                     unsigned char *output )
866 {
867     int i;
868     unsigned char temp[16];
869 
870     if( length % 16 )
871         return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
872 
873 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
874     if( aes_padlock_ace )
875     {
876         if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
877             return( 0 );
878 
879         // If padlock data misaligned, we just fall back to
880         // unaccelerated mode
881         //
882     }
883 #endif
884 
885     if( mode == MBEDTLS_AES_DECRYPT )
886     {
887         while( length > 0 )
888         {
889             memcpy( temp, input, 16 );
890             mbedtls_aes_crypt_ecb( ctx, mode, input, output );
891 
892             for( i = 0; i < 16; i++ )
893                 output[i] = (unsigned char)( output[i] ^ iv[i] );
894 
895             memcpy( iv, temp, 16 );
896 
897             input  += 16;
898             output += 16;
899             length -= 16;
900         }
901     }
902     else
903     {
904         while( length > 0 )
905         {
906             for( i = 0; i < 16; i++ )
907                 output[i] = (unsigned char)( input[i] ^ iv[i] );
908 
909             mbedtls_aes_crypt_ecb( ctx, mode, output, output );
910             memcpy( iv, output, 16 );
911 
912             input  += 16;
913             output += 16;
914             length -= 16;
915         }
916     }
917 
918     return( 0 );
919 }
920 #endif /* MBEDTLS_CIPHER_MODE_CBC */
921 
922 #if defined(MBEDTLS_CIPHER_MODE_CFB)
923 /*
924  * AES-CFB128 buffer encryption/decryption
925  */
mbedtls_aes_crypt_cfb128(mbedtls_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)926 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
927                        int mode,
928                        size_t length,
929                        size_t *iv_off,
930                        unsigned char iv[16],
931                        const unsigned char *input,
932                        unsigned char *output )
933 {
934     int c;
935     size_t n = *iv_off;
936 
937     if( mode == MBEDTLS_AES_DECRYPT )
938     {
939         while( length-- )
940         {
941             if( n == 0 )
942                 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
943 
944             c = *input++;
945             *output++ = (unsigned char)( c ^ iv[n] );
946             iv[n] = (unsigned char) c;
947 
948             n = ( n + 1 ) & 0x0F;
949         }
950     }
951     else
952     {
953         while( length-- )
954         {
955             if( n == 0 )
956                 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
957 
958             iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
959 
960             n = ( n + 1 ) & 0x0F;
961         }
962     }
963 
964     *iv_off = n;
965 
966     return( 0 );
967 }
968 
969 /*
970  * AES-CFB8 buffer encryption/decryption
971  */
mbedtls_aes_crypt_cfb8(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)972 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
973                        int mode,
974                        size_t length,
975                        unsigned char iv[16],
976                        const unsigned char *input,
977                        unsigned char *output )
978 {
979     unsigned char c;
980     unsigned char ov[17];
981 
982     while( length-- )
983     {
984         memcpy( ov, iv, 16 );
985         mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
986 
987         if( mode == MBEDTLS_AES_DECRYPT )
988             ov[16] = *input;
989 
990         c = *output++ = (unsigned char)( iv[0] ^ *input++ );
991 
992         if( mode == MBEDTLS_AES_ENCRYPT )
993             ov[16] = c;
994 
995         memcpy( iv, ov + 1, 16 );
996     }
997 
998     return( 0 );
999 }
1000 #endif /*MBEDTLS_CIPHER_MODE_CFB */
1001 
1002 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1003 /*
1004  * AES-CTR buffer encryption/decryption
1005  */
mbedtls_aes_crypt_ctr(mbedtls_aes_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)1006 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1007                        size_t length,
1008                        size_t *nc_off,
1009                        unsigned char nonce_counter[16],
1010                        unsigned char stream_block[16],
1011                        const unsigned char *input,
1012                        unsigned char *output )
1013 {
1014     int c, i;
1015     size_t n = *nc_off;
1016 
1017     while( length-- )
1018     {
1019         if( n == 0 ) {
1020             mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1021 
1022             for( i = 16; i > 0; i-- )
1023                 if( ++nonce_counter[i - 1] != 0 )
1024                     break;
1025         }
1026         c = *input++;
1027         *output++ = (unsigned char)( c ^ stream_block[n] );
1028 
1029         n = ( n + 1 ) & 0x0F;
1030     }
1031 
1032     *nc_off = n;
1033 
1034     return( 0 );
1035 }
1036 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1037 
1038 #endif /* !MBEDTLS_AES_ALT */
1039 
1040 #if defined(MBEDTLS_SELF_TEST)
1041 /*
1042  * AES test vectors from:
1043  *
1044  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1045  */
1046 static const unsigned char aes_test_ecb_dec[3][16] =
1047 {
1048     { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1049       0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1050     { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1051       0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1052     { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1053       0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1054 };
1055 
1056 static const unsigned char aes_test_ecb_enc[3][16] =
1057 {
1058     { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1059       0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1060     { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1061       0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1062     { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1063       0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1064 };
1065 
1066 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1067 static const unsigned char aes_test_cbc_dec[3][16] =
1068 {
1069     { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1070       0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1071     { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1072       0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1073     { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1074       0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1075 };
1076 
1077 static const unsigned char aes_test_cbc_enc[3][16] =
1078 {
1079     { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1080       0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1081     { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1082       0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1083     { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1084       0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1085 };
1086 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1087 
1088 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1089 /*
1090  * AES-CFB128 test vectors from:
1091  *
1092  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1093  */
1094 static const unsigned char aes_test_cfb128_key[3][32] =
1095 {
1096     { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1097       0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1098     { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1099       0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1100       0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1101     { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1102       0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1103       0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1104       0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1105 };
1106 
1107 static const unsigned char aes_test_cfb128_iv[16] =
1108 {
1109     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1110     0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1111 };
1112 
1113 static const unsigned char aes_test_cfb128_pt[64] =
1114 {
1115     0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1116     0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1117     0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1118     0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1119     0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1120     0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1121     0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1122     0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1123 };
1124 
1125 static const unsigned char aes_test_cfb128_ct[3][64] =
1126 {
1127     { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1128       0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1129       0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1130       0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1131       0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1132       0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1133       0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1134       0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1135     { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1136       0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1137       0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1138       0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1139       0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1140       0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1141       0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1142       0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1143     { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1144       0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1145       0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1146       0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1147       0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1148       0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1149       0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1150       0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1151 };
1152 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1153 
1154 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1155 /*
1156  * AES-CTR test vectors from:
1157  *
1158  * http://www.faqs.org/rfcs/rfc3686.html
1159  */
1160 
1161 static const unsigned char aes_test_ctr_key[3][16] =
1162 {
1163     { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1164       0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1165     { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1166       0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1167     { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1168       0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1169 };
1170 
1171 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1172 {
1173     { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1174       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1175     { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1176       0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1177     { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1178       0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1179 };
1180 
1181 static const unsigned char aes_test_ctr_pt[3][48] =
1182 {
1183     { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1184       0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1185 
1186     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1187       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1188       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1189       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1190 
1191     { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1192       0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1193       0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1194       0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1195       0x20, 0x21, 0x22, 0x23 }
1196 };
1197 
1198 static const unsigned char aes_test_ctr_ct[3][48] =
1199 {
1200     { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1201       0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1202     { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1203       0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1204       0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1205       0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1206     { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1207       0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1208       0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1209       0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1210       0x25, 0xB2, 0x07, 0x2F }
1211 };
1212 
1213 static const int aes_test_ctr_len[3] =
1214     { 16, 32, 36 };
1215 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1216 
1217 /*
1218  * Checkup routine
1219  */
mbedtls_aes_self_test(int verbose)1220 int mbedtls_aes_self_test( int verbose )
1221 {
1222     int ret = 0, i, j, u, v;
1223     unsigned char key[32];
1224     unsigned char buf[64];
1225 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
1226     unsigned char iv[16];
1227 #endif
1228 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1229     unsigned char prv[16];
1230 #endif
1231 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
1232     size_t offset;
1233 #endif
1234 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1235     int len;
1236     unsigned char nonce_counter[16];
1237     unsigned char stream_block[16];
1238 #endif
1239     mbedtls_aes_context ctx;
1240 
1241     memset( key, 0, 32 );
1242     mbedtls_aes_init( &ctx );
1243 
1244     /*
1245      * ECB mode
1246      */
1247     for( i = 0; i < 6; i++ )
1248     {
1249         u = i >> 1;
1250         v = i  & 1;
1251 
1252         if( verbose != 0 )
1253             mbedtls_printf( "  AES-ECB-%3d (%s): ", 128 + u * 64,
1254                              ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1255 
1256         memset( buf, 0, 16 );
1257 
1258         if( v == MBEDTLS_AES_DECRYPT )
1259         {
1260             mbedtls_aes_setkey_dec( &ctx, key, 128 + u * 64 );
1261 
1262             for( j = 0; j < 10000; j++ )
1263                 mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
1264 
1265             if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 )
1266             {
1267                 if( verbose != 0 )
1268                     mbedtls_printf( "failed\n" );
1269 
1270                 ret = 1;
1271                 goto exit;
1272             }
1273         }
1274         else
1275         {
1276             mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 );
1277 
1278             for( j = 0; j < 10000; j++ )
1279                 mbedtls_aes_crypt_ecb( &ctx, v, buf, buf );
1280 
1281             if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 )
1282             {
1283                 if( verbose != 0 )
1284                     mbedtls_printf( "failed\n" );
1285 
1286                 ret = 1;
1287                 goto exit;
1288             }
1289         }
1290 
1291         if( verbose != 0 )
1292             mbedtls_printf( "passed\n" );
1293     }
1294 
1295     if( verbose != 0 )
1296         mbedtls_printf( "\n" );
1297 
1298 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1299     /*
1300      * CBC mode
1301      */
1302     for( i = 0; i < 6; i++ )
1303     {
1304         u = i >> 1;
1305         v = i  & 1;
1306 
1307         if( verbose != 0 )
1308             mbedtls_printf( "  AES-CBC-%3d (%s): ", 128 + u * 64,
1309                              ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1310 
1311         memset( iv , 0, 16 );
1312         memset( prv, 0, 16 );
1313         memset( buf, 0, 16 );
1314 
1315         if( v == MBEDTLS_AES_DECRYPT )
1316         {
1317             mbedtls_aes_setkey_dec( &ctx, key, 128 + u * 64 );
1318 
1319             for( j = 0; j < 10000; j++ )
1320                 mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1321 
1322             if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 )
1323             {
1324                 if( verbose != 0 )
1325                     mbedtls_printf( "failed\n" );
1326 
1327                 ret = 1;
1328                 goto exit;
1329             }
1330         }
1331         else
1332         {
1333             mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 );
1334 
1335             for( j = 0; j < 10000; j++ )
1336             {
1337                 unsigned char tmp[16];
1338 
1339                 mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf );
1340 
1341                 memcpy( tmp, prv, 16 );
1342                 memcpy( prv, buf, 16 );
1343                 memcpy( buf, tmp, 16 );
1344             }
1345 
1346             if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 )
1347             {
1348                 if( verbose != 0 )
1349                     mbedtls_printf( "failed\n" );
1350 
1351                 ret = 1;
1352                 goto exit;
1353             }
1354         }
1355 
1356         if( verbose != 0 )
1357             mbedtls_printf( "passed\n" );
1358     }
1359 
1360     if( verbose != 0 )
1361         mbedtls_printf( "\n" );
1362 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1363 
1364 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1365     /*
1366      * CFB128 mode
1367      */
1368     for( i = 0; i < 6; i++ )
1369     {
1370         u = i >> 1;
1371         v = i  & 1;
1372 
1373         if( verbose != 0 )
1374             mbedtls_printf( "  AES-CFB128-%3d (%s): ", 128 + u * 64,
1375                              ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1376 
1377         memcpy( iv,  aes_test_cfb128_iv, 16 );
1378         memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 );
1379 
1380         offset = 0;
1381         mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 );
1382 
1383         if( v == MBEDTLS_AES_DECRYPT )
1384         {
1385             memcpy( buf, aes_test_cfb128_ct[u], 64 );
1386             mbedtls_aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1387 
1388             if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 )
1389             {
1390                 if( verbose != 0 )
1391                     mbedtls_printf( "failed\n" );
1392 
1393                 ret = 1;
1394                 goto exit;
1395             }
1396         }
1397         else
1398         {
1399             memcpy( buf, aes_test_cfb128_pt, 64 );
1400             mbedtls_aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf );
1401 
1402             if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 )
1403             {
1404                 if( verbose != 0 )
1405                     mbedtls_printf( "failed\n" );
1406 
1407                 ret = 1;
1408                 goto exit;
1409             }
1410         }
1411 
1412         if( verbose != 0 )
1413             mbedtls_printf( "passed\n" );
1414     }
1415 
1416     if( verbose != 0 )
1417         mbedtls_printf( "\n" );
1418 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1419 
1420 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1421     /*
1422      * CTR mode
1423      */
1424     for( i = 0; i < 6; i++ )
1425     {
1426         u = i >> 1;
1427         v = i  & 1;
1428 
1429         if( verbose != 0 )
1430             mbedtls_printf( "  AES-CTR-128 (%s): ",
1431                              ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1432 
1433         memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1434         memcpy( key, aes_test_ctr_key[u], 16 );
1435 
1436         offset = 0;
1437         mbedtls_aes_setkey_enc( &ctx, key, 128 );
1438 
1439         if( v == MBEDTLS_AES_DECRYPT )
1440         {
1441             len = aes_test_ctr_len[u];
1442             memcpy( buf, aes_test_ctr_ct[u], len );
1443 
1444             mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1445                            buf, buf );
1446 
1447             if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 )
1448             {
1449                 if( verbose != 0 )
1450                     mbedtls_printf( "failed\n" );
1451 
1452                 ret = 1;
1453                 goto exit;
1454             }
1455         }
1456         else
1457         {
1458             len = aes_test_ctr_len[u];
1459             memcpy( buf, aes_test_ctr_pt[u], len );
1460 
1461             mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block,
1462                            buf, buf );
1463 
1464             if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 )
1465             {
1466                 if( verbose != 0 )
1467                     mbedtls_printf( "failed\n" );
1468 
1469                 ret = 1;
1470                 goto exit;
1471             }
1472         }
1473 
1474         if( verbose != 0 )
1475             mbedtls_printf( "passed\n" );
1476     }
1477 
1478     if( verbose != 0 )
1479         mbedtls_printf( "\n" );
1480 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1481 
1482     ret = 0;
1483 
1484 exit:
1485     mbedtls_aes_free( &ctx );
1486 
1487     return( ret );
1488 }
1489 
1490 #endif /* MBEDTLS_SELF_TEST */
1491 
1492 #endif /* MBEDTLS_AES_C */
1493