/* $NetBSD: aes_selftest.c,v 1.7 2021/12/05 04:48:35 msaitoh Exp $ */

/* $NetBSD: aes_selftest.c,v 1.7 2021/12/05 04:48:35 msaitoh Exp $ */

/*-
* Copyright (c) 2020 The NetBSD Foundation, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(1, "$NetBSD: aes_selftest.c,v 1.7 2021/12/05 04:48:35 msaitoh Exp $");

#ifdef _KERNEL

#include <sys/types.h>
#include <sys/systm.h>

#include <lib/libkern/libkern.h>

#else /* !_KERNEL */

#include <stdint.h>
#include <stdio.h>
#include <string.h>

static void
hexdump(int (*prf)(const char *, ...) __printflike(1,2), const char *prefix,
const void *buf, size_t len)
{
const uint8_t *p = buf;
size_t i;

(*prf)("%s (%zu bytes)\n", prefix, len);
for (i = 0; i < len; i++) {
if (i % 16 == 8)
(*prf)(" ");
else
(*prf)(" ");
(*prf)("%02hhx", p[i]);
if ((i + 1) % 16 == 0)
(*prf)("\n");
}
if (i % 16)
(*prf)("\n");
}

#endif /* _KERNEL */

#include <crypto/aes/aes.h>
#include <crypto/aes/aes_impl.h>

static const unsigned aes_keybytes[] __unused = { 16, 24, 32 };
static const unsigned aes_keybits[] __unused = { 128, 192, 256 };
static const unsigned aes_nrounds[] = { 10, 12, 14 };

#define aes_selftest_fail(impl, actual, expected, nbytes, fmt, args...) \
({ \
printf("%s "fmt": self-test failed\n", (impl)->ai_name, ##args); \
hexdump(printf, "was", (actual), (nbytes)); \
hexdump(printf, "expected", (expected), (nbytes)); \
-1; \
})

static int
aes_selftest_encdec(const struct aes_impl *impl)
{
/*
* head -c 16 < /dev/zero | openssl enc -aes-{128,192,256}-ecb
* -nopad -K 000102030405060708090a0b0c0d... | hexdump -C
*/
static const uint8_t expected[3][16] = {
[0] = {
0xc6,0xa1,0x3b,0x37,0x87,0x8f,0x5b,0x82,
0x6f,0x4f,0x81,0x62,0xa1,0xc8,0xd8,0x79,
},
[1] = {
0x91,0x62,0x51,0x82,0x1c,0x73,0xa5,0x22,
0xc3,0x96,0xd6,0x27,0x38,0x01,0x96,0x07,
},
[2] = {
0xf2,0x90,0x00,0xb6,0x2a,0x49,0x9f,0xd0,
0xa9,0xf3,0x9a,0x6a,0xdd,0x2e,0x77,0x80,
},
};
struct aesenc enc;
struct aesdec dec;
uint8_t key[32];
uint8_t in[16];
uint8_t outbuf[18] = { [0] = 0x1a, [17] = 0x1a }, *out = outbuf + 1;
unsigned i;

for (i = 0; i < 32; i++)
key[i] = i;
for (i = 0; i < 16; i++)
in[i] = 0;

for (i = 0; i < 3; i++) {
impl->ai_setenckey(&enc, key, aes_nrounds[i]);
impl->ai_setdeckey(&dec, key, aes_nrounds[i]);
impl->ai_enc(&enc, in, out, aes_nrounds[i]);
if (memcmp(out, expected[i], 16))
return aes_selftest_fail(impl, out, expected[i], 16,
"AES-%u enc", aes_keybits[i]);
impl->ai_dec(&dec, out, out, aes_nrounds[i]);
if (memcmp(out, in, 16))
return aes_selftest_fail(impl, out, in, 16,
"AES-%u dec", aes_keybits[i]);
}

if (outbuf[0] != 0x1a)
return aes_selftest_fail(impl, outbuf,
(const uint8_t[1]){0x1a}, 1,
"AES overrun preceding");
if (outbuf[17] != 0x1a)
return aes_selftest_fail(impl, outbuf + 17,
(const uint8_t[1]){0x1a}, 1,
"AES overrun following");

/* Success! */
return 0;
}

static int
aes_selftest_encdec_cbc(const struct aes_impl *impl)
{
static const uint8_t expected[3][144] = {
[0] = {
0xfe,0xf1,0xa8,0xb6,0x25,0xf0,0xc4,0x3a,
0x71,0x08,0xb6,0x23,0xa6,0xfb,0x90,0xca,
0x9e,0x64,0x6d,0x95,0xb5,0xf5,0x41,0x24,
0xd2,0xe6,0x60,0xda,0x6c,0x69,0xc4,0xa0,
0x4d,0xaa,0x94,0xf6,0x66,0x1e,0xaa,0x85,
0x68,0xc5,0x6b,0x2e,0x77,0x7a,0x68,0xff,
0x45,0x15,0x45,0xc5,0x9c,0xbb,0x3a,0x23,
0x08,0x3a,0x06,0xdd,0xc0,0x52,0xd2,0xb7,
0x47,0xaa,0x1c,0xc7,0xb5,0xa9,0x7d,0x04,
0x60,0x67,0x78,0xf6,0xb9,0xba,0x26,0x84,
0x45,0x72,0x44,0xed,0xa3,0xd3,0xa0,0x3f,
0x19,0xee,0x3f,0x94,0x59,0x52,0x4b,0x13,
0xfd,0x81,0xcc,0xf9,0xf2,0x29,0xd7,0xec,
0xde,0x03,0x56,0x01,0x4a,0x19,0x86,0xc0,
0x87,0xce,0xe1,0xcc,0x13,0xf1,0x2e,0xda,
0x3f,0xfe,0xa4,0x64,0xe7,0x48,0xb4,0x7b,
0x73,0x62,0x5a,0x80,0x5e,0x01,0x20,0xa5,
0x0a,0xd7,0x98,0xa7,0xd9,0x8b,0xff,0xc2,
},
[1] = {
0xa6,0x87,0xf0,0x92,0x68,0xc8,0xd6,0x42,
0xa8,0x83,0x1c,0x92,0x65,0x8c,0xd9,0xfe,
0x0b,0x1a,0xc6,0x96,0x27,0x44,0xd4,0x14,
0xfc,0xe7,0x85,0xb2,0x71,0xc7,0x11,0x39,
0xed,0x36,0xd3,0x5c,0xa7,0xf7,0x3d,0xc9,
0xa2,0x54,0x8b,0xb4,0xfa,0xe8,0x21,0xf9,
0xfd,0x6a,0x42,0x85,0xde,0x66,0xd4,0xc0,
0xa7,0xd3,0x5b,0xe1,0xe6,0xac,0xea,0xf9,
0xa3,0x15,0x68,0xf4,0x66,0x4c,0x23,0x75,
0x58,0xba,0x7f,0xca,0xbf,0x40,0x56,0x79,
0x2f,0xbf,0xdf,0x5f,0x56,0xcb,0xa0,0xe4,
0x22,0x65,0x6a,0x8f,0x4f,0xff,0x11,0x6b,
0x57,0xeb,0x45,0xeb,0x9d,0x7f,0xfe,0x9c,
0x8b,0x30,0xa8,0xb0,0x7e,0x27,0xf8,0xbc,
0x1f,0xf8,0x15,0x34,0x36,0x4f,0x46,0x73,
0x81,0x90,0x4b,0x4b,0x46,0x4d,0x01,0x45,
0xa1,0xc3,0x0b,0xa8,0x5a,0xab,0xc1,0x88,
0x66,0xc8,0x1a,0x94,0x17,0x64,0x6f,0xf4,
},
[2] = {
0x22,0x4c,0x27,0xf4,0xba,0x37,0x8b,0x27,
0xd3,0xd6,0x88,0x8a,0xdc,0xed,0x64,0x42,
0x19,0x60,0x31,0x09,0xf3,0x72,0xd2,0xc2,
0xd3,0xe3,0xff,0xce,0xc5,0x03,0x9f,0xce,
0x99,0x49,0x8a,0xf2,0xe1,0xba,0xe2,0xa8,
0xd7,0x32,0x07,0x2d,0xb0,0xb3,0xbc,0x67,
0x32,0x9a,0x3e,0x7d,0x16,0x23,0xe7,0x24,
0x84,0xe1,0x15,0x03,0x9c,0xa2,0x7a,0x95,
0x34,0xa8,0x04,0x4e,0x79,0x31,0x50,0x26,
0x76,0xd1,0x10,0xce,0xec,0x13,0xf7,0xfb,
0x94,0x6b,0x76,0x50,0x5f,0xb2,0x3e,0x7c,
0xbe,0x97,0xe7,0x13,0x06,0x9e,0x2d,0xc4,
0x46,0x65,0xa7,0x69,0x37,0x07,0x25,0x37,
0xe5,0x48,0x51,0xa8,0x58,0xe8,0x4d,0x7c,
0xb5,0xbe,0x25,0x13,0xbc,0x11,0xc2,0xde,
0xdb,0x00,0xef,0x1c,0x1d,0xeb,0xe3,0x49,
0x1c,0xc0,0x78,0x29,0x76,0xc0,0xde,0x3a,
0x0e,0x96,0x8f,0xea,0xd7,0x42,0x4e,0xb4,
},
};
struct aesenc enc;
struct aesdec dec;
uint8_t key[32];
uint8_t in[144];
uint8_t outbuf[146] = { [0] = 0x1a, [145] = 0x1a }, *out = outbuf + 1;
uint8_t iv0[16], iv[16];
unsigned i, j;

for (i = 0; i < 32; i++)
key[i] = i;
for (i = 0; i < 16; i++)
iv0[i] = 0x20 ^ i;
for (i = 0; i < 144; i++)
in[i] = 0x80 ^ i;

for (i = 0; i < 3; i++) {
impl->ai_setenckey(&enc, key, aes_nrounds[i]);
impl->ai_setdeckey(&dec, key, aes_nrounds[i]);

/* Try one swell foop. */
memcpy(iv, iv0, 16);
impl->ai_cbc_enc(&enc, in, out, 144, iv, aes_nrounds[i]);
if (memcmp(out, expected[i], 144))
return aes_selftest_fail(impl, out, expected[i], 144,
"AES-%u-CBC enc", aes_keybits[i]);

memcpy(iv, iv0, 16);
impl->ai_cbc_dec(&dec, out, out, 144, iv, aes_nrounds[i]);
if (memcmp(out, in, 144))
return aes_selftest_fail(impl, out, in, 144,
"AES-%u-CBC dec", aes_keybits[i]);

/* Try incrementally, with IV update. */
for (j = 0; j < 144; j += 16) {
memcpy(iv, iv0, 16);
impl->ai_cbc_enc(&enc, in, out, j, iv, aes_nrounds[i]);
impl->ai_cbc_enc(&enc, in + j, out + j, 144 - j, iv,
aes_nrounds[i]);
if (memcmp(out, expected[i], 144))
return aes_selftest_fail(impl, out,
expected[i], 144, "AES-%u-CBC enc inc %u",
aes_keybits[i], j);

memcpy(iv, iv0, 16);
impl->ai_cbc_dec(&dec, out, out, j, iv,
aes_nrounds[i]);
impl->ai_cbc_dec(&dec, out + j, out + j, 144 - j, iv,
aes_nrounds[i]);
if (memcmp(out, in, 144))
return aes_selftest_fail(impl, out,
in, 144, "AES-%u-CBC dec inc %u",
aes_keybits[i], j);
}
}

if (outbuf[0] != 0x1a)
return aes_selftest_fail(impl, outbuf,
(const uint8_t[1]){0x1a}, 1,
"AES-CBC overrun preceding");
if (outbuf[145] != 0x1a)
return aes_selftest_fail(impl, outbuf + 145,
(const uint8_t[1]){0x1a}, 1,
"AES-CBC overrun following");

/* Success! */
return 0;
}

static int
aes_selftest_encdec_xts(const struct aes_impl *impl)
{
uint64_t blkno[3] = { 0, 1, 0xff };
static const uint8_t expected[3][144] = {
[0] = {
/* IEEE P1619-D16, XTS-AES-128, Vector 4, truncated */
0x27,0xa7,0x47,0x9b,0xef,0xa1,0xd4,0x76,
0x48,0x9f,0x30,0x8c,0xd4,0xcf,0xa6,0xe2,
0xa9,0x6e,0x4b,0xbe,0x32,0x08,0xff,0x25,
0x28,0x7d,0xd3,0x81,0x96,0x16,0xe8,0x9c,
0xc7,0x8c,0xf7,0xf5,0xe5,0x43,0x44,0x5f,
0x83,0x33,0xd8,0xfa,0x7f,0x56,0x00,0x00,
0x05,0x27,0x9f,0xa5,0xd8,0xb5,0xe4,0xad,
0x40,0xe7,0x36,0xdd,0xb4,0xd3,0x54,0x12,
0x32,0x80,0x63,0xfd,0x2a,0xab,0x53,0xe5,
0xea,0x1e,0x0a,0x9f,0x33,0x25,0x00,0xa5,
0xdf,0x94,0x87,0xd0,0x7a,0x5c,0x92,0xcc,
0x51,0x2c,0x88,0x66,0xc7,0xe8,0x60,0xce,
0x93,0xfd,0xf1,0x66,0xa2,0x49,0x12,0xb4,
0x22,0x97,0x61,0x46,0xae,0x20,0xce,0x84,
0x6b,0xb7,0xdc,0x9b,0xa9,0x4a,0x76,0x7a,
0xae,0xf2,0x0c,0x0d,0x61,0xad,0x02,0x65,
0x5e,0xa9,0x2d,0xc4,0xc4,0xe4,0x1a,0x89,
0x52,0xc6,0x51,0xd3,0x31,0x74,0xbe,0x51,
},
[1] = {
},
[2] = {
/* IEEE P1619-D16, XTS-AES-256, Vector 10, truncated */
0x1c,0x3b,0x3a,0x10,0x2f,0x77,0x03,0x86,
0xe4,0x83,0x6c,0x99,0xe3,0x70,0xcf,0x9b,
0xea,0x00,0x80,0x3f,0x5e,0x48,0x23,0x57,
0xa4,0xae,0x12,0xd4,0x14,0xa3,0xe6,0x3b,
0x5d,0x31,0xe2,0x76,0xf8,0xfe,0x4a,0x8d,
0x66,0xb3,0x17,0xf9,0xac,0x68,0x3f,0x44,
0x68,0x0a,0x86,0xac,0x35,0xad,0xfc,0x33,
0x45,0xbe,0xfe,0xcb,0x4b,0xb1,0x88,0xfd,
0x57,0x76,0x92,0x6c,0x49,0xa3,0x09,0x5e,
0xb1,0x08,0xfd,0x10,0x98,0xba,0xec,0x70,
0xaa,0xa6,0x69,0x99,0xa7,0x2a,0x82,0xf2,
0x7d,0x84,0x8b,0x21,0xd4,0xa7,0x41,0xb0,
0xc5,0xcd,0x4d,0x5f,0xff,0x9d,0xac,0x89,
0xae,0xba,0x12,0x29,0x61,0xd0,0x3a,0x75,
0x71,0x23,0xe9,0x87,0x0f,0x8a,0xcf,0x10,
0x00,0x02,0x08,0x87,0x89,0x14,0x29,0xca,
0x2a,0x3e,0x7a,0x7d,0x7d,0xf7,0xb1,0x03,
0x55,0x16,0x5c,0x8b,0x9a,0x6d,0x0a,0x7d,
},
};
static const uint8_t key1[32] = {
0x27,0x18,0x28,0x18,0x28,0x45,0x90,0x45,
0x23,0x53,0x60,0x28,0x74,0x71,0x35,0x26,
0x62,0x49,0x77,0x57,0x24,0x70,0x93,0x69,
0x99,0x59,0x57,0x49,0x66,0x96,0x76,0x27,
};
static const uint8_t key2[32] = {
0x31,0x41,0x59,0x26,0x53,0x58,0x97,0x93,
0x23,0x84,0x62,0x64,0x33,0x83,0x27,0x95,
0x02,0x88,0x41,0x97,0x16,0x93,0x99,0x37,
0x51,0x05,0x82,0x09,0x74,0x94,0x45,0x92,
};
struct aesenc enc;
struct aesdec dec;
uint8_t in[144];
uint8_t outbuf[146] = { [0] = 0x1a, [145] = 0x1a }, *out = outbuf + 1;
uint8_t blkno_buf[16];
uint8_t iv0[16], iv[16];
unsigned i;

for (i = 0; i < 144; i++)
in[i] = i;

for (i = 0; i < 3; i++) {
if (i == 1) /* XXX missing AES-192 test vector */
continue;

/* Format the data unit sequence number. */
memset(blkno_buf, 0, sizeof blkno_buf);
le64enc(blkno_buf, blkno[i]);

/* Generate the tweak. */
impl->ai_setenckey(&enc, key2, aes_nrounds[i]);
impl->ai_enc(&enc, blkno_buf, iv0, aes_nrounds[i]);

/* Load the data encryption key. */
impl->ai_setenckey(&enc, key1, aes_nrounds[i]);
impl->ai_setdeckey(&dec, key1, aes_nrounds[i]);

/* Try one swell foop. */
memcpy(iv, iv0, 16);
impl->ai_xts_enc(&enc, in, out, 144, iv, aes_nrounds[i]);
if (memcmp(out, expected[i], 144))
return aes_selftest_fail(impl, out, expected[i], 144,
"AES-%u-XTS enc", aes_keybits[i]);

memcpy(iv, iv0, 16);
impl->ai_xts_dec(&dec, out, out, 144, iv, aes_nrounds[i]);
if (memcmp(out, in, 144))
return aes_selftest_fail(impl, out, in, 144,
"AES-%u-XTS dec", aes_keybits[i]);

/* Try incrementally, with IV update. */
memcpy(iv, iv0, 16);
impl->ai_xts_enc(&enc, in, out, 16, iv, aes_nrounds[i]);
impl->ai_xts_enc(&enc, in + 16, out + 16, 128, iv,
aes_nrounds[i]);
if (memcmp(out, expected[i], 144))
return aes_selftest_fail(impl, out, expected[i], 144,
"AES-%u-XTS enc incremental", aes_keybits[i]);

memcpy(iv, iv0, 16);
impl->ai_xts_dec(&dec, out, out, 128, iv, aes_nrounds[i]);
impl->ai_xts_dec(&dec, out + 128, out + 128, 16, iv,
aes_nrounds[i]);
if (memcmp(out, in, 144))
return aes_selftest_fail(impl, out, in, 144,
"AES-%u-XTS dec incremental", aes_keybits[i]);
}

if (outbuf[0] != 0x1a)
return aes_selftest_fail(impl, outbuf,
(const uint8_t[1]){0x1a}, 1,
"AES-XTS overrun preceding");
if (outbuf[145] != 0x1a)
return aes_selftest_fail(impl, outbuf + 145,
(const uint8_t[1]){0x1a}, 1,
"AES-XTS overrun following");

/* Success! */
return 0;
}

static int
aes_selftest_cbcmac(const struct aes_impl *impl)
{
static const uint8_t m[48] = {
0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07,
0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17,
0x18,0x19,0x1a,0x1b, 0x1c,0x1d,0x1e,0x1f,
0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27,
0x28,0x29,0x2a,0x2b, 0x2c,0x2d,0x2e,0x2f,
};
static uint8_t auth16[16] = {
0x7a,0xca,0x0f,0xd9, 0xbc,0xd6,0xec,0x7c,
0x9f,0x97,0x46,0x66, 0x16,0xe6,0xa2,0x82,
};
static uint8_t auth48[16] = {
0x26,0x9a,0xe5,0xfc, 0x8c,0x53,0x0f,0xf7,
0x6b,0xd9,0xec,0x05, 0x40,0xf7,0x35,0x13,
};
static const uint8_t key[16];
struct aesenc enc;
uint8_t auth[16];
const unsigned nr = AES_128_NROUNDS;

memset(auth, 0, sizeof auth);

impl->ai_setenckey(&enc, key, nr);
impl->ai_cbcmac_update1(&enc, m, 16, auth, nr);
if (memcmp(auth, auth16, 16))
return aes_selftest_fail(impl, auth, auth16, 16,
"AES-128 CBC-MAC (16)");
impl->ai_cbcmac_update1(&enc, m + 16, 32, auth, nr);
if (memcmp(auth, auth48, 16))
return aes_selftest_fail(impl, auth, auth48, 16,
"AES-128 CBC-MAC (48)");

return 0;
}

static int
aes_selftest_ccm(const struct aes_impl *impl)
{
static const uint8_t ptxt[48] = {
0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07,
0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17,
0x18,0x19,0x1a,0x1b, 0x1c,0x1d,0x1e,0x1f,
0x20,0x21,0x22,0x23, 0x24,0x25,0x26,0x27,
0x28,0x29,0x2a,0x2b, 0x2c,0x2d,0x2e,0x2f,
};
static uint8_t ctr0[16] = {
/* L - 1, #octets in counter */
[0] = 0x01,
/* nonce */
[1] = 0,1,2,3,4,5,6,7,8,9,10,11,12,
[14] = 0,
[15] = 254,
};
static uint8_t authctr16[32] = {
/* authentication tag */
0x7a,0xca,0x0f,0xd9, 0xbc,0xd6,0xec,0x7c,
0x9f,0x97,0x46,0x66, 0x16,0xe6,0xa2,0x82,

/* L - 1, #octets in counter */
[16 + 0] = 0x01,
/* nonce */
[16 + 1] = 0,1,2,3,4,5,6,7,8,9,10,11,12,
[16 + 14] = 0,
[16 + 15] = 255,
};
static uint8_t authctr48[32] = {
/* authentication tag */
0x26,0x9a,0xe5,0xfc, 0x8c,0x53,0x0f,0xf7,
0x6b,0xd9,0xec,0x05, 0x40,0xf7,0x35,0x13,

/* L - 1, #octets in counter */
[16 + 0] = 0x01,
/* nonce */
[16 + 1] = 0,1,2,3,4,5,6,7,8,9,10,11,12,
[16 + 14] = 1,
[16 + 15] = 1,
};
static uint8_t ctxt[48] = {
0xa4,0x35,0x07,0x5c, 0xdf,0x2d,0x67,0xd3,
0xbf,0x1f,0x36,0x93, 0xe4,0x43,0xcb,0x1e,
0xa0,0x82,0x9c,0x2a, 0x0b,0x66,0x46,0x05,
0x80,0x17,0x71,0xa1, 0x7b,0x09,0xa7,0xd5,
0x91,0x0b,0xb3,0x96, 0xd1,0x5e,0x29,0x3e,
0x74,0x94,0x74,0x6d, 0x6b,0x25,0x43,0x8c,
};
static const uint8_t key[16];
struct aesenc enc;
uint8_t authctr[32];
uint8_t buf[48];
const unsigned nr = AES_128_NROUNDS;
int result = 0;

impl->ai_setenckey(&enc, key, nr);

memset(authctr, 0, 16);
memcpy(authctr + 16, ctr0, 16);

impl->ai_ccm_enc1(&enc, ptxt, buf, 16, authctr, nr);
if (memcmp(authctr, authctr16, 32))
result |= aes_selftest_fail(impl, authctr, authctr16, 32,
"AES-128 CCM encrypt auth/ctr (16)");
impl->ai_ccm_enc1(&enc, ptxt + 16, buf + 16, 32, authctr, nr);
if (memcmp(authctr, authctr48, 32))
result |= aes_selftest_fail(impl, authctr, authctr48, 32,
"AES-128 CCM encrypt auth/ctr (48)");

if (memcmp(buf, ctxt, 32))
result |= aes_selftest_fail(impl, buf, ctxt, 48,
"AES-128 CCM ciphertext");

memset(authctr, 0, 16);
memcpy(authctr + 16, ctr0, 16);

impl->ai_ccm_dec1(&enc, ctxt, buf, 16, authctr, nr);
if (memcmp(authctr, authctr16, 32))
result |= aes_selftest_fail(impl, authctr, authctr16, 32,
"AES-128 CCM decrypt auth/ctr (16)");
impl->ai_ccm_dec1(&enc, ctxt + 16, buf + 16, 32, authctr, nr);
if (memcmp(authctr, authctr48, 32))
result |= aes_selftest_fail(impl, authctr, authctr48, 32,
"AES-128 CCM decrypt auth/ctr (48)");

if (memcmp(buf, ptxt, 32))
result |= aes_selftest_fail(impl, buf, ptxt, 48,
"AES-128 CCM plaintext");

return result;
}

int
aes_selftest(const struct aes_impl *impl)
{
int result = 0;

if (impl->ai_probe())
return -1;

if (aes_selftest_encdec(impl))
result = -1;
if (aes_selftest_encdec_cbc(impl))
result = -1;
if (aes_selftest_encdec_xts(impl))
result = -1;
if (aes_selftest_cbcmac(impl))
result = -1;
if (aes_selftest_ccm(impl))
result = -1;

return result;
}