TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 0e9cddbf1af8b92912e45a0a356a7a75ea4f972f / . / library / aes.c
blob: 6ff39d74c43884969e45710294520ca95d6d4e2e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame^]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA)
62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
225/*
226 * Reverse S-box
227 */
228static const unsigned char RSb[256] =
229{
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262};
263
264/*
265 * Reverse tables
266 */
267#define RT \
268\
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
333
334#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]335static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336#undef V
337
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]338#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]339
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]341static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342#undef V
343
344#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346#undef V
347
348#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350#undef V
351
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]352#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]353
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef RT
355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360{
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
364};
365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368/*
369 * Forward S-box & tables
370 */
371static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]372static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]373#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]374static uint32_t FT1[256];
375static uint32_t FT2[256];
376static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378
379/*
380 * Reverse S-box & tables
381 */
382static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]383static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]384#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]385static uint32_t RT1[256];
386static uint32_t RT2[256];
387static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]388#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Round constants
392 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]393static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394
395/*
396 * Tables generation code
397 */
398#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
399#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
400#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
401
402static int aes_init_done = 0;
403
404static void aes_gen_tables( void )
405{
406 int i, x, y, z;
407 int pow[256];
408 int log[256];
409
410 /*
411 * compute pow and log tables over GF(2^8)
412 */
413 for( i = 0, x = 1; i < 256; i++ )
414 {
415 pow[i] = x;
416 log[x] = i;
417 x = ( x ^ XTIME( x ) ) & 0xFF;
418 }
419
420 /*
421 * calculate the round constants
422 */
423 for( i = 0, x = 1; i < 10; i++ )
424 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]425 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426 x = XTIME( x ) & 0xFF;
427 }
428
429 /*
430 * generate the forward and reverse S-boxes
431 */
432 FSb[0x00] = 0x63;
433 RSb[0x63] = 0x00;
434
435 for( i = 1; i < 256; i++ )
436 {
437 x = pow[255 - log[i]];
438
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 x ^= y ^ 0x63;
444
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
447 }
448
449 /*
450 * generate the forward and reverse tables
451 */
452 for( i = 0; i < 256; i++ )
453 {
454 x = FSb[i];
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
457
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]463#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]467#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469 x = RSb[i];
470
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]476#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]480#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 }
482}
483
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484#undef ROTL8
485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
490#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
493
494#define AES_RT0(idx) RT0[idx]
495#define AES_RT1(idx) ROTL8( RT0[idx] )
496#define AES_RT2(idx) ROTL16( RT0[idx] )
497#define AES_RT3(idx) ROTL24( RT0[idx] )
498
499#define AES_FT0(idx) FT0[idx]
500#define AES_FT1(idx) ROTL8( FT0[idx] )
501#define AES_FT2(idx) ROTL16( FT0[idx] )
502#define AES_FT3(idx) ROTL24( FT0[idx] )
503
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]504#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) RT1[idx]
508#define AES_RT2(idx) RT2[idx]
509#define AES_RT3(idx) RT3[idx]
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) FT1[idx]
513#define AES_FT2(idx) FT2[idx]
514#define AES_FT3(idx) FT3[idx]
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]518void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]519{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame^]520 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523}
524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526{
527 if( ctx == NULL )
528 return;
529
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531}
532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533#if defined(MBEDTLS_CIPHER_MODE_XTS)
534void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
535{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame^]536 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
540}
541
542void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
543{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame^]544 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]545
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]546 mbedtls_aes_free( &ctx->crypt );
547 mbedtls_aes_free( &ctx->tweak );
548}
549#endif /* MBEDTLS_CIPHER_MODE_XTS */
550
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551/*
552 * AES key schedule (encryption)
553 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]554#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]555int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]556 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]557{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]558 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]559 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame^]561 AES_VALIDATE_RET( ctx != NULL && key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]563 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564 {
565 case 128: ctx->nr = 10; break;
566 case 192: ctx->nr = 12; break;
567 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]568 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]569 }
570
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]571#if !defined(MBEDTLS_AES_ROM_TABLES)
572 if( aes_init_done == 0 )
573 {
574 aes_gen_tables();
575 aes_init_done = 1;
576
577 }
578#endif
579
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]580#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]581 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]582 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]583
584 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]585 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]586 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]588 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]590#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]591 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]592 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]593#endif
594
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]595 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]597 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598 }
599
600 switch( ctx->nr )
601 {
602 case 10:
603
604 for( i = 0; i < 10; i++, RK += 4 )
605 {
606 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]607 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
608 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
609 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
610 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]611
612 RK[5] = RK[1] ^ RK[4];
613 RK[6] = RK[2] ^ RK[5];
614 RK[7] = RK[3] ^ RK[6];
615 }
616 break;
617
618 case 12:
619
620 for( i = 0; i < 8; i++, RK += 6 )
621 {
622 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]623 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
624 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
625 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
626 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627
628 RK[7] = RK[1] ^ RK[6];
629 RK[8] = RK[2] ^ RK[7];
630 RK[9] = RK[3] ^ RK[8];
631 RK[10] = RK[4] ^ RK[9];
632 RK[11] = RK[5] ^ RK[10];
633 }
634 break;
635
636 case 14:
637
638 for( i = 0; i < 7; i++, RK += 8 )
639 {
640 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]641 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
642 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
643 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
644 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]645
646 RK[9] = RK[1] ^ RK[8];
647 RK[10] = RK[2] ^ RK[9];
648 RK[11] = RK[3] ^ RK[10];
649
650 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]651 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
652 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
653 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655
656 RK[13] = RK[5] ^ RK[12];
657 RK[14] = RK[6] ^ RK[13];
658 RK[15] = RK[7] ^ RK[14];
659 }
660 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]661 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]662
663 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]665#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666
667/*
668 * AES key schedule (decryption)
669 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]670#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]672 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]674 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]675 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]676 uint32_t *RK;
677 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]678
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame^]679 AES_VALIDATE_RET( ctx != NULL && key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]680
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]681 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]683#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]684 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]685 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686
687 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]688 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]689 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]691 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]693 /* Also checks keybits */
694 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]695 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]696
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]697 ctx->nr = cty.nr;
698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]700 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]701 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]703 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]704 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]705 }
706#endif
707
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]708 SK = cty.rk + cty.nr * 4;
709
710 *RK++ = *SK++;
711 *RK++ = *SK++;
712 *RK++ = *SK++;
713 *RK++ = *SK++;
714
715 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
716 {
717 for( j = 0; j < 4; j++, SK++ )
718 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]719 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
720 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
721 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
722 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]723 }
724 }
725
726 *RK++ = *SK++;
727 *RK++ = *SK++;
728 *RK++ = *SK++;
729 *RK++ = *SK++;
730
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]732 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]733
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]734 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]736
737#if defined(MBEDTLS_CIPHER_MODE_XTS)
738static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
739 unsigned int keybits,
740 const unsigned char **key1,
741 unsigned int *key1bits,
742 const unsigned char **key2,
743 unsigned int *key2bits )
744{
745 const unsigned int half_keybits = keybits / 2;
746 const unsigned int half_keybytes = half_keybits / 8;
747
748 switch( keybits )
749 {
750 case 256: break;
751 case 512: break;
752 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
753 }
754
755 *key1bits = half_keybits;
756 *key2bits = half_keybits;
757 *key1 = &key[0];
758 *key2 = &key[half_keybytes];
759
760 return 0;
761}
762
763int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
764 const unsigned char *key,
765 unsigned int keybits)
766{
767 int ret;
768 const unsigned char *key1, *key2;
769 unsigned int key1bits, key2bits;
770
771 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
772 &key2, &key2bits );
773 if( ret != 0 )
774 return( ret );
775
776 /* Set the tweak key. Always set tweak key for the encryption mode. */
777 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set crypt key for encryption. */
782 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
783}
784
785int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
786 const unsigned char *key,
787 unsigned int keybits)
788{
789 int ret;
790 const unsigned char *key1, *key2;
791 unsigned int key1bits, key2bits;
792
793 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
794 &key2, &key2bits );
795 if( ret != 0 )
796 return( ret );
797
798 /* Set the tweak key. Always set tweak key for encryption. */
799 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
800 if( ret != 0 )
801 return( ret );
802
803 /* Set crypt key for decryption. */
804 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
805}
806#endif /* MBEDTLS_CIPHER_MODE_XTS */
807
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]808#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]809
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]810#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
811{ \
812 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
813 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
814 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
815 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
816 \
817 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
818 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
819 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
820 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
821 \
822 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
823 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
824 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
825 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
826 \
827 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
828 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
829 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
830 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]831}
832
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]833#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
834{ \
835 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
836 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
837 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
838 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
839 \
840 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
841 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
842 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
843 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
844 \
845 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
846 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
847 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
848 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
849 \
850 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
851 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
852 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
853 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]854}
855
856/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]857 * AES-ECB block encryption
858 */
859#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]860int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
861 const unsigned char input[16],
862 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]863{
864 int i;
865 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
866
867 RK = ctx->rk;
868
869 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
870 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
871 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
872 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
873
874 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
875 {
876 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
877 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
878 }
879
880 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
881
882 X0 = *RK++ ^ \
883 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
884 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
885 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
886 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
887
888 X1 = *RK++ ^ \
889 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
890 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
891 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
892 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
893
894 X2 = *RK++ ^ \
895 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
896 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
897 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
898 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
899
900 X3 = *RK++ ^ \
901 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
902 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
903 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
904 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
905
906 PUT_UINT32_LE( X0, output, 0 );
907 PUT_UINT32_LE( X1, output, 4 );
908 PUT_UINT32_LE( X2, output, 8 );
909 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]910
911 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]912}
913#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
914
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]915#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]916void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
917 const unsigned char input[16],
918 unsigned char output[16] )
919{
920 mbedtls_internal_aes_encrypt( ctx, input, output );
921}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]922#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]923
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]924/*
925 * AES-ECB block decryption
926 */
927#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]928int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
929 const unsigned char input[16],
930 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]931{
932 int i;
933 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
934
935 RK = ctx->rk;
936
937 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
938 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
939 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
940 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
941
942 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
943 {
944 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
945 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
946 }
947
948 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
949
950 X0 = *RK++ ^ \
951 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
952 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
953 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
954 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
955
956 X1 = *RK++ ^ \
957 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
958 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
959 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
960 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
961
962 X2 = *RK++ ^ \
963 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
964 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
965 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
966 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
967
968 X3 = *RK++ ^ \
969 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
970 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
971 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
972 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
973
974 PUT_UINT32_LE( X0, output, 0 );
975 PUT_UINT32_LE( X1, output, 4 );
976 PUT_UINT32_LE( X2, output, 8 );
977 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]978
979 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]980}
981#endif /* !MBEDTLS_AES_DECRYPT_ALT */
982
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]983#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]984void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
985 const unsigned char input[16],
986 unsigned char output[16] )
987{
988 mbedtls_internal_aes_decrypt( ctx, input, output );
989}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]990#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]991
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]992/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]993 * AES-ECB block encryption/decryption
994 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]995int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]996 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]997 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]998 unsigned char output[16] )
999{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1000#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1001 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1003#endif
1004
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1005#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1006 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1008 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1009 return( 0 );
1010
1011 // If padlock data misaligned, we just fall back to
1012 // unaccelerated mode
1013 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1014 }
1015#endif
1016
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1017 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1018 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1019 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1020 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1021}
1022
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1023#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024/*
1025 * AES-CBC buffer encryption/decryption
1026 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1027int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1028 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1029 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1031 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1032 unsigned char *output )
1033{
1034 int i;
1035 unsigned char temp[16];
1036
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1037 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1038 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1040#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1041 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1042 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1044 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1045
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1046 // If padlock data misaligned, we just fall back to
1047 // unaccelerated mode
1048 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 }
1050#endif
1051
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1053 {
1054 while( length > 0 )
1055 {
1056 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1057 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1058
1059 for( i = 0; i < 16; i++ )
1060 output[i] = (unsigned char)( output[i] ^ iv[i] );
1061
1062 memcpy( iv, temp, 16 );
1063
1064 input += 16;
1065 output += 16;
1066 length -= 16;
1067 }
1068 }
1069 else
1070 {
1071 while( length > 0 )
1072 {
1073 for( i = 0; i < 16; i++ )
1074 output[i] = (unsigned char)( input[i] ^ iv[i] );
1075
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1076 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1077 memcpy( iv, output, 16 );
1078
1079 input += 16;
1080 output += 16;
1081 length -= 16;
1082 }
1083 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1084
1085 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1086}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1088
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1089#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1090
1091/* Endianess with 64 bits values */
1092#ifndef GET_UINT64_LE
1093#define GET_UINT64_LE(n,b,i) \
1094{ \
1095 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1096 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1097 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1098 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1099 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1100 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1101 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1102 | ( (uint64_t) (b)[(i) ] ); \
1103}
1104#endif
1105
1106#ifndef PUT_UINT64_LE
1107#define PUT_UINT64_LE(n,b,i) \
1108{ \
1109 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1110 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1111 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1112 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1113 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1114 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1115 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1116 (b)[(i) ] = (unsigned char) ( (n) ); \
1117}
1118#endif
1119
1120typedef unsigned char mbedtls_be128[16];
1121
1122/*
1123 * GF(2^128) multiplication function
1124 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1125 * This function multiplies a field element by x in the polynomial field
1126 * representation. It uses 64-bit word operations to gain speed but compensates
1127 * for machine endianess and hence works correctly on both big and little
1128 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1129 */
1130static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1131 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1132{
1133 uint64_t a, b, ra, rb;
1134
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1135 GET_UINT64_LE( a, x, 0 );
1136 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1137
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1138 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1139 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1140
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1141 PUT_UINT64_LE( ra, r, 0 );
1142 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1143}
1144
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1145/*
1146 * AES-XTS buffer encryption/decryption
1147 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1148int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1149 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1150 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1151 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1152 const unsigned char *input,
1153 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1154{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1155 int ret;
1156 size_t blocks = length / 16;
1157 size_t leftover = length % 16;
1158 unsigned char tweak[16];
1159 unsigned char prev_tweak[16];
1160 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1161
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1162 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1163 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1164 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1165
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1166 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1167 if( length > ( 1 << 20 ) * 16 )
1168 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1169
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1170 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1171 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1172 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1173 if( ret != 0 )
1174 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1175
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1176 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1177 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1178 size_t i;
1179
1180 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1181 {
1182 /* We are on the last block in a decrypt operation that has
1183 * leftover bytes, so we need to use the next tweak for this block,
1184 * and this tweak for the lefover bytes. Save the current tweak for
1185 * the leftovers and then update the current tweak for use on this,
1186 * the last full block. */
1187 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1188 mbedtls_gf128mul_x_ble( tweak, tweak );
1189 }
1190
1191 for( i = 0; i < 16; i++ )
1192 tmp[i] = input[i] ^ tweak[i];
1193
1194 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1195 if( ret != 0 )
1196 return( ret );
1197
1198 for( i = 0; i < 16; i++ )
1199 output[i] = tmp[i] ^ tweak[i];
1200
1201 /* Update the tweak for the next block. */
1202 mbedtls_gf128mul_x_ble( tweak, tweak );
1203
1204 output += 16;
1205 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1206 }
1207
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1208 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1209 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1210 /* If we are on the leftover bytes in a decrypt operation, we need to
1211 * use the previous tweak for these bytes (as saved in prev_tweak). */
1212 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1213
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1214 /* We are now on the final part of the data unit, which doesn't divide
1215 * evenly by 16. It's time for ciphertext stealing. */
1216 size_t i;
1217 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1218
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1219 /* Copy ciphertext bytes from the previous block to our output for each
1220 * byte of cyphertext we won't steal. At the same time, copy the
1221 * remainder of the input for this final round (since the loop bounds
1222 * are the same). */
1223 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1224 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1225 output[i] = prev_output[i];
1226 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1227 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1228
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1229 /* Copy ciphertext bytes from the previous block for input in this
1230 * round. */
1231 for( ; i < 16; i++ )
1232 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1233
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1234 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1235 if( ret != 0 )
1236 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1237
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1238 /* Write the result back to the previous block, overriding the previous
1239 * output we copied. */
1240 for( i = 0; i < 16; i++ )
1241 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1242 }
1243
1244 return( 0 );
1245}
1246#endif /* MBEDTLS_CIPHER_MODE_XTS */
1247
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1248#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1249/*
1250 * AES-CFB128 buffer encryption/decryption
1251 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1252int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1253 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1254 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1255 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1256 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1257 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 unsigned char *output )
1259{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1260 int c;
1261 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1263 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1264 {
1265 while( length-- )
1266 {
1267 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1268 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269
1270 c = *input++;
1271 *output++ = (unsigned char)( c ^ iv[n] );
1272 iv[n] = (unsigned char) c;
1273
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1274 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1275 }
1276 }
1277 else
1278 {
1279 while( length-- )
1280 {
1281 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1282 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1283
1284 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1285
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1286 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1287 }
1288 }
1289
1290 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1291
1292 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1294
1295/*
1296 * AES-CFB8 buffer encryption/decryption
1297 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1298int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1299 int mode,
1300 size_t length,
1301 unsigned char iv[16],
1302 const unsigned char *input,
1303 unsigned char *output )
1304{
1305 unsigned char c;
1306 unsigned char ov[17];
1307
1308 while( length-- )
1309 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1310 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1312
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1313 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1314 ov[16] = *input;
1315
1316 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1317
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1318 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1319 ov[16] = c;
1320
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1321 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1322 }
1323
1324 return( 0 );
1325}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1326#endif /* MBEDTLS_CIPHER_MODE_CFB */
1327
1328#if defined(MBEDTLS_CIPHER_MODE_OFB)
1329/*
1330 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1331 */
1332int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1333 size_t length,
1334 size_t *iv_off,
1335 unsigned char iv[16],
1336 const unsigned char *input,
1337 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1338{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1339 int ret = 0;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1340 size_t n = *iv_off;
1341
1342 while( length-- )
1343 {
1344 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1345 {
1346 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1347 if( ret != 0 )
1348 goto exit;
1349 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1350 *output++ = *input++ ^ iv[n];
1351
1352 n = ( n + 1 ) & 0x0F;
1353 }
1354
1355 *iv_off = n;
1356
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1357exit:
1358 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1359}
1360#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1361
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1362#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1363/*
1364 * AES-CTR buffer encryption/decryption
1365 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1366int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1367 size_t length,
1368 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1369 unsigned char nonce_counter[16],
1370 unsigned char stream_block[16],
1371 const unsigned char *input,
1372 unsigned char *output )
1373{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1374 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1375 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1376
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1377 if ( n > 0x0F )
1378 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1379
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1380 while( length-- )
1381 {
1382 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1383 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1384
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1385 for( i = 16; i > 0; i-- )
1386 if( ++nonce_counter[i - 1] != 0 )
1387 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1388 }
1389 c = *input++;
1390 *output++ = (unsigned char)( c ^ stream_block[n] );
1391
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1392 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1393 }
1394
1395 *nc_off = n;
1396
1397 return( 0 );
1398}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1399#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1400
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1401#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1402
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1403#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1404/*
1405 * AES test vectors from:
1406 *
1407 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1408 */
1409static const unsigned char aes_test_ecb_dec[3][16] =
1410{
1411 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1412 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1413 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1414 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1415 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1416 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1417};
1418
1419static const unsigned char aes_test_ecb_enc[3][16] =
1420{
1421 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1422 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1423 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1424 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1425 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1426 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1427};
1428
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1429#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1430static const unsigned char aes_test_cbc_dec[3][16] =
1431{
1432 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1433 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1434 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1435 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1436 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1437 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1438};
1439
1440static const unsigned char aes_test_cbc_enc[3][16] =
1441{
1442 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1443 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1444 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1445 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1446 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1447 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1448};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1449#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1451#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1452/*
1453 * AES-CFB128 test vectors from:
1454 *
1455 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1456 */
1457static const unsigned char aes_test_cfb128_key[3][32] =
1458{
1459 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1460 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1461 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1462 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1463 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1464 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1465 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1466 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1467 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1468};
1469
1470static const unsigned char aes_test_cfb128_iv[16] =
1471{
1472 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1473 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1474};
1475
1476static const unsigned char aes_test_cfb128_pt[64] =
1477{
1478 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1479 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1480 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1481 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1482 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1483 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1484 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1485 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1486};
1487
1488static const unsigned char aes_test_cfb128_ct[3][64] =
1489{
1490 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1491 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1492 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1493 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1494 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1495 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1496 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1497 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1498 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1499 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1500 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1501 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1502 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1503 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1504 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1505 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1506 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1507 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1508 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1509 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1510 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1511 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1512 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1513 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1514};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1515#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1516
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1517#if defined(MBEDTLS_CIPHER_MODE_OFB)
1518/*
1519 * AES-OFB test vectors from:
1520 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1521 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1522 */
1523static const unsigned char aes_test_ofb_key[3][32] =
1524{
1525 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1526 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1527 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1528 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1529 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1530 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1531 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1532 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1533 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1534};
1535
1536static const unsigned char aes_test_ofb_iv[16] =
1537{
1538 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1539 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1540};
1541
1542static const unsigned char aes_test_ofb_pt[64] =
1543{
1544 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1545 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1546 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1547 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1548 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1549 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1550 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1551 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1552};
1553
1554static const unsigned char aes_test_ofb_ct[3][64] =
1555{
1556 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1557 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1558 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1559 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1560 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1561 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1562 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1563 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1564 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1565 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1566 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1567 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1568 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1569 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1570 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1571 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1572 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1573 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1574 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1575 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1576 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1577 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1578 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1579 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1580};
1581#endif /* MBEDTLS_CIPHER_MODE_OFB */
1582
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1583#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1584/*
1585 * AES-CTR test vectors from:
1586 *
1587 * http://www.faqs.org/rfcs/rfc3686.html
1588 */
1589
1590static const unsigned char aes_test_ctr_key[3][16] =
1591{
1592 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1593 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1594 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1595 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1596 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1597 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1598};
1599
1600static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1601{
1602 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1603 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1604 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1605 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1606 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1607 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1608};
1609
1610static const unsigned char aes_test_ctr_pt[3][48] =
1611{
1612 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1613 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1614
1615 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1616 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1617 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1618 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1619
1620 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1621 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1622 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1623 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1624 0x20, 0x21, 0x22, 0x23 }
1625};
1626
1627static const unsigned char aes_test_ctr_ct[3][48] =
1628{
1629 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1630 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1631 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1632 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1633 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1634 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1635 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1636 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1637 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1638 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1639 0x25, 0xB2, 0x07, 0x2F }
1640};
1641
1642static const int aes_test_ctr_len[3] =
1643 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1644#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1645
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1646#if defined(MBEDTLS_CIPHER_MODE_XTS)
1647/*
1648 * AES-XTS test vectors from:
1649 *
1650 * IEEE P1619/D16 Annex B
1651 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1652 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1653 */
1654static const unsigned char aes_test_xts_key[][32] =
1655{
1656 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1660 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1661 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1662 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1663 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1664 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1665 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1666 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1667 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1668};
1669
1670static const unsigned char aes_test_xts_pt32[][32] =
1671{
1672 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1673 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1674 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1675 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1676 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1677 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1678 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1679 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1680 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1681 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1682 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1683 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1684};
1685
1686static const unsigned char aes_test_xts_ct32[][32] =
1687{
1688 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1689 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1690 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1691 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1692 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1693 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1694 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1695 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1696 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1697 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1698 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1699 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1700};
1701
1702static const unsigned char aes_test_xts_data_unit[][16] =
1703{
1704 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1706 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1708 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1709 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1710};
1711
1712#endif /* MBEDTLS_CIPHER_MODE_XTS */
1713
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1714/*
1715 * Checkup routine
1716 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1717int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1718{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1719 int ret = 0, i, j, u, mode;
1720 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1721 unsigned char key[32];
1722 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1723 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1724#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1725 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1726#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1727#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1728 unsigned char prv[16];
1729#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1730#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1731 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1732 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1733#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1734#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1735 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1736#endif
1737#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1738 unsigned char nonce_counter[16];
1739 unsigned char stream_block[16];
1740#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1741 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1742
1743 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1744 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1745
1746 /*
1747 * ECB mode
1748 */
1749 for( i = 0; i < 6; i++ )
1750 {
1751 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1752 keybits = 128 + u * 64;
1753 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1754
1755 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1756 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1757 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1758
1759 memset( buf, 0, 16 );
1760
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1761 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1762 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1763 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1764 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1765 }
1766 else
1767 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1768 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1769 aes_tests = aes_test_ecb_enc[u];
1770 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1771
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1772 /*
1773 * AES-192 is an optional feature that may be unavailable when
1774 * there is an alternative underlying implementation i.e. when
1775 * MBEDTLS_AES_ALT is defined.
1776 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1777 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1778 {
1779 mbedtls_printf( "skipped\n" );
1780 continue;
1781 }
1782 else if( ret != 0 )
1783 {
1784 goto exit;
1785 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1786
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1787 for( j = 0; j < 10000; j++ )
1788 {
1789 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1790 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1791 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1792 }
1793
1794 if( memcmp( buf, aes_tests, 16 ) != 0 )
1795 {
1796 ret = 1;
1797 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798 }
1799
1800 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1801 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1802 }
1803
1804 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1805 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1806
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1807#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1808 /*
1809 * CBC mode
1810 */
1811 for( i = 0; i < 6; i++ )
1812 {
1813 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1814 keybits = 128 + u * 64;
1815 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1816
1817 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1818 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1819 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820
1821 memset( iv , 0, 16 );
1822 memset( prv, 0, 16 );
1823 memset( buf, 0, 16 );
1824
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1825 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1826 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1827 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1828 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1829 }
1830 else
1831 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1832 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1833 aes_tests = aes_test_cbc_enc[u];
1834 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1835
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1836 /*
1837 * AES-192 is an optional feature that may be unavailable when
1838 * there is an alternative underlying implementation i.e. when
1839 * MBEDTLS_AES_ALT is defined.
1840 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1841 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1842 {
1843 mbedtls_printf( "skipped\n" );
1844 continue;
1845 }
1846 else if( ret != 0 )
1847 {
1848 goto exit;
1849 }
1850
1851 for( j = 0; j < 10000; j++ )
1852 {
1853 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1854 {
1855 unsigned char tmp[16];
1856
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857 memcpy( tmp, prv, 16 );
1858 memcpy( prv, buf, 16 );
1859 memcpy( buf, tmp, 16 );
1860 }
1861
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1862 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1863 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1864 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1865
1866 }
1867
1868 if( memcmp( buf, aes_tests, 16 ) != 0 )
1869 {
1870 ret = 1;
1871 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1872 }
1873
1874 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1875 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876 }
1877
1878 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1879 mbedtls_printf( "\n" );
1880#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1882#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1883 /*
1884 * CFB128 mode
1885 */
1886 for( i = 0; i < 6; i++ )
1887 {
1888 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1889 keybits = 128 + u * 64;
1890 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1891
1892 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1893 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1894 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1895
1896 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1897 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898
1899 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1900 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1901 /*
1902 * AES-192 is an optional feature that may be unavailable when
1903 * there is an alternative underlying implementation i.e. when
1904 * MBEDTLS_AES_ALT is defined.
1905 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1906 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1907 {
1908 mbedtls_printf( "skipped\n" );
1909 continue;
1910 }
1911 else if( ret != 0 )
1912 {
1913 goto exit;
1914 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1916 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1917 {
1918 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1919 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1920 }
1921 else
1922 {
1923 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1924 aes_tests = aes_test_cfb128_ct[u];
1925 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1926
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1927 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1928 if( ret != 0 )
1929 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1931 if( memcmp( buf, aes_tests, 64 ) != 0 )
1932 {
1933 ret = 1;
1934 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1935 }
1936
1937 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1938 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1939 }
1940
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1941 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1942 mbedtls_printf( "\n" );
1943#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1944
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1945#if defined(MBEDTLS_CIPHER_MODE_OFB)
1946 /*
1947 * OFB mode
1948 */
1949 for( i = 0; i < 6; i++ )
1950 {
1951 u = i >> 1;
1952 keybits = 128 + u * 64;
1953 mode = i & 1;
1954
1955 if( verbose != 0 )
1956 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
1957 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1958
1959 memcpy( iv, aes_test_ofb_iv, 16 );
1960 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1961
1962 offset = 0;
1963 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1964 /*
1965 * AES-192 is an optional feature that may be unavailable when
1966 * there is an alternative underlying implementation i.e. when
1967 * MBEDTLS_AES_ALT is defined.
1968 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1969 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1970 {
1971 mbedtls_printf( "skipped\n" );
1972 continue;
1973 }
1974 else if( ret != 0 )
1975 {
1976 goto exit;
1977 }
1978
1979 if( mode == MBEDTLS_AES_DECRYPT )
1980 {
1981 memcpy( buf, aes_test_ofb_ct[u], 64 );
1982 aes_tests = aes_test_ofb_pt;
1983 }
1984 else
1985 {
1986 memcpy( buf, aes_test_ofb_pt, 64 );
1987 aes_tests = aes_test_ofb_ct[u];
1988 }
1989
1990 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1991 if( ret != 0 )
1992 goto exit;
1993
1994 if( memcmp( buf, aes_tests, 64 ) != 0 )
1995 {
1996 ret = 1;
1997 goto exit;
1998 }
1999
2000 if( verbose != 0 )
2001 mbedtls_printf( "passed\n" );
2002 }
2003
2004 if( verbose != 0 )
2005 mbedtls_printf( "\n" );
2006#endif /* MBEDTLS_CIPHER_MODE_OFB */
2007
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2008#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2009 /*
2010 * CTR mode
2011 */
2012 for( i = 0; i < 6; i++ )
2013 {
2014 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2015 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2016
2017 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2018 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2019 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2020
2021 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2022 memcpy( key, aes_test_ctr_key[u], 16 );
2023
2024 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2025 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2026 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2027
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2028 len = aes_test_ctr_len[u];
2029
2030 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2031 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2032 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2033 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2034 }
2035 else
2036 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2037 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2038 aes_tests = aes_test_ctr_ct[u];
2039 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2040
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2041 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2042 stream_block, buf, buf );
2043 if( ret != 0 )
2044 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2045
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2046 if( memcmp( buf, aes_tests, len ) != 0 )
2047 {
2048 ret = 1;
2049 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2050 }
2051
2052 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2053 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2054 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2055
2056 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2057 mbedtls_printf( "\n" );
2058#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2059
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2060#if defined(MBEDTLS_CIPHER_MODE_XTS)
2061 {
2062 static const int num_tests =
2063 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2064 mbedtls_aes_xts_context ctx_xts;
2065
2066 /*
2067 * XTS mode
2068 */
2069 mbedtls_aes_xts_init( &ctx_xts );
2070
2071 for( i = 0; i < num_tests << 1; i++ )
2072 {
2073 const unsigned char *data_unit;
2074 u = i >> 1;
2075 mode = i & 1;
2076
2077 if( verbose != 0 )
2078 mbedtls_printf( " AES-XTS-128 (%s): ",
2079 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2080
2081 memset( key, 0, sizeof( key ) );
2082 memcpy( key, aes_test_xts_key[u], 32 );
2083 data_unit = aes_test_xts_data_unit[u];
2084
2085 len = sizeof( *aes_test_xts_ct32 );
2086
2087 if( mode == MBEDTLS_AES_DECRYPT )
2088 {
2089 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2090 if( ret != 0)
2091 goto exit;
2092 memcpy( buf, aes_test_xts_ct32[u], len );
2093 aes_tests = aes_test_xts_pt32[u];
2094 }
2095 else
2096 {
2097 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2098 if( ret != 0)
2099 goto exit;
2100 memcpy( buf, aes_test_xts_pt32[u], len );
2101 aes_tests = aes_test_xts_ct32[u];
2102 }
2103
2104
2105 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2106 buf, buf );
2107 if( ret != 0 )
2108 goto exit;
2109
2110 if( memcmp( buf, aes_tests, len ) != 0 )
2111 {
2112 ret = 1;
2113 goto exit;
2114 }
2115
2116 if( verbose != 0 )
2117 mbedtls_printf( "passed\n" );
2118 }
2119
2120 if( verbose != 0 )
2121 mbedtls_printf( "\n" );
2122
2123 mbedtls_aes_xts_free( &ctx_xts );
2124 }
2125#endif /* MBEDTLS_CIPHER_MODE_XTS */
2126
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2127 ret = 0;
2128
2129exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2130 if( ret != 0 && verbose != 0 )
2131 mbedtls_printf( "failed\n" );
2132
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2133 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2134
2135 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2136}
2137
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2138#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2139
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2140#endif /* MBEDTLS_AES_C */