TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / a74faba27a4a490e06d4de48dc606e4f339f41b2 / . / library / aes.c
blob: fce32ce84575e4c05e869359dc65c300f4248e9a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]39#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]41#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]42#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]44#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]45#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]47#if defined(MBEDTLS_SELF_TEST)
48#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]49#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]50#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#define mbedtls_printf printf
53#endif /* MBEDTLS_PLATFORM_C */
54#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]55
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]57
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58/*
59 * 32-bit integer manipulation macros (little endian)
60 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]61#ifndef GET_UINT32_LE
62#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]64 (n) = ( (uint32_t) (b)[(i) ] ) \
65 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
67 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68}
69#endif
70
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]72#define PUT_UINT32_LE(n,b,i) \
73{ \
74 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
75 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
76 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
77 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]78}
79#endif
80
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]81#if defined(MBEDTLS_PADLOCK_C) && \
82 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]83static int aes_padlock_ace = -1;
84#endif
85
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]86#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]87/*
88 * Forward S-box
89 */
90static const unsigned char FSb[256] =
91{
92 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
93 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
94 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
95 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
96 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
97 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
98 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
99 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
100 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
101 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
102 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
103 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
104 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
105 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
106 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
107 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
108 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
109 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
110 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
111 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
112 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
113 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
114 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
115 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
116 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
117 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
118 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
119 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
120 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
121 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
122 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
123 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
124};
125
126/*
127 * Forward tables
128 */
129#define FT \
130\
131 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
132 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
133 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
134 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
135 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
136 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
137 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
138 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
139 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
140 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
141 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
142 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
143 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
144 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
145 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
146 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
147 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
148 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
149 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
150 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
151 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
152 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
153 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
154 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
155 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
156 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
157 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
158 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
159 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
160 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
161 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
162 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
163 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
164 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
165 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
166 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
167 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
168 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
169 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
170 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
171 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
172 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
173 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
174 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
175 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
176 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
177 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
178 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
179 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
180 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
181 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
182 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
183 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
184 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
185 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
186 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
187 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
188 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
189 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
190 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
191 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
192 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
193 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
194 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
195
196#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]200#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]201
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]202#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]203static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#undef V
205
206#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]207static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208#undef V
209
210#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]214#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]215
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef FT
217
218/*
219 * Reverse S-box
220 */
221static const unsigned char RSb[256] =
222{
223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
255};
256
257/*
258 * Reverse tables
259 */
260#define RT \
261\
262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
326
327#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]328static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]329#undef V
330
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]331#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]332
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]334static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#undef V
336
337#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
341#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]345#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]346
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef RT
348
349/*
350 * Round constants
351 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]352static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353{
354 0x00000001, 0x00000002, 0x00000004, 0x00000008,
355 0x00000010, 0x00000020, 0x00000040, 0x00000080,
356 0x0000001B, 0x00000036
357};
358
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]359#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361/*
362 * Forward S-box & tables
363 */
364static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]365static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]366#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT1[256];
368static uint32_t FT2[256];
369static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372/*
373 * Reverse S-box & tables
374 */
375static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]376static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]377#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT1[256];
379static uint32_t RT2[256];
380static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]381#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383/*
384 * Round constants
385 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]386static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387
388/*
389 * Tables generation code
390 */
391#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
392#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
393#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
394
395static int aes_init_done = 0;
396
397static void aes_gen_tables( void )
398{
399 int i, x, y, z;
400 int pow[256];
401 int log[256];
402
403 /*
404 * compute pow and log tables over GF(2^8)
405 */
406 for( i = 0, x = 1; i < 256; i++ )
407 {
408 pow[i] = x;
409 log[x] = i;
410 x = ( x ^ XTIME( x ) ) & 0xFF;
411 }
412
413 /*
414 * calculate the round constants
415 */
416 for( i = 0, x = 1; i < 10; i++ )
417 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]418 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419 x = XTIME( x ) & 0xFF;
420 }
421
422 /*
423 * generate the forward and reverse S-boxes
424 */
425 FSb[0x00] = 0x63;
426 RSb[0x63] = 0x00;
427
428 for( i = 1; i < 256; i++ )
429 {
430 x = pow[255 - log[i]];
431
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]432 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
433 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
434 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 x ^= y ^ 0x63;
437
438 FSb[i] = (unsigned char) x;
439 RSb[x] = (unsigned char) i;
440 }
441
442 /*
443 * generate the forward and reverse tables
444 */
445 for( i = 0; i < 256; i++ )
446 {
447 x = FSb[i];
448 y = XTIME( x ) & 0xFF;
449 z = ( y ^ x ) & 0xFF;
450
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]451 FT0[i] = ( (uint32_t) y ) ^
452 ( (uint32_t) x << 8 ) ^
453 ( (uint32_t) x << 16 ) ^
454 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]456#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 FT1[i] = ROTL8( FT0[i] );
458 FT2[i] = ROTL8( FT1[i] );
459 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]460#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461
462 x = RSb[i];
463
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]464 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
465 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
466 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
467 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]469#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RT1[i] = ROTL8( RT0[i] );
471 RT2[i] = ROTL8( RT1[i] );
472 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]473#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475}
476
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]477#undef ROTL8
478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]481#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]482
483#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
484#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
485#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
486
487#define AES_RT0(idx) RT0[idx]
488#define AES_RT1(idx) ROTL8( RT0[idx] )
489#define AES_RT2(idx) ROTL16( RT0[idx] )
490#define AES_RT3(idx) ROTL24( RT0[idx] )
491
492#define AES_FT0(idx) FT0[idx]
493#define AES_FT1(idx) ROTL8( FT0[idx] )
494#define AES_FT2(idx) ROTL16( FT0[idx] )
495#define AES_FT3(idx) ROTL24( FT0[idx] )
496
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]497#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]498
499#define AES_RT0(idx) RT0[idx]
500#define AES_RT1(idx) RT1[idx]
501#define AES_RT2(idx) RT2[idx]
502#define AES_RT3(idx) RT3[idx]
503
504#define AES_FT0(idx) FT0[idx]
505#define AES_FT1(idx) FT1[idx]
506#define AES_FT2(idx) FT2[idx]
507#define AES_FT3(idx) FT3[idx]
508
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]509#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]512{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514}
515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]516void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]517{
518 if( ctx == NULL )
519 return;
520
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]521 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]522}
523
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]524#if defined(MBEDTLS_CIPHER_MODE_XTS)
525void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
526{
527 mbedtls_aes_init( &ctx->crypt );
528 mbedtls_aes_init( &ctx->tweak );
529}
530
531void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
532{
533 mbedtls_aes_free( &ctx->crypt );
534 mbedtls_aes_free( &ctx->tweak );
535}
536#endif /* MBEDTLS_CIPHER_MODE_XTS */
537
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538/*
539 * AES key schedule (encryption)
540 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]541#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]542int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]543 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]545 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]546 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]548#if !defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549 if( aes_init_done == 0 )
550 {
551 aes_gen_tables();
552 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]553
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554 }
555#endif
556
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]557 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558 {
559 case 128: ctx->nr = 10; break;
560 case 192: ctx->nr = 12; break;
561 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]562 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563 }
564
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]565#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]566 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]567 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]568
569 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]570 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]571 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]573 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]574
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]575#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]576 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]577 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]578#endif
579
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]580 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]582 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583 }
584
585 switch( ctx->nr )
586 {
587 case 10:
588
589 for( i = 0; i < 10; i++, RK += 4 )
590 {
591 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]592 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
593 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
594 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
595 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596
597 RK[5] = RK[1] ^ RK[4];
598 RK[6] = RK[2] ^ RK[5];
599 RK[7] = RK[3] ^ RK[6];
600 }
601 break;
602
603 case 12:
604
605 for( i = 0; i < 8; i++, RK += 6 )
606 {
607 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]608 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
609 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
610 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
611 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612
613 RK[7] = RK[1] ^ RK[6];
614 RK[8] = RK[2] ^ RK[7];
615 RK[9] = RK[3] ^ RK[8];
616 RK[10] = RK[4] ^ RK[9];
617 RK[11] = RK[5] ^ RK[10];
618 }
619 break;
620
621 case 14:
622
623 for( i = 0; i < 7; i++, RK += 8 )
624 {
625 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]626 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
627 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
628 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
629 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]630
631 RK[9] = RK[1] ^ RK[8];
632 RK[10] = RK[2] ^ RK[9];
633 RK[11] = RK[3] ^ RK[10];
634
635 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]636 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
637 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
638 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
639 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640
641 RK[13] = RK[5] ^ RK[12];
642 RK[14] = RK[6] ^ RK[13];
643 RK[15] = RK[7] ^ RK[14];
644 }
645 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]647
648 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]649}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]650#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
652/*
653 * AES key schedule (decryption)
654 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]655#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]657 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]659 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]660 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]661 uint32_t *RK;
662 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]664 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]666#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]667 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]668 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]669
670 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]672 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]674 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]676 /* Also checks keybits */
677 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]678 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]679
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]680 ctx->nr = cty.nr;
681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]683 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]684 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]686 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]687 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]688 }
689#endif
690
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691 SK = cty.rk + cty.nr * 4;
692
693 *RK++ = *SK++;
694 *RK++ = *SK++;
695 *RK++ = *SK++;
696 *RK++ = *SK++;
697
698 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
699 {
700 for( j = 0; j < 4; j++, SK++ )
701 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]702 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
703 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
704 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
705 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]706 }
707 }
708
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711 *RK++ = *SK++;
712 *RK++ = *SK++;
713
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]714exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]715 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]716
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]717 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]718}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]719
720#if defined(MBEDTLS_CIPHER_MODE_XTS)
721static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
722 unsigned int keybits,
723 const unsigned char **key1,
724 unsigned int *key1bits,
725 const unsigned char **key2,
726 unsigned int *key2bits )
727{
728 const unsigned int half_keybits = keybits / 2;
729 const unsigned int half_keybytes = half_keybits / 8;
730
731 switch( keybits )
732 {
733 case 256: break;
734 case 512: break;
735 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
736 }
737
738 *key1bits = half_keybits;
739 *key2bits = half_keybits;
740 *key1 = &key[0];
741 *key2 = &key[half_keybytes];
742
743 return 0;
744}
745
746int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
747 const unsigned char *key,
748 unsigned int keybits)
749{
750 int ret;
751 const unsigned char *key1, *key2;
752 unsigned int key1bits, key2bits;
753
754 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
755 &key2, &key2bits );
756 if( ret != 0 )
757 return( ret );
758
759 /* Set the tweak key. Always set tweak key for the encryption mode. */
760 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
761 if( ret != 0 )
762 return( ret );
763
764 /* Set crypt key for encryption. */
765 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
766}
767
768int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
769 const unsigned char *key,
770 unsigned int keybits)
771{
772 int ret;
773 const unsigned char *key1, *key2;
774 unsigned int key1bits, key2bits;
775
776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
777 &key2, &key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set the tweak key. Always set tweak key for encryption. */
782 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
783 if( ret != 0 )
784 return( ret );
785
786 /* Set crypt key for decryption. */
787 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
788}
789#endif /* MBEDTLS_CIPHER_MODE_XTS */
790
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]791#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]792
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]793#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
794{ \
795 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
796 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
797 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
798 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
799 \
800 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
801 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
802 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
803 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
804 \
805 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
806 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
807 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
808 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
809 \
810 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
811 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
812 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
813 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814}
815
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]816#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
817{ \
818 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
819 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
820 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
821 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
822 \
823 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
824 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
825 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
826 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
827 \
828 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
829 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
830 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
831 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
832 \
833 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
834 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
835 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
836 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]837}
838
839/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]840 * AES-ECB block encryption
841 */
842#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]843int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
844 const unsigned char input[16],
845 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]846{
847 int i;
848 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
849
850 RK = ctx->rk;
851
852 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
853 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
854 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
855 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
856
857 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
858 {
859 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
860 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
861 }
862
863 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
864
865 X0 = *RK++ ^ \
866 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
867 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
868 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
869 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
870
871 X1 = *RK++ ^ \
872 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
873 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
874 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
875 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
876
877 X2 = *RK++ ^ \
878 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
879 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
880 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
881 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
882
883 X3 = *RK++ ^ \
884 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
885 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
886 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
887 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
888
889 PUT_UINT32_LE( X0, output, 0 );
890 PUT_UINT32_LE( X1, output, 4 );
891 PUT_UINT32_LE( X2, output, 8 );
892 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]893
894 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]895}
896#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
897
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]898#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]899void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
900 const unsigned char input[16],
901 unsigned char output[16] )
902{
903 mbedtls_internal_aes_encrypt( ctx, input, output );
904}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]905#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]906
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]907/*
908 * AES-ECB block decryption
909 */
910#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]911int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
912 const unsigned char input[16],
913 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]914{
915 int i;
916 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
917
918 RK = ctx->rk;
919
920 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
921 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
922 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
923 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
924
925 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
926 {
927 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
928 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
929 }
930
931 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
932
933 X0 = *RK++ ^ \
934 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
935 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
936 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
937 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
938
939 X1 = *RK++ ^ \
940 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
941 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
942 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
943 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
944
945 X2 = *RK++ ^ \
946 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
947 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
948 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
949 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
950
951 X3 = *RK++ ^ \
952 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
953 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
954 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
955 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
956
957 PUT_UINT32_LE( X0, output, 0 );
958 PUT_UINT32_LE( X1, output, 4 );
959 PUT_UINT32_LE( X2, output, 8 );
960 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]961
962 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]963}
964#endif /* !MBEDTLS_AES_DECRYPT_ALT */
965
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]966#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]967void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
968 const unsigned char input[16],
969 unsigned char output[16] )
970{
971 mbedtls_internal_aes_decrypt( ctx, input, output );
972}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]973#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]974
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]975/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]976 * AES-ECB block encryption/decryption
977 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]978int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]979 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]980 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]981 unsigned char output[16] )
982{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]983#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]984 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]985 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]986#endif
987
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]988#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]989 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]990 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]991 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]992 return( 0 );
993
994 // If padlock data misaligned, we just fall back to
995 // unaccelerated mode
996 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]997 }
998#endif
999
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1000 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1001 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1002 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1003 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1004}
1005
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1006#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007/*
1008 * AES-CBC buffer encryption/decryption
1009 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1010int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1012 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1013 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1014 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1015 unsigned char *output )
1016{
1017 int i;
1018 unsigned char temp[16];
1019
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1020 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1021 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1022
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1023#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1024 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1025 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1026 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1027 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1028
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1029 // If padlock data misaligned, we just fall back to
1030 // unaccelerated mode
1031 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1032 }
1033#endif
1034
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1035 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1036 {
1037 while( length > 0 )
1038 {
1039 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1040 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1041
1042 for( i = 0; i < 16; i++ )
1043 output[i] = (unsigned char)( output[i] ^ iv[i] );
1044
1045 memcpy( iv, temp, 16 );
1046
1047 input += 16;
1048 output += 16;
1049 length -= 16;
1050 }
1051 }
1052 else
1053 {
1054 while( length > 0 )
1055 {
1056 for( i = 0; i < 16; i++ )
1057 output[i] = (unsigned char)( input[i] ^ iv[i] );
1058
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1059 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1060 memcpy( iv, output, 16 );
1061
1062 input += 16;
1063 output += 16;
1064 length -= 16;
1065 }
1066 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1067
1068 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1070#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1071
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1072#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1073
1074/* Endianess with 64 bits values */
1075#ifndef GET_UINT64_LE
1076#define GET_UINT64_LE(n,b,i) \
1077{ \
1078 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1079 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1080 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1081 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1082 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1083 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1084 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1085 | ( (uint64_t) (b)[(i) ] ); \
1086}
1087#endif
1088
1089#ifndef PUT_UINT64_LE
1090#define PUT_UINT64_LE(n,b,i) \
1091{ \
1092 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1093 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1094 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1095 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1096 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1097 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1098 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1099 (b)[(i) ] = (unsigned char) ( (n) ); \
1100}
1101#endif
1102
1103typedef unsigned char mbedtls_be128[16];
1104
1105/*
1106 * GF(2^128) multiplication function
1107 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1108 * This function multiplies a field element by x in the polynomial field
1109 * representation. It uses 64-bit word operations to gain speed but compensates
1110 * for machine endianess and hence works correctly on both big and little
1111 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1112 */
1113static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1114 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1115{
1116 uint64_t a, b, ra, rb;
1117
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1118 GET_UINT64_LE( a, x, 0 );
1119 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1120
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1121 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1122 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1123
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1124 PUT_UINT64_LE( ra, r, 0 );
1125 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1126}
1127
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1128/*
1129 * AES-XTS buffer encryption/decryption
1130 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1131int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1132 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1133 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1134 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1135 const unsigned char *input,
1136 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1137{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1138 int ret;
1139 size_t blocks = length / 16;
1140 size_t leftover = length % 16;
1141 unsigned char tweak[16];
1142 unsigned char prev_tweak[16];
1143 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1144
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1145 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1146 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1147 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1148
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame^]1149 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1150 if( length > ( 1 << 20 ) * 16 )
1151 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1152
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1153 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1154 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1155 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1156 if( ret != 0 )
1157 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1158
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1159 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1160 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1161 size_t i;
1162
1163 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1164 {
1165 /* We are on the last block in a decrypt operation that has
1166 * leftover bytes, so we need to use the next tweak for this block,
1167 * and this tweak for the lefover bytes. Save the current tweak for
1168 * the leftovers and then update the current tweak for use on this,
1169 * the last full block. */
1170 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1171 mbedtls_gf128mul_x_ble( tweak, tweak );
1172 }
1173
1174 for( i = 0; i < 16; i++ )
1175 tmp[i] = input[i] ^ tweak[i];
1176
1177 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1178 if( ret != 0 )
1179 return( ret );
1180
1181 for( i = 0; i < 16; i++ )
1182 output[i] = tmp[i] ^ tweak[i];
1183
1184 /* Update the tweak for the next block. */
1185 mbedtls_gf128mul_x_ble( tweak, tweak );
1186
1187 output += 16;
1188 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1189 }
1190
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1191 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1192 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1193 /* If we are on the leftover bytes in a decrypt operation, we need to
1194 * use the previous tweak for these bytes (as saved in prev_tweak). */
1195 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1196
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1197 /* We are now on the final part of the data unit, which doesn't divide
1198 * evenly by 16. It's time for ciphertext stealing. */
1199 size_t i;
1200 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1201
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1202 /* Copy ciphertext bytes from the previous block to our output for each
1203 * byte of cyphertext we won't steal. At the same time, copy the
1204 * remainder of the input for this final round (since the loop bounds
1205 * are the same). */
1206 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1207 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1208 output[i] = prev_output[i];
1209 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1210 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1211
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1212 /* Copy ciphertext bytes from the previous block for input in this
1213 * round. */
1214 for( ; i < 16; i++ )
1215 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1216
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1217 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1218 if( ret != 0 )
1219 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1220
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1221 /* Write the result back to the previous block, overriding the previous
1222 * output we copied. */
1223 for( i = 0; i < 16; i++ )
1224 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1225 }
1226
1227 return( 0 );
1228}
1229#endif /* MBEDTLS_CIPHER_MODE_XTS */
1230
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1231#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1232/*
1233 * AES-CFB128 buffer encryption/decryption
1234 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1235int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1236 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1237 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1238 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1239 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1240 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1241 unsigned char *output )
1242{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1243 int c;
1244 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1245
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1246 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1247 {
1248 while( length-- )
1249 {
1250 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1251 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1252
1253 c = *input++;
1254 *output++ = (unsigned char)( c ^ iv[n] );
1255 iv[n] = (unsigned char) c;
1256
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1257 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 }
1259 }
1260 else
1261 {
1262 while( length-- )
1263 {
1264 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1265 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1266
1267 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1268
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1269 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1270 }
1271 }
1272
1273 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1274
1275 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1276}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1277
1278/*
1279 * AES-CFB8 buffer encryption/decryption
1280 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1281int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1282 int mode,
1283 size_t length,
1284 unsigned char iv[16],
1285 const unsigned char *input,
1286 unsigned char *output )
1287{
1288 unsigned char c;
1289 unsigned char ov[17];
1290
1291 while( length-- )
1292 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1293 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1294 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1295
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1296 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1297 ov[16] = *input;
1298
1299 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1301 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1302 ov[16] = c;
1303
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1304 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1305 }
1306
1307 return( 0 );
1308}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1309#endif /* MBEDTLS_CIPHER_MODE_CFB */
1310
1311#if defined(MBEDTLS_CIPHER_MODE_OFB)
1312/*
1313 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1314 */
1315int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1316 size_t length,
1317 size_t *iv_off,
1318 unsigned char iv[16],
1319 const unsigned char *input,
1320 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1321{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1322 int ret = 0;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1323 size_t n = *iv_off;
1324
1325 while( length-- )
1326 {
1327 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1328 {
1329 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1330 if( ret != 0 )
1331 goto exit;
1332 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1333 *output++ = *input++ ^ iv[n];
1334
1335 n = ( n + 1 ) & 0x0F;
1336 }
1337
1338 *iv_off = n;
1339
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1340exit:
1341 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1342}
1343#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1344
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1345#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1346/*
1347 * AES-CTR buffer encryption/decryption
1348 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1349int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1350 size_t length,
1351 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1352 unsigned char nonce_counter[16],
1353 unsigned char stream_block[16],
1354 const unsigned char *input,
1355 unsigned char *output )
1356{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1357 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1358 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1359
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1360 if ( n > 0x0F )
1361 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1362
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1363 while( length-- )
1364 {
1365 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1366 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1367
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1368 for( i = 16; i > 0; i-- )
1369 if( ++nonce_counter[i - 1] != 0 )
1370 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1371 }
1372 c = *input++;
1373 *output++ = (unsigned char)( c ^ stream_block[n] );
1374
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1375 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1376 }
1377
1378 *nc_off = n;
1379
1380 return( 0 );
1381}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1382#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1383
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1384#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1385
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1386#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1387/*
1388 * AES test vectors from:
1389 *
1390 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1391 */
1392static const unsigned char aes_test_ecb_dec[3][16] =
1393{
1394 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1395 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1396 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1397 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1398 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1399 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1400};
1401
1402static const unsigned char aes_test_ecb_enc[3][16] =
1403{
1404 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1405 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1406 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1407 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1408 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1409 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1410};
1411
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1412#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1413static const unsigned char aes_test_cbc_dec[3][16] =
1414{
1415 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1416 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1417 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1418 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1419 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1420 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1421};
1422
1423static const unsigned char aes_test_cbc_enc[3][16] =
1424{
1425 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1426 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1427 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1428 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1429 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1430 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1431};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1432#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1433
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1434#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1435/*
1436 * AES-CFB128 test vectors from:
1437 *
1438 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1439 */
1440static const unsigned char aes_test_cfb128_key[3][32] =
1441{
1442 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1443 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1444 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1445 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1446 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1447 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1448 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1449 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1450 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1451};
1452
1453static const unsigned char aes_test_cfb128_iv[16] =
1454{
1455 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1456 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1457};
1458
1459static const unsigned char aes_test_cfb128_pt[64] =
1460{
1461 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1462 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1463 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1464 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1465 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1466 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1467 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1468 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1469};
1470
1471static const unsigned char aes_test_cfb128_ct[3][64] =
1472{
1473 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1474 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1475 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1476 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1477 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1478 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1479 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1480 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1481 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1482 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1483 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1484 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1485 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1486 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1487 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1488 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1489 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1490 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1491 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1492 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1493 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1494 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1495 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1496 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1497};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1498#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1499
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1500#if defined(MBEDTLS_CIPHER_MODE_OFB)
1501/*
1502 * AES-OFB test vectors from:
1503 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1504 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1505 */
1506static const unsigned char aes_test_ofb_key[3][32] =
1507{
1508 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1509 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1510 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1511 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1512 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1513 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1514 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1515 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1516 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1517};
1518
1519static const unsigned char aes_test_ofb_iv[16] =
1520{
1521 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1522 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1523};
1524
1525static const unsigned char aes_test_ofb_pt[64] =
1526{
1527 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1528 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1529 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1530 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1531 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1532 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1533 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1534 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1535};
1536
1537static const unsigned char aes_test_ofb_ct[3][64] =
1538{
1539 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1540 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1541 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1542 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1543 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1544 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1545 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1546 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1547 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1548 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1549 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1550 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1551 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1552 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1553 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1554 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1555 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1556 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1557 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1558 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1559 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1560 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1561 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1562 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1563};
1564#endif /* MBEDTLS_CIPHER_MODE_OFB */
1565
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1566#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1567/*
1568 * AES-CTR test vectors from:
1569 *
1570 * http://www.faqs.org/rfcs/rfc3686.html
1571 */
1572
1573static const unsigned char aes_test_ctr_key[3][16] =
1574{
1575 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1576 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1577 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1578 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1579 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1580 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1581};
1582
1583static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1584{
1585 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1587 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1588 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1589 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1590 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1591};
1592
1593static const unsigned char aes_test_ctr_pt[3][48] =
1594{
1595 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1596 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1597
1598 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1599 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1600 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1601 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1602
1603 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1604 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1605 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1606 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1607 0x20, 0x21, 0x22, 0x23 }
1608};
1609
1610static const unsigned char aes_test_ctr_ct[3][48] =
1611{
1612 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1613 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1614 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1615 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1616 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1617 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1618 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1619 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1620 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1621 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1622 0x25, 0xB2, 0x07, 0x2F }
1623};
1624
1625static const int aes_test_ctr_len[3] =
1626 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1627#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1628
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1629#if defined(MBEDTLS_CIPHER_MODE_XTS)
1630/*
1631 * AES-XTS test vectors from:
1632 *
1633 * IEEE P1619/D16 Annex B
1634 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1635 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1636 */
1637static const unsigned char aes_test_xts_key[][32] =
1638{
1639 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1640 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1641 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1643 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1644 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1645 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1646 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1647 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1648 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1649 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1650 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1651};
1652
1653static const unsigned char aes_test_xts_pt32[][32] =
1654{
1655 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1659 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1660 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1661 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1662 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1663 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1664 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1665 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1666 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1667};
1668
1669static const unsigned char aes_test_xts_ct32[][32] =
1670{
1671 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1672 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1673 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1674 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1675 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1676 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1677 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1678 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1679 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1680 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1681 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1682 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1683};
1684
1685static const unsigned char aes_test_xts_data_unit[][16] =
1686{
1687 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1689 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1691 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1693};
1694
1695#endif /* MBEDTLS_CIPHER_MODE_XTS */
1696
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1697/*
1698 * Checkup routine
1699 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1700int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1701{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1702 int ret = 0, i, j, u, mode;
1703 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1704 unsigned char key[32];
1705 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1706 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1707#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1708 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1709#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1710#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1711 unsigned char prv[16];
1712#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1713#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1714 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1715 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1716#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1717#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1718 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1719#endif
1720#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1721 unsigned char nonce_counter[16];
1722 unsigned char stream_block[16];
1723#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1724 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1725
1726 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1727 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1728
1729 /*
1730 * ECB mode
1731 */
1732 for( i = 0; i < 6; i++ )
1733 {
1734 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1735 keybits = 128 + u * 64;
1736 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1737
1738 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1739 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1740 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1741
1742 memset( buf, 0, 16 );
1743
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1744 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1745 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1746 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1747 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1748 }
1749 else
1750 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1751 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1752 aes_tests = aes_test_ecb_enc[u];
1753 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1754
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1755 /*
1756 * AES-192 is an optional feature that may be unavailable when
1757 * there is an alternative underlying implementation i.e. when
1758 * MBEDTLS_AES_ALT is defined.
1759 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1760 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1761 {
1762 mbedtls_printf( "skipped\n" );
1763 continue;
1764 }
1765 else if( ret != 0 )
1766 {
1767 goto exit;
1768 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1769
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1770 for( j = 0; j < 10000; j++ )
1771 {
1772 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1773 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1774 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1775 }
1776
1777 if( memcmp( buf, aes_tests, 16 ) != 0 )
1778 {
1779 ret = 1;
1780 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1781 }
1782
1783 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1784 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1785 }
1786
1787 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1788 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1789
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1790#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1791 /*
1792 * CBC mode
1793 */
1794 for( i = 0; i < 6; i++ )
1795 {
1796 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1797 keybits = 128 + u * 64;
1798 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1799
1800 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1801 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1802 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1803
1804 memset( iv , 0, 16 );
1805 memset( prv, 0, 16 );
1806 memset( buf, 0, 16 );
1807
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1808 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1810 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1811 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1812 }
1813 else
1814 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1815 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1816 aes_tests = aes_test_cbc_enc[u];
1817 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1818
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1819 /*
1820 * AES-192 is an optional feature that may be unavailable when
1821 * there is an alternative underlying implementation i.e. when
1822 * MBEDTLS_AES_ALT is defined.
1823 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1824 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1825 {
1826 mbedtls_printf( "skipped\n" );
1827 continue;
1828 }
1829 else if( ret != 0 )
1830 {
1831 goto exit;
1832 }
1833
1834 for( j = 0; j < 10000; j++ )
1835 {
1836 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1837 {
1838 unsigned char tmp[16];
1839
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1840 memcpy( tmp, prv, 16 );
1841 memcpy( prv, buf, 16 );
1842 memcpy( buf, tmp, 16 );
1843 }
1844
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1845 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1846 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1847 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1848
1849 }
1850
1851 if( memcmp( buf, aes_tests, 16 ) != 0 )
1852 {
1853 ret = 1;
1854 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855 }
1856
1857 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859 }
1860
1861 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1862 mbedtls_printf( "\n" );
1863#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1865#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1866 /*
1867 * CFB128 mode
1868 */
1869 for( i = 0; i < 6; i++ )
1870 {
1871 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1872 keybits = 128 + u * 64;
1873 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1874
1875 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1876 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1877 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878
1879 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1880 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881
1882 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1883 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1884 /*
1885 * AES-192 is an optional feature that may be unavailable when
1886 * there is an alternative underlying implementation i.e. when
1887 * MBEDTLS_AES_ALT is defined.
1888 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1889 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1890 {
1891 mbedtls_printf( "skipped\n" );
1892 continue;
1893 }
1894 else if( ret != 0 )
1895 {
1896 goto exit;
1897 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1899 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900 {
1901 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1902 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903 }
1904 else
1905 {
1906 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1907 aes_tests = aes_test_cfb128_ct[u];
1908 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1910 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1911 if( ret != 0 )
1912 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1913
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1914 if( memcmp( buf, aes_tests, 64 ) != 0 )
1915 {
1916 ret = 1;
1917 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918 }
1919
1920 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1921 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922 }
1923
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1924 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1925 mbedtls_printf( "\n" );
1926#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1927
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1928#if defined(MBEDTLS_CIPHER_MODE_OFB)
1929 /*
1930 * OFB mode
1931 */
1932 for( i = 0; i < 6; i++ )
1933 {
1934 u = i >> 1;
1935 keybits = 128 + u * 64;
1936 mode = i & 1;
1937
1938 if( verbose != 0 )
1939 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
1940 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1941
1942 memcpy( iv, aes_test_ofb_iv, 16 );
1943 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1944
1945 offset = 0;
1946 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1947 /*
1948 * AES-192 is an optional feature that may be unavailable when
1949 * there is an alternative underlying implementation i.e. when
1950 * MBEDTLS_AES_ALT is defined.
1951 */
1952 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1953 {
1954 mbedtls_printf( "skipped\n" );
1955 continue;
1956 }
1957 else if( ret != 0 )
1958 {
1959 goto exit;
1960 }
1961
1962 if( mode == MBEDTLS_AES_DECRYPT )
1963 {
1964 memcpy( buf, aes_test_ofb_ct[u], 64 );
1965 aes_tests = aes_test_ofb_pt;
1966 }
1967 else
1968 {
1969 memcpy( buf, aes_test_ofb_pt, 64 );
1970 aes_tests = aes_test_ofb_ct[u];
1971 }
1972
1973 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1974 if( ret != 0 )
1975 goto exit;
1976
1977 if( memcmp( buf, aes_tests, 64 ) != 0 )
1978 {
1979 ret = 1;
1980 goto exit;
1981 }
1982
1983 if( verbose != 0 )
1984 mbedtls_printf( "passed\n" );
1985 }
1986
1987 if( verbose != 0 )
1988 mbedtls_printf( "\n" );
1989#endif /* MBEDTLS_CIPHER_MODE_OFB */
1990
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1991#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1992 /*
1993 * CTR mode
1994 */
1995 for( i = 0; i < 6; i++ )
1996 {
1997 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1998 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1999
2000 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2001 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2002 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2003
2004 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2005 memcpy( key, aes_test_ctr_key[u], 16 );
2006
2007 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2008 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2009 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2010
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2011 len = aes_test_ctr_len[u];
2012
2013 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2014 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2015 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2016 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2017 }
2018 else
2019 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2020 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2021 aes_tests = aes_test_ctr_ct[u];
2022 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2023
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2024 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2025 stream_block, buf, buf );
2026 if( ret != 0 )
2027 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2028
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2029 if( memcmp( buf, aes_tests, len ) != 0 )
2030 {
2031 ret = 1;
2032 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2033 }
2034
2035 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2036 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2037 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2038
2039 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2040 mbedtls_printf( "\n" );
2041#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2042
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2043#if defined(MBEDTLS_CIPHER_MODE_XTS)
2044 {
2045 static const int num_tests =
2046 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2047 mbedtls_aes_xts_context ctx_xts;
2048
2049 /*
2050 * XTS mode
2051 */
2052 mbedtls_aes_xts_init( &ctx_xts );
2053
2054 for( i = 0; i < num_tests << 1; i++ )
2055 {
2056 const unsigned char *data_unit;
2057 u = i >> 1;
2058 mode = i & 1;
2059
2060 if( verbose != 0 )
2061 mbedtls_printf( " AES-XTS-128 (%s): ",
2062 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2063
2064 memset( key, 0, sizeof( key ) );
2065 memcpy( key, aes_test_xts_key[u], 32 );
2066 data_unit = aes_test_xts_data_unit[u];
2067
2068 len = sizeof( *aes_test_xts_ct32 );
2069
2070 if( mode == MBEDTLS_AES_DECRYPT )
2071 {
2072 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2073 if( ret != 0)
2074 goto exit;
2075 memcpy( buf, aes_test_xts_ct32[u], len );
2076 aes_tests = aes_test_xts_pt32[u];
2077 }
2078 else
2079 {
2080 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2081 if( ret != 0)
2082 goto exit;
2083 memcpy( buf, aes_test_xts_pt32[u], len );
2084 aes_tests = aes_test_xts_ct32[u];
2085 }
2086
2087
2088 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2089 buf, buf );
2090 if( ret != 0 )
2091 goto exit;
2092
2093 if( memcmp( buf, aes_tests, len ) != 0 )
2094 {
2095 ret = 1;
2096 goto exit;
2097 }
2098
2099 if( verbose != 0 )
2100 mbedtls_printf( "passed\n" );
2101 }
2102
2103 if( verbose != 0 )
2104 mbedtls_printf( "\n" );
2105
2106 mbedtls_aes_xts_free( &ctx_xts );
2107 }
2108#endif /* MBEDTLS_CIPHER_MODE_XTS */
2109
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2110 ret = 0;
2111
2112exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2113 if( ret != 0 && verbose != 0 )
2114 mbedtls_printf( "failed\n" );
2115
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2116 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2117
2118 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2119}
2120
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2121#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2122
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2123#endif /* MBEDTLS_AES_C */