TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 13b8a267303af716bb05ab20c900c90677c7fa7c / . / library / aes.c
blob: 2e5c302f94d8de9e2e26f0e400ac10c10427c8ba [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
225/*
226 * Reverse S-box
227 */
228static const unsigned char RSb[256] =
229{
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262};
263
264/*
265 * Reverse tables
266 */
267#define RT \
268\
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
333
334#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]335static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336#undef V
337
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]338#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]339
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]341static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342#undef V
343
344#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346#undef V
347
348#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350#undef V
351
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]352#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]353
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef RT
355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360{
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
364};
365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368/*
369 * Forward S-box & tables
370 */
371static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]372static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]373#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]374static uint32_t FT1[256];
375static uint32_t FT2[256];
376static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378
379/*
380 * Reverse S-box & tables
381 */
382static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]383static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]384#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]385static uint32_t RT1[256];
386static uint32_t RT2[256];
387static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]388#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Round constants
392 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]393static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394
395/*
396 * Tables generation code
397 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]398#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
399#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]400#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401
402static int aes_init_done = 0;
403
404static void aes_gen_tables( void )
405{
406 int i, x, y, z;
407 int pow[256];
408 int log[256];
409
410 /*
411 * compute pow and log tables over GF(2^8)
412 */
413 for( i = 0, x = 1; i < 256; i++ )
414 {
415 pow[i] = x;
416 log[x] = i;
417 x = ( x ^ XTIME( x ) ) & 0xFF;
418 }
419
420 /*
421 * calculate the round constants
422 */
423 for( i = 0, x = 1; i < 10; i++ )
424 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]425 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426 x = XTIME( x ) & 0xFF;
427 }
428
429 /*
430 * generate the forward and reverse S-boxes
431 */
432 FSb[0x00] = 0x63;
433 RSb[0x63] = 0x00;
434
435 for( i = 1; i < 256; i++ )
436 {
437 x = pow[255 - log[i]];
438
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 x ^= y ^ 0x63;
444
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
447 }
448
449 /*
450 * generate the forward and reverse tables
451 */
452 for( i = 0; i < 256; i++ )
453 {
454 x = FSb[i];
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
457
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]463#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]467#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469 x = RSb[i];
470
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]476#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]480#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 }
482}
483
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484#undef ROTL8
485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
490#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
493
494#define AES_RT0(idx) RT0[idx]
495#define AES_RT1(idx) ROTL8( RT0[idx] )
496#define AES_RT2(idx) ROTL16( RT0[idx] )
497#define AES_RT3(idx) ROTL24( RT0[idx] )
498
499#define AES_FT0(idx) FT0[idx]
500#define AES_FT1(idx) ROTL8( FT0[idx] )
501#define AES_FT2(idx) ROTL16( FT0[idx] )
502#define AES_FT3(idx) ROTL24( FT0[idx] )
503
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]504#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) RT1[idx]
508#define AES_RT2(idx) RT2[idx]
509#define AES_RT3(idx) RT3[idx]
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) FT1[idx]
513#define AES_FT2(idx) FT2[idx]
514#define AES_FT3(idx) FT3[idx]
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]518void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]519{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]520 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523}
524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526{
527 if( ctx == NULL )
528 return;
529
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531}
532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533#if defined(MBEDTLS_CIPHER_MODE_XTS)
534void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
535{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]536 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
540}
541
542void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
543{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]544 if( ctx == NULL )
545 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]547 mbedtls_aes_free( &ctx->crypt );
548 mbedtls_aes_free( &ctx->tweak );
549}
550#endif /* MBEDTLS_CIPHER_MODE_XTS */
551
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552/*
553 * AES key schedule (encryption)
554 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]555#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]557 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]559 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]560 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]562 AES_VALIDATE_RET( ctx != NULL );
563 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]565 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 {
567 case 128: ctx->nr = 10; break;
568 case 192: ctx->nr = 12; break;
569 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 }
572
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573#if !defined(MBEDTLS_AES_ROM_TABLES)
574 if( aes_init_done == 0 )
575 {
576 aes_gen_tables();
577 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]578 }
579#endif
580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]583 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584
585 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]587 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]589 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]591#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]592 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]593 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]594#endif
595
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]596 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]598 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599 }
600
601 switch( ctx->nr )
602 {
603 case 10:
604
605 for( i = 0; i < 10; i++, RK += 4 )
606 {
607 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]608 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
609 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
611 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612
613 RK[5] = RK[1] ^ RK[4];
614 RK[6] = RK[2] ^ RK[5];
615 RK[7] = RK[3] ^ RK[6];
616 }
617 break;
618
619 case 12:
620
621 for( i = 0; i < 8; i++, RK += 6 )
622 {
623 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]624 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
625 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
627 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]628
629 RK[7] = RK[1] ^ RK[6];
630 RK[8] = RK[2] ^ RK[7];
631 RK[9] = RK[3] ^ RK[8];
632 RK[10] = RK[4] ^ RK[9];
633 RK[11] = RK[5] ^ RK[10];
634 }
635 break;
636
637 case 14:
638
639 for( i = 0; i < 7; i++, RK += 8 )
640 {
641 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]642 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
643 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
645 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646
647 RK[9] = RK[1] ^ RK[8];
648 RK[10] = RK[2] ^ RK[9];
649 RK[11] = RK[3] ^ RK[10];
650
651 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]652 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
653 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]656
657 RK[13] = RK[5] ^ RK[12];
658 RK[14] = RK[6] ^ RK[13];
659 RK[15] = RK[7] ^ RK[14];
660 }
661 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]663
664 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667
668/*
669 * AES key schedule (decryption)
670 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]671#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]672int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]673 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]675 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]676 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 uint32_t *RK;
678 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]679
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]680 AES_VALIDATE_RET( ctx != NULL );
681 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]683 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688
689 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]691 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]693 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]695 /* Also checks keybits */
696 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]697 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]698
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]699 ctx->nr = cty.nr;
700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]702 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]703 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]704 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]705 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]706 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]707 }
708#endif
709
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 SK = cty.rk + cty.nr * 4;
711
712 *RK++ = *SK++;
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716
717 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
718 {
719 for( j = 0; j < 4; j++, SK++ )
720 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]721 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
722 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
723 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
724 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]725 }
726 }
727
728 *RK++ = *SK++;
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]733exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]734 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]735
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]736 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]737}
gabor-mezei-arm13b8a262020-10-26 11:35:23 +0100[diff] [blame^]738#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]739
740#if defined(MBEDTLS_CIPHER_MODE_XTS)
741static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
742 unsigned int keybits,
743 const unsigned char **key1,
744 unsigned int *key1bits,
745 const unsigned char **key2,
746 unsigned int *key2bits )
747{
748 const unsigned int half_keybits = keybits / 2;
749 const unsigned int half_keybytes = half_keybits / 8;
750
751 switch( keybits )
752 {
753 case 256: break;
754 case 512: break;
755 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
756 }
757
758 *key1bits = half_keybits;
759 *key2bits = half_keybits;
760 *key1 = &key[0];
761 *key2 = &key[half_keybytes];
762
763 return 0;
764}
765
766int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
767 const unsigned char *key,
768 unsigned int keybits)
769{
770 int ret;
771 const unsigned char *key1, *key2;
772 unsigned int key1bits, key2bits;
773
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]774 AES_VALIDATE_RET( ctx != NULL );
775 AES_VALIDATE_RET( key != NULL );
776
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]777 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
778 &key2, &key2bits );
779 if( ret != 0 )
780 return( ret );
781
782 /* Set the tweak key. Always set tweak key for the encryption mode. */
783 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
784 if( ret != 0 )
785 return( ret );
786
787 /* Set crypt key for encryption. */
788 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
789}
790
791int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
792 const unsigned char *key,
793 unsigned int keybits)
794{
795 int ret;
796 const unsigned char *key1, *key2;
797 unsigned int key1bits, key2bits;
798
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]799 AES_VALIDATE_RET( ctx != NULL );
800 AES_VALIDATE_RET( key != NULL );
801
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
803 &key2, &key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set the tweak key. Always set tweak key for encryption. */
808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
809 if( ret != 0 )
810 return( ret );
811
812 /* Set crypt key for decryption. */
813 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
814}
815#endif /* MBEDTLS_CIPHER_MODE_XTS */
816
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]817#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
818 do \
819 { \
820 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
821 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
822 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
823 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
824 \
825 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
826 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
827 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
828 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
829 \
830 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
831 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
832 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
833 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
834 \
835 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
836 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
837 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
838 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
839 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]840
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]841#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
842 do \
843 { \
844 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
845 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
846 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
847 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
848 \
849 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
850 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
851 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
852 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
853 \
854 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
855 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
856 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
857 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
858 \
859 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
860 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
861 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
862 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
863 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864
865/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]866 * AES-ECB block encryption
867 */
868#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]869int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
870 const unsigned char input[16],
871 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]872{
873 int i;
874 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
875
876 RK = ctx->rk;
877
878 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
879 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
880 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
881 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
882
883 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
884 {
885 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
886 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
887 }
888
889 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
890
891 X0 = *RK++ ^ \
892 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
893 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
894 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
895 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
896
897 X1 = *RK++ ^ \
898 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
899 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
900 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
901 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
902
903 X2 = *RK++ ^ \
904 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
905 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
906 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
907 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
908
909 X3 = *RK++ ^ \
910 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
911 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
912 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
913 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
914
915 PUT_UINT32_LE( X0, output, 0 );
916 PUT_UINT32_LE( X1, output, 4 );
917 PUT_UINT32_LE( X2, output, 8 );
918 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]919
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]920 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
921 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
922 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
923 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
924
925 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
926 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
927 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
928 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
929
930 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
931
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]932 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]933}
934#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
935
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]936#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]937void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
938 const unsigned char input[16],
939 unsigned char output[16] )
940{
941 mbedtls_internal_aes_encrypt( ctx, input, output );
942}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]943#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]944
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]945/*
946 * AES-ECB block decryption
947 */
948#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]949int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
950 const unsigned char input[16],
951 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]952{
953 int i;
954 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
955
956 RK = ctx->rk;
957
958 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
959 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
960 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
961 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
962
963 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
964 {
965 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
966 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
967 }
968
969 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
970
971 X0 = *RK++ ^ \
972 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
973 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
974 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
975 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
976
977 X1 = *RK++ ^ \
978 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
979 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
980 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
981 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
982
983 X2 = *RK++ ^ \
984 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
985 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
986 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
987 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
988
989 X3 = *RK++ ^ \
990 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
991 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
992 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
993 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
994
995 PUT_UINT32_LE( X0, output, 0 );
996 PUT_UINT32_LE( X1, output, 4 );
997 PUT_UINT32_LE( X2, output, 8 );
998 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]999
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]1000 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
1001 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1002 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1003 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1004
1005 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1006 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1007 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1008 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1009
1010 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1011
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1012 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1013}
1014#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1015
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1016#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1017void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1018 const unsigned char input[16],
1019 unsigned char output[16] )
1020{
1021 mbedtls_internal_aes_decrypt( ctx, input, output );
1022}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1023#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1024
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1025/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1026 * AES-ECB block encryption/decryption
1027 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1028int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1029 int mode,
1030 const unsigned char input[16],
1031 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1032{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1033 AES_VALIDATE_RET( ctx != NULL );
1034 AES_VALIDATE_RET( input != NULL );
1035 AES_VALIDATE_RET( output != NULL );
1036 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1037 mode == MBEDTLS_AES_DECRYPT );
1038
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1040 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1042#endif
1043
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1044#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1045 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1046 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1047 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1048 return( 0 );
1049
1050 // If padlock data misaligned, we just fall back to
1051 // unaccelerated mode
1052 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1053 }
1054#endif
1055
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1056 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1057 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1058 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1059 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1060}
1061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063/*
1064 * AES-CBC buffer encryption/decryption
1065 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1067 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1068 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1070 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1071 unsigned char *output )
1072{
1073 int i;
1074 unsigned char temp[16];
1075
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1076 AES_VALIDATE_RET( ctx != NULL );
1077 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1078 mode == MBEDTLS_AES_DECRYPT );
1079 AES_VALIDATE_RET( iv != NULL );
1080 AES_VALIDATE_RET( input != NULL );
1081 AES_VALIDATE_RET( output != NULL );
1082
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1083 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1084 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1085
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1086#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1087 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1088 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1089 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1090 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1091
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1092 // If padlock data misaligned, we just fall back to
1093 // unaccelerated mode
1094 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095 }
1096#endif
1097
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1098 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1099 {
1100 while( length > 0 )
1101 {
1102 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1103 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1104
1105 for( i = 0; i < 16; i++ )
1106 output[i] = (unsigned char)( output[i] ^ iv[i] );
1107
1108 memcpy( iv, temp, 16 );
1109
1110 input += 16;
1111 output += 16;
1112 length -= 16;
1113 }
1114 }
1115 else
1116 {
1117 while( length > 0 )
1118 {
1119 for( i = 0; i < 16; i++ )
1120 output[i] = (unsigned char)( input[i] ^ iv[i] );
1121
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1122 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1123 memcpy( iv, output, 16 );
1124
1125 input += 16;
1126 output += 16;
1127 length -= 16;
1128 }
1129 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1130
1131 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1132}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1133#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1134
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1135#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1136
1137/* Endianess with 64 bits values */
1138#ifndef GET_UINT64_LE
1139#define GET_UINT64_LE(n,b,i) \
1140{ \
1141 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1142 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1143 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1144 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1145 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1146 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1147 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1148 | ( (uint64_t) (b)[(i) ] ); \
1149}
1150#endif
1151
1152#ifndef PUT_UINT64_LE
1153#define PUT_UINT64_LE(n,b,i) \
1154{ \
1155 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1156 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1157 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1158 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1159 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1160 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1161 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1162 (b)[(i) ] = (unsigned char) ( (n) ); \
1163}
1164#endif
1165
1166typedef unsigned char mbedtls_be128[16];
1167
1168/*
1169 * GF(2^128) multiplication function
1170 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1171 * This function multiplies a field element by x in the polynomial field
1172 * representation. It uses 64-bit word operations to gain speed but compensates
1173 * for machine endianess and hence works correctly on both big and little
1174 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1175 */
1176static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1177 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1178{
1179 uint64_t a, b, ra, rb;
1180
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1181 GET_UINT64_LE( a, x, 0 );
1182 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1183
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1184 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1185 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1186
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1187 PUT_UINT64_LE( ra, r, 0 );
1188 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1189}
1190
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1191/*
1192 * AES-XTS buffer encryption/decryption
1193 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1194int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1195 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1196 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1197 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1198 const unsigned char *input,
1199 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1200{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1201 int ret;
1202 size_t blocks = length / 16;
1203 size_t leftover = length % 16;
1204 unsigned char tweak[16];
1205 unsigned char prev_tweak[16];
1206 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1207
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1208 AES_VALIDATE_RET( ctx != NULL );
1209 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1210 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1211 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1212 AES_VALIDATE_RET( input != NULL );
1213 AES_VALIDATE_RET( output != NULL );
1214
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1215 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1216 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1217 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1218
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1219 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1220 if( length > ( 1 << 20 ) * 16 )
1221 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1222
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1223 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1224 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1225 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1226 if( ret != 0 )
1227 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1228
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1229 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1230 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1231 size_t i;
1232
1233 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1234 {
1235 /* We are on the last block in a decrypt operation that has
1236 * leftover bytes, so we need to use the next tweak for this block,
1237 * and this tweak for the lefover bytes. Save the current tweak for
1238 * the leftovers and then update the current tweak for use on this,
1239 * the last full block. */
1240 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1241 mbedtls_gf128mul_x_ble( tweak, tweak );
1242 }
1243
1244 for( i = 0; i < 16; i++ )
1245 tmp[i] = input[i] ^ tweak[i];
1246
1247 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1248 if( ret != 0 )
1249 return( ret );
1250
1251 for( i = 0; i < 16; i++ )
1252 output[i] = tmp[i] ^ tweak[i];
1253
1254 /* Update the tweak for the next block. */
1255 mbedtls_gf128mul_x_ble( tweak, tweak );
1256
1257 output += 16;
1258 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1259 }
1260
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1261 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1262 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1263 /* If we are on the leftover bytes in a decrypt operation, we need to
1264 * use the previous tweak for these bytes (as saved in prev_tweak). */
1265 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1266
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1267 /* We are now on the final part of the data unit, which doesn't divide
1268 * evenly by 16. It's time for ciphertext stealing. */
1269 size_t i;
1270 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1271
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1272 /* Copy ciphertext bytes from the previous block to our output for each
1273 * byte of cyphertext we won't steal. At the same time, copy the
1274 * remainder of the input for this final round (since the loop bounds
1275 * are the same). */
1276 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1277 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1278 output[i] = prev_output[i];
1279 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1280 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1281
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1282 /* Copy ciphertext bytes from the previous block for input in this
1283 * round. */
1284 for( ; i < 16; i++ )
1285 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1286
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1287 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1288 if( ret != 0 )
1289 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1290
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1291 /* Write the result back to the previous block, overriding the previous
1292 * output we copied. */
1293 for( i = 0; i < 16; i++ )
1294 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1295 }
1296
1297 return( 0 );
1298}
1299#endif /* MBEDTLS_CIPHER_MODE_XTS */
1300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1301#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302/*
1303 * AES-CFB128 buffer encryption/decryption
1304 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1305int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1306 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1307 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1308 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1309 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1310 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1311 unsigned char *output )
1312{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1313 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1314 size_t n;
1315
1316 AES_VALIDATE_RET( ctx != NULL );
1317 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1318 mode == MBEDTLS_AES_DECRYPT );
1319 AES_VALIDATE_RET( iv_off != NULL );
1320 AES_VALIDATE_RET( iv != NULL );
1321 AES_VALIDATE_RET( input != NULL );
1322 AES_VALIDATE_RET( output != NULL );
1323
1324 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1326 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1327 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1328
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1329 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330 {
1331 while( length-- )
1332 {
1333 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1334 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1335
1336 c = *input++;
1337 *output++ = (unsigned char)( c ^ iv[n] );
1338 iv[n] = (unsigned char) c;
1339
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1340 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1341 }
1342 }
1343 else
1344 {
1345 while( length-- )
1346 {
1347 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1348 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1349
1350 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1351
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1352 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1353 }
1354 }
1355
1356 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1357
1358 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1359}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1360
1361/*
1362 * AES-CFB8 buffer encryption/decryption
1363 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1364int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1365 int mode,
1366 size_t length,
1367 unsigned char iv[16],
1368 const unsigned char *input,
1369 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1370{
1371 unsigned char c;
1372 unsigned char ov[17];
1373
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1374 AES_VALIDATE_RET( ctx != NULL );
1375 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1376 mode == MBEDTLS_AES_DECRYPT );
1377 AES_VALIDATE_RET( iv != NULL );
1378 AES_VALIDATE_RET( input != NULL );
1379 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1380 while( length-- )
1381 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1382 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1383 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1385 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1386 ov[16] = *input;
1387
1388 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1389
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1390 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1391 ov[16] = c;
1392
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1393 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1394 }
1395
1396 return( 0 );
1397}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1398#endif /* MBEDTLS_CIPHER_MODE_CFB */
1399
1400#if defined(MBEDTLS_CIPHER_MODE_OFB)
1401/*
1402 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1403 */
1404int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1405 size_t length,
1406 size_t *iv_off,
1407 unsigned char iv[16],
1408 const unsigned char *input,
1409 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1410{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1411 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1412 size_t n;
1413
1414 AES_VALIDATE_RET( ctx != NULL );
1415 AES_VALIDATE_RET( iv_off != NULL );
1416 AES_VALIDATE_RET( iv != NULL );
1417 AES_VALIDATE_RET( input != NULL );
1418 AES_VALIDATE_RET( output != NULL );
1419
1420 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1421
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1422 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1423 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1424
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1425 while( length-- )
1426 {
1427 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1428 {
1429 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1430 if( ret != 0 )
1431 goto exit;
1432 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1433 *output++ = *input++ ^ iv[n];
1434
1435 n = ( n + 1 ) & 0x0F;
1436 }
1437
1438 *iv_off = n;
1439
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1440exit:
1441 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1442}
1443#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1444
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1445#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1446/*
1447 * AES-CTR buffer encryption/decryption
1448 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1449int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1450 size_t length,
1451 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1452 unsigned char nonce_counter[16],
1453 unsigned char stream_block[16],
1454 const unsigned char *input,
1455 unsigned char *output )
1456{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1457 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1458 size_t n;
1459
1460 AES_VALIDATE_RET( ctx != NULL );
1461 AES_VALIDATE_RET( nc_off != NULL );
1462 AES_VALIDATE_RET( nonce_counter != NULL );
1463 AES_VALIDATE_RET( stream_block != NULL );
1464 AES_VALIDATE_RET( input != NULL );
1465 AES_VALIDATE_RET( output != NULL );
1466
1467 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1468
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1469 if ( n > 0x0F )
1470 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1471
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1472 while( length-- )
1473 {
1474 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1475 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1476
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1477 for( i = 16; i > 0; i-- )
1478 if( ++nonce_counter[i - 1] != 0 )
1479 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1480 }
1481 c = *input++;
1482 *output++ = (unsigned char)( c ^ stream_block[n] );
1483
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1484 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1485 }
1486
1487 *nc_off = n;
1488
1489 return( 0 );
1490}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1492
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1493#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1494
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1495#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1496/*
1497 * AES test vectors from:
1498 *
1499 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1500 */
1501static const unsigned char aes_test_ecb_dec[3][16] =
1502{
1503 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1504 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1505 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1506 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1507 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1508 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1509};
1510
1511static const unsigned char aes_test_ecb_enc[3][16] =
1512{
1513 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1514 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1515 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1516 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1517 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1518 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1519};
1520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1521#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522static const unsigned char aes_test_cbc_dec[3][16] =
1523{
1524 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1525 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1526 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1527 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1528 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1529 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1530};
1531
1532static const unsigned char aes_test_cbc_enc[3][16] =
1533{
1534 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1535 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1536 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1537 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1538 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1539 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1540};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1541#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544/*
1545 * AES-CFB128 test vectors from:
1546 *
1547 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1548 */
1549static const unsigned char aes_test_cfb128_key[3][32] =
1550{
1551 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1552 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1553 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1554 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1555 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1556 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1557 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1558 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1559 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1560};
1561
1562static const unsigned char aes_test_cfb128_iv[16] =
1563{
1564 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1565 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1566};
1567
1568static const unsigned char aes_test_cfb128_pt[64] =
1569{
1570 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1571 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1572 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1573 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1574 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1575 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1576 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1577 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1578};
1579
1580static const unsigned char aes_test_cfb128_ct[3][64] =
1581{
1582 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1583 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1584 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1585 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1586 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1587 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1588 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1589 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1590 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1591 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1592 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1593 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1594 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1595 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1596 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1597 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1598 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1599 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1600 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1601 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1602 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1603 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1604 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1605 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1606};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1607#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1608
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1609#if defined(MBEDTLS_CIPHER_MODE_OFB)
1610/*
1611 * AES-OFB test vectors from:
1612 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1613 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1614 */
1615static const unsigned char aes_test_ofb_key[3][32] =
1616{
1617 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1618 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1619 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1620 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1621 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1622 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1623 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1624 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1625 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1626};
1627
1628static const unsigned char aes_test_ofb_iv[16] =
1629{
1630 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1631 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1632};
1633
1634static const unsigned char aes_test_ofb_pt[64] =
1635{
1636 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1637 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1638 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1639 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1640 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1641 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1642 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1643 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1644};
1645
1646static const unsigned char aes_test_ofb_ct[3][64] =
1647{
1648 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1649 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1650 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1651 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1652 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1653 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1654 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1655 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1656 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1657 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1658 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1659 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1660 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1661 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1662 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1663 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1664 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1665 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1666 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1667 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1668 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1669 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1670 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1671 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1672};
1673#endif /* MBEDTLS_CIPHER_MODE_OFB */
1674
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1675#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1676/*
1677 * AES-CTR test vectors from:
1678 *
1679 * http://www.faqs.org/rfcs/rfc3686.html
1680 */
1681
1682static const unsigned char aes_test_ctr_key[3][16] =
1683{
1684 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1685 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1686 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1687 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1688 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1689 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1690};
1691
1692static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1693{
1694 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1695 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1696 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1697 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1698 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1699 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1700};
1701
1702static const unsigned char aes_test_ctr_pt[3][48] =
1703{
1704 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1705 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1706
1707 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1708 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1709 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1710 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1711
1712 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1713 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1714 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1715 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1716 0x20, 0x21, 0x22, 0x23 }
1717};
1718
1719static const unsigned char aes_test_ctr_ct[3][48] =
1720{
1721 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1722 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1723 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1724 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1725 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1726 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1727 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1728 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1729 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1730 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1731 0x25, 0xB2, 0x07, 0x2F }
1732};
1733
1734static const int aes_test_ctr_len[3] =
1735 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1736#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1737
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1738#if defined(MBEDTLS_CIPHER_MODE_XTS)
1739/*
1740 * AES-XTS test vectors from:
1741 *
1742 * IEEE P1619/D16 Annex B
1743 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1744 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1745 */
1746static const unsigned char aes_test_xts_key[][32] =
1747{
1748 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1749 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1750 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1751 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1752 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1753 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1754 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1755 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1756 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1757 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1758 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1759 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1760};
1761
1762static const unsigned char aes_test_xts_pt32[][32] =
1763{
1764 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1768 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1769 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1770 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1771 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1772 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1773 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1774 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1775 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1776};
1777
1778static const unsigned char aes_test_xts_ct32[][32] =
1779{
1780 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1781 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1782 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1783 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1784 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1785 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1786 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1787 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1788 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1789 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1790 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1791 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1792};
1793
1794static const unsigned char aes_test_xts_data_unit[][16] =
1795{
1796 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1797 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1798 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1799 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1800 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1802};
1803
1804#endif /* MBEDTLS_CIPHER_MODE_XTS */
1805
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1806/*
1807 * Checkup routine
1808 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1809int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1810{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1811 int ret = 0, i, j, u, mode;
1812 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1813 unsigned char key[32];
1814 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1815 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1816#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1818#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1819#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1820 unsigned char prv[16];
1821#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1822#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1823 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1824 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1825#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1826#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1827 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1828#endif
1829#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1830 unsigned char nonce_counter[16];
1831 unsigned char stream_block[16];
1832#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1833 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1834
1835 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1836 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1837
1838 /*
1839 * ECB mode
1840 */
1841 for( i = 0; i < 6; i++ )
1842 {
1843 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1844 keybits = 128 + u * 64;
1845 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1846
1847 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1848 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1849 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1850
1851 memset( buf, 0, 16 );
1852
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1853 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1854 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1855 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1856 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857 }
1858 else
1859 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1860 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1861 aes_tests = aes_test_ecb_enc[u];
1862 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1863
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1864 /*
1865 * AES-192 is an optional feature that may be unavailable when
1866 * there is an alternative underlying implementation i.e. when
1867 * MBEDTLS_AES_ALT is defined.
1868 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1869 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1870 {
1871 mbedtls_printf( "skipped\n" );
1872 continue;
1873 }
1874 else if( ret != 0 )
1875 {
1876 goto exit;
1877 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1879 for( j = 0; j < 10000; j++ )
1880 {
1881 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1882 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1883 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1884 }
1885
1886 if( memcmp( buf, aes_tests, 16 ) != 0 )
1887 {
1888 ret = 1;
1889 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890 }
1891
1892 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1893 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1894 }
1895
1896 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1897 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1899#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900 /*
1901 * CBC mode
1902 */
1903 for( i = 0; i < 6; i++ )
1904 {
1905 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1906 keybits = 128 + u * 64;
1907 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1908
1909 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1910 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1911 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912
1913 memset( iv , 0, 16 );
1914 memset( prv, 0, 16 );
1915 memset( buf, 0, 16 );
1916
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1917 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1919 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1920 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1921 }
1922 else
1923 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1924 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1925 aes_tests = aes_test_cbc_enc[u];
1926 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1927
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1928 /*
1929 * AES-192 is an optional feature that may be unavailable when
1930 * there is an alternative underlying implementation i.e. when
1931 * MBEDTLS_AES_ALT is defined.
1932 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1933 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1934 {
1935 mbedtls_printf( "skipped\n" );
1936 continue;
1937 }
1938 else if( ret != 0 )
1939 {
1940 goto exit;
1941 }
1942
1943 for( j = 0; j < 10000; j++ )
1944 {
1945 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1946 {
1947 unsigned char tmp[16];
1948
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1949 memcpy( tmp, prv, 16 );
1950 memcpy( prv, buf, 16 );
1951 memcpy( buf, tmp, 16 );
1952 }
1953
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1954 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1955 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1956 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1957
1958 }
1959
1960 if( memcmp( buf, aes_tests, 16 ) != 0 )
1961 {
1962 ret = 1;
1963 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1964 }
1965
1966 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1967 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1968 }
1969
1970 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1971 mbedtls_printf( "\n" );
1972#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1973
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1974#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975 /*
1976 * CFB128 mode
1977 */
1978 for( i = 0; i < 6; i++ )
1979 {
1980 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1981 keybits = 128 + u * 64;
1982 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1983
1984 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1985 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1986 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1987
1988 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1989 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1990
1991 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1992 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1993 /*
1994 * AES-192 is an optional feature that may be unavailable when
1995 * there is an alternative underlying implementation i.e. when
1996 * MBEDTLS_AES_ALT is defined.
1997 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1998 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1999 {
2000 mbedtls_printf( "skipped\n" );
2001 continue;
2002 }
2003 else if( ret != 0 )
2004 {
2005 goto exit;
2006 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2007
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2008 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009 {
2010 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2011 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2012 }
2013 else
2014 {
2015 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2016 aes_tests = aes_test_cfb128_ct[u];
2017 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2018
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2019 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2020 if( ret != 0 )
2021 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2022
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2023 if( memcmp( buf, aes_tests, 64 ) != 0 )
2024 {
2025 ret = 1;
2026 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2027 }
2028
2029 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2030 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031 }
2032
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2033 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034 mbedtls_printf( "\n" );
2035#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2036
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2037#if defined(MBEDTLS_CIPHER_MODE_OFB)
2038 /*
2039 * OFB mode
2040 */
2041 for( i = 0; i < 6; i++ )
2042 {
2043 u = i >> 1;
2044 keybits = 128 + u * 64;
2045 mode = i & 1;
2046
2047 if( verbose != 0 )
2048 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2049 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2050
2051 memcpy( iv, aes_test_ofb_iv, 16 );
2052 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2053
2054 offset = 0;
2055 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2056 /*
2057 * AES-192 is an optional feature that may be unavailable when
2058 * there is an alternative underlying implementation i.e. when
2059 * MBEDTLS_AES_ALT is defined.
2060 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2061 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2062 {
2063 mbedtls_printf( "skipped\n" );
2064 continue;
2065 }
2066 else if( ret != 0 )
2067 {
2068 goto exit;
2069 }
2070
2071 if( mode == MBEDTLS_AES_DECRYPT )
2072 {
2073 memcpy( buf, aes_test_ofb_ct[u], 64 );
2074 aes_tests = aes_test_ofb_pt;
2075 }
2076 else
2077 {
2078 memcpy( buf, aes_test_ofb_pt, 64 );
2079 aes_tests = aes_test_ofb_ct[u];
2080 }
2081
2082 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2083 if( ret != 0 )
2084 goto exit;
2085
2086 if( memcmp( buf, aes_tests, 64 ) != 0 )
2087 {
2088 ret = 1;
2089 goto exit;
2090 }
2091
2092 if( verbose != 0 )
2093 mbedtls_printf( "passed\n" );
2094 }
2095
2096 if( verbose != 0 )
2097 mbedtls_printf( "\n" );
2098#endif /* MBEDTLS_CIPHER_MODE_OFB */
2099
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2100#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2101 /*
2102 * CTR mode
2103 */
2104 for( i = 0; i < 6; i++ )
2105 {
2106 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2107 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2108
2109 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2110 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2111 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2112
2113 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2114 memcpy( key, aes_test_ctr_key[u], 16 );
2115
2116 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2117 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2118 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2119
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2120 len = aes_test_ctr_len[u];
2121
2122 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2123 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2124 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2125 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2126 }
2127 else
2128 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2129 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2130 aes_tests = aes_test_ctr_ct[u];
2131 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2132
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2133 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2134 stream_block, buf, buf );
2135 if( ret != 0 )
2136 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2137
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2138 if( memcmp( buf, aes_tests, len ) != 0 )
2139 {
2140 ret = 1;
2141 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2142 }
2143
2144 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2145 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2146 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2147
2148 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2149 mbedtls_printf( "\n" );
2150#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2151
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2152#if defined(MBEDTLS_CIPHER_MODE_XTS)
2153 {
2154 static const int num_tests =
2155 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2156 mbedtls_aes_xts_context ctx_xts;
2157
2158 /*
2159 * XTS mode
2160 */
2161 mbedtls_aes_xts_init( &ctx_xts );
2162
2163 for( i = 0; i < num_tests << 1; i++ )
2164 {
2165 const unsigned char *data_unit;
2166 u = i >> 1;
2167 mode = i & 1;
2168
2169 if( verbose != 0 )
2170 mbedtls_printf( " AES-XTS-128 (%s): ",
2171 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2172
2173 memset( key, 0, sizeof( key ) );
2174 memcpy( key, aes_test_xts_key[u], 32 );
2175 data_unit = aes_test_xts_data_unit[u];
2176
2177 len = sizeof( *aes_test_xts_ct32 );
2178
2179 if( mode == MBEDTLS_AES_DECRYPT )
2180 {
2181 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2182 if( ret != 0)
2183 goto exit;
2184 memcpy( buf, aes_test_xts_ct32[u], len );
2185 aes_tests = aes_test_xts_pt32[u];
2186 }
2187 else
2188 {
2189 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2190 if( ret != 0)
2191 goto exit;
2192 memcpy( buf, aes_test_xts_pt32[u], len );
2193 aes_tests = aes_test_xts_ct32[u];
2194 }
2195
2196
2197 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2198 buf, buf );
2199 if( ret != 0 )
2200 goto exit;
2201
2202 if( memcmp( buf, aes_tests, len ) != 0 )
2203 {
2204 ret = 1;
2205 goto exit;
2206 }
2207
2208 if( verbose != 0 )
2209 mbedtls_printf( "passed\n" );
2210 }
2211
2212 if( verbose != 0 )
2213 mbedtls_printf( "\n" );
2214
2215 mbedtls_aes_xts_free( &ctx_xts );
2216 }
2217#endif /* MBEDTLS_CIPHER_MODE_XTS */
2218
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2219 ret = 0;
2220
2221exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2222 if( ret != 0 && verbose != 0 )
2223 mbedtls_printf( "failed\n" );
2224
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2225 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2226
2227 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2228}
2229
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2230#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2231
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2232#endif /* MBEDTLS_AES_C */