TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 15a7420d3c317604a937c3fe954f69ef73e10cc1 / . / library / aes.c
blob: 609f852d51f6dfc11be70655588c17a35dfd551b [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
55#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]57#define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60/*
61 * 32-bit integer manipulation macros (little endian)
62 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]63#ifndef GET_UINT32_LE
64#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]66 (n) = ( (uint32_t) (b)[(i) ] ) \
67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70}
71#endif
72
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]73#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]74#define PUT_UINT32_LE(n,b,i) \
75{ \
76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80}
81#endif
82
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]83#if defined(MBEDTLS_PADLOCK_C) && \
84 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]85static int aes_padlock_ace = -1;
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]89/*
90 * Forward S-box
91 */
92static const unsigned char FSb[256] =
93{
94 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
95 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
96 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
97 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
98 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
99 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
100 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
101 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
102 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
103 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
104 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
105 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
106 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
107 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
108 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
109 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
110 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
111 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
112 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
113 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
114 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
115 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
116 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
117 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
118 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
119 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
120 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
121 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
122 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
123 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
124 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
125 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
126};
127
128/*
129 * Forward tables
130 */
131#define FT \
132\
133 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
134 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
135 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
136 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
137 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
138 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
139 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
140 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
141 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
142 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
143 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
144 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
145 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
146 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
147 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
148 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
149 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
150 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
151 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
152 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
153 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
154 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
155 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
156 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
157 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
158 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
159 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
160 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
161 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
162 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
163 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
164 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
165 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
166 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
167 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
168 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
169 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
170 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
171 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
172 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
173 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
174 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
175 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
176 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
177 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
178 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
179 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
180 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
181 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
182 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
183 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
184 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
185 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
186 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
187 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
188 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
189 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
190 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
191 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
192 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
193 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
194 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
195 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
196 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
197
198#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]202#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]203
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
208#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]209static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#undef V
211
212#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]213static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]214#undef V
215
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]216#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]217
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]218#undef FT
219
220/*
221 * Reverse S-box
222 */
223static const unsigned char RSb[256] =
224{
225 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
226 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
227 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
228 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
229 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
230 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
232 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
233 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
234 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
235 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
236 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
237 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
238 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
239 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
240 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
241 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
242 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
243 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
244 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
245 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
246 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
247 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
248 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
249 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
250 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
251 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
252 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
253 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
254 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
255 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
256 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
257};
258
259/*
260 * Reverse tables
261 */
262#define RT \
263\
264 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
265 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
266 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
267 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
268 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
269 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
270 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
271 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
272 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
273 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
274 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
275 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
276 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
277 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
278 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
279 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
280 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
281 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
282 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
283 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
284 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
285 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
286 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
287 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
288 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
289 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
290 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
291 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
292 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
293 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
294 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
295 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
296 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
297 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
298 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
299 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
300 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
301 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
302 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
303 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
304 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
305 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
306 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
307 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
308 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
309 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
310 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
311 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
312 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
313 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
314 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
315 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
316 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
317 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
318 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
319 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
320 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
321 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
322 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
323 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
324 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
325 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
326 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
327 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
328
329#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]333#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]334
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
339#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]340static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#undef V
342
343#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345#undef V
346
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]347#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]348
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349#undef RT
350
351/*
352 * Round constants
353 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355{
356 0x00000001, 0x00000002, 0x00000004, 0x00000008,
357 0x00000010, 0x00000020, 0x00000040, 0x00000080,
358 0x0000001B, 0x00000036
359};
360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]361#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362
363/*
364 * Forward S-box & tables
365 */
366static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]368#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]369static uint32_t FT1[256];
370static uint32_t FT2[256];
371static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]372#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374/*
375 * Reverse S-box & tables
376 */
377static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]379#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]380static uint32_t RT1[256];
381static uint32_t RT2[256];
382static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]383#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384
385/*
386 * Round constants
387 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Tables generation code
392 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]393#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
394#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]395#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]396
397static int aes_init_done = 0;
398
399static void aes_gen_tables( void )
400{
401 int i, x, y, z;
402 int pow[256];
403 int log[256];
404
405 /*
406 * compute pow and log tables over GF(2^8)
407 */
408 for( i = 0, x = 1; i < 256; i++ )
409 {
410 pow[i] = x;
411 log[x] = i;
412 x = ( x ^ XTIME( x ) ) & 0xFF;
413 }
414
415 /*
416 * calculate the round constants
417 */
418 for( i = 0, x = 1; i < 10; i++ )
419 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]420 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421 x = XTIME( x ) & 0xFF;
422 }
423
424 /*
425 * generate the forward and reverse S-boxes
426 */
427 FSb[0x00] = 0x63;
428 RSb[0x63] = 0x00;
429
430 for( i = 1; i < 256; i++ )
431 {
432 x = pow[255 - log[i]];
433
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]434 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
436 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438 x ^= y ^ 0x63;
439
440 FSb[i] = (unsigned char) x;
441 RSb[x] = (unsigned char) i;
442 }
443
444 /*
445 * generate the forward and reverse tables
446 */
447 for( i = 0; i < 256; i++ )
448 {
449 x = FSb[i];
450 y = XTIME( x ) & 0xFF;
451 z = ( y ^ x ) & 0xFF;
452
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]453 FT0[i] = ( (uint32_t) y ) ^
454 ( (uint32_t) x << 8 ) ^
455 ( (uint32_t) x << 16 ) ^
456 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]458#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 FT1[i] = ROTL8( FT0[i] );
460 FT2[i] = ROTL8( FT1[i] );
461 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]462#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463
464 x = RSb[i];
465
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]466 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
467 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
468 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
469 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]471#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 RT1[i] = ROTL8( RT0[i] );
473 RT2[i] = ROTL8( RT1[i] );
474 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]475#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477}
478
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]479#undef ROTL8
480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]481#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]483#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484
485#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
486#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
487#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
488
489#define AES_RT0(idx) RT0[idx]
490#define AES_RT1(idx) ROTL8( RT0[idx] )
491#define AES_RT2(idx) ROTL16( RT0[idx] )
492#define AES_RT3(idx) ROTL24( RT0[idx] )
493
494#define AES_FT0(idx) FT0[idx]
495#define AES_FT1(idx) ROTL8( FT0[idx] )
496#define AES_FT2(idx) ROTL16( FT0[idx] )
497#define AES_FT3(idx) ROTL24( FT0[idx] )
498
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]499#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]500
501#define AES_RT0(idx) RT0[idx]
502#define AES_RT1(idx) RT1[idx]
503#define AES_RT2(idx) RT2[idx]
504#define AES_RT3(idx) RT3[idx]
505
506#define AES_FT0(idx) FT0[idx]
507#define AES_FT1(idx) FT1[idx]
508#define AES_FT2(idx) FT2[idx]
509#define AES_FT3(idx) FT3[idx]
510
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]511#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]515 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]518}
519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]520void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]521{
522 if( ctx == NULL )
523 return;
524
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]525 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526}
527
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]528#if defined(MBEDTLS_CIPHER_MODE_XTS)
529void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
530{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]531 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533 mbedtls_aes_init( &ctx->crypt );
534 mbedtls_aes_init( &ctx->tweak );
535}
536
537void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
538{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]539 if( ctx == NULL )
540 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]541
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]542 mbedtls_aes_free( &ctx->crypt );
543 mbedtls_aes_free( &ctx->tweak );
544}
545#endif /* MBEDTLS_CIPHER_MODE_XTS */
546
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547/*
548 * AES key schedule (encryption)
549 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]550#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]552 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]554 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]555 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]557 AES_VALIDATE_RET( ctx != NULL );
558 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]560 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 {
562 case 128: ctx->nr = 10; break;
563 case 192: ctx->nr = 12; break;
564 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]565 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 }
567
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]568#if !defined(MBEDTLS_AES_ROM_TABLES)
569 if( aes_init_done == 0 )
570 {
571 aes_gen_tables();
572 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573 }
574#endif
575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]576#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]577 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]578 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]579
580 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]587 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]588 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]589#endif
590
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]591 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]593 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 }
595
596 switch( ctx->nr )
597 {
598 case 10:
599
600 for( i = 0; i < 10; i++, RK += 4 )
601 {
602 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]603 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
604 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
605 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
606 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607
608 RK[5] = RK[1] ^ RK[4];
609 RK[6] = RK[2] ^ RK[5];
610 RK[7] = RK[3] ^ RK[6];
611 }
612 break;
613
614 case 12:
615
616 for( i = 0; i < 8; i++, RK += 6 )
617 {
618 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]619 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
620 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
621 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
622 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623
624 RK[7] = RK[1] ^ RK[6];
625 RK[8] = RK[2] ^ RK[7];
626 RK[9] = RK[3] ^ RK[8];
627 RK[10] = RK[4] ^ RK[9];
628 RK[11] = RK[5] ^ RK[10];
629 }
630 break;
631
632 case 14:
633
634 for( i = 0; i < 7; i++, RK += 8 )
635 {
636 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]637 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
638 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
639 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
640 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641
642 RK[9] = RK[1] ^ RK[8];
643 RK[10] = RK[2] ^ RK[9];
644 RK[11] = RK[3] ^ RK[10];
645
646 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]647 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
648 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
649 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
650 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
652 RK[13] = RK[5] ^ RK[12];
653 RK[14] = RK[6] ^ RK[13];
654 RK[15] = RK[7] ^ RK[14];
655 }
656 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]658
659 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]661#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
663/*
664 * AES key schedule (decryption)
665 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]667int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]668 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]670 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]672 uint32_t *RK;
673 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]674
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]675 AES_VALIDATE_RET( ctx != NULL );
676 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]678 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]681 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]682 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]683
684 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]690 /* Also checks keybits */
691 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]692 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]693
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]694 ctx->nr = cty.nr;
695
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]696#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]697 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]698 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]700 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]701 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]702 }
703#endif
704
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705 SK = cty.rk + cty.nr * 4;
706
707 *RK++ = *SK++;
708 *RK++ = *SK++;
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711
712 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
713 {
714 for( j = 0; j < 4; j++, SK++ )
715 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]716 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
717 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
718 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
719 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720 }
721 }
722
723 *RK++ = *SK++;
724 *RK++ = *SK++;
725 *RK++ = *SK++;
726 *RK++ = *SK++;
727
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]728exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]730
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]733#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]734
735#if defined(MBEDTLS_CIPHER_MODE_XTS)
736static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
737 unsigned int keybits,
738 const unsigned char **key1,
739 unsigned int *key1bits,
740 const unsigned char **key2,
741 unsigned int *key2bits )
742{
743 const unsigned int half_keybits = keybits / 2;
744 const unsigned int half_keybytes = half_keybits / 8;
745
746 switch( keybits )
747 {
748 case 256: break;
749 case 512: break;
750 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
751 }
752
753 *key1bits = half_keybits;
754 *key2bits = half_keybits;
755 *key1 = &key[0];
756 *key2 = &key[half_keybytes];
757
758 return 0;
759}
760
761int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
762 const unsigned char *key,
763 unsigned int keybits)
764{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]765 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]766 const unsigned char *key1, *key2;
767 unsigned int key1bits, key2bits;
768
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]769 AES_VALIDATE_RET( ctx != NULL );
770 AES_VALIDATE_RET( key != NULL );
771
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]772 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
773 &key2, &key2bits );
774 if( ret != 0 )
775 return( ret );
776
777 /* Set the tweak key. Always set tweak key for the encryption mode. */
778 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
779 if( ret != 0 )
780 return( ret );
781
782 /* Set crypt key for encryption. */
783 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
784}
785
786int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
787 const unsigned char *key,
788 unsigned int keybits)
789{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]790 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]791 const unsigned char *key1, *key2;
792 unsigned int key1bits, key2bits;
793
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]794 AES_VALIDATE_RET( ctx != NULL );
795 AES_VALIDATE_RET( key != NULL );
796
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]797 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
798 &key2, &key2bits );
799 if( ret != 0 )
800 return( ret );
801
802 /* Set the tweak key. Always set tweak key for encryption. */
803 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set crypt key for decryption. */
808 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
809}
810#endif /* MBEDTLS_CIPHER_MODE_XTS */
811
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]812#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
813 do \
814 { \
815 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
816 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
817 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
818 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
819 \
820 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
821 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
822 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
823 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
824 \
825 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
826 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
827 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
828 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
829 \
830 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
831 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
832 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
833 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
834 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]835
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]836#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
837 do \
838 { \
839 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
840 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
841 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
842 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
843 \
844 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
845 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
846 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
847 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
848 \
849 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
850 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
851 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
852 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
853 \
854 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
855 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
856 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
857 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
858 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]859
860/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]861 * AES-ECB block encryption
862 */
863#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]864int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
865 const unsigned char input[16],
866 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]867{
868 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]869 uint32_t *RK = ctx->rk;
870 struct
871 {
872 uint32_t X[4];
873 uint32_t Y[4];
874 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]875
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]876 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
877 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
878 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
879 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]880
881 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
882 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]883 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
884 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]885 }
886
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]887 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]888
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]889 t.X[0] = *RK++ ^ \
890 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
891 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
892 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
893 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]894
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]895 t.X[1] = *RK++ ^ \
896 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
897 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
898 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
899 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]900
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]901 t.X[2] = *RK++ ^ \
902 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
903 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
904 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
905 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]906
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]907 t.X[3] = *RK++ ^ \
908 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
909 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
910 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
911 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]912
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]913 PUT_UINT32_LE( t.X[0], output, 0 );
914 PUT_UINT32_LE( t.X[1], output, 4 );
915 PUT_UINT32_LE( t.X[2], output, 8 );
916 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]917
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]918 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]919
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]920 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]921}
922#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
923
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]924#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]925void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
926 const unsigned char input[16],
927 unsigned char output[16] )
928{
Mateusz Starzyk15a74202021-08-05 13:56:48 +0200[diff] [blame^]929 MBEDTLS_IGNORE_RETURN( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]930}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]931#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]932
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]933/*
934 * AES-ECB block decryption
935 */
936#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]937int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
938 const unsigned char input[16],
939 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]940{
941 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]942 uint32_t *RK = ctx->rk;
943 struct
944 {
945 uint32_t X[4];
946 uint32_t Y[4];
947 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]948
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]949 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
950 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
951 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
952 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]953
954 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
955 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]956 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
957 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]958 }
959
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]960 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]961
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]962 t.X[0] = *RK++ ^ \
963 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
964 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
965 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
966 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]967
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]968 t.X[1] = *RK++ ^ \
969 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
970 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
971 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
972 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]973
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]974 t.X[2] = *RK++ ^ \
975 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
976 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
977 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
978 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]979
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]980 t.X[3] = *RK++ ^ \
981 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
982 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
983 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
984 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]985
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]986 PUT_UINT32_LE( t.X[0], output, 0 );
987 PUT_UINT32_LE( t.X[1], output, 4 );
988 PUT_UINT32_LE( t.X[2], output, 8 );
989 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]990
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]991 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]992
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]993 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]994}
995#endif /* !MBEDTLS_AES_DECRYPT_ALT */
996
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]997#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]998void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
999 const unsigned char input[16],
1000 unsigned char output[16] )
1001{
Mateusz Starzyk15a74202021-08-05 13:56:48 +0200[diff] [blame^]1002 MBEDTLS_IGNORE_RETURN( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1003}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1004#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1005
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1006/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007 * AES-ECB block encryption/decryption
1008 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1009int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1010 int mode,
1011 const unsigned char input[16],
1012 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1013{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1014 AES_VALIDATE_RET( ctx != NULL );
1015 AES_VALIDATE_RET( input != NULL );
1016 AES_VALIDATE_RET( output != NULL );
1017 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1018 mode == MBEDTLS_AES_DECRYPT );
1019
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1020#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1021 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1022 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1023#endif
1024
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1025#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1026 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1027 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1028 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1029 return( 0 );
1030
1031 // If padlock data misaligned, we just fall back to
1032 // unaccelerated mode
1033 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1034 }
1035#endif
1036
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1037 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1038 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1039 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1040 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1041}
1042
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044/*
1045 * AES-CBC buffer encryption/decryption
1046 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1047int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1048 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1049 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1050 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1051 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1052 unsigned char *output )
1053{
1054 int i;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1055 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1056 unsigned char temp[16];
1057
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1058 AES_VALIDATE_RET( ctx != NULL );
1059 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1060 mode == MBEDTLS_AES_DECRYPT );
1061 AES_VALIDATE_RET( iv != NULL );
1062 AES_VALIDATE_RET( input != NULL );
1063 AES_VALIDATE_RET( output != NULL );
1064
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1065 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1067
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1068#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1069 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1070 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1071 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1072 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1073
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1074 // If padlock data misaligned, we just fall back to
1075 // unaccelerated mode
1076 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1077 }
1078#endif
1079
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1080 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081 {
1082 while( length > 0 )
1083 {
1084 memcpy( temp, input, 16 );
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1085 ret = mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1086 if( ret != 0 )
1087 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1088
1089 for( i = 0; i < 16; i++ )
1090 output[i] = (unsigned char)( output[i] ^ iv[i] );
1091
1092 memcpy( iv, temp, 16 );
1093
1094 input += 16;
1095 output += 16;
1096 length -= 16;
1097 }
1098 }
1099 else
1100 {
1101 while( length > 0 )
1102 {
1103 for( i = 0; i < 16; i++ )
1104 output[i] = (unsigned char)( input[i] ^ iv[i] );
1105
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1106 ret = mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1107 if( ret != 0 )
1108 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109 memcpy( iv, output, 16 );
1110
1111 input += 16;
1112 output += 16;
1113 length -= 16;
1114 }
1115 }
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1116 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1117
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1118exit:
1119 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1120}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1121#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1122
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1123#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1124
1125/* Endianess with 64 bits values */
1126#ifndef GET_UINT64_LE
1127#define GET_UINT64_LE(n,b,i) \
1128{ \
1129 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1130 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1131 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1132 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1133 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1134 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1135 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1136 | ( (uint64_t) (b)[(i) ] ); \
1137}
1138#endif
1139
1140#ifndef PUT_UINT64_LE
1141#define PUT_UINT64_LE(n,b,i) \
1142{ \
1143 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1144 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1145 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1146 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1147 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1148 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1149 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1150 (b)[(i) ] = (unsigned char) ( (n) ); \
1151}
1152#endif
1153
1154typedef unsigned char mbedtls_be128[16];
1155
1156/*
1157 * GF(2^128) multiplication function
1158 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1159 * This function multiplies a field element by x in the polynomial field
1160 * representation. It uses 64-bit word operations to gain speed but compensates
1161 * for machine endianess and hence works correctly on both big and little
1162 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1163 */
1164static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1165 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1166{
1167 uint64_t a, b, ra, rb;
1168
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1169 GET_UINT64_LE( a, x, 0 );
1170 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1171
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1172 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1173 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1174
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1175 PUT_UINT64_LE( ra, r, 0 );
1176 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1177}
1178
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1179/*
1180 * AES-XTS buffer encryption/decryption
1181 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1182int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1183 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1184 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1185 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1186 const unsigned char *input,
1187 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1188{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1189 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1190 size_t blocks = length / 16;
1191 size_t leftover = length % 16;
1192 unsigned char tweak[16];
1193 unsigned char prev_tweak[16];
1194 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1195
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1196 AES_VALIDATE_RET( ctx != NULL );
1197 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1198 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1199 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1200 AES_VALIDATE_RET( input != NULL );
1201 AES_VALIDATE_RET( output != NULL );
1202
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1203 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1204 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1205 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1206
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1207 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1208 if( length > ( 1 << 20 ) * 16 )
1209 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1210
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1211 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1212 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1213 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1214 if( ret != 0 )
1215 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1216
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1217 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1218 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1219 size_t i;
1220
1221 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1222 {
1223 /* We are on the last block in a decrypt operation that has
1224 * leftover bytes, so we need to use the next tweak for this block,
1225 * and this tweak for the lefover bytes. Save the current tweak for
1226 * the leftovers and then update the current tweak for use on this,
1227 * the last full block. */
1228 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1229 mbedtls_gf128mul_x_ble( tweak, tweak );
1230 }
1231
1232 for( i = 0; i < 16; i++ )
1233 tmp[i] = input[i] ^ tweak[i];
1234
1235 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1236 if( ret != 0 )
1237 return( ret );
1238
1239 for( i = 0; i < 16; i++ )
1240 output[i] = tmp[i] ^ tweak[i];
1241
1242 /* Update the tweak for the next block. */
1243 mbedtls_gf128mul_x_ble( tweak, tweak );
1244
1245 output += 16;
1246 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1247 }
1248
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1249 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1250 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1251 /* If we are on the leftover bytes in a decrypt operation, we need to
1252 * use the previous tweak for these bytes (as saved in prev_tweak). */
1253 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1254
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1255 /* We are now on the final part of the data unit, which doesn't divide
1256 * evenly by 16. It's time for ciphertext stealing. */
1257 size_t i;
1258 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1259
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1260 /* Copy ciphertext bytes from the previous block to our output for each
1261 * byte of cyphertext we won't steal. At the same time, copy the
1262 * remainder of the input for this final round (since the loop bounds
1263 * are the same). */
1264 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1265 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1266 output[i] = prev_output[i];
1267 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1268 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1269
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1270 /* Copy ciphertext bytes from the previous block for input in this
1271 * round. */
1272 for( ; i < 16; i++ )
1273 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1274
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1275 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1276 if( ret != 0 )
1277 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1278
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1279 /* Write the result back to the previous block, overriding the previous
1280 * output we copied. */
1281 for( i = 0; i < 16; i++ )
1282 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1283 }
1284
1285 return( 0 );
1286}
1287#endif /* MBEDTLS_CIPHER_MODE_XTS */
1288
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1289#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1290/*
1291 * AES-CFB128 buffer encryption/decryption
1292 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1293int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1294 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1295 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1296 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1297 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1298 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299 unsigned char *output )
1300{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1301 int c;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1303 size_t n;
1304
1305 AES_VALIDATE_RET( ctx != NULL );
1306 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1307 mode == MBEDTLS_AES_DECRYPT );
1308 AES_VALIDATE_RET( iv_off != NULL );
1309 AES_VALIDATE_RET( iv != NULL );
1310 AES_VALIDATE_RET( input != NULL );
1311 AES_VALIDATE_RET( output != NULL );
1312
1313 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1315 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1316 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1317
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1318 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1319 {
1320 while( length-- )
1321 {
1322 if( n == 0 )
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1323 {
1324 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1325 if( ret != 0 )
1326 goto exit;
1327 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1328
1329 c = *input++;
1330 *output++ = (unsigned char)( c ^ iv[n] );
1331 iv[n] = (unsigned char) c;
1332
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1333 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1334 }
1335 }
1336 else
1337 {
1338 while( length-- )
1339 {
1340 if( n == 0 )
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1341 {
1342 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1343 if( ret != 0 )
1344 goto exit;
1345 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346
1347 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1348
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1349 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1350 }
1351 }
1352
1353 *iv_off = n;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1354 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1355
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1356exit:
1357 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1358}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1359
1360/*
1361 * AES-CFB8 buffer encryption/decryption
1362 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1363int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1364 int mode,
1365 size_t length,
1366 unsigned char iv[16],
1367 const unsigned char *input,
1368 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1369{
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1370 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1371 unsigned char c;
1372 unsigned char ov[17];
1373
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1374 AES_VALIDATE_RET( ctx != NULL );
1375 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1376 mode == MBEDTLS_AES_DECRYPT );
1377 AES_VALIDATE_RET( iv != NULL );
1378 AES_VALIDATE_RET( input != NULL );
1379 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1380 while( length-- )
1381 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1382 memcpy( ov, iv, 16 );
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1383 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1384 if( ret != 0 )
1385 goto exit;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1386
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1387 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1388 ov[16] = *input;
1389
1390 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1391
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1392 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1393 ov[16] = c;
1394
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1395 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1396 }
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1397 ret = 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1398
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1399exit:
1400 return( ret );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1401}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1402#endif /* MBEDTLS_CIPHER_MODE_CFB */
1403
1404#if defined(MBEDTLS_CIPHER_MODE_OFB)
1405/*
1406 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1407 */
1408int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1409 size_t length,
1410 size_t *iv_off,
1411 unsigned char iv[16],
1412 const unsigned char *input,
1413 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1414{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1415 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1416 size_t n;
1417
1418 AES_VALIDATE_RET( ctx != NULL );
1419 AES_VALIDATE_RET( iv_off != NULL );
1420 AES_VALIDATE_RET( iv != NULL );
1421 AES_VALIDATE_RET( input != NULL );
1422 AES_VALIDATE_RET( output != NULL );
1423
1424 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1425
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1426 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1427 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1428
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1429 while( length-- )
1430 {
1431 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1432 {
1433 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1434 if( ret != 0 )
1435 goto exit;
1436 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1437 *output++ = *input++ ^ iv[n];
1438
1439 n = ( n + 1 ) & 0x0F;
1440 }
1441
1442 *iv_off = n;
1443
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1444exit:
1445 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1446}
1447#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1448
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1449#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1450/*
1451 * AES-CTR buffer encryption/decryption
1452 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1453int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1454 size_t length,
1455 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1456 unsigned char nonce_counter[16],
1457 unsigned char stream_block[16],
1458 const unsigned char *input,
1459 unsigned char *output )
1460{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1461 int c, i;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1462 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1463 size_t n;
1464
1465 AES_VALIDATE_RET( ctx != NULL );
1466 AES_VALIDATE_RET( nc_off != NULL );
1467 AES_VALIDATE_RET( nonce_counter != NULL );
1468 AES_VALIDATE_RET( stream_block != NULL );
1469 AES_VALIDATE_RET( input != NULL );
1470 AES_VALIDATE_RET( output != NULL );
1471
1472 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1473
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1474 if ( n > 0x0F )
1475 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1476
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1477 while( length-- )
1478 {
1479 if( n == 0 ) {
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1480 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1481 if( ret != 0 )
1482 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1483
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1484 for( i = 16; i > 0; i-- )
1485 if( ++nonce_counter[i - 1] != 0 )
1486 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1487 }
1488 c = *input++;
1489 *output++ = (unsigned char)( c ^ stream_block[n] );
1490
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1491 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1492 }
1493
1494 *nc_off = n;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1495 ret = 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1496
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1497exit:
1498 return( ret );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1499}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1500#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1501
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1502#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1504#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1505/*
1506 * AES test vectors from:
1507 *
1508 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1509 */
1510static const unsigned char aes_test_ecb_dec[3][16] =
1511{
1512 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1513 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1514 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1515 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1516 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1517 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1518};
1519
1520static const unsigned char aes_test_ecb_enc[3][16] =
1521{
1522 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1523 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1524 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1525 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1526 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1527 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1528};
1529
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1530#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1531static const unsigned char aes_test_cbc_dec[3][16] =
1532{
1533 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1534 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1535 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1536 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1537 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1538 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1539};
1540
1541static const unsigned char aes_test_cbc_enc[3][16] =
1542{
1543 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1544 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1545 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1546 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1547 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1548 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1549};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1550#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1552#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1553/*
1554 * AES-CFB128 test vectors from:
1555 *
1556 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1557 */
1558static const unsigned char aes_test_cfb128_key[3][32] =
1559{
1560 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1561 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1562 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1563 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1564 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1565 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1566 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1567 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1568 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1569};
1570
1571static const unsigned char aes_test_cfb128_iv[16] =
1572{
1573 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1574 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1575};
1576
1577static const unsigned char aes_test_cfb128_pt[64] =
1578{
1579 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1580 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1581 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1582 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1583 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1584 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1585 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1586 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1587};
1588
1589static const unsigned char aes_test_cfb128_ct[3][64] =
1590{
1591 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1592 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1593 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1594 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1595 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1596 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1597 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1598 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1599 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1600 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1601 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1602 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1603 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1604 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1605 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1606 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1607 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1608 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1609 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1610 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1611 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1612 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1613 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1614 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1615};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1616#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1617
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1618#if defined(MBEDTLS_CIPHER_MODE_OFB)
1619/*
1620 * AES-OFB test vectors from:
1621 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1622 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1623 */
1624static const unsigned char aes_test_ofb_key[3][32] =
1625{
1626 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1627 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1628 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1629 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1630 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1631 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1632 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1633 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1634 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1635};
1636
1637static const unsigned char aes_test_ofb_iv[16] =
1638{
1639 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1640 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1641};
1642
1643static const unsigned char aes_test_ofb_pt[64] =
1644{
1645 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1646 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1647 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1648 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1649 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1650 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1651 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1652 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1653};
1654
1655static const unsigned char aes_test_ofb_ct[3][64] =
1656{
1657 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1658 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1659 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1660 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1661 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1662 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1663 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1664 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1665 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1666 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1667 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1668 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1669 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1670 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1671 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1672 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1673 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1674 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1675 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1676 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1677 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1678 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1679 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1680 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1681};
1682#endif /* MBEDTLS_CIPHER_MODE_OFB */
1683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1684#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1685/*
1686 * AES-CTR test vectors from:
1687 *
1688 * http://www.faqs.org/rfcs/rfc3686.html
1689 */
1690
1691static const unsigned char aes_test_ctr_key[3][16] =
1692{
1693 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1694 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1695 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1696 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1697 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1698 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1699};
1700
1701static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1702{
1703 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1705 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1706 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1707 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1708 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1709};
1710
1711static const unsigned char aes_test_ctr_pt[3][48] =
1712{
1713 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1714 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1715
1716 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1717 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1718 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1719 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1720
1721 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1722 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1723 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1724 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1725 0x20, 0x21, 0x22, 0x23 }
1726};
1727
1728static const unsigned char aes_test_ctr_ct[3][48] =
1729{
1730 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1731 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1732 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1733 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1734 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1735 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1736 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1737 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1738 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1739 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1740 0x25, 0xB2, 0x07, 0x2F }
1741};
1742
1743static const int aes_test_ctr_len[3] =
1744 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1745#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1746
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1747#if defined(MBEDTLS_CIPHER_MODE_XTS)
1748/*
1749 * AES-XTS test vectors from:
1750 *
1751 * IEEE P1619/D16 Annex B
1752 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1753 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1754 */
1755static const unsigned char aes_test_xts_key[][32] =
1756{
1757 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1758 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1759 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1760 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1761 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1762 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1763 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1764 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1765 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1766 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1767 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1768 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1769};
1770
1771static const unsigned char aes_test_xts_pt32[][32] =
1772{
1773 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1777 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1778 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1779 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1780 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1781 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1782 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1783 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1784 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1785};
1786
1787static const unsigned char aes_test_xts_ct32[][32] =
1788{
1789 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1790 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1791 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1792 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1793 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1794 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1795 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1796 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1797 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1798 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1799 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1800 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1801};
1802
1803static const unsigned char aes_test_xts_data_unit[][16] =
1804{
1805 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1807 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1809 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1810 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1811};
1812
1813#endif /* MBEDTLS_CIPHER_MODE_XTS */
1814
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1815/*
1816 * Checkup routine
1817 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1818int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1820 int ret = 0, i, j, u, mode;
1821 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1822 unsigned char key[32];
1823 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1824 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1825#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1826 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1827#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1828#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1829 unsigned char prv[16];
1830#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1831#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1832 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1833 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1834#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1835#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1836 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1837#endif
1838#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1839 unsigned char nonce_counter[16];
1840 unsigned char stream_block[16];
1841#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1842 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1843
1844 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1845 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1846
1847 /*
1848 * ECB mode
1849 */
1850 for( i = 0; i < 6; i++ )
1851 {
1852 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1853 keybits = 128 + u * 64;
1854 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855
1856 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1857 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1858 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859
1860 memset( buf, 0, 16 );
1861
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1862 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1863 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1864 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1865 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1866 }
1867 else
1868 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1869 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1870 aes_tests = aes_test_ecb_enc[u];
1871 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1872
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1873 /*
1874 * AES-192 is an optional feature that may be unavailable when
1875 * there is an alternative underlying implementation i.e. when
1876 * MBEDTLS_AES_ALT is defined.
1877 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1878 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1879 {
1880 mbedtls_printf( "skipped\n" );
1881 continue;
1882 }
1883 else if( ret != 0 )
1884 {
1885 goto exit;
1886 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1887
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1888 for( j = 0; j < 10000; j++ )
1889 {
1890 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1891 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1892 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1893 }
1894
1895 if( memcmp( buf, aes_tests, 16 ) != 0 )
1896 {
1897 ret = 1;
1898 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1899 }
1900
1901 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1902 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903 }
1904
1905 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1906 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1907
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1908#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909 /*
1910 * CBC mode
1911 */
1912 for( i = 0; i < 6; i++ )
1913 {
1914 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1915 keybits = 128 + u * 64;
1916 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1917
1918 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1919 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1920 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1921
1922 memset( iv , 0, 16 );
1923 memset( prv, 0, 16 );
1924 memset( buf, 0, 16 );
1925
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1926 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1927 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1928 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1929 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930 }
1931 else
1932 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1933 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1934 aes_tests = aes_test_cbc_enc[u];
1935 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1936
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1937 /*
1938 * AES-192 is an optional feature that may be unavailable when
1939 * there is an alternative underlying implementation i.e. when
1940 * MBEDTLS_AES_ALT is defined.
1941 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1942 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1943 {
1944 mbedtls_printf( "skipped\n" );
1945 continue;
1946 }
1947 else if( ret != 0 )
1948 {
1949 goto exit;
1950 }
1951
1952 for( j = 0; j < 10000; j++ )
1953 {
1954 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1955 {
1956 unsigned char tmp[16];
1957
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1958 memcpy( tmp, prv, 16 );
1959 memcpy( prv, buf, 16 );
1960 memcpy( buf, tmp, 16 );
1961 }
1962
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1963 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1964 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1965 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1966
1967 }
1968
1969 if( memcmp( buf, aes_tests, 16 ) != 0 )
1970 {
1971 ret = 1;
1972 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1973 }
1974
1975 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1976 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1977 }
1978
1979 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1980 mbedtls_printf( "\n" );
1981#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1982
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1983#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1984 /*
1985 * CFB128 mode
1986 */
1987 for( i = 0; i < 6; i++ )
1988 {
1989 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1990 keybits = 128 + u * 64;
1991 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1992
1993 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1994 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1995 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1996
1997 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1998 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1999
2000 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2001 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2002 /*
2003 * AES-192 is an optional feature that may be unavailable when
2004 * there is an alternative underlying implementation i.e. when
2005 * MBEDTLS_AES_ALT is defined.
2006 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2007 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2008 {
2009 mbedtls_printf( "skipped\n" );
2010 continue;
2011 }
2012 else if( ret != 0 )
2013 {
2014 goto exit;
2015 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2017 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2018 {
2019 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2020 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021 }
2022 else
2023 {
2024 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2025 aes_tests = aes_test_cfb128_ct[u];
2026 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2027
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2028 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2029 if( ret != 0 )
2030 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2032 if( memcmp( buf, aes_tests, 64 ) != 0 )
2033 {
2034 ret = 1;
2035 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2036 }
2037
2038 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2039 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2040 }
2041
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2042 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2043 mbedtls_printf( "\n" );
2044#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2045
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2046#if defined(MBEDTLS_CIPHER_MODE_OFB)
2047 /*
2048 * OFB mode
2049 */
2050 for( i = 0; i < 6; i++ )
2051 {
2052 u = i >> 1;
2053 keybits = 128 + u * 64;
2054 mode = i & 1;
2055
2056 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]2057 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2058 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2059
2060 memcpy( iv, aes_test_ofb_iv, 16 );
2061 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2062
2063 offset = 0;
2064 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2065 /*
2066 * AES-192 is an optional feature that may be unavailable when
2067 * there is an alternative underlying implementation i.e. when
2068 * MBEDTLS_AES_ALT is defined.
2069 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2070 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2071 {
2072 mbedtls_printf( "skipped\n" );
2073 continue;
2074 }
2075 else if( ret != 0 )
2076 {
2077 goto exit;
2078 }
2079
2080 if( mode == MBEDTLS_AES_DECRYPT )
2081 {
2082 memcpy( buf, aes_test_ofb_ct[u], 64 );
2083 aes_tests = aes_test_ofb_pt;
2084 }
2085 else
2086 {
2087 memcpy( buf, aes_test_ofb_pt, 64 );
2088 aes_tests = aes_test_ofb_ct[u];
2089 }
2090
2091 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2092 if( ret != 0 )
2093 goto exit;
2094
2095 if( memcmp( buf, aes_tests, 64 ) != 0 )
2096 {
2097 ret = 1;
2098 goto exit;
2099 }
2100
2101 if( verbose != 0 )
2102 mbedtls_printf( "passed\n" );
2103 }
2104
2105 if( verbose != 0 )
2106 mbedtls_printf( "\n" );
2107#endif /* MBEDTLS_CIPHER_MODE_OFB */
2108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2109#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2110 /*
2111 * CTR mode
2112 */
2113 for( i = 0; i < 6; i++ )
2114 {
2115 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2116 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2117
2118 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2119 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2120 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2121
2122 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2123 memcpy( key, aes_test_ctr_key[u], 16 );
2124
2125 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2126 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2127 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2128
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2129 len = aes_test_ctr_len[u];
2130
2131 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2132 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2133 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2134 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2135 }
2136 else
2137 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2138 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2139 aes_tests = aes_test_ctr_ct[u];
2140 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2141
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2142 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2143 stream_block, buf, buf );
2144 if( ret != 0 )
2145 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2146
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2147 if( memcmp( buf, aes_tests, len ) != 0 )
2148 {
2149 ret = 1;
2150 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2151 }
2152
2153 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2154 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2155 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2156
2157 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2158 mbedtls_printf( "\n" );
2159#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2160
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2161#if defined(MBEDTLS_CIPHER_MODE_XTS)
2162 {
2163 static const int num_tests =
2164 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2165 mbedtls_aes_xts_context ctx_xts;
2166
2167 /*
2168 * XTS mode
2169 */
2170 mbedtls_aes_xts_init( &ctx_xts );
2171
2172 for( i = 0; i < num_tests << 1; i++ )
2173 {
2174 const unsigned char *data_unit;
2175 u = i >> 1;
2176 mode = i & 1;
2177
2178 if( verbose != 0 )
2179 mbedtls_printf( " AES-XTS-128 (%s): ",
2180 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2181
2182 memset( key, 0, sizeof( key ) );
2183 memcpy( key, aes_test_xts_key[u], 32 );
2184 data_unit = aes_test_xts_data_unit[u];
2185
2186 len = sizeof( *aes_test_xts_ct32 );
2187
2188 if( mode == MBEDTLS_AES_DECRYPT )
2189 {
2190 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2191 if( ret != 0)
2192 goto exit;
2193 memcpy( buf, aes_test_xts_ct32[u], len );
2194 aes_tests = aes_test_xts_pt32[u];
2195 }
2196 else
2197 {
2198 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2199 if( ret != 0)
2200 goto exit;
2201 memcpy( buf, aes_test_xts_pt32[u], len );
2202 aes_tests = aes_test_xts_ct32[u];
2203 }
2204
2205
2206 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2207 buf, buf );
2208 if( ret != 0 )
2209 goto exit;
2210
2211 if( memcmp( buf, aes_tests, len ) != 0 )
2212 {
2213 ret = 1;
2214 goto exit;
2215 }
2216
2217 if( verbose != 0 )
2218 mbedtls_printf( "passed\n" );
2219 }
2220
2221 if( verbose != 0 )
2222 mbedtls_printf( "\n" );
2223
2224 mbedtls_aes_xts_free( &ctx_xts );
2225 }
2226#endif /* MBEDTLS_CIPHER_MODE_XTS */
2227
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2228 ret = 0;
2229
2230exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2231 if( ret != 0 && verbose != 0 )
2232 mbedtls_printf( "failed\n" );
2233
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2234 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2235
2236 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2237}
2238
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2239#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2241#endif /* MBEDTLS_AES_C */