TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 24eed8d2d2df4423a63c8761edd0d65a43ff03a3 / . / library / aes.c
blob: 6e8699022b6a6f799dd67f7bff7170dbd82a7295 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame^]41#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]42#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]44#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]46#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]47#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]48
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]49#if defined(MBEDTLS_SELF_TEST)
50#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]51#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]52#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]53#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#define mbedtls_printf printf
55#endif /* MBEDTLS_PLATFORM_C */
56#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]57
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]59
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]60/* Parameter validation macros based on platform_util.h */
61#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]62 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]63#define AES_VALIDATE( cond ) \
64 MBEDTLS_INTERNAL_VALIDATE( cond )
65
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66/*
67 * 32-bit integer manipulation macros (little endian)
68 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]69#ifndef GET_UINT32_LE
70#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]71{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]72 (n) = ( (uint32_t) (b)[(i) ] ) \
73 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
74 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
75 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]76}
77#endif
78
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]79#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]80#define PUT_UINT32_LE(n,b,i) \
81{ \
82 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
83 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
84 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
85 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]86}
87#endif
88
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]89#if defined(MBEDTLS_PADLOCK_C) && \
90 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]91static int aes_padlock_ace = -1;
92#endif
93
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]94#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95/*
96 * Forward S-box
97 */
98static const unsigned char FSb[256] =
99{
100 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
101 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
102 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
103 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
104 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
105 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
106 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
107 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
108 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
109 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
110 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
111 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
112 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
113 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
114 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
115 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
116 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
117 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
118 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
119 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
120 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
121 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
122 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
123 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
124 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
125 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
126 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
127 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
128 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
129 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
130 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
131 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
132};
133
134/*
135 * Forward tables
136 */
137#define FT \
138\
139 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
140 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
141 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
142 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
143 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
144 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
145 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
146 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
147 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
148 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
149 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
150 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
151 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
152 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
153 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
154 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
155 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
156 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
157 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
158 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
159 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
160 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
161 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
162 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
163 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
164 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
165 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
166 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
167 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
168 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
169 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
170 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
171 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
172 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
173 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
174 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
175 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
176 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
177 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
178 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
179 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
180 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
181 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
182 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
183 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
184 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
185 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
186 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
187 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
188 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
189 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
190 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
191 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
192 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
193 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
194 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
195 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
196 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
197 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
198 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
199 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
200 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
201 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
202 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
203
204#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]208#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]209
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
214#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]215static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef V
217
218#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef V
221
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]222#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224#undef FT
225
226/*
227 * Reverse S-box
228 */
229static const unsigned char RSb[256] =
230{
231 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
232 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
233 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
234 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
235 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
236 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
237 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
238 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
239 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
240 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
241 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
242 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
243 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
244 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
245 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
246 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
247 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
248 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
249 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
250 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
251 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
252 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
253 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
254 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
256 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
257 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
258 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
259 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
260 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
261 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
262 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
263};
264
265/*
266 * Reverse tables
267 */
268#define RT \
269\
270 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
271 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
272 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
273 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
274 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
275 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
276 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
277 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
278 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
279 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
280 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
281 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
282 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
283 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
284 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
285 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
286 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
287 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
288 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
289 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
290 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
291 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
292 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
293 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
294 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
295 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
296 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
297 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
298 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
299 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
300 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
301 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
302 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
303 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
304 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
305 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
306 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
307 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
308 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
309 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
310 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
311 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
312 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
313 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
314 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
315 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
316 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
317 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
318 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
319 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
320 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
321 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
322 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
323 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
324 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
325 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
326 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
327 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
328 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
329 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
330 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
331 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
332 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
333 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
334
335#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]339#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]340
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
345#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]346static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef V
348
349#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]350static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]351#undef V
352
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]353#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]354
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355#undef RT
356
357/*
358 * Round constants
359 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361{
362 0x00000001, 0x00000002, 0x00000004, 0x00000008,
363 0x00000010, 0x00000020, 0x00000040, 0x00000080,
364 0x0000001B, 0x00000036
365};
366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]367#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368
369/*
370 * Forward S-box & tables
371 */
372static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]373static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]374#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]375static uint32_t FT1[256];
376static uint32_t FT2[256];
377static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]378#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379
380/*
381 * Reverse S-box & tables
382 */
383static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]385#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]386static uint32_t RT1[256];
387static uint32_t RT2[256];
388static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]389#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390
391/*
392 * Round constants
393 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]394static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395
396/*
397 * Tables generation code
398 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]399#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
400#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]401#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402
403static int aes_init_done = 0;
404
405static void aes_gen_tables( void )
406{
407 int i, x, y, z;
408 int pow[256];
409 int log[256];
410
411 /*
412 * compute pow and log tables over GF(2^8)
413 */
414 for( i = 0, x = 1; i < 256; i++ )
415 {
416 pow[i] = x;
417 log[x] = i;
418 x = ( x ^ XTIME( x ) ) & 0xFF;
419 }
420
421 /*
422 * calculate the round constants
423 */
424 for( i = 0, x = 1; i < 10; i++ )
425 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]426 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]427 x = XTIME( x ) & 0xFF;
428 }
429
430 /*
431 * generate the forward and reverse S-boxes
432 */
433 FSb[0x00] = 0x63;
434 RSb[0x63] = 0x00;
435
436 for( i = 1; i < 256; i++ )
437 {
438 x = pow[255 - log[i]];
439
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]440 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
443 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]444 x ^= y ^ 0x63;
445
446 FSb[i] = (unsigned char) x;
447 RSb[x] = (unsigned char) i;
448 }
449
450 /*
451 * generate the forward and reverse tables
452 */
453 for( i = 0; i < 256; i++ )
454 {
455 x = FSb[i];
456 y = XTIME( x ) & 0xFF;
457 z = ( y ^ x ) & 0xFF;
458
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]459 FT0[i] = ( (uint32_t) y ) ^
460 ( (uint32_t) x << 8 ) ^
461 ( (uint32_t) x << 16 ) ^
462 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]464#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 FT1[i] = ROTL8( FT0[i] );
466 FT2[i] = ROTL8( FT1[i] );
467 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]468#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469
470 x = RSb[i];
471
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]472 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
473 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
474 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
475 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]477#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478 RT1[i] = ROTL8( RT0[i] );
479 RT2[i] = ROTL8( RT1[i] );
480 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]481#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482 }
483}
484
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]485#undef ROTL8
486
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]487#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]488
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]489#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]490
491#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
492#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
493#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
494
495#define AES_RT0(idx) RT0[idx]
496#define AES_RT1(idx) ROTL8( RT0[idx] )
497#define AES_RT2(idx) ROTL16( RT0[idx] )
498#define AES_RT3(idx) ROTL24( RT0[idx] )
499
500#define AES_FT0(idx) FT0[idx]
501#define AES_FT1(idx) ROTL8( FT0[idx] )
502#define AES_FT2(idx) ROTL16( FT0[idx] )
503#define AES_FT3(idx) ROTL24( FT0[idx] )
504
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]505#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]506
507#define AES_RT0(idx) RT0[idx]
508#define AES_RT1(idx) RT1[idx]
509#define AES_RT2(idx) RT2[idx]
510#define AES_RT3(idx) RT3[idx]
511
512#define AES_FT0(idx) FT0[idx]
513#define AES_FT1(idx) FT1[idx]
514#define AES_FT2(idx) FT2[idx]
515#define AES_FT3(idx) FT3[idx]
516
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]517#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]519void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]520{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]521 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]523 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]524}
525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]526void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]527{
528 if( ctx == NULL )
529 return;
530
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]531 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]532}
533
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]534#if defined(MBEDTLS_CIPHER_MODE_XTS)
535void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
536{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]537 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]538
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]539 mbedtls_aes_init( &ctx->crypt );
540 mbedtls_aes_init( &ctx->tweak );
541}
542
543void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
544{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]545 if( ctx == NULL )
546 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]547
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]548 mbedtls_aes_free( &ctx->crypt );
549 mbedtls_aes_free( &ctx->tweak );
550}
551#endif /* MBEDTLS_CIPHER_MODE_XTS */
552
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553/*
554 * AES key schedule (encryption)
555 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]556#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]557int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]558 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]560 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]561 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]563 AES_VALIDATE_RET( ctx != NULL );
564 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]566 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567 {
568 case 128: ctx->nr = 10; break;
569 case 192: ctx->nr = 12; break;
570 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]571 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572 }
573
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]574#if !defined(MBEDTLS_AES_ROM_TABLES)
575 if( aes_init_done == 0 )
576 {
577 aes_gen_tables();
578 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]579 }
580#endif
581
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]582#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]583 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]584 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585
586 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]587 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]588 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]590 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]592#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]593 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]594 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]595#endif
596
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]597 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]599 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600 }
601
602 switch( ctx->nr )
603 {
604 case 10:
605
606 for( i = 0; i < 10; i++, RK += 4 )
607 {
608 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]609 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
611 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
612 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613
614 RK[5] = RK[1] ^ RK[4];
615 RK[6] = RK[2] ^ RK[5];
616 RK[7] = RK[3] ^ RK[6];
617 }
618 break;
619
620 case 12:
621
622 for( i = 0; i < 8; i++, RK += 6 )
623 {
624 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]625 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
627 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
628 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629
630 RK[7] = RK[1] ^ RK[6];
631 RK[8] = RK[2] ^ RK[7];
632 RK[9] = RK[3] ^ RK[8];
633 RK[10] = RK[4] ^ RK[9];
634 RK[11] = RK[5] ^ RK[10];
635 }
636 break;
637
638 case 14:
639
640 for( i = 0; i < 7; i++, RK += 8 )
641 {
642 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]643 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
645 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
646 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]647
648 RK[9] = RK[1] ^ RK[8];
649 RK[10] = RK[2] ^ RK[9];
650 RK[11] = RK[3] ^ RK[10];
651
652 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]653 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
656 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657
658 RK[13] = RK[5] ^ RK[12];
659 RK[14] = RK[6] ^ RK[13];
660 RK[15] = RK[7] ^ RK[14];
661 }
662 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]664
665 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]667#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668
669/*
670 * AES key schedule (decryption)
671 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]672#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]674 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]676 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]677 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]678 uint32_t *RK;
679 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]680
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]681 AES_VALIDATE_RET( ctx != NULL );
682 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]684 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]687 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]688 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]689
690 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]692 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]694 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]696 /* Also checks keybits */
697 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]698 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]699
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]700 ctx->nr = cty.nr;
701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]703 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]704 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]705 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]706 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]707 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]708 }
709#endif
710
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711 SK = cty.rk + cty.nr * 4;
712
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716 *RK++ = *SK++;
717
718 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
719 {
720 for( j = 0; j < 4; j++, SK++ )
721 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]722 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
723 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
724 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
725 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726 }
727 }
728
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732 *RK++ = *SK++;
733
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]734exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]735 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]736
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]737 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]738}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]739
740#if defined(MBEDTLS_CIPHER_MODE_XTS)
741static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
742 unsigned int keybits,
743 const unsigned char **key1,
744 unsigned int *key1bits,
745 const unsigned char **key2,
746 unsigned int *key2bits )
747{
748 const unsigned int half_keybits = keybits / 2;
749 const unsigned int half_keybytes = half_keybits / 8;
750
751 switch( keybits )
752 {
753 case 256: break;
754 case 512: break;
755 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
756 }
757
758 *key1bits = half_keybits;
759 *key2bits = half_keybits;
760 *key1 = &key[0];
761 *key2 = &key[half_keybytes];
762
763 return 0;
764}
765
766int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
767 const unsigned char *key,
768 unsigned int keybits)
769{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame^]770 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]771 const unsigned char *key1, *key2;
772 unsigned int key1bits, key2bits;
773
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]774 AES_VALIDATE_RET( ctx != NULL );
775 AES_VALIDATE_RET( key != NULL );
776
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]777 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
778 &key2, &key2bits );
779 if( ret != 0 )
780 return( ret );
781
782 /* Set the tweak key. Always set tweak key for the encryption mode. */
783 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
784 if( ret != 0 )
785 return( ret );
786
787 /* Set crypt key for encryption. */
788 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
789}
790
791int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
792 const unsigned char *key,
793 unsigned int keybits)
794{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame^]795 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]796 const unsigned char *key1, *key2;
797 unsigned int key1bits, key2bits;
798
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]799 AES_VALIDATE_RET( ctx != NULL );
800 AES_VALIDATE_RET( key != NULL );
801
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
803 &key2, &key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set the tweak key. Always set tweak key for encryption. */
808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
809 if( ret != 0 )
810 return( ret );
811
812 /* Set crypt key for decryption. */
813 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
814}
815#endif /* MBEDTLS_CIPHER_MODE_XTS */
816
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]817#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]819#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
820 do \
821 { \
822 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
823 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
824 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
825 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
826 \
827 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
828 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
829 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
830 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
831 \
832 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
833 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
834 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
835 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
836 \
837 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
838 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
839 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
840 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
841 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]843#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
844 do \
845 { \
846 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
847 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
848 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
849 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
850 \
851 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
852 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
853 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
854 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
855 \
856 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
857 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
858 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
859 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
860 \
861 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
862 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
863 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
864 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
865 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866
867/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]868 * AES-ECB block encryption
869 */
870#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]871int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
872 const unsigned char input[16],
873 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]874{
875 int i;
876 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
877
878 RK = ctx->rk;
879
880 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
881 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
882 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
883 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
884
885 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
886 {
887 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
888 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
889 }
890
891 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
892
893 X0 = *RK++ ^ \
894 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
895 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
896 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
897 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
898
899 X1 = *RK++ ^ \
900 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
901 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
902 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
903 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
904
905 X2 = *RK++ ^ \
906 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
907 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
908 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
909 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
910
911 X3 = *RK++ ^ \
912 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
913 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
914 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
915 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
916
917 PUT_UINT32_LE( X0, output, 0 );
918 PUT_UINT32_LE( X1, output, 4 );
919 PUT_UINT32_LE( X2, output, 8 );
920 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]921
922 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]923}
924#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
925
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]926#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]927void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
928 const unsigned char input[16],
929 unsigned char output[16] )
930{
931 mbedtls_internal_aes_encrypt( ctx, input, output );
932}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]933#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]934
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]935/*
936 * AES-ECB block decryption
937 */
938#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]939int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
940 const unsigned char input[16],
941 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]942{
943 int i;
944 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
945
946 RK = ctx->rk;
947
948 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
949 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
950 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
951 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
952
953 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
954 {
955 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
956 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
957 }
958
959 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
960
961 X0 = *RK++ ^ \
962 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
963 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
964 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
965 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
966
967 X1 = *RK++ ^ \
968 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
969 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
970 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
971 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
972
973 X2 = *RK++ ^ \
974 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
975 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
976 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
977 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
978
979 X3 = *RK++ ^ \
980 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
981 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
982 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
983 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
984
985 PUT_UINT32_LE( X0, output, 0 );
986 PUT_UINT32_LE( X1, output, 4 );
987 PUT_UINT32_LE( X2, output, 8 );
988 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]989
990 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]991}
992#endif /* !MBEDTLS_AES_DECRYPT_ALT */
993
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]994#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]995void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
996 const unsigned char input[16],
997 unsigned char output[16] )
998{
999 mbedtls_internal_aes_decrypt( ctx, input, output );
1000}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1001#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1002
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1003/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1004 * AES-ECB block encryption/decryption
1005 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1006int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1007 int mode,
1008 const unsigned char input[16],
1009 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1010{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1011 AES_VALIDATE_RET( ctx != NULL );
1012 AES_VALIDATE_RET( input != NULL );
1013 AES_VALIDATE_RET( output != NULL );
1014 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1015 mode == MBEDTLS_AES_DECRYPT );
1016
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1017#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1018 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1019 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1020#endif
1021
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1022#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1023 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1025 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1026 return( 0 );
1027
1028 // If padlock data misaligned, we just fall back to
1029 // unaccelerated mode
1030 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1031 }
1032#endif
1033
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1034 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1035 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1036 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1037 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038}
1039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1040#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1041/*
1042 * AES-CBC buffer encryption/decryption
1043 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1044int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1046 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1047 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1048 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 unsigned char *output )
1050{
1051 int i;
1052 unsigned char temp[16];
1053
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1054 AES_VALIDATE_RET( ctx != NULL );
1055 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1056 mode == MBEDTLS_AES_DECRYPT );
1057 AES_VALIDATE_RET( iv != NULL );
1058 AES_VALIDATE_RET( input != NULL );
1059 AES_VALIDATE_RET( output != NULL );
1060
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1061 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1063
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1064#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1065 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1068 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1069
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1070 // If padlock data misaligned, we just fall back to
1071 // unaccelerated mode
1072 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1073 }
1074#endif
1075
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1076 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1077 {
1078 while( length > 0 )
1079 {
1080 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1081 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082
1083 for( i = 0; i < 16; i++ )
1084 output[i] = (unsigned char)( output[i] ^ iv[i] );
1085
1086 memcpy( iv, temp, 16 );
1087
1088 input += 16;
1089 output += 16;
1090 length -= 16;
1091 }
1092 }
1093 else
1094 {
1095 while( length > 0 )
1096 {
1097 for( i = 0; i < 16; i++ )
1098 output[i] = (unsigned char)( input[i] ^ iv[i] );
1099
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1100 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 memcpy( iv, output, 16 );
1102
1103 input += 16;
1104 output += 16;
1105 length -= 16;
1106 }
1107 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1108
1109 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1110}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1111#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1112
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1113#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1114
1115/* Endianess with 64 bits values */
1116#ifndef GET_UINT64_LE
1117#define GET_UINT64_LE(n,b,i) \
1118{ \
1119 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1120 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1121 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1122 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1123 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1124 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1125 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1126 | ( (uint64_t) (b)[(i) ] ); \
1127}
1128#endif
1129
1130#ifndef PUT_UINT64_LE
1131#define PUT_UINT64_LE(n,b,i) \
1132{ \
1133 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1134 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1135 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1136 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1137 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1138 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1139 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1140 (b)[(i) ] = (unsigned char) ( (n) ); \
1141}
1142#endif
1143
1144typedef unsigned char mbedtls_be128[16];
1145
1146/*
1147 * GF(2^128) multiplication function
1148 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1149 * This function multiplies a field element by x in the polynomial field
1150 * representation. It uses 64-bit word operations to gain speed but compensates
1151 * for machine endianess and hence works correctly on both big and little
1152 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1153 */
1154static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1155 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1156{
1157 uint64_t a, b, ra, rb;
1158
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1159 GET_UINT64_LE( a, x, 0 );
1160 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1161
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1162 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1163 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1164
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1165 PUT_UINT64_LE( ra, r, 0 );
1166 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1167}
1168
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1169/*
1170 * AES-XTS buffer encryption/decryption
1171 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1172int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1173 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1174 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1175 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1176 const unsigned char *input,
1177 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1178{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame^]1179 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1180 size_t blocks = length / 16;
1181 size_t leftover = length % 16;
1182 unsigned char tweak[16];
1183 unsigned char prev_tweak[16];
1184 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1185
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1186 AES_VALIDATE_RET( ctx != NULL );
1187 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1188 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1189 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1190 AES_VALIDATE_RET( input != NULL );
1191 AES_VALIDATE_RET( output != NULL );
1192
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1193 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1194 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1195 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1196
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1197 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1198 if( length > ( 1 << 20 ) * 16 )
1199 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1200
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1201 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1202 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1203 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1204 if( ret != 0 )
1205 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1206
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1207 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1208 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1209 size_t i;
1210
1211 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1212 {
1213 /* We are on the last block in a decrypt operation that has
1214 * leftover bytes, so we need to use the next tweak for this block,
1215 * and this tweak for the lefover bytes. Save the current tweak for
1216 * the leftovers and then update the current tweak for use on this,
1217 * the last full block. */
1218 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1219 mbedtls_gf128mul_x_ble( tweak, tweak );
1220 }
1221
1222 for( i = 0; i < 16; i++ )
1223 tmp[i] = input[i] ^ tweak[i];
1224
1225 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1226 if( ret != 0 )
1227 return( ret );
1228
1229 for( i = 0; i < 16; i++ )
1230 output[i] = tmp[i] ^ tweak[i];
1231
1232 /* Update the tweak for the next block. */
1233 mbedtls_gf128mul_x_ble( tweak, tweak );
1234
1235 output += 16;
1236 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1237 }
1238
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1239 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1240 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1241 /* If we are on the leftover bytes in a decrypt operation, we need to
1242 * use the previous tweak for these bytes (as saved in prev_tweak). */
1243 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1244
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1245 /* We are now on the final part of the data unit, which doesn't divide
1246 * evenly by 16. It's time for ciphertext stealing. */
1247 size_t i;
1248 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1249
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1250 /* Copy ciphertext bytes from the previous block to our output for each
1251 * byte of cyphertext we won't steal. At the same time, copy the
1252 * remainder of the input for this final round (since the loop bounds
1253 * are the same). */
1254 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1255 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1256 output[i] = prev_output[i];
1257 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1258 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1259
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1260 /* Copy ciphertext bytes from the previous block for input in this
1261 * round. */
1262 for( ; i < 16; i++ )
1263 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1264
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1265 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1266 if( ret != 0 )
1267 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1268
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1269 /* Write the result back to the previous block, overriding the previous
1270 * output we copied. */
1271 for( i = 0; i < 16; i++ )
1272 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1273 }
1274
1275 return( 0 );
1276}
1277#endif /* MBEDTLS_CIPHER_MODE_XTS */
1278
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1279#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1280/*
1281 * AES-CFB128 buffer encryption/decryption
1282 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1283int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1284 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1285 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1286 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1287 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1288 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289 unsigned char *output )
1290{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1291 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1292 size_t n;
1293
1294 AES_VALIDATE_RET( ctx != NULL );
1295 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1296 mode == MBEDTLS_AES_DECRYPT );
1297 AES_VALIDATE_RET( iv_off != NULL );
1298 AES_VALIDATE_RET( iv != NULL );
1299 AES_VALIDATE_RET( input != NULL );
1300 AES_VALIDATE_RET( output != NULL );
1301
1302 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1304 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1305 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1306
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1307 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1308 {
1309 while( length-- )
1310 {
1311 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1312 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313
1314 c = *input++;
1315 *output++ = (unsigned char)( c ^ iv[n] );
1316 iv[n] = (unsigned char) c;
1317
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1318 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1319 }
1320 }
1321 else
1322 {
1323 while( length-- )
1324 {
1325 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1326 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1327
1328 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1329
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1330 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331 }
1332 }
1333
1334 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1335
1336 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1338
1339/*
1340 * AES-CFB8 buffer encryption/decryption
1341 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1342int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1343 int mode,
1344 size_t length,
1345 unsigned char iv[16],
1346 const unsigned char *input,
1347 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1348{
1349 unsigned char c;
1350 unsigned char ov[17];
1351
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1352 AES_VALIDATE_RET( ctx != NULL );
1353 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1354 mode == MBEDTLS_AES_DECRYPT );
1355 AES_VALIDATE_RET( iv != NULL );
1356 AES_VALIDATE_RET( input != NULL );
1357 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1358 while( length-- )
1359 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1360 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1361 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1363 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1364 ov[16] = *input;
1365
1366 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1367
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1368 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1369 ov[16] = c;
1370
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1371 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1372 }
1373
1374 return( 0 );
1375}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1376#endif /* MBEDTLS_CIPHER_MODE_CFB */
1377
1378#if defined(MBEDTLS_CIPHER_MODE_OFB)
1379/*
1380 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1381 */
1382int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1383 size_t length,
1384 size_t *iv_off,
1385 unsigned char iv[16],
1386 const unsigned char *input,
1387 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1388{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1389 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1390 size_t n;
1391
1392 AES_VALIDATE_RET( ctx != NULL );
1393 AES_VALIDATE_RET( iv_off != NULL );
1394 AES_VALIDATE_RET( iv != NULL );
1395 AES_VALIDATE_RET( input != NULL );
1396 AES_VALIDATE_RET( output != NULL );
1397
1398 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1399
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1400 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1401 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1402
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1403 while( length-- )
1404 {
1405 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1406 {
1407 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1408 if( ret != 0 )
1409 goto exit;
1410 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1411 *output++ = *input++ ^ iv[n];
1412
1413 n = ( n + 1 ) & 0x0F;
1414 }
1415
1416 *iv_off = n;
1417
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1418exit:
1419 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1420}
1421#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1422
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1423#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1424/*
1425 * AES-CTR buffer encryption/decryption
1426 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1427int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1428 size_t length,
1429 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1430 unsigned char nonce_counter[16],
1431 unsigned char stream_block[16],
1432 const unsigned char *input,
1433 unsigned char *output )
1434{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1435 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1436 size_t n;
1437
1438 AES_VALIDATE_RET( ctx != NULL );
1439 AES_VALIDATE_RET( nc_off != NULL );
1440 AES_VALIDATE_RET( nonce_counter != NULL );
1441 AES_VALIDATE_RET( stream_block != NULL );
1442 AES_VALIDATE_RET( input != NULL );
1443 AES_VALIDATE_RET( output != NULL );
1444
1445 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1446
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1447 if ( n > 0x0F )
1448 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1449
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1450 while( length-- )
1451 {
1452 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1453 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1454
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1455 for( i = 16; i > 0; i-- )
1456 if( ++nonce_counter[i - 1] != 0 )
1457 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1458 }
1459 c = *input++;
1460 *output++ = (unsigned char)( c ^ stream_block[n] );
1461
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1462 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1463 }
1464
1465 *nc_off = n;
1466
1467 return( 0 );
1468}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1469#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1470
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1471#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1472
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1474/*
1475 * AES test vectors from:
1476 *
1477 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1478 */
1479static const unsigned char aes_test_ecb_dec[3][16] =
1480{
1481 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1482 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1483 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1484 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1485 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1486 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1487};
1488
1489static const unsigned char aes_test_ecb_enc[3][16] =
1490{
1491 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1492 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1493 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1494 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1495 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1496 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1497};
1498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1499#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1500static const unsigned char aes_test_cbc_dec[3][16] =
1501{
1502 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1503 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1504 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1505 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1506 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1507 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1508};
1509
1510static const unsigned char aes_test_cbc_enc[3][16] =
1511{
1512 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1513 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1514 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1515 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1516 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1517 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1518};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1519#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1521#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522/*
1523 * AES-CFB128 test vectors from:
1524 *
1525 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1526 */
1527static const unsigned char aes_test_cfb128_key[3][32] =
1528{
1529 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1530 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1531 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1532 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1533 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1534 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1535 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1536 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1537 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1538};
1539
1540static const unsigned char aes_test_cfb128_iv[16] =
1541{
1542 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1543 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1544};
1545
1546static const unsigned char aes_test_cfb128_pt[64] =
1547{
1548 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1549 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1550 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1551 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1552 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1553 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1554 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1555 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1556};
1557
1558static const unsigned char aes_test_cfb128_ct[3][64] =
1559{
1560 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1561 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1562 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1563 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1564 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1565 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1566 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1567 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1568 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1569 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1570 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1571 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1572 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1573 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1574 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1575 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1576 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1577 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1578 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1579 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1580 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1581 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1582 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1583 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1584};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1585#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1586
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1587#if defined(MBEDTLS_CIPHER_MODE_OFB)
1588/*
1589 * AES-OFB test vectors from:
1590 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1591 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1592 */
1593static const unsigned char aes_test_ofb_key[3][32] =
1594{
1595 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1596 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1597 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1598 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1599 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1600 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1601 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1602 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1603 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1604};
1605
1606static const unsigned char aes_test_ofb_iv[16] =
1607{
1608 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1609 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1610};
1611
1612static const unsigned char aes_test_ofb_pt[64] =
1613{
1614 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1615 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1616 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1617 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1618 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1619 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1620 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1621 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1622};
1623
1624static const unsigned char aes_test_ofb_ct[3][64] =
1625{
1626 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1627 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1628 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1629 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1630 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1631 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1632 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1633 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1634 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1635 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1636 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1637 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1638 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1639 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1640 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1641 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1642 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1643 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1644 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1645 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1646 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1647 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1648 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1649 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1650};
1651#endif /* MBEDTLS_CIPHER_MODE_OFB */
1652
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1653#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1654/*
1655 * AES-CTR test vectors from:
1656 *
1657 * http://www.faqs.org/rfcs/rfc3686.html
1658 */
1659
1660static const unsigned char aes_test_ctr_key[3][16] =
1661{
1662 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1663 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1664 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1665 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1666 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1667 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1668};
1669
1670static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1671{
1672 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1673 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1674 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1675 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1676 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1677 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1678};
1679
1680static const unsigned char aes_test_ctr_pt[3][48] =
1681{
1682 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1683 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1684
1685 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1686 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1687 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1688 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1689
1690 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1691 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1692 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1693 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1694 0x20, 0x21, 0x22, 0x23 }
1695};
1696
1697static const unsigned char aes_test_ctr_ct[3][48] =
1698{
1699 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1700 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1701 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1702 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1703 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1704 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1705 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1706 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1707 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1708 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1709 0x25, 0xB2, 0x07, 0x2F }
1710};
1711
1712static const int aes_test_ctr_len[3] =
1713 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1714#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1715
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1716#if defined(MBEDTLS_CIPHER_MODE_XTS)
1717/*
1718 * AES-XTS test vectors from:
1719 *
1720 * IEEE P1619/D16 Annex B
1721 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1722 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1723 */
1724static const unsigned char aes_test_xts_key[][32] =
1725{
1726 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1727 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1730 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1731 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1732 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1733 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1734 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1735 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1736 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1737 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1738};
1739
1740static const unsigned char aes_test_xts_pt32[][32] =
1741{
1742 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1746 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1747 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1748 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1749 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1750 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1751 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1752 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1753 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1754};
1755
1756static const unsigned char aes_test_xts_ct32[][32] =
1757{
1758 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1759 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1760 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1761 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1762 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1763 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1764 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1765 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1766 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1767 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1768 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1769 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1770};
1771
1772static const unsigned char aes_test_xts_data_unit[][16] =
1773{
1774 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1776 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1778 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1780};
1781
1782#endif /* MBEDTLS_CIPHER_MODE_XTS */
1783
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1784/*
1785 * Checkup routine
1786 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1787int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1789 int ret = 0, i, j, u, mode;
1790 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1791 unsigned char key[32];
1792 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1793 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1794#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1795 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1796#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1797#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1798 unsigned char prv[16];
1799#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1800#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1801 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1802 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1803#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1804#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1805 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1806#endif
1807#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1808 unsigned char nonce_counter[16];
1809 unsigned char stream_block[16];
1810#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1811 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1812
1813 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1814 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1815
1816 /*
1817 * ECB mode
1818 */
1819 for( i = 0; i < 6; i++ )
1820 {
1821 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1822 keybits = 128 + u * 64;
1823 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1824
1825 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1826 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1827 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1828
1829 memset( buf, 0, 16 );
1830
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1831 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1833 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1834 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1835 }
1836 else
1837 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1838 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1839 aes_tests = aes_test_ecb_enc[u];
1840 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1841
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1842 /*
1843 * AES-192 is an optional feature that may be unavailable when
1844 * there is an alternative underlying implementation i.e. when
1845 * MBEDTLS_AES_ALT is defined.
1846 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1847 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1848 {
1849 mbedtls_printf( "skipped\n" );
1850 continue;
1851 }
1852 else if( ret != 0 )
1853 {
1854 goto exit;
1855 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1856
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1857 for( j = 0; j < 10000; j++ )
1858 {
1859 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1860 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1861 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1862 }
1863
1864 if( memcmp( buf, aes_tests, 16 ) != 0 )
1865 {
1866 ret = 1;
1867 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868 }
1869
1870 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1871 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1872 }
1873
1874 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1875 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1877#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878 /*
1879 * CBC mode
1880 */
1881 for( i = 0; i < 6; i++ )
1882 {
1883 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1884 keybits = 128 + u * 64;
1885 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886
1887 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1888 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1889 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890
1891 memset( iv , 0, 16 );
1892 memset( prv, 0, 16 );
1893 memset( buf, 0, 16 );
1894
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1895 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1897 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1898 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1899 }
1900 else
1901 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1902 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1903 aes_tests = aes_test_cbc_enc[u];
1904 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1905
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1906 /*
1907 * AES-192 is an optional feature that may be unavailable when
1908 * there is an alternative underlying implementation i.e. when
1909 * MBEDTLS_AES_ALT is defined.
1910 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1911 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1912 {
1913 mbedtls_printf( "skipped\n" );
1914 continue;
1915 }
1916 else if( ret != 0 )
1917 {
1918 goto exit;
1919 }
1920
1921 for( j = 0; j < 10000; j++ )
1922 {
1923 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1924 {
1925 unsigned char tmp[16];
1926
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1927 memcpy( tmp, prv, 16 );
1928 memcpy( prv, buf, 16 );
1929 memcpy( buf, tmp, 16 );
1930 }
1931
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1932 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1933 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1934 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1935
1936 }
1937
1938 if( memcmp( buf, aes_tests, 16 ) != 0 )
1939 {
1940 ret = 1;
1941 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1942 }
1943
1944 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1945 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1946 }
1947
1948 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1949 mbedtls_printf( "\n" );
1950#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1952#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953 /*
1954 * CFB128 mode
1955 */
1956 for( i = 0; i < 6; i++ )
1957 {
1958 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1959 keybits = 128 + u * 64;
1960 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1961
1962 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1963 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1964 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1965
1966 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1967 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1968
1969 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1970 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1971 /*
1972 * AES-192 is an optional feature that may be unavailable when
1973 * there is an alternative underlying implementation i.e. when
1974 * MBEDTLS_AES_ALT is defined.
1975 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1976 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1977 {
1978 mbedtls_printf( "skipped\n" );
1979 continue;
1980 }
1981 else if( ret != 0 )
1982 {
1983 goto exit;
1984 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1985
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1986 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1987 {
1988 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1989 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1990 }
1991 else
1992 {
1993 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1994 aes_tests = aes_test_cfb128_ct[u];
1995 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1996
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1997 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1998 if( ret != 0 )
1999 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2000
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2001 if( memcmp( buf, aes_tests, 64 ) != 0 )
2002 {
2003 ret = 1;
2004 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2005 }
2006
2007 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2008 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009 }
2010
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2011 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2012 mbedtls_printf( "\n" );
2013#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2014
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2015#if defined(MBEDTLS_CIPHER_MODE_OFB)
2016 /*
2017 * OFB mode
2018 */
2019 for( i = 0; i < 6; i++ )
2020 {
2021 u = i >> 1;
2022 keybits = 128 + u * 64;
2023 mode = i & 1;
2024
2025 if( verbose != 0 )
2026 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2027 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2028
2029 memcpy( iv, aes_test_ofb_iv, 16 );
2030 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2031
2032 offset = 0;
2033 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2034 /*
2035 * AES-192 is an optional feature that may be unavailable when
2036 * there is an alternative underlying implementation i.e. when
2037 * MBEDTLS_AES_ALT is defined.
2038 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2039 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2040 {
2041 mbedtls_printf( "skipped\n" );
2042 continue;
2043 }
2044 else if( ret != 0 )
2045 {
2046 goto exit;
2047 }
2048
2049 if( mode == MBEDTLS_AES_DECRYPT )
2050 {
2051 memcpy( buf, aes_test_ofb_ct[u], 64 );
2052 aes_tests = aes_test_ofb_pt;
2053 }
2054 else
2055 {
2056 memcpy( buf, aes_test_ofb_pt, 64 );
2057 aes_tests = aes_test_ofb_ct[u];
2058 }
2059
2060 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2061 if( ret != 0 )
2062 goto exit;
2063
2064 if( memcmp( buf, aes_tests, 64 ) != 0 )
2065 {
2066 ret = 1;
2067 goto exit;
2068 }
2069
2070 if( verbose != 0 )
2071 mbedtls_printf( "passed\n" );
2072 }
2073
2074 if( verbose != 0 )
2075 mbedtls_printf( "\n" );
2076#endif /* MBEDTLS_CIPHER_MODE_OFB */
2077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2078#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2079 /*
2080 * CTR mode
2081 */
2082 for( i = 0; i < 6; i++ )
2083 {
2084 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2085 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2086
2087 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2088 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2089 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2090
2091 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2092 memcpy( key, aes_test_ctr_key[u], 16 );
2093
2094 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2095 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2096 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2097
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2098 len = aes_test_ctr_len[u];
2099
2100 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2101 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2102 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2103 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2104 }
2105 else
2106 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2107 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2108 aes_tests = aes_test_ctr_ct[u];
2109 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2110
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2111 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2112 stream_block, buf, buf );
2113 if( ret != 0 )
2114 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2115
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2116 if( memcmp( buf, aes_tests, len ) != 0 )
2117 {
2118 ret = 1;
2119 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2120 }
2121
2122 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2123 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2124 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2125
2126 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2127 mbedtls_printf( "\n" );
2128#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2129
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2130#if defined(MBEDTLS_CIPHER_MODE_XTS)
2131 {
2132 static const int num_tests =
2133 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2134 mbedtls_aes_xts_context ctx_xts;
2135
2136 /*
2137 * XTS mode
2138 */
2139 mbedtls_aes_xts_init( &ctx_xts );
2140
2141 for( i = 0; i < num_tests << 1; i++ )
2142 {
2143 const unsigned char *data_unit;
2144 u = i >> 1;
2145 mode = i & 1;
2146
2147 if( verbose != 0 )
2148 mbedtls_printf( " AES-XTS-128 (%s): ",
2149 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2150
2151 memset( key, 0, sizeof( key ) );
2152 memcpy( key, aes_test_xts_key[u], 32 );
2153 data_unit = aes_test_xts_data_unit[u];
2154
2155 len = sizeof( *aes_test_xts_ct32 );
2156
2157 if( mode == MBEDTLS_AES_DECRYPT )
2158 {
2159 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2160 if( ret != 0)
2161 goto exit;
2162 memcpy( buf, aes_test_xts_ct32[u], len );
2163 aes_tests = aes_test_xts_pt32[u];
2164 }
2165 else
2166 {
2167 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2168 if( ret != 0)
2169 goto exit;
2170 memcpy( buf, aes_test_xts_pt32[u], len );
2171 aes_tests = aes_test_xts_ct32[u];
2172 }
2173
2174
2175 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2176 buf, buf );
2177 if( ret != 0 )
2178 goto exit;
2179
2180 if( memcmp( buf, aes_tests, len ) != 0 )
2181 {
2182 ret = 1;
2183 goto exit;
2184 }
2185
2186 if( verbose != 0 )
2187 mbedtls_printf( "passed\n" );
2188 }
2189
2190 if( verbose != 0 )
2191 mbedtls_printf( "\n" );
2192
2193 mbedtls_aes_xts_free( &ctx_xts );
2194 }
2195#endif /* MBEDTLS_CIPHER_MODE_XTS */
2196
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2197 ret = 0;
2198
2199exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2200 if( ret != 0 && verbose != 0 )
2201 mbedtls_printf( "failed\n" );
2202
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2203 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2204
2205 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2206}
2207
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2208#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2209
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2210#endif /* MBEDTLS_AES_C */