TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2ff0e52087d14c4d45b5e1b4db066f878106b350 / . / library / aes.c
blob: 4f3351faf5c34a0d7cbff02fded955b1fcf3ccae [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]39#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]41#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]42#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]44#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]45#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]47#if defined(MBEDTLS_SELF_TEST)
48#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]49#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]50#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#define mbedtls_printf printf
53#endif /* MBEDTLS_PLATFORM_C */
54#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]55
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]57
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58/*
59 * 32-bit integer manipulation macros (little endian)
60 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]61#ifndef GET_UINT32_LE
62#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]64 (n) = ( (uint32_t) (b)[(i) ] ) \
65 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
67 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68}
69#endif
70
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]72#define PUT_UINT32_LE(n,b,i) \
73{ \
74 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
75 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
76 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
77 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]78}
79#endif
80
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]81#if defined(MBEDTLS_PADLOCK_C) && \
82 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]83static int aes_padlock_ace = -1;
84#endif
85
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]86#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]87/*
88 * Forward S-box
89 */
90static const unsigned char FSb[256] =
91{
92 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
93 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
94 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
95 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
96 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
97 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
98 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
99 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
100 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
101 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
102 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
103 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
104 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
105 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
106 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
107 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
108 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
109 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
110 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
111 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
112 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
113 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
114 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
115 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
116 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
117 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
118 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
119 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
120 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
121 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
122 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
123 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
124};
125
126/*
127 * Forward tables
128 */
129#define FT \
130\
131 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
132 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
133 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
134 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
135 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
136 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
137 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
138 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
139 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
140 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
141 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
142 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
143 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
144 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
145 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
146 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
147 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
148 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
149 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
150 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
151 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
152 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
153 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
154 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
155 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
156 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
157 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
158 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
159 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
160 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
161 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
162 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
163 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
164 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
165 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
166 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
167 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
168 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
169 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
170 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
171 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
172 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
173 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
174 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
175 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
176 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
177 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
178 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
179 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
180 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
181 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
182 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
183 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
184 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
185 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
186 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
187 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
188 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
189 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
190 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
191 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
192 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
193 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
194 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
195
196#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]200#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]201
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]202#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]203static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#undef V
205
206#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]207static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208#undef V
209
210#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]214#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]215
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef FT
217
218/*
219 * Reverse S-box
220 */
221static const unsigned char RSb[256] =
222{
223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
255};
256
257/*
258 * Reverse tables
259 */
260#define RT \
261\
262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
326
327#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]328static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]329#undef V
330
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]331#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]332
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]334static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#undef V
336
337#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
341#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]345#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]346
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef RT
348
349/*
350 * Round constants
351 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]352static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353{
354 0x00000001, 0x00000002, 0x00000004, 0x00000008,
355 0x00000010, 0x00000020, 0x00000040, 0x00000080,
356 0x0000001B, 0x00000036
357};
358
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]359#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361/*
362 * Forward S-box & tables
363 */
364static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]365static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]366#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT1[256];
368static uint32_t FT2[256];
369static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372/*
373 * Reverse S-box & tables
374 */
375static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]376static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]377#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT1[256];
379static uint32_t RT2[256];
380static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]381#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383/*
384 * Round constants
385 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]386static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387
388/*
389 * Tables generation code
390 */
391#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
392#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
393#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
394
395static int aes_init_done = 0;
396
397static void aes_gen_tables( void )
398{
399 int i, x, y, z;
400 int pow[256];
401 int log[256];
402
403 /*
404 * compute pow and log tables over GF(2^8)
405 */
406 for( i = 0, x = 1; i < 256; i++ )
407 {
408 pow[i] = x;
409 log[x] = i;
410 x = ( x ^ XTIME( x ) ) & 0xFF;
411 }
412
413 /*
414 * calculate the round constants
415 */
416 for( i = 0, x = 1; i < 10; i++ )
417 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]418 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419 x = XTIME( x ) & 0xFF;
420 }
421
422 /*
423 * generate the forward and reverse S-boxes
424 */
425 FSb[0x00] = 0x63;
426 RSb[0x63] = 0x00;
427
428 for( i = 1; i < 256; i++ )
429 {
430 x = pow[255 - log[i]];
431
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]432 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
433 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
434 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 x ^= y ^ 0x63;
437
438 FSb[i] = (unsigned char) x;
439 RSb[x] = (unsigned char) i;
440 }
441
442 /*
443 * generate the forward and reverse tables
444 */
445 for( i = 0; i < 256; i++ )
446 {
447 x = FSb[i];
448 y = XTIME( x ) & 0xFF;
449 z = ( y ^ x ) & 0xFF;
450
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]451 FT0[i] = ( (uint32_t) y ) ^
452 ( (uint32_t) x << 8 ) ^
453 ( (uint32_t) x << 16 ) ^
454 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]456#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 FT1[i] = ROTL8( FT0[i] );
458 FT2[i] = ROTL8( FT1[i] );
459 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]460#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461
462 x = RSb[i];
463
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]464 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
465 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
466 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
467 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]469#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RT1[i] = ROTL8( RT0[i] );
471 RT2[i] = ROTL8( RT1[i] );
472 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]473#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475}
476
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]477#undef ROTL8
478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]481#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]482
483#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
484#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
485#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
486
487#define AES_RT0(idx) RT0[idx]
488#define AES_RT1(idx) ROTL8( RT0[idx] )
489#define AES_RT2(idx) ROTL16( RT0[idx] )
490#define AES_RT3(idx) ROTL24( RT0[idx] )
491
492#define AES_FT0(idx) FT0[idx]
493#define AES_FT1(idx) ROTL8( FT0[idx] )
494#define AES_FT2(idx) ROTL16( FT0[idx] )
495#define AES_FT3(idx) ROTL24( FT0[idx] )
496
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]497#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]498
499#define AES_RT0(idx) RT0[idx]
500#define AES_RT1(idx) RT1[idx]
501#define AES_RT2(idx) RT2[idx]
502#define AES_RT3(idx) RT3[idx]
503
504#define AES_FT0(idx) FT0[idx]
505#define AES_FT1(idx) FT1[idx]
506#define AES_FT2(idx) FT2[idx]
507#define AES_FT3(idx) FT3[idx]
508
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]509#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]512{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514}
515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]516void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]517{
518 if( ctx == NULL )
519 return;
520
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]521 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]522}
523
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]524/*
525 * AES key schedule (encryption)
526 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]527#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]528int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]529 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]530{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]531 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]532 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]534#if !defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]535 if( aes_init_done == 0 )
536 {
537 aes_gen_tables();
538 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]539
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]540 }
541#endif
542
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]543 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544 {
545 case 128: ctx->nr = 10; break;
546 case 192: ctx->nr = 12; break;
547 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]548 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549 }
550
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]552 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]553 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]554
555 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]557 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]559 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]561#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]562 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]563 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]564#endif
565
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]566 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]568 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]569 }
570
571 switch( ctx->nr )
572 {
573 case 10:
574
575 for( i = 0; i < 10; i++, RK += 4 )
576 {
577 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]578 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
579 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
580 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
581 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582
583 RK[5] = RK[1] ^ RK[4];
584 RK[6] = RK[2] ^ RK[5];
585 RK[7] = RK[3] ^ RK[6];
586 }
587 break;
588
589 case 12:
590
591 for( i = 0; i < 8; i++, RK += 6 )
592 {
593 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]594 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
595 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
596 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
597 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598
599 RK[7] = RK[1] ^ RK[6];
600 RK[8] = RK[2] ^ RK[7];
601 RK[9] = RK[3] ^ RK[8];
602 RK[10] = RK[4] ^ RK[9];
603 RK[11] = RK[5] ^ RK[10];
604 }
605 break;
606
607 case 14:
608
609 for( i = 0; i < 7; i++, RK += 8 )
610 {
611 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]612 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
613 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
614 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
615 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]616
617 RK[9] = RK[1] ^ RK[8];
618 RK[10] = RK[2] ^ RK[9];
619 RK[11] = RK[3] ^ RK[10];
620
621 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]622 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
623 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
624 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
625 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]626
627 RK[13] = RK[5] ^ RK[12];
628 RK[14] = RK[6] ^ RK[13];
629 RK[15] = RK[7] ^ RK[14];
630 }
631 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]633
634 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]635}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]636#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637
638/*
639 * AES key schedule (decryption)
640 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]641#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]642int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]643 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]644{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]645 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]646 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]647 uint32_t *RK;
648 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]650 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]652#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]653 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]654 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]655
656 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]658 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]660 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]661
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]662 /* Also checks keybits */
663 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]664 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]665
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]666 ctx->nr = cty.nr;
667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]669 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]670 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]672 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]673 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]674 }
675#endif
676
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]677 SK = cty.rk + cty.nr * 4;
678
679 *RK++ = *SK++;
680 *RK++ = *SK++;
681 *RK++ = *SK++;
682 *RK++ = *SK++;
683
684 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
685 {
686 for( j = 0; j < 4; j++, SK++ )
687 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]688 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
689 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
690 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
691 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692 }
693 }
694
695 *RK++ = *SK++;
696 *RK++ = *SK++;
697 *RK++ = *SK++;
698 *RK++ = *SK++;
699
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]700exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]702
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]703 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]704}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]705#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]706
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]707#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
708{ \
709 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
710 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
711 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
712 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
713 \
714 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
715 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
716 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
717 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
718 \
719 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
720 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
721 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
722 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
723 \
724 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
725 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
726 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
727 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728}
729
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]730#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
731{ \
732 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
733 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
734 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
735 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
736 \
737 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
738 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
739 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
740 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
741 \
742 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
743 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
744 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
745 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
746 \
747 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
748 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
749 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
750 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]751}
752
753/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]754 * AES-ECB block encryption
755 */
756#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]757int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
758 const unsigned char input[16],
759 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]760{
761 int i;
762 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
763
764 RK = ctx->rk;
765
766 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
767 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
768 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
769 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
770
771 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
772 {
773 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
774 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
775 }
776
777 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
778
779 X0 = *RK++ ^ \
780 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
781 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
782 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
783 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
784
785 X1 = *RK++ ^ \
786 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
787 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
788 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
789 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
790
791 X2 = *RK++ ^ \
792 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
793 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
794 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
795 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
796
797 X3 = *RK++ ^ \
798 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
799 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
800 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
801 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
802
803 PUT_UINT32_LE( X0, output, 0 );
804 PUT_UINT32_LE( X1, output, 4 );
805 PUT_UINT32_LE( X2, output, 8 );
806 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]807
808 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]809}
810#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
811
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]812#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]813void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
814 const unsigned char input[16],
815 unsigned char output[16] )
816{
817 mbedtls_internal_aes_encrypt( ctx, input, output );
818}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]819#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]820
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]821/*
822 * AES-ECB block decryption
823 */
824#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]825int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
826 const unsigned char input[16],
827 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]828{
829 int i;
830 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
831
832 RK = ctx->rk;
833
834 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
835 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
836 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
837 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
838
839 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
840 {
841 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
842 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
843 }
844
845 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
846
847 X0 = *RK++ ^ \
848 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
849 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
850 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
851 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
852
853 X1 = *RK++ ^ \
854 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
855 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
856 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
857 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
858
859 X2 = *RK++ ^ \
860 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
861 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
862 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
863 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
864
865 X3 = *RK++ ^ \
866 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
867 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
868 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
869 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
870
871 PUT_UINT32_LE( X0, output, 0 );
872 PUT_UINT32_LE( X1, output, 4 );
873 PUT_UINT32_LE( X2, output, 8 );
874 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]875
876 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]877}
878#endif /* !MBEDTLS_AES_DECRYPT_ALT */
879
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]880#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]881void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
882 const unsigned char input[16],
883 unsigned char output[16] )
884{
885 mbedtls_internal_aes_decrypt( ctx, input, output );
886}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]887#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]888
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]889/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]890 * AES-ECB block encryption/decryption
891 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]892int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]893 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]894 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]895 unsigned char output[16] )
896{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]897#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]898 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]899 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]900#endif
901
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]902#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]903 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]904 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]905 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]906 return( 0 );
907
908 // If padlock data misaligned, we just fall back to
909 // unaccelerated mode
910 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]911 }
912#endif
913
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]914 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]915 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]916 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]917 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]918}
919
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]920#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]921/*
922 * AES-CBC buffer encryption/decryption
923 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]924int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]925 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]926 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]927 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]928 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]929 unsigned char *output )
930{
931 int i;
932 unsigned char temp[16];
933
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]934 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]935 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]936
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]937#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]938 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]939 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]940 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]941 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]942
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]943 // If padlock data misaligned, we just fall back to
944 // unaccelerated mode
945 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]946 }
947#endif
948
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]949 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]950 {
951 while( length > 0 )
952 {
953 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]954 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955
956 for( i = 0; i < 16; i++ )
957 output[i] = (unsigned char)( output[i] ^ iv[i] );
958
959 memcpy( iv, temp, 16 );
960
961 input += 16;
962 output += 16;
963 length -= 16;
964 }
965 }
966 else
967 {
968 while( length > 0 )
969 {
970 for( i = 0; i < 16; i++ )
971 output[i] = (unsigned char)( input[i] ^ iv[i] );
972
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]973 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]974 memcpy( iv, output, 16 );
975
976 input += 16;
977 output += 16;
978 length -= 16;
979 }
980 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]981
982 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]983}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]984#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]985
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]986#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]987/*
988 * AES-CFB128 buffer encryption/decryption
989 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]990int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]991 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]992 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]993 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]994 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]995 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]996 unsigned char *output )
997{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]998 int c;
999 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1000
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1001 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1002 {
1003 while( length-- )
1004 {
1005 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1006 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007
1008 c = *input++;
1009 *output++ = (unsigned char)( c ^ iv[n] );
1010 iv[n] = (unsigned char) c;
1011
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1012 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1013 }
1014 }
1015 else
1016 {
1017 while( length-- )
1018 {
1019 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1020 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1021
1022 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1023
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1024 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1025 }
1026 }
1027
1028 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1029
1030 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1031}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1032
1033/*
1034 * AES-CFB8 buffer encryption/decryption
1035 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1036int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1037 int mode,
1038 size_t length,
1039 unsigned char iv[16],
1040 const unsigned char *input,
1041 unsigned char *output )
1042{
1043 unsigned char c;
1044 unsigned char ov[17];
1045
1046 while( length-- )
1047 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1048 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1049 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1050
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1051 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1052 ov[16] = *input;
1053
1054 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1056 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1057 ov[16] = c;
1058
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1059 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1060 }
1061
1062 return( 0 );
1063}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1064#endif /* MBEDTLS_CIPHER_MODE_CFB */
1065
1066#if defined(MBEDTLS_CIPHER_MODE_OFB)
1067/*
1068 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1069 */
1070int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1071 size_t length,
1072 size_t *iv_off,
1073 unsigned char iv[16],
1074 const unsigned char *input,
1075 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1076{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1077 int ret = 0;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1078 size_t n = *iv_off;
1079
1080 while( length-- )
1081 {
1082 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1083 {
1084 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1085 if( ret != 0 )
1086 goto exit;
1087 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1088 *output++ = *input++ ^ iv[n];
1089
1090 n = ( n + 1 ) & 0x0F;
1091 }
1092
1093 *iv_off = n;
1094
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1095exit:
1096 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1097}
1098#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1099
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1100#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1101/*
1102 * AES-CTR buffer encryption/decryption
1103 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1104int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1105 size_t length,
1106 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1107 unsigned char nonce_counter[16],
1108 unsigned char stream_block[16],
1109 const unsigned char *input,
1110 unsigned char *output )
1111{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1112 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1113 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1114
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1115 if ( n > 0x0F )
1116 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1117
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1118 while( length-- )
1119 {
1120 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1121 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1122
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1123 for( i = 16; i > 0; i-- )
1124 if( ++nonce_counter[i - 1] != 0 )
1125 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1126 }
1127 c = *input++;
1128 *output++ = (unsigned char)( c ^ stream_block[n] );
1129
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1130 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1131 }
1132
1133 *nc_off = n;
1134
1135 return( 0 );
1136}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1137#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1138
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1139#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1140
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1141#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1142/*
1143 * AES test vectors from:
1144 *
1145 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1146 */
1147static const unsigned char aes_test_ecb_dec[3][16] =
1148{
1149 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1150 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1151 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1152 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1153 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1154 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1155};
1156
1157static const unsigned char aes_test_ecb_enc[3][16] =
1158{
1159 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1160 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1161 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1162 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1163 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1164 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1165};
1166
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1167#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1168static const unsigned char aes_test_cbc_dec[3][16] =
1169{
1170 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1171 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1172 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1173 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1174 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1175 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1176};
1177
1178static const unsigned char aes_test_cbc_enc[3][16] =
1179{
1180 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1181 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1182 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1183 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1184 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1185 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1186};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1187#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1188
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1189#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1190/*
1191 * AES-CFB128 test vectors from:
1192 *
1193 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1194 */
1195static const unsigned char aes_test_cfb128_key[3][32] =
1196{
1197 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1198 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1199 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1200 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1201 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1202 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1203 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1204 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1205 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1206};
1207
1208static const unsigned char aes_test_cfb128_iv[16] =
1209{
1210 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1211 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1212};
1213
1214static const unsigned char aes_test_cfb128_pt[64] =
1215{
1216 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1217 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1218 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1219 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1220 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1221 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1222 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1223 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1224};
1225
1226static const unsigned char aes_test_cfb128_ct[3][64] =
1227{
1228 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1229 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1230 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1231 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1232 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1233 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1234 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1235 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1236 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1237 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1238 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1239 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1240 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1241 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1242 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1243 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1244 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1245 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1246 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1247 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1248 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1249 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1250 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1251 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1252};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1253#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1254
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1255#if defined(MBEDTLS_CIPHER_MODE_OFB)
1256/*
1257 * AES-OFB test vectors from:
1258 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1259 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1260 */
1261static const unsigned char aes_test_ofb_key[3][32] =
1262{
1263 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1264 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1265 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1266 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1267 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1268 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1269 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1270 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1271 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1272};
1273
1274static const unsigned char aes_test_ofb_iv[16] =
1275{
1276 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1277 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1278};
1279
1280static const unsigned char aes_test_ofb_pt[64] =
1281{
1282 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1283 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1284 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1285 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1286 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1287 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1288 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1289 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1290};
1291
1292static const unsigned char aes_test_ofb_ct[3][64] =
1293{
1294 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1295 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1296 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1297 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1298 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1299 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1300 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1301 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1302 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1303 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1304 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1305 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1306 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1307 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1308 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1309 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1310 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1311 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1312 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1313 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1314 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1315 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1316 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1317 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1318};
1319#endif /* MBEDTLS_CIPHER_MODE_OFB */
1320
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1321#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1322/*
1323 * AES-CTR test vectors from:
1324 *
1325 * http://www.faqs.org/rfcs/rfc3686.html
1326 */
1327
1328static const unsigned char aes_test_ctr_key[3][16] =
1329{
1330 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1331 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1332 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1333 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1334 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1335 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1336};
1337
1338static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1339{
1340 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1341 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1342 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1343 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1344 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1345 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1346};
1347
1348static const unsigned char aes_test_ctr_pt[3][48] =
1349{
1350 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1351 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1352
1353 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1354 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1355 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1356 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1357
1358 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1359 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1360 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1361 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1362 0x20, 0x21, 0x22, 0x23 }
1363};
1364
1365static const unsigned char aes_test_ctr_ct[3][48] =
1366{
1367 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1368 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1369 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1370 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1371 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1372 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1373 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1374 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1375 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1376 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1377 0x25, 0xB2, 0x07, 0x2F }
1378};
1379
1380static const int aes_test_ctr_len[3] =
1381 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1382#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1383
1384/*
1385 * Checkup routine
1386 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1387int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1388{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1389 int ret = 0, i, j, u, mode;
1390 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1391 unsigned char key[32];
1392 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1393 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1394#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1395 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1396#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1397#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1398 unsigned char prv[16];
1399#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame^]1400#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1401 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1402 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1403#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1404#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1405 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1406 unsigned char nonce_counter[16];
1407 unsigned char stream_block[16];
1408#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1409 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1410
1411 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1412 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1413
1414 /*
1415 * ECB mode
1416 */
1417 for( i = 0; i < 6; i++ )
1418 {
1419 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1420 keybits = 128 + u * 64;
1421 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1422
1423 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1424 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1425 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1426
1427 memset( buf, 0, 16 );
1428
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1429 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1430 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1431 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1432 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1433 }
1434 else
1435 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1436 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1437 aes_tests = aes_test_ecb_enc[u];
1438 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1439
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1440 /*
1441 * AES-192 is an optional feature that may be unavailable when
1442 * there is an alternative underlying implementation i.e. when
1443 * MBEDTLS_AES_ALT is defined.
1444 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1445 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1446 {
1447 mbedtls_printf( "skipped\n" );
1448 continue;
1449 }
1450 else if( ret != 0 )
1451 {
1452 goto exit;
1453 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1454
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1455 for( j = 0; j < 10000; j++ )
1456 {
1457 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1458 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1459 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1460 }
1461
1462 if( memcmp( buf, aes_tests, 16 ) != 0 )
1463 {
1464 ret = 1;
1465 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1466 }
1467
1468 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1469 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1470 }
1471
1472 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1474
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1475#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1476 /*
1477 * CBC mode
1478 */
1479 for( i = 0; i < 6; i++ )
1480 {
1481 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1482 keybits = 128 + u * 64;
1483 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1484
1485 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1486 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1487 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1488
1489 memset( iv , 0, 16 );
1490 memset( prv, 0, 16 );
1491 memset( buf, 0, 16 );
1492
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1493 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1494 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1495 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1496 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1497 }
1498 else
1499 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1500 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1501 aes_tests = aes_test_cbc_enc[u];
1502 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1503
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1504 /*
1505 * AES-192 is an optional feature that may be unavailable when
1506 * there is an alternative underlying implementation i.e. when
1507 * MBEDTLS_AES_ALT is defined.
1508 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1509 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1510 {
1511 mbedtls_printf( "skipped\n" );
1512 continue;
1513 }
1514 else if( ret != 0 )
1515 {
1516 goto exit;
1517 }
1518
1519 for( j = 0; j < 10000; j++ )
1520 {
1521 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522 {
1523 unsigned char tmp[16];
1524
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1525 memcpy( tmp, prv, 16 );
1526 memcpy( prv, buf, 16 );
1527 memcpy( buf, tmp, 16 );
1528 }
1529
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1530 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1531 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1532 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1533
1534 }
1535
1536 if( memcmp( buf, aes_tests, 16 ) != 0 )
1537 {
1538 ret = 1;
1539 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1540 }
1541
1542 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544 }
1545
1546 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1547 mbedtls_printf( "\n" );
1548#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1550#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1551 /*
1552 * CFB128 mode
1553 */
1554 for( i = 0; i < 6; i++ )
1555 {
1556 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1557 keybits = 128 + u * 64;
1558 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1559
1560 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1561 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1562 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1563
1564 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1565 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1566
1567 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1568 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1569 /*
1570 * AES-192 is an optional feature that may be unavailable when
1571 * there is an alternative underlying implementation i.e. when
1572 * MBEDTLS_AES_ALT is defined.
1573 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1574 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1575 {
1576 mbedtls_printf( "skipped\n" );
1577 continue;
1578 }
1579 else if( ret != 0 )
1580 {
1581 goto exit;
1582 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1583
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1584 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1585 {
1586 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1587 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1588 }
1589 else
1590 {
1591 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1592 aes_tests = aes_test_cfb128_ct[u];
1593 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1594
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1595 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1596 if( ret != 0 )
1597 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1598
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1599 if( memcmp( buf, aes_tests, 64 ) != 0 )
1600 {
1601 ret = 1;
1602 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1603 }
1604
1605 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1606 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1607 }
1608
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1609 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1610 mbedtls_printf( "\n" );
1611#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1612
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1613#if defined(MBEDTLS_CIPHER_MODE_OFB)
1614 /*
1615 * OFB mode
1616 */
1617 for( i = 0; i < 6; i++ )
1618 {
1619 u = i >> 1;
1620 keybits = 128 + u * 64;
1621 mode = i & 1;
1622
1623 if( verbose != 0 )
1624 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
1625 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1626
1627 memcpy( iv, aes_test_ofb_iv, 16 );
1628 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1629
1630 offset = 0;
1631 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1632 /*
1633 * AES-192 is an optional feature that may be unavailable when
1634 * there is an alternative underlying implementation i.e. when
1635 * MBEDTLS_AES_ALT is defined.
1636 */
1637 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1638 {
1639 mbedtls_printf( "skipped\n" );
1640 continue;
1641 }
1642 else if( ret != 0 )
1643 {
1644 goto exit;
1645 }
1646
1647 if( mode == MBEDTLS_AES_DECRYPT )
1648 {
1649 memcpy( buf, aes_test_ofb_ct[u], 64 );
1650 aes_tests = aes_test_ofb_pt;
1651 }
1652 else
1653 {
1654 memcpy( buf, aes_test_ofb_pt, 64 );
1655 aes_tests = aes_test_ofb_ct[u];
1656 }
1657
1658 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1659 if( ret != 0 )
1660 goto exit;
1661
1662 if( memcmp( buf, aes_tests, 64 ) != 0 )
1663 {
1664 ret = 1;
1665 goto exit;
1666 }
1667
1668 if( verbose != 0 )
1669 mbedtls_printf( "passed\n" );
1670 }
1671
1672 if( verbose != 0 )
1673 mbedtls_printf( "\n" );
1674#endif /* MBEDTLS_CIPHER_MODE_OFB */
1675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1676#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1677 /*
1678 * CTR mode
1679 */
1680 for( i = 0; i < 6; i++ )
1681 {
1682 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1683 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1684
1685 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1686 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1687 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1688
1689 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1690 memcpy( key, aes_test_ctr_key[u], 16 );
1691
1692 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1693 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1694 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1695
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1696 len = aes_test_ctr_len[u];
1697
1698 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1699 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1700 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1701 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1702 }
1703 else
1704 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1705 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1706 aes_tests = aes_test_ctr_ct[u];
1707 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1708
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1709 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1710 stream_block, buf, buf );
1711 if( ret != 0 )
1712 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1713
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1714 if( memcmp( buf, aes_tests, len ) != 0 )
1715 {
1716 ret = 1;
1717 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1718 }
1719
1720 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1721 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1722 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1723
1724 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1725 mbedtls_printf( "\n" );
1726#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1727
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1728 ret = 0;
1729
1730exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1731 if( ret != 0 && verbose != 0 )
1732 mbedtls_printf( "failed\n" );
1733
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1734 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1735
1736 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1737}
1738
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1739#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1740
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1741#endif /* MBEDTLS_AES_C */