TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fd13a0f85195cc5cf7e0d650713935b88a28ac52 / . / library / aes.c
blob: 56dc5cf25599d57969645387a0a4f876f57dc75e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Chris Jones16dbaeb2021-03-09 17:47:55 +0000[diff] [blame]37#include "padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Chris Jones187782f2021-03-09 17:28:35 +0000[diff] [blame]40#include "aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]44
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]46
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]47#if defined(MBEDTLS_PADLOCK_C) && \
48 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]49static int aes_padlock_ace = -1;
50#endif
51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53/*
54 * Forward S-box
55 */
56static const unsigned char FSb[256] =
57{
58 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
59 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
60 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
61 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
62 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
63 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
64 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
65 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
66 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
67 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
68 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
69 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
70 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
71 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
72 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
73 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
74 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
75 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
76 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
77 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
78 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
79 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
80 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
81 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
82 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
83 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
84 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
85 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
86 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
87 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
88 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
89 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
90};
91
92/*
93 * Forward tables
94 */
95#define FT \
96\
97 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
98 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
99 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
100 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
101 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
102 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
103 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
104 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
105 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
106 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
107 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
108 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
109 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
110 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
111 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
112 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
113 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
114 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
115 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
116 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
117 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
118 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
119 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
120 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
121 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
122 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
123 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
124 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
125 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
126 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
127 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
128 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
129 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
130 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
131 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
132 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
133 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
134 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
135 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
136 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
137 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
138 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
139 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
140 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
141 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
142 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
143 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
144 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
145 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
146 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
147 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
148 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
149 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
150 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
151 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
152 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
153 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
154 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
155 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
156 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
157 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
158 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
159 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
160 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
161
162#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]163static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]164#undef V
165
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]166#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]167
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]168#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]169static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]170#undef V
171
172#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]173static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]174#undef V
175
176#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]177static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]178#undef V
179
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]180#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]181
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]182#undef FT
183
184/*
185 * Reverse S-box
186 */
187static const unsigned char RSb[256] =
188{
189 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
190 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
191 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
192 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
193 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
194 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
195 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
196 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
197 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
198 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
199 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
200 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
201 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
202 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
203 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
204 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
205 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
206 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
207 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
208 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
209 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
210 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
211 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
212 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
213 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
214 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
215 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
216 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
217 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
218 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
219 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
220 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
221};
222
223/*
224 * Reverse tables
225 */
226#define RT \
227\
228 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
229 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
230 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
231 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
232 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
233 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
234 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
235 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
236 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
237 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
238 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
239 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
240 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
241 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
242 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
243 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
244 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
245 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
246 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
247 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
248 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
249 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
250 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
251 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
252 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
253 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
254 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
255 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
256 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
257 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
258 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
259 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
260 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
261 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
262 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
263 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
264 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
265 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
266 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
267 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
268 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
269 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
270 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
271 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
272 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
273 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
274 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
275 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
276 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
277 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
278 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
279 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
280 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
281 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
282 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
283 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
284 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
285 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
286 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
287 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
288 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
289 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
290 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
291 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
292
293#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]294static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]295#undef V
296
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]297#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]298
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]299#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]300static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]301#undef V
302
303#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]304static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]305#undef V
306
307#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]308static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]309#undef V
310
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]311#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]312
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]313#undef RT
314
315/*
316 * Round constants
317 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]318static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319{
320 0x00000001, 0x00000002, 0x00000004, 0x00000008,
321 0x00000010, 0x00000020, 0x00000040, 0x00000080,
322 0x0000001B, 0x00000036
323};
324
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]325#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326
327/*
328 * Forward S-box & tables
329 */
330static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]331static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]332#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]333static uint32_t FT1[256];
334static uint32_t FT2[256];
335static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]336#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337
338/*
339 * Reverse S-box & tables
340 */
341static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]343#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static uint32_t RT1[256];
345static uint32_t RT2[256];
346static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]347#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]348
349/*
350 * Round constants
351 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]352static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353
354/*
355 * Tables generation code
356 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]357#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
358#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]359#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361static int aes_init_done = 0;
362
363static void aes_gen_tables( void )
364{
365 int i, x, y, z;
366 int pow[256];
367 int log[256];
368
369 /*
370 * compute pow and log tables over GF(2^8)
371 */
372 for( i = 0, x = 1; i < 256; i++ )
373 {
374 pow[i] = x;
375 log[x] = i;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]376 x = MBEDTLS_BYTE_0( x ^ XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]377 }
378
379 /*
380 * calculate the round constants
381 */
382 for( i = 0, x = 1; i < 10; i++ )
383 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384 RCON[i] = (uint32_t) x;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]385 x = MBEDTLS_BYTE_0( XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386 }
387
388 /*
389 * generate the forward and reverse S-boxes
390 */
391 FSb[0x00] = 0x63;
392 RSb[0x63] = 0x00;
393
394 for( i = 1; i < 256; i++ )
395 {
396 x = pow[255 - log[i]];
397
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]398 y = x; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
399 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
400 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
401 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402 x ^= y ^ 0x63;
403
404 FSb[i] = (unsigned char) x;
405 RSb[x] = (unsigned char) i;
406 }
407
408 /*
409 * generate the forward and reverse tables
410 */
411 for( i = 0; i < 256; i++ )
412 {
413 x = FSb[i];
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]414 y = MBEDTLS_BYTE_0( XTIME( x ) );
415 z = MBEDTLS_BYTE_0( y ^ x );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]416
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]417 FT0[i] = ( (uint32_t) y ) ^
418 ( (uint32_t) x << 8 ) ^
419 ( (uint32_t) x << 16 ) ^
420 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]422#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423 FT1[i] = ROTL8( FT0[i] );
424 FT2[i] = ROTL8( FT1[i] );
425 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]426#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]427
428 x = RSb[i];
429
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]430 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
431 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
432 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
433 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]435#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 RT1[i] = ROTL8( RT0[i] );
437 RT2[i] = ROTL8( RT1[i] );
438 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]439#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 }
441}
442
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]443#undef ROTL8
444
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]445#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]446
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]447#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]448
449#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
450#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
451#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
452
453#define AES_RT0(idx) RT0[idx]
454#define AES_RT1(idx) ROTL8( RT0[idx] )
455#define AES_RT2(idx) ROTL16( RT0[idx] )
456#define AES_RT3(idx) ROTL24( RT0[idx] )
457
458#define AES_FT0(idx) FT0[idx]
459#define AES_FT1(idx) ROTL8( FT0[idx] )
460#define AES_FT2(idx) ROTL16( FT0[idx] )
461#define AES_FT3(idx) ROTL24( FT0[idx] )
462
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]463#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]464
465#define AES_RT0(idx) RT0[idx]
466#define AES_RT1(idx) RT1[idx]
467#define AES_RT2(idx) RT2[idx]
468#define AES_RT3(idx) RT3[idx]
469
470#define AES_FT0(idx) FT0[idx]
471#define AES_FT1(idx) FT1[idx]
472#define AES_FT2(idx) FT2[idx]
473#define AES_FT3(idx) FT3[idx]
474
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]475#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]477void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]478{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]480}
481
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]482void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]483{
484 if( ctx == NULL )
485 return;
486
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]487 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]488}
489
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]490#if defined(MBEDTLS_CIPHER_MODE_XTS)
491void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
492{
493 mbedtls_aes_init( &ctx->crypt );
494 mbedtls_aes_init( &ctx->tweak );
495}
496
497void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
498{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]499 if( ctx == NULL )
500 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]501
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]502 mbedtls_aes_free( &ctx->crypt );
503 mbedtls_aes_free( &ctx->tweak );
504}
505#endif /* MBEDTLS_CIPHER_MODE_XTS */
506
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]507/*
508 * AES key schedule (encryption)
509 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]510#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]512 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]513{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]514 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]515 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]517 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518 {
519 case 128: ctx->nr = 10; break;
520 case 192: ctx->nr = 12; break;
521 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523 }
524
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]525#if !defined(MBEDTLS_AES_ROM_TABLES)
526 if( aes_init_done == 0 )
527 {
528 aes_gen_tables();
529 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]530 }
531#endif
532
Werner Lewis7656a372022-06-13 12:28:20 +0100[diff] [blame]533 ctx->rk_offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]534#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]535 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]536 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]537
538 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]539 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]540#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]541 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]543#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]544 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]545 return( mbedtls_aesni_setkey_enc( (unsigned char *) RK, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]546#endif
547
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]548 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549 {
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]550 RK[i] = MBEDTLS_GET_UINT32_LE( key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551 }
552
553 switch( ctx->nr )
554 {
555 case 10:
556
557 for( i = 0; i < 10; i++, RK += 4 )
558 {
559 RK[4] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]560 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[3] ) ] ) ^
561 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[3] ) ] << 8 ) ^
562 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[3] ) ] << 16 ) ^
563 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[3] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
565 RK[5] = RK[1] ^ RK[4];
566 RK[6] = RK[2] ^ RK[5];
567 RK[7] = RK[3] ^ RK[6];
568 }
569 break;
570
571 case 12:
572
573 for( i = 0; i < 8; i++, RK += 6 )
574 {
575 RK[6] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]576 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[5] ) ] ) ^
577 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[5] ) ] << 8 ) ^
578 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[5] ) ] << 16 ) ^
579 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[5] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]580
581 RK[7] = RK[1] ^ RK[6];
582 RK[8] = RK[2] ^ RK[7];
583 RK[9] = RK[3] ^ RK[8];
584 RK[10] = RK[4] ^ RK[9];
585 RK[11] = RK[5] ^ RK[10];
586 }
587 break;
588
589 case 14:
590
591 for( i = 0; i < 7; i++, RK += 8 )
592 {
593 RK[8] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]594 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[7] ) ] ) ^
595 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[7] ) ] << 8 ) ^
596 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[7] ) ] << 16 ) ^
597 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[7] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598
599 RK[9] = RK[1] ^ RK[8];
600 RK[10] = RK[2] ^ RK[9];
601 RK[11] = RK[3] ^ RK[10];
602
603 RK[12] = RK[4] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]604 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[11] ) ] ) ^
605 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[11] ) ] << 8 ) ^
606 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[11] ) ] << 16 ) ^
607 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[11] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]608
609 RK[13] = RK[5] ^ RK[12];
610 RK[14] = RK[6] ^ RK[13];
611 RK[15] = RK[7] ^ RK[14];
612 }
613 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]615
616 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]617}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]618#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]619
620/*
621 * AES key schedule (decryption)
622 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]623#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]624int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]625 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]626{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]627 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]628 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]629 uint32_t *RK;
630 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]631
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]632 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633
Werner Lewis7656a372022-06-13 12:28:20 +0100[diff] [blame]634 ctx->rk_offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]636 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]637 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]638
639 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]640 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]642 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]643
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]644 /* Also checks keybits */
645 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]646 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]647
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]648 ctx->nr = cty.nr;
649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]650#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]651 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]652 {
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]653 mbedtls_aesni_inverse_key( (unsigned char *) RK,
654 (const unsigned char *) ( cty.buf + cty.rk_offset ), ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]655 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]656 }
657#endif
658
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]659 SK = cty.buf + cty.rk_offset + cty.nr * 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660
661 *RK++ = *SK++;
662 *RK++ = *SK++;
663 *RK++ = *SK++;
664 *RK++ = *SK++;
665
666 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
667 {
668 for( j = 0; j < 4; j++, SK++ )
669 {
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]670 *RK++ = AES_RT0( FSb[ MBEDTLS_BYTE_0( *SK ) ] ) ^
671 AES_RT1( FSb[ MBEDTLS_BYTE_1( *SK ) ] ) ^
672 AES_RT2( FSb[ MBEDTLS_BYTE_2( *SK ) ] ) ^
673 AES_RT3( FSb[ MBEDTLS_BYTE_3( *SK ) ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674 }
675 }
676
677 *RK++ = *SK++;
678 *RK++ = *SK++;
679 *RK++ = *SK++;
680 *RK++ = *SK++;
681
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]682exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]683 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]684
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]685 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]686}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]687#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]688
689#if defined(MBEDTLS_CIPHER_MODE_XTS)
690static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
691 unsigned int keybits,
692 const unsigned char **key1,
693 unsigned int *key1bits,
694 const unsigned char **key2,
695 unsigned int *key2bits )
696{
697 const unsigned int half_keybits = keybits / 2;
698 const unsigned int half_keybytes = half_keybits / 8;
699
700 switch( keybits )
701 {
702 case 256: break;
703 case 512: break;
704 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
705 }
706
707 *key1bits = half_keybits;
708 *key2bits = half_keybits;
709 *key1 = &key[0];
710 *key2 = &key[half_keybytes];
711
712 return 0;
713}
714
715int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
716 const unsigned char *key,
717 unsigned int keybits)
718{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]719 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]720 const unsigned char *key1, *key2;
721 unsigned int key1bits, key2bits;
722
723 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
724 &key2, &key2bits );
725 if( ret != 0 )
726 return( ret );
727
728 /* Set the tweak key. Always set tweak key for the encryption mode. */
729 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
730 if( ret != 0 )
731 return( ret );
732
733 /* Set crypt key for encryption. */
734 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
735}
736
737int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
738 const unsigned char *key,
739 unsigned int keybits)
740{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]741 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]742 const unsigned char *key1, *key2;
743 unsigned int key1bits, key2bits;
744
745 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
746 &key2, &key2bits );
747 if( ret != 0 )
748 return( ret );
749
750 /* Set the tweak key. Always set tweak key for encryption. */
751 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
752 if( ret != 0 )
753 return( ret );
754
755 /* Set crypt key for decryption. */
756 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
757}
758#endif /* MBEDTLS_CIPHER_MODE_XTS */
759
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]760#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
761 do \
762 { \
763 (X0) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
764 AES_FT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
765 AES_FT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
766 AES_FT3( MBEDTLS_BYTE_3( Y3 ) ); \
767 \
768 (X1) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
769 AES_FT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
770 AES_FT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
771 AES_FT3( MBEDTLS_BYTE_3( Y0 ) ); \
772 \
773 (X2) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
774 AES_FT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
775 AES_FT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
776 AES_FT3( MBEDTLS_BYTE_3( Y1 ) ); \
777 \
778 (X3) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
779 AES_FT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
780 AES_FT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
781 AES_FT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]782 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]783
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]784#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
785 do \
786 { \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]787 (X0) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
788 AES_RT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
789 AES_RT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
790 AES_RT3( MBEDTLS_BYTE_3( Y1 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]791 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]792 (X1) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
793 AES_RT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
794 AES_RT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
795 AES_RT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]796 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]797 (X2) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
798 AES_RT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
799 AES_RT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
800 AES_RT3( MBEDTLS_BYTE_3( Y3 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]801 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]802 (X3) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
803 AES_RT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
804 AES_RT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
805 AES_RT3( MBEDTLS_BYTE_3( Y0 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]806 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]807
808/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]809 * AES-ECB block encryption
810 */
811#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]812int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
813 const unsigned char input[16],
814 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]815{
816 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]817 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]818 struct
819 {
820 uint32_t X[4];
821 uint32_t Y[4];
822 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]823
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]824 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
825 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
826 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
827 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]828
829 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
830 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]831 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
832 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]833 }
834
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]835 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]836
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]837 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]838 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
839 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
840 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
841 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]842
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]843 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]844 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
845 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
846 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
847 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]848
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]849 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]850 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
851 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
852 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
853 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]854
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]855 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]856 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
857 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
858 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
859 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]860
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]861 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
862 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
863 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
864 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]865
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]866 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]867
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]868 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]869}
870#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
871
872/*
873 * AES-ECB block decryption
874 */
875#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]876int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
877 const unsigned char input[16],
878 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]879{
880 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]881 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]882 struct
883 {
884 uint32_t X[4];
885 uint32_t Y[4];
886 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]887
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]888 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
889 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
890 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
891 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]892
893 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
894 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]895 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
896 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]897 }
898
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]899 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]900
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]901 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]902 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
903 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
904 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
905 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]906
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]907 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]908 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
909 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
910 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
911 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]912
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]913 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]914 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
915 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
916 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
917 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]918
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]919 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]920 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
921 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
922 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
923 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]924
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]925 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
926 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
927 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
928 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]929
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]930 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]931
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]932 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]933}
934#endif /* !MBEDTLS_AES_DECRYPT_ALT */
935
936/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]937 * AES-ECB block encryption/decryption
938 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]939int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]940 int mode,
941 const unsigned char input[16],
942 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]943{
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]944 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
945 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]946
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]947#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]948 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]949 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]950#endif
951
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]952#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]953 if( aes_padlock_ace > 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]954 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]955 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]956 return( 0 );
957
958 // If padlock data misaligned, we just fall back to
959 // unaccelerated mode
960 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]961 }
962#endif
963
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]964 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]965 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]966 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]967 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]968}
969
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]970#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971/*
972 * AES-CBC buffer encryption/decryption
973 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]974int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]975 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]976 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]977 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]978 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]979 unsigned char *output )
980{
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]981 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 unsigned char temp[16];
983
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]984 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
985 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]986
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]987 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]988 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]989
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]990#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]991 if( aes_padlock_ace > 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]993 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]994 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]995
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]996 // If padlock data misaligned, we just fall back to
997 // unaccelerated mode
998 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999 }
1000#endif
1001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1003 {
1004 while( length > 0 )
1005 {
1006 memcpy( temp, input, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1007 ret = mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1008 if( ret != 0 )
1009 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1010
Dave Rodgmana8cf6072022-11-22 15:02:54 +0000[diff] [blame]1011 mbedtls_xor( output, output, iv, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1012
1013 memcpy( iv, temp, 16 );
1014
1015 input += 16;
1016 output += 16;
1017 length -= 16;
1018 }
1019 }
1020 else
1021 {
1022 while( length > 0 )
1023 {
Dave Rodgmana8cf6072022-11-22 15:02:54 +0000[diff] [blame]1024 mbedtls_xor( output, input, iv, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1025
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1026 ret = mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1027 if( ret != 0 )
1028 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1029 memcpy( iv, output, 16 );
1030
1031 input += 16;
1032 output += 16;
1033 length -= 16;
1034 }
1035 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1036 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1037
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1038exit:
1039 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1040}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1042
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1043#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1044
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1045typedef unsigned char mbedtls_be128[16];
1046
1047/*
1048 * GF(2^128) multiplication function
1049 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1050 * This function multiplies a field element by x in the polynomial field
1051 * representation. It uses 64-bit word operations to gain speed but compensates
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1052 * for machine endianness and hence works correctly on both big and little
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1053 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1054 */
1055static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1056 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1057{
1058 uint64_t a, b, ra, rb;
1059
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1060 a = MBEDTLS_GET_UINT64_LE( x, 0 );
1061 b = MBEDTLS_GET_UINT64_LE( x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1062
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1063 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1064 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1065
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1066 MBEDTLS_PUT_UINT64_LE( ra, r, 0 );
1067 MBEDTLS_PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1068}
1069
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1070/*
1071 * AES-XTS buffer encryption/decryption
1072 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1073int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1074 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1075 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1076 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1077 const unsigned char *input,
1078 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1079{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1080 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1081 size_t blocks = length / 16;
1082 size_t leftover = length % 16;
1083 unsigned char tweak[16];
1084 unsigned char prev_tweak[16];
1085 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1086
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1087 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1088 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1089
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1090 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1091 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1092 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1093
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1094 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1095 if( length > ( 1 << 20 ) * 16 )
1096 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1097
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1098 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1099 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1100 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1101 if( ret != 0 )
1102 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1103
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1104 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1105 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1106 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1107 {
1108 /* We are on the last block in a decrypt operation that has
1109 * leftover bytes, so we need to use the next tweak for this block,
Tom Cosgrove1797b052022-12-04 17:19:59 +0000[diff] [blame]1110 * and this tweak for the leftover bytes. Save the current tweak for
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1111 * the leftovers and then update the current tweak for use on this,
1112 * the last full block. */
1113 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1114 mbedtls_gf128mul_x_ble( tweak, tweak );
1115 }
1116
Dave Rodgmana8cf6072022-11-22 15:02:54 +0000[diff] [blame]1117 mbedtls_xor( tmp, input, tweak, 16 );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1118
1119 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1120 if( ret != 0 )
1121 return( ret );
1122
Dave Rodgmana8cf6072022-11-22 15:02:54 +0000[diff] [blame]1123 mbedtls_xor( output, tmp, tweak, 16 );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1124
1125 /* Update the tweak for the next block. */
1126 mbedtls_gf128mul_x_ble( tweak, tweak );
1127
1128 output += 16;
1129 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1130 }
1131
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1132 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1133 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1134 /* If we are on the leftover bytes in a decrypt operation, we need to
1135 * use the previous tweak for these bytes (as saved in prev_tweak). */
1136 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1137
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1138 /* We are now on the final part of the data unit, which doesn't divide
1139 * evenly by 16. It's time for ciphertext stealing. */
1140 size_t i;
1141 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1142
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1143 /* Copy ciphertext bytes from the previous block to our output for each
Dave Rodgman069e7f42022-11-24 19:37:26 +0000[diff] [blame]1144 * byte of ciphertext we won't steal. */
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1145 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1146 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1147 output[i] = prev_output[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1148 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1149
Dave Rodgman069e7f42022-11-24 19:37:26 +0000[diff] [blame]1150 /* Copy the remainder of the input for this final round. */
Dave Rodgmana8cf6072022-11-22 15:02:54 +0000[diff] [blame]1151 mbedtls_xor( tmp, input, t, leftover );
1152
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1153 /* Copy ciphertext bytes from the previous block for input in this
1154 * round. */
Dave Rodgmana8cf6072022-11-22 15:02:54 +0000[diff] [blame]1155 mbedtls_xor( tmp + i, prev_output + i, t + i, 16 - i );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1156
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1157 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1158 if( ret != 0 )
1159 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1160
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1161 /* Write the result back to the previous block, overriding the previous
1162 * output we copied. */
Dave Rodgmana8cf6072022-11-22 15:02:54 +0000[diff] [blame]1163 mbedtls_xor( prev_output, tmp, t, 16 );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1164 }
1165
1166 return( 0 );
1167}
1168#endif /* MBEDTLS_CIPHER_MODE_XTS */
1169
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1170#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1171/*
1172 * AES-CFB128 buffer encryption/decryption
1173 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1174int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1175 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1176 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1177 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1178 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1179 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1180 unsigned char *output )
1181{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1182 int c;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1183 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1184 size_t n;
1185
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1186 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1187 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1188
1189 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1190
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1191 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1192 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1193
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1194 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1195 {
1196 while( length-- )
1197 {
1198 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1199 {
1200 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1201 if( ret != 0 )
1202 goto exit;
1203 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1204
1205 c = *input++;
1206 *output++ = (unsigned char)( c ^ iv[n] );
1207 iv[n] = (unsigned char) c;
1208
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1209 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1210 }
1211 }
1212 else
1213 {
1214 while( length-- )
1215 {
1216 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1217 {
1218 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1219 if( ret != 0 )
1220 goto exit;
1221 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1222
1223 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1224
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1225 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1226 }
1227 }
1228
1229 *iv_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1230 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1231
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1232exit:
1233 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1234}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1235
1236/*
1237 * AES-CFB8 buffer encryption/decryption
1238 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1239int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1240 int mode,
1241 size_t length,
1242 unsigned char iv[16],
1243 const unsigned char *input,
1244 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1245{
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1246 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1247 unsigned char c;
1248 unsigned char ov[17];
1249
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1250 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1251 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1252 while( length-- )
1253 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1254 memcpy( ov, iv, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1255 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1256 if( ret != 0 )
1257 goto exit;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1258
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1259 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1260 ov[16] = *input;
1261
1262 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1263
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1264 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1265 ov[16] = c;
1266
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1267 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1268 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1269 ret = 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1270
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1271exit:
1272 return( ret );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1273}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1274#endif /* MBEDTLS_CIPHER_MODE_CFB */
1275
1276#if defined(MBEDTLS_CIPHER_MODE_OFB)
1277/*
1278 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1279 */
1280int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1281 size_t length,
1282 size_t *iv_off,
1283 unsigned char iv[16],
1284 const unsigned char *input,
1285 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1286{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1287 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1288 size_t n;
1289
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1290 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1291
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1292 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1293 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1294
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1295 while( length-- )
1296 {
1297 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1298 {
1299 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1300 if( ret != 0 )
1301 goto exit;
1302 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1303 *output++ = *input++ ^ iv[n];
1304
1305 n = ( n + 1 ) & 0x0F;
1306 }
1307
1308 *iv_off = n;
1309
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1310exit:
1311 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1312}
1313#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1315#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1316/*
1317 * AES-CTR buffer encryption/decryption
1318 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1319int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1320 size_t length,
1321 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1322 unsigned char nonce_counter[16],
1323 unsigned char stream_block[16],
1324 const unsigned char *input,
1325 unsigned char *output )
1326{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1327 int c, i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1328 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1329 size_t n;
1330
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1331 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1332
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1333 if ( n > 0x0F )
1334 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1335
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1336 while( length-- )
1337 {
1338 if( n == 0 ) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1339 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1340 if( ret != 0 )
1341 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1342
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1343 for( i = 16; i > 0; i-- )
1344 if( ++nonce_counter[i - 1] != 0 )
1345 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1346 }
1347 c = *input++;
1348 *output++ = (unsigned char)( c ^ stream_block[n] );
1349
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1350 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1351 }
1352
1353 *nc_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1354 ret = 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1355
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1356exit:
1357 return( ret );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1358}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1359#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1361#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1363#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1364/*
1365 * AES test vectors from:
1366 *
1367 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1368 */
1369static const unsigned char aes_test_ecb_dec[3][16] =
1370{
1371 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1372 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1373 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1374 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1375 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1376 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1377};
1378
1379static const unsigned char aes_test_ecb_enc[3][16] =
1380{
1381 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1382 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1383 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1384 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1385 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1386 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1387};
1388
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1389#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1390static const unsigned char aes_test_cbc_dec[3][16] =
1391{
1392 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1393 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1394 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1395 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1396 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1397 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1398};
1399
1400static const unsigned char aes_test_cbc_enc[3][16] =
1401{
1402 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1403 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1404 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1405 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1406 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1407 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1408};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1409#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1410
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1411#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412/*
1413 * AES-CFB128 test vectors from:
1414 *
1415 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1416 */
1417static const unsigned char aes_test_cfb128_key[3][32] =
1418{
1419 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1420 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1421 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1422 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1423 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1424 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1425 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1426 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1427 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1428};
1429
1430static const unsigned char aes_test_cfb128_iv[16] =
1431{
1432 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1433 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1434};
1435
1436static const unsigned char aes_test_cfb128_pt[64] =
1437{
1438 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1439 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1440 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1441 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1442 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1443 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1444 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1445 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1446};
1447
1448static const unsigned char aes_test_cfb128_ct[3][64] =
1449{
1450 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1451 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1452 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1453 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1454 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1455 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1456 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1457 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1458 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1459 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1460 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1461 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1462 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1463 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1464 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1465 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1466 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1467 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1468 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1469 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1470 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1471 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1472 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1473 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1474};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1475#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1476
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1477#if defined(MBEDTLS_CIPHER_MODE_OFB)
1478/*
1479 * AES-OFB test vectors from:
1480 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1481 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1482 */
1483static const unsigned char aes_test_ofb_key[3][32] =
1484{
1485 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1486 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1487 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1488 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1489 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1490 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1491 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1492 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1493 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1494};
1495
1496static const unsigned char aes_test_ofb_iv[16] =
1497{
1498 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1499 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1500};
1501
1502static const unsigned char aes_test_ofb_pt[64] =
1503{
1504 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1505 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1506 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1507 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1508 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1509 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1510 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1511 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1512};
1513
1514static const unsigned char aes_test_ofb_ct[3][64] =
1515{
1516 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1517 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1518 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1519 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1520 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1521 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1522 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1523 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1524 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1525 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1526 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1527 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1528 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1529 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1530 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1531 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1532 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1533 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1534 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1535 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1536 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1537 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1538 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1539 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1540};
1541#endif /* MBEDTLS_CIPHER_MODE_OFB */
1542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1544/*
1545 * AES-CTR test vectors from:
1546 *
1547 * http://www.faqs.org/rfcs/rfc3686.html
1548 */
1549
1550static const unsigned char aes_test_ctr_key[3][16] =
1551{
1552 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1553 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1554 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1555 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1556 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1557 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1558};
1559
1560static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1561{
1562 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1564 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1565 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1566 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1567 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1568};
1569
1570static const unsigned char aes_test_ctr_pt[3][48] =
1571{
1572 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1573 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1574
1575 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1576 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1577 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1578 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1579
1580 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1581 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1582 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1583 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1584 0x20, 0x21, 0x22, 0x23 }
1585};
1586
1587static const unsigned char aes_test_ctr_ct[3][48] =
1588{
1589 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1590 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1591 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1592 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1593 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1594 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1595 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1596 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1597 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1598 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1599 0x25, 0xB2, 0x07, 0x2F }
1600};
1601
1602static const int aes_test_ctr_len[3] =
1603 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1604#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1605
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1606#if defined(MBEDTLS_CIPHER_MODE_XTS)
1607/*
1608 * AES-XTS test vectors from:
1609 *
1610 * IEEE P1619/D16 Annex B
1611 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1612 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1613 */
1614static const unsigned char aes_test_xts_key[][32] =
1615{
1616 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1617 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1618 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1619 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1620 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1621 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1622 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1623 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1624 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1625 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1626 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1627 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1628};
1629
1630static const unsigned char aes_test_xts_pt32[][32] =
1631{
1632 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1633 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1636 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1637 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1638 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1639 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1640 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1641 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1642 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1643 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1644};
1645
1646static const unsigned char aes_test_xts_ct32[][32] =
1647{
1648 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1649 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1650 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1651 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1652 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1653 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1654 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1655 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1656 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1657 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1658 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1659 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1660};
1661
1662static const unsigned char aes_test_xts_data_unit[][16] =
1663{
1664 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1665 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1666 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1667 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1668 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1669 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1670};
1671
1672#endif /* MBEDTLS_CIPHER_MODE_XTS */
1673
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1674/*
1675 * Checkup routine
1676 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1677int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1679 int ret = 0, i, j, u, mode;
1680 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1681 unsigned char key[32];
1682 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1683 const unsigned char *aes_tests;
Andrzej Kurek252283f2022-09-27 07:54:16 -0400[diff] [blame]1684#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1685 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1686 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1687#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1688#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1689 unsigned char prv[16];
1690#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1691#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1692 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1693 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1694#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1695#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1696 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1697#endif
1698#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1699 unsigned char nonce_counter[16];
1700 unsigned char stream_block[16];
1701#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1702 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1703
1704 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1705 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1706
1707 /*
1708 * ECB mode
1709 */
1710 for( i = 0; i < 6; i++ )
1711 {
1712 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1713 keybits = 128 + u * 64;
1714 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1715
1716 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1717 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1718 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1719
1720 memset( buf, 0, 16 );
1721
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1722 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1723 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1724 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1725 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1726 }
1727 else
1728 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1729 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1730 aes_tests = aes_test_ecb_enc[u];
1731 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1732
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1733 /*
1734 * AES-192 is an optional feature that may be unavailable when
1735 * there is an alternative underlying implementation i.e. when
1736 * MBEDTLS_AES_ALT is defined.
1737 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1738 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1739 {
1740 mbedtls_printf( "skipped\n" );
1741 continue;
1742 }
1743 else if( ret != 0 )
1744 {
1745 goto exit;
1746 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1748 for( j = 0; j < 10000; j++ )
1749 {
1750 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1751 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1752 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1753 }
1754
1755 if( memcmp( buf, aes_tests, 16 ) != 0 )
1756 {
1757 ret = 1;
1758 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1759 }
1760
1761 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1762 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1763 }
1764
1765 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1766 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1767
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1768#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1769 /*
1770 * CBC mode
1771 */
1772 for( i = 0; i < 6; i++ )
1773 {
1774 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1775 keybits = 128 + u * 64;
1776 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1777
1778 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1779 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1780 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1781
1782 memset( iv , 0, 16 );
1783 memset( prv, 0, 16 );
1784 memset( buf, 0, 16 );
1785
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1786 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1788 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1789 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790 }
1791 else
1792 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1793 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1794 aes_tests = aes_test_cbc_enc[u];
1795 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1796
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1797 /*
1798 * AES-192 is an optional feature that may be unavailable when
1799 * there is an alternative underlying implementation i.e. when
1800 * MBEDTLS_AES_ALT is defined.
1801 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1802 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1803 {
1804 mbedtls_printf( "skipped\n" );
1805 continue;
1806 }
1807 else if( ret != 0 )
1808 {
1809 goto exit;
1810 }
1811
1812 for( j = 0; j < 10000; j++ )
1813 {
1814 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1815 {
1816 unsigned char tmp[16];
1817
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1818 memcpy( tmp, prv, 16 );
1819 memcpy( prv, buf, 16 );
1820 memcpy( buf, tmp, 16 );
1821 }
1822
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1823 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1824 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1825 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1826
1827 }
1828
1829 if( memcmp( buf, aes_tests, 16 ) != 0 )
1830 {
1831 ret = 1;
1832 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833 }
1834
1835 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1836 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1837 }
1838
1839 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1840 mbedtls_printf( "\n" );
1841#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1843#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1844 /*
1845 * CFB128 mode
1846 */
1847 for( i = 0; i < 6; i++ )
1848 {
1849 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1850 keybits = 128 + u * 64;
1851 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852
1853 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1854 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1855 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1856
1857 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1858 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859
1860 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1861 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1862 /*
1863 * AES-192 is an optional feature that may be unavailable when
1864 * there is an alternative underlying implementation i.e. when
1865 * MBEDTLS_AES_ALT is defined.
1866 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1867 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1868 {
1869 mbedtls_printf( "skipped\n" );
1870 continue;
1871 }
1872 else if( ret != 0 )
1873 {
1874 goto exit;
1875 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1877 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878 {
1879 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1880 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881 }
1882 else
1883 {
1884 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1885 aes_tests = aes_test_cfb128_ct[u];
1886 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1887
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1888 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1889 if( ret != 0 )
1890 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1891
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1892 if( memcmp( buf, aes_tests, 64 ) != 0 )
1893 {
1894 ret = 1;
1895 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896 }
1897
1898 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1899 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900 }
1901
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1902 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1903 mbedtls_printf( "\n" );
1904#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1905
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1906#if defined(MBEDTLS_CIPHER_MODE_OFB)
1907 /*
1908 * OFB mode
1909 */
1910 for( i = 0; i < 6; i++ )
1911 {
1912 u = i >> 1;
1913 keybits = 128 + u * 64;
1914 mode = i & 1;
1915
1916 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1917 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1918 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1919
1920 memcpy( iv, aes_test_ofb_iv, 16 );
1921 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1922
1923 offset = 0;
1924 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1925 /*
1926 * AES-192 is an optional feature that may be unavailable when
1927 * there is an alternative underlying implementation i.e. when
1928 * MBEDTLS_AES_ALT is defined.
1929 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1930 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1931 {
1932 mbedtls_printf( "skipped\n" );
1933 continue;
1934 }
1935 else if( ret != 0 )
1936 {
1937 goto exit;
1938 }
1939
1940 if( mode == MBEDTLS_AES_DECRYPT )
1941 {
1942 memcpy( buf, aes_test_ofb_ct[u], 64 );
1943 aes_tests = aes_test_ofb_pt;
1944 }
1945 else
1946 {
1947 memcpy( buf, aes_test_ofb_pt, 64 );
1948 aes_tests = aes_test_ofb_ct[u];
1949 }
1950
1951 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1952 if( ret != 0 )
1953 goto exit;
1954
1955 if( memcmp( buf, aes_tests, 64 ) != 0 )
1956 {
1957 ret = 1;
1958 goto exit;
1959 }
1960
1961 if( verbose != 0 )
1962 mbedtls_printf( "passed\n" );
1963 }
1964
1965 if( verbose != 0 )
1966 mbedtls_printf( "\n" );
1967#endif /* MBEDTLS_CIPHER_MODE_OFB */
1968
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1970 /*
1971 * CTR mode
1972 */
1973 for( i = 0; i < 6; i++ )
1974 {
1975 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1976 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1977
1978 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1979 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1980 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1981
1982 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1983 memcpy( key, aes_test_ctr_key[u], 16 );
1984
1985 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1986 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1987 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1988
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1989 len = aes_test_ctr_len[u];
1990
1991 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1992 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1993 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1994 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1995 }
1996 else
1997 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1998 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1999 aes_tests = aes_test_ctr_ct[u];
2000 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2001
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2002 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2003 stream_block, buf, buf );
2004 if( ret != 0 )
2005 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2006
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2007 if( memcmp( buf, aes_tests, len ) != 0 )
2008 {
2009 ret = 1;
2010 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2011 }
2012
2013 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2014 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2015 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016
2017 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2018 mbedtls_printf( "\n" );
2019#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2020
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2021#if defined(MBEDTLS_CIPHER_MODE_XTS)
2022 {
2023 static const int num_tests =
2024 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2025 mbedtls_aes_xts_context ctx_xts;
2026
2027 /*
2028 * XTS mode
2029 */
2030 mbedtls_aes_xts_init( &ctx_xts );
2031
2032 for( i = 0; i < num_tests << 1; i++ )
2033 {
2034 const unsigned char *data_unit;
2035 u = i >> 1;
2036 mode = i & 1;
2037
2038 if( verbose != 0 )
2039 mbedtls_printf( " AES-XTS-128 (%s): ",
2040 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2041
2042 memset( key, 0, sizeof( key ) );
2043 memcpy( key, aes_test_xts_key[u], 32 );
2044 data_unit = aes_test_xts_data_unit[u];
2045
2046 len = sizeof( *aes_test_xts_ct32 );
2047
2048 if( mode == MBEDTLS_AES_DECRYPT )
2049 {
2050 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2051 if( ret != 0)
2052 goto exit;
2053 memcpy( buf, aes_test_xts_ct32[u], len );
2054 aes_tests = aes_test_xts_pt32[u];
2055 }
2056 else
2057 {
2058 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2059 if( ret != 0)
2060 goto exit;
2061 memcpy( buf, aes_test_xts_pt32[u], len );
2062 aes_tests = aes_test_xts_ct32[u];
2063 }
2064
2065
2066 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2067 buf, buf );
2068 if( ret != 0 )
2069 goto exit;
2070
2071 if( memcmp( buf, aes_tests, len ) != 0 )
2072 {
2073 ret = 1;
2074 goto exit;
2075 }
2076
2077 if( verbose != 0 )
2078 mbedtls_printf( "passed\n" );
2079 }
2080
2081 if( verbose != 0 )
2082 mbedtls_printf( "\n" );
2083
2084 mbedtls_aes_xts_free( &ctx_xts );
2085 }
2086#endif /* MBEDTLS_CIPHER_MODE_XTS */
2087
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2088 ret = 0;
2089
2090exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2091 if( ret != 0 && verbose != 0 )
2092 mbedtls_printf( "failed\n" );
2093
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2094 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2095
2096 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2097}
2098
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2099#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2100
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2101#endif /* MBEDTLS_AES_C */