TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 44bfbe3b951e4358c423190ec668019153a03232 / . / library / aes.c
blob: e0c7a11c38e44aa17fe5f6146420a8923098caeb [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti44bfbe32020-08-19 16:54:51 +0200[diff] [blame^]4 * Copyright The Mbed TLS Contributors
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45 */
46/*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]54#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]55#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]61#include <string.h>
62
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]63#include "mbedtls/aes.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]64#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]65#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]66#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]67#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]68#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]69#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]71#if defined(MBEDTLS_SELF_TEST)
72#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]73#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]74#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]75#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]76#define mbedtls_printf printf
77#endif /* MBEDTLS_PLATFORM_C */
78#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]79
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]80#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]81
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]82/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]83static void mbedtls_zeroize( void *v, size_t n ) {
Simon Butcher88ffc082016-05-20 00:00:37 +0100[diff] [blame]84 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]85}
86
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]87/*
88 * 32-bit integer manipulation macros (little endian)
89 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]90#ifndef GET_UINT32_LE
91#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]92{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]93 (n) = ( (uint32_t) (b)[(i) ] ) \
94 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
95 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
96 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]97}
98#endif
99
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]100#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]101#define PUT_UINT32_LE(n,b,i) \
102{ \
103 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
104 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
105 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
106 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]107}
108#endif
109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]110#if defined(MBEDTLS_PADLOCK_C) && \
111 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]112static int aes_padlock_ace = -1;
113#endif
114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]115#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]116/*
117 * Forward S-box
118 */
119static const unsigned char FSb[256] =
120{
121 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
122 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
123 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
124 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
125 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
126 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
127 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
128 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
129 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
130 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
131 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
132 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
133 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
134 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
135 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
136 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
137 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
138 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
139 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
140 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
141 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
142 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
143 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
144 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
145 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
146 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
147 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
148 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
149 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
150 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
151 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
152 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
153};
154
155/*
156 * Forward tables
157 */
158#define FT \
159\
160 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
161 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
162 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
163 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
164 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
165 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
166 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
167 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
168 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
169 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
170 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
171 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
172 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
173 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
174 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
175 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
176 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
177 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
178 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
179 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
180 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
181 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
182 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
183 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
184 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
185 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
186 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
187 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
188 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
189 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
190 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
191 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
192 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
193 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
194 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
195 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
196 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
197 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
198 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
199 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
200 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
201 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
202 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
203 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
204 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
205 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
206 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
207 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
208 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
209 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
210 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
211 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
212 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
213 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
214 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
215 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
216 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
217 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
218 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
219 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
220 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
221 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
222 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
223 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
224
225#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]226static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]227#undef V
228
229#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]230static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]231#undef V
232
233#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]234static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]235#undef V
236
237#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]238static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]239#undef V
240
241#undef FT
242
243/*
244 * Reverse S-box
245 */
246static const unsigned char RSb[256] =
247{
248 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
249 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
250 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
251 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
252 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
253 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
254 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
255 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
256 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
257 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
258 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
259 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
260 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
261 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
262 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
263 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
264 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
265 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
266 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
267 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
268 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
269 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
270 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
271 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
272 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
273 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
274 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
275 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
276 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
277 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
278 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
279 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
280};
281
282/*
283 * Reverse tables
284 */
285#define RT \
286\
287 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
288 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
289 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
290 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
291 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
292 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
293 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
294 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
295 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
296 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
297 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
298 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
299 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
300 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
301 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
302 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
303 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
304 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
305 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
306 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
307 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
308 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
309 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
310 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
311 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
312 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
313 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
314 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
315 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
316 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
317 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
318 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
319 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
320 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
321 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
322 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
323 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
324 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
325 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
326 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
327 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
328 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
329 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
330 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
331 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
332 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
333 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
334 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
335 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
336 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
337 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
338 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
339 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
340 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
341 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
342 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
343 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
344 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
345 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
346 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
347 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
348 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
349 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
350 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
351
352#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef V
355
356#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]357static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#undef V
359
360#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]361static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362#undef V
363
364#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]365static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366#undef V
367
368#undef RT
369
370/*
371 * Round constants
372 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]373static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]374{
375 0x00000001, 0x00000002, 0x00000004, 0x00000008,
376 0x00000010, 0x00000020, 0x00000040, 0x00000080,
377 0x0000001B, 0x00000036
378};
379
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]380#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]381
382/*
383 * Forward S-box & tables
384 */
385static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]386static uint32_t FT0[256];
387static uint32_t FT1[256];
388static uint32_t FT2[256];
389static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390
391/*
392 * Reverse S-box & tables
393 */
394static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]395static uint32_t RT0[256];
396static uint32_t RT1[256];
397static uint32_t RT2[256];
398static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]399
400/*
401 * Round constants
402 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]403static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]404
405/*
406 * Tables generation code
407 */
408#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
409#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
410#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
411
412static int aes_init_done = 0;
413
414static void aes_gen_tables( void )
415{
416 int i, x, y, z;
417 int pow[256];
418 int log[256];
419
420 /*
421 * compute pow and log tables over GF(2^8)
422 */
423 for( i = 0, x = 1; i < 256; i++ )
424 {
425 pow[i] = x;
426 log[x] = i;
427 x = ( x ^ XTIME( x ) ) & 0xFF;
428 }
429
430 /*
431 * calculate the round constants
432 */
433 for( i = 0, x = 1; i < 10; i++ )
434 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]435 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 x = XTIME( x ) & 0xFF;
437 }
438
439 /*
440 * generate the forward and reverse S-boxes
441 */
442 FSb[0x00] = 0x63;
443 RSb[0x63] = 0x00;
444
445 for( i = 1; i < 256; i++ )
446 {
447 x = pow[255 - log[i]];
448
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]449 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
450 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
451 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
452 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453 x ^= y ^ 0x63;
454
455 FSb[i] = (unsigned char) x;
456 RSb[x] = (unsigned char) i;
457 }
458
459 /*
460 * generate the forward and reverse tables
461 */
462 for( i = 0; i < 256; i++ )
463 {
464 x = FSb[i];
465 y = XTIME( x ) & 0xFF;
466 z = ( y ^ x ) & 0xFF;
467
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]468 FT0[i] = ( (uint32_t) y ) ^
469 ( (uint32_t) x << 8 ) ^
470 ( (uint32_t) x << 16 ) ^
471 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
473 FT1[i] = ROTL8( FT0[i] );
474 FT2[i] = ROTL8( FT1[i] );
475 FT3[i] = ROTL8( FT2[i] );
476
477 x = RSb[i];
478
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]479 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
480 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
481 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
482 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483
484 RT1[i] = ROTL8( RT0[i] );
485 RT2[i] = ROTL8( RT1[i] );
486 RT3[i] = ROTL8( RT2[i] );
487 }
488}
489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]490#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]492void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]493{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]494 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]495}
496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]497void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]498{
499 if( ctx == NULL )
500 return;
501
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]502 mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]503}
504
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505/*
506 * AES key schedule (encryption)
507 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]508#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]509int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]510 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]511{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]512 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]513 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]515#if !defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516 if( aes_init_done == 0 )
517 {
518 aes_gen_tables();
519 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]520
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]521 }
522#endif
523
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]524 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]525 {
526 case 128: ctx->nr = 10; break;
527 case 192: ctx->nr = 12; break;
528 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]529 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]530 }
531
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]532#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]533 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]534 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]535
536 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]537 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]538 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]539#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]540 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]542#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]543 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]544 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]545#endif
546
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]547 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]549 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]550 }
551
552 switch( ctx->nr )
553 {
554 case 10:
555
556 for( i = 0; i < 10; i++, RK += 4 )
557 {
558 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]559 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
560 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
561 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
562 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563
564 RK[5] = RK[1] ^ RK[4];
565 RK[6] = RK[2] ^ RK[5];
566 RK[7] = RK[3] ^ RK[6];
567 }
568 break;
569
570 case 12:
571
572 for( i = 0; i < 8; i++, RK += 6 )
573 {
574 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]575 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
576 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
577 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
578 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]579
580 RK[7] = RK[1] ^ RK[6];
581 RK[8] = RK[2] ^ RK[7];
582 RK[9] = RK[3] ^ RK[8];
583 RK[10] = RK[4] ^ RK[9];
584 RK[11] = RK[5] ^ RK[10];
585 }
586 break;
587
588 case 14:
589
590 for( i = 0; i < 7; i++, RK += 8 )
591 {
592 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]593 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
594 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
595 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
596 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597
598 RK[9] = RK[1] ^ RK[8];
599 RK[10] = RK[2] ^ RK[9];
600 RK[11] = RK[3] ^ RK[10];
601
602 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]603 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
604 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
605 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
606 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607
608 RK[13] = RK[5] ^ RK[12];
609 RK[14] = RK[6] ^ RK[13];
610 RK[15] = RK[7] ^ RK[14];
611 }
612 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]614
615 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]616}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]617#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618
619/*
620 * AES key schedule (decryption)
621 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]622#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]623int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]624 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]625{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]626 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]627 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]628 uint32_t *RK;
629 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]630
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]631 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]633#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]634 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]635 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]636
637 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]638 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]639 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]641 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]643 /* Also checks keybits */
644 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]645 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]646
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]647 ctx->nr = cty.nr;
648
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]649#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]650 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]651 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]652 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]653 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]654 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]655 }
656#endif
657
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658 SK = cty.rk + cty.nr * 4;
659
660 *RK++ = *SK++;
661 *RK++ = *SK++;
662 *RK++ = *SK++;
663 *RK++ = *SK++;
664
665 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
666 {
667 for( j = 0; j < 4; j++, SK++ )
668 {
669 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
670 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
671 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
672 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
673 }
674 }
675
676 *RK++ = *SK++;
677 *RK++ = *SK++;
678 *RK++ = *SK++;
679 *RK++ = *SK++;
680
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]681exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]683
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]684 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]686#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687
688#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
689{ \
690 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
691 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
692 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
693 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
694 \
695 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
696 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
697 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
698 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
699 \
700 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
701 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
702 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
703 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
704 \
705 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
706 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
707 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
708 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
709}
710
711#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
712{ \
713 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
714 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
715 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
716 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
717 \
718 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
719 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
720 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
721 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
722 \
723 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
724 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
725 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
726 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
727 \
728 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
729 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
730 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
731 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
732}
733
734/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]735 * AES-ECB block encryption
736 */
737#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]738int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
739 const unsigned char input[16],
740 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]741{
742 int i;
743 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
744
745 RK = ctx->rk;
746
747 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
748 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
749 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
750 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
751
752 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
753 {
754 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
755 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
756 }
757
758 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
759
760 X0 = *RK++ ^ \
761 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
762 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
763 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
764 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
765
766 X1 = *RK++ ^ \
767 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
768 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
769 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
770 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
771
772 X2 = *RK++ ^ \
773 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
774 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
775 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
776 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
777
778 X3 = *RK++ ^ \
779 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
780 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
781 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
782 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
783
784 PUT_UINT32_LE( X0, output, 0 );
785 PUT_UINT32_LE( X1, output, 4 );
786 PUT_UINT32_LE( X2, output, 8 );
787 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]788
Andrzej Kurek07597362019-11-12 03:23:51 -0500[diff] [blame]789 mbedtls_zeroize( &X0, sizeof( X0 ) );
790 mbedtls_zeroize( &X1, sizeof( X1 ) );
791 mbedtls_zeroize( &X2, sizeof( X2 ) );
792 mbedtls_zeroize( &X3, sizeof( X3 ) );
793
794 mbedtls_zeroize( &Y0, sizeof( Y0 ) );
795 mbedtls_zeroize( &Y1, sizeof( Y1 ) );
796 mbedtls_zeroize( &Y2, sizeof( Y2 ) );
797 mbedtls_zeroize( &Y3, sizeof( Y3 ) );
798
799 mbedtls_zeroize( &RK, sizeof( RK ) );
800
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]801 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]802}
803#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
804
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]805#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]806void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
807 const unsigned char input[16],
808 unsigned char output[16] )
809{
810 mbedtls_internal_aes_encrypt( ctx, input, output );
811}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]812#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]813
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]814/*
815 * AES-ECB block decryption
816 */
817#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]818int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
819 const unsigned char input[16],
820 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]821{
822 int i;
823 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
824
825 RK = ctx->rk;
826
827 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
828 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
829 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
830 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
831
832 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
833 {
834 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
835 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
836 }
837
838 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
839
840 X0 = *RK++ ^ \
841 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
842 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
843 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
844 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
845
846 X1 = *RK++ ^ \
847 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
848 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
849 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
850 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
851
852 X2 = *RK++ ^ \
853 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
854 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
855 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
856 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
857
858 X3 = *RK++ ^ \
859 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
860 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
861 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
862 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
863
864 PUT_UINT32_LE( X0, output, 0 );
865 PUT_UINT32_LE( X1, output, 4 );
866 PUT_UINT32_LE( X2, output, 8 );
867 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]868
Andrzej Kurek07597362019-11-12 03:23:51 -0500[diff] [blame]869 mbedtls_zeroize( &X0, sizeof( X0 ) );
870 mbedtls_zeroize( &X1, sizeof( X1 ) );
871 mbedtls_zeroize( &X2, sizeof( X2 ) );
872 mbedtls_zeroize( &X3, sizeof( X3 ) );
873
874 mbedtls_zeroize( &Y0, sizeof( Y0 ) );
875 mbedtls_zeroize( &Y1, sizeof( Y1 ) );
876 mbedtls_zeroize( &Y2, sizeof( Y2 ) );
877 mbedtls_zeroize( &Y3, sizeof( Y3 ) );
878
879 mbedtls_zeroize( &RK, sizeof( RK ) );
880
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]881 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]882}
883#endif /* !MBEDTLS_AES_DECRYPT_ALT */
884
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]885#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]886void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
887 const unsigned char input[16],
888 unsigned char output[16] )
889{
890 mbedtls_internal_aes_decrypt( ctx, input, output );
891}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]892#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]893
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]894/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]895 * AES-ECB block encryption/decryption
896 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]897int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]898 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]899 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]900 unsigned char output[16] )
901{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]902#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]903 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]904 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]905#endif
906
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]907#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]908 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]909 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]910 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]911 return( 0 );
912
913 // If padlock data misaligned, we just fall back to
914 // unaccelerated mode
915 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]916 }
917#endif
918
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]919 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]920 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]921 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]922 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]923}
924
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]925#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]926/*
927 * AES-CBC buffer encryption/decryption
928 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]929int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]930 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]931 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]932 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]933 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]934 unsigned char *output )
935{
936 int i;
937 unsigned char temp[16];
938
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]939 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]940 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]941
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]942#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]943 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]944 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]945 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]946 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]947
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]948 // If padlock data misaligned, we just fall back to
949 // unaccelerated mode
950 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]951 }
952#endif
953
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]954 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]955 {
956 while( length > 0 )
957 {
958 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]959 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]960
961 for( i = 0; i < 16; i++ )
962 output[i] = (unsigned char)( output[i] ^ iv[i] );
963
964 memcpy( iv, temp, 16 );
965
966 input += 16;
967 output += 16;
968 length -= 16;
969 }
970 }
971 else
972 {
973 while( length > 0 )
974 {
975 for( i = 0; i < 16; i++ )
976 output[i] = (unsigned char)( input[i] ^ iv[i] );
977
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]978 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]979 memcpy( iv, output, 16 );
980
981 input += 16;
982 output += 16;
983 length -= 16;
984 }
985 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]986
987 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]988}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]989#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]990
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]991#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992/*
993 * AES-CFB128 buffer encryption/decryption
994 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]995int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]996 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]997 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]998 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1000 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001 unsigned char *output )
1002{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1003 int c;
1004 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1006 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007 {
1008 while( length-- )
1009 {
1010 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1011 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1012
1013 c = *input++;
1014 *output++ = (unsigned char)( c ^ iv[n] );
1015 iv[n] = (unsigned char) c;
1016
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1017 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1018 }
1019 }
1020 else
1021 {
1022 while( length-- )
1023 {
1024 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1025 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1026
1027 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1028
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1029 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030 }
1031 }
1032
1033 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1034
1035 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1036}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1037
1038/*
1039 * AES-CFB8 buffer encryption/decryption
1040 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1042 int mode,
1043 size_t length,
1044 unsigned char iv[16],
1045 const unsigned char *input,
1046 unsigned char *output )
1047{
1048 unsigned char c;
1049 unsigned char ov[17];
1050
1051 while( length-- )
1052 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1053 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1054 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1056 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1057 ov[16] = *input;
1058
1059 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1060
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1061 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1062 ov[16] = c;
1063
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1064 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1065 }
1066
1067 return( 0 );
1068}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1069#endif /*MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1070
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1071#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1072/*
1073 * AES-CTR buffer encryption/decryption
1074 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1075int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1076 size_t length,
1077 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1078 unsigned char nonce_counter[16],
1079 unsigned char stream_block[16],
1080 const unsigned char *input,
1081 unsigned char *output )
1082{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1083 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1084 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1085
1086 while( length-- )
1087 {
1088 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1089 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1090
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1091 for( i = 16; i > 0; i-- )
1092 if( ++nonce_counter[i - 1] != 0 )
1093 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1094 }
1095 c = *input++;
1096 *output++ = (unsigned char)( c ^ stream_block[n] );
1097
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1098 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1099 }
1100
1101 *nc_off = n;
1102
1103 return( 0 );
1104}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1105#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1106
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1107#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1109#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1110/*
1111 * AES test vectors from:
1112 *
1113 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1114 */
1115static const unsigned char aes_test_ecb_dec[3][16] =
1116{
1117 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1118 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1119 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1120 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1121 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1122 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1123};
1124
1125static const unsigned char aes_test_ecb_enc[3][16] =
1126{
1127 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1128 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1129 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1130 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1131 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1132 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1133};
1134
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1135#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136static const unsigned char aes_test_cbc_dec[3][16] =
1137{
1138 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1139 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1140 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1141 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1142 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1143 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1144};
1145
1146static const unsigned char aes_test_cbc_enc[3][16] =
1147{
1148 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1149 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1150 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1151 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1152 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1153 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1154};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1155#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1156
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1157#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1158/*
1159 * AES-CFB128 test vectors from:
1160 *
1161 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1162 */
1163static const unsigned char aes_test_cfb128_key[3][32] =
1164{
1165 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1166 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1167 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1168 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1169 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1170 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1171 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1172 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1173 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1174};
1175
1176static const unsigned char aes_test_cfb128_iv[16] =
1177{
1178 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1179 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1180};
1181
1182static const unsigned char aes_test_cfb128_pt[64] =
1183{
1184 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1185 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1186 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1187 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1188 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1189 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1190 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1191 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1192};
1193
1194static const unsigned char aes_test_cfb128_ct[3][64] =
1195{
1196 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1197 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1198 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1199 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1200 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1201 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1202 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1203 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1204 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1205 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1206 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1207 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1208 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1209 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1210 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1211 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1212 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1213 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1214 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1215 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1216 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1217 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1218 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1219 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1220};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1221#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1222
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1223#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1224/*
1225 * AES-CTR test vectors from:
1226 *
1227 * http://www.faqs.org/rfcs/rfc3686.html
1228 */
1229
1230static const unsigned char aes_test_ctr_key[3][16] =
1231{
1232 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1233 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1234 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1235 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1236 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1237 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1238};
1239
1240static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1241{
1242 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1244 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1245 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1246 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1247 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1248};
1249
1250static const unsigned char aes_test_ctr_pt[3][48] =
1251{
1252 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1253 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1254
1255 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1256 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1257 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1258 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1259
1260 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1261 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1262 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1263 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1264 0x20, 0x21, 0x22, 0x23 }
1265};
1266
1267static const unsigned char aes_test_ctr_ct[3][48] =
1268{
1269 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1270 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1271 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1272 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1273 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1274 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1275 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1276 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1277 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1278 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1279 0x25, 0xB2, 0x07, 0x2F }
1280};
1281
1282static const int aes_test_ctr_len[3] =
1283 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1284#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1285
1286/*
1287 * Checkup routine
1288 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1289int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1290{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1291 int ret = 0, i, j, u, mode;
1292 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293 unsigned char key[32];
1294 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1295 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1296#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1297 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1298#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1299#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1300 unsigned char prv[16];
1301#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1302#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1303 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1304#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1305#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1306 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1307 unsigned char nonce_counter[16];
1308 unsigned char stream_block[16];
1309#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1310 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1311
1312 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1313 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314
1315 /*
1316 * ECB mode
1317 */
1318 for( i = 0; i < 6; i++ )
1319 {
1320 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1321 keybits = 128 + u * 64;
1322 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323
1324 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1325 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1326 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1327
1328 memset( buf, 0, 16 );
1329
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1330 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1332 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1333 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1334 }
1335 else
1336 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1337 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1338 aes_tests = aes_test_ecb_enc[u];
1339 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1341 /*
1342 * AES-192 is an optional feature that may be unavailable when
1343 * there is an alternative underlying implementation i.e. when
1344 * MBEDTLS_AES_ALT is defined.
1345 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1346 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1347 {
1348 mbedtls_printf( "skipped\n" );
1349 continue;
1350 }
1351 else if( ret != 0 )
1352 {
1353 goto exit;
1354 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1356 for( j = 0; j < 10000; j++ )
1357 {
1358 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1359 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1360 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1361 }
1362
1363 if( memcmp( buf, aes_tests, 16 ) != 0 )
1364 {
1365 ret = 1;
1366 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1367 }
1368
1369 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1370 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1371 }
1372
1373 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1374 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1376#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1377 /*
1378 * CBC mode
1379 */
1380 for( i = 0; i < 6; i++ )
1381 {
1382 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1383 keybits = 128 + u * 64;
1384 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1385
1386 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1387 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1388 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1389
1390 memset( iv , 0, 16 );
1391 memset( prv, 0, 16 );
1392 memset( buf, 0, 16 );
1393
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1394 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1395 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1396 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1397 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1398 }
1399 else
1400 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1401 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1402 aes_tests = aes_test_cbc_enc[u];
1403 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1404
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1405 /*
1406 * AES-192 is an optional feature that may be unavailable when
1407 * there is an alternative underlying implementation i.e. when
1408 * MBEDTLS_AES_ALT is defined.
1409 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1410 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1411 {
1412 mbedtls_printf( "skipped\n" );
1413 continue;
1414 }
1415 else if( ret != 0 )
1416 {
1417 goto exit;
1418 }
1419
1420 for( j = 0; j < 10000; j++ )
1421 {
1422 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1423 {
1424 unsigned char tmp[16];
1425
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1426 memcpy( tmp, prv, 16 );
1427 memcpy( prv, buf, 16 );
1428 memcpy( buf, tmp, 16 );
1429 }
1430
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1431 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1432 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1433 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1434
1435 }
1436
1437 if( memcmp( buf, aes_tests, 16 ) != 0 )
1438 {
1439 ret = 1;
1440 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1441 }
1442
1443 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1444 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1445 }
1446
1447 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1448 mbedtls_printf( "\n" );
1449#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1451#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1452 /*
1453 * CFB128 mode
1454 */
1455 for( i = 0; i < 6; i++ )
1456 {
1457 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1458 keybits = 128 + u * 64;
1459 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1460
1461 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1462 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1463 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1464
1465 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1466 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1467
1468 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1469 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1470 /*
1471 * AES-192 is an optional feature that may be unavailable when
1472 * there is an alternative underlying implementation i.e. when
1473 * MBEDTLS_AES_ALT is defined.
1474 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1475 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1476 {
1477 mbedtls_printf( "skipped\n" );
1478 continue;
1479 }
1480 else if( ret != 0 )
1481 {
1482 goto exit;
1483 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1484
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1485 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1486 {
1487 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1488 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1489 }
1490 else
1491 {
1492 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1493 aes_tests = aes_test_cfb128_ct[u];
1494 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1495
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1496 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1497 if( ret != 0 )
1498 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1499
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1500 if( memcmp( buf, aes_tests, 64 ) != 0 )
1501 {
1502 ret = 1;
1503 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1504 }
1505
1506 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1507 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1508 }
1509
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1510 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1511 mbedtls_printf( "\n" );
1512#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1513
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1514#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1515 /*
1516 * CTR mode
1517 */
1518 for( i = 0; i < 6; i++ )
1519 {
1520 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1521 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1522
1523 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1524 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1525 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1526
1527 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1528 memcpy( key, aes_test_ctr_key[u], 16 );
1529
1530 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1531 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1532 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1533
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1534 len = aes_test_ctr_len[u];
1535
1536 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1537 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1538 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1539 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1540 }
1541 else
1542 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1543 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1544 aes_tests = aes_test_ctr_ct[u];
1545 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1546
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1547 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1548 stream_block, buf, buf );
1549 if( ret != 0 )
1550 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1551
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1552 if( memcmp( buf, aes_tests, len ) != 0 )
1553 {
1554 ret = 1;
1555 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1556 }
1557
1558 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1559 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1560 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1561
1562 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1563 mbedtls_printf( "\n" );
1564#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1565
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1566 ret = 0;
1567
1568exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1569 if( ret != 0 && verbose != 0 )
1570 mbedtls_printf( "failed\n" );
1571
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1572 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1573
1574 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1575}
1576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1577#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1578
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1579#endif /* MBEDTLS_AES_C */