TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 09b4f19f940833678cc918ee8d26851513d93ba5 / . / library / aes.c
blob: beeecae370cf960838c50a80f1b836a21c00be0c [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]41#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]42#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]44#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]46#if defined(MBEDTLS_SELF_TEST)
47#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]48#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]49#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]50#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]51#define mbedtls_printf printf
52#endif /* MBEDTLS_PLATFORM_C */
53#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]54
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]56
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]57/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58static void mbedtls_zeroize( void *v, size_t n ) {
Simon Butcher88ffc082016-05-20 00:00:37 +0100[diff] [blame]59 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]60}
61
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62/*
63 * 32-bit integer manipulation macros (little endian)
64 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]65#ifndef GET_UINT32_LE
66#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68 (n) = ( (uint32_t) (b)[(i) ] ) \
69 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
70 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
71 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72}
73#endif
74
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]75#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]76#define PUT_UINT32_LE(n,b,i) \
77{ \
78 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
79 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
80 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
81 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]82}
83#endif
84
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]85#if defined(MBEDTLS_PADLOCK_C) && \
86 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]87static int aes_padlock_ace = -1;
88#endif
89
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]90#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]91/*
92 * Forward S-box
93 */
94static const unsigned char FSb[256] =
95{
96 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
97 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
98 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
99 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
100 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
101 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
102 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
103 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
104 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
105 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
106 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
107 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
108 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
109 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
110 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
111 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
112 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
113 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
114 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
115 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
116 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
117 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
118 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
119 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
120 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
121 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
122 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
123 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
124 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
125 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
126 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
127 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
128};
129
130/*
131 * Forward tables
132 */
133#define FT \
134\
135 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
136 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
137 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
138 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
139 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
140 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
141 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
142 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
143 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
144 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
145 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
146 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
147 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
148 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
149 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
150 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
151 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
152 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
153 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
154 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
155 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
156 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
157 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
158 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
159 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
160 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
161 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
162 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
163 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
164 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
165 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
166 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
167 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
168 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
169 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
170 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
171 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
172 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
173 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
174 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
175 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
176 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
177 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
178 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
179 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
180 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
181 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
182 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
183 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
184 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
185 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
186 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
187 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
188 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
189 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
190 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
191 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
192 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
193 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
194 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
195 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
196 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
197 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
198 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
199
200#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]201static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]202#undef V
203
204#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
208#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]209static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#undef V
211
212#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]213static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]214#undef V
215
216#undef FT
217
218/*
219 * Reverse S-box
220 */
221static const unsigned char RSb[256] =
222{
223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
255};
256
257/*
258 * Reverse tables
259 */
260#define RT \
261\
262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
326
327#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]328static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]329#undef V
330
331#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333#undef V
334
335#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
339#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]340static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#undef V
342
343#undef RT
344
345/*
346 * Round constants
347 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]348static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349{
350 0x00000001, 0x00000002, 0x00000004, 0x00000008,
351 0x00000010, 0x00000020, 0x00000040, 0x00000080,
352 0x0000001B, 0x00000036
353};
354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]355#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]356
357/*
358 * Forward S-box & tables
359 */
360static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]361static uint32_t FT0[256];
362static uint32_t FT1[256];
363static uint32_t FT2[256];
364static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365
366/*
367 * Reverse S-box & tables
368 */
369static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]370static uint32_t RT0[256];
371static uint32_t RT1[256];
372static uint32_t RT2[256];
373static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]374
375/*
376 * Round constants
377 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379
380/*
381 * Tables generation code
382 */
383#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
384#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
385#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
386
387static int aes_init_done = 0;
388
389static void aes_gen_tables( void )
390{
391 int i, x, y, z;
392 int pow[256];
393 int log[256];
394
395 /*
396 * compute pow and log tables over GF(2^8)
397 */
398 for( i = 0, x = 1; i < 256; i++ )
399 {
400 pow[i] = x;
401 log[x] = i;
402 x = ( x ^ XTIME( x ) ) & 0xFF;
403 }
404
405 /*
406 * calculate the round constants
407 */
408 for( i = 0, x = 1; i < 10; i++ )
409 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]410 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]411 x = XTIME( x ) & 0xFF;
412 }
413
414 /*
415 * generate the forward and reverse S-boxes
416 */
417 FSb[0x00] = 0x63;
418 RSb[0x63] = 0x00;
419
420 for( i = 1; i < 256; i++ )
421 {
422 x = pow[255 - log[i]];
423
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]424 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
425 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
426 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
427 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428 x ^= y ^ 0x63;
429
430 FSb[i] = (unsigned char) x;
431 RSb[x] = (unsigned char) i;
432 }
433
434 /*
435 * generate the forward and reverse tables
436 */
437 for( i = 0; i < 256; i++ )
438 {
439 x = FSb[i];
440 y = XTIME( x ) & 0xFF;
441 z = ( y ^ x ) & 0xFF;
442
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]443 FT0[i] = ( (uint32_t) y ) ^
444 ( (uint32_t) x << 8 ) ^
445 ( (uint32_t) x << 16 ) ^
446 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447
448 FT1[i] = ROTL8( FT0[i] );
449 FT2[i] = ROTL8( FT1[i] );
450 FT3[i] = ROTL8( FT2[i] );
451
452 x = RSb[i];
453
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]454 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
455 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
456 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
457 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458
459 RT1[i] = ROTL8( RT0[i] );
460 RT2[i] = ROTL8( RT1[i] );
461 RT3[i] = ROTL8( RT2[i] );
462 }
463}
464
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]465#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]467void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]468{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]469 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]470}
471
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]472void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]473{
474 if( ctx == NULL )
475 return;
476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]477 mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]478}
479
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480/*
481 * AES key schedule (encryption)
482 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]483#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]484int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]485 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]486{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]487 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]488 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]490#if !defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491 if( aes_init_done == 0 )
492 {
493 aes_gen_tables();
494 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]495
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]496 }
497#endif
498
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]499 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]500 {
501 case 128: ctx->nr = 10; break;
502 case 192: ctx->nr = 12; break;
503 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]504 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505 }
506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]507#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]508 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]509 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]510
511 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]512 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]513 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]515 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]518 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]519 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]520#endif
521
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]522 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]524 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]525 }
526
527 switch( ctx->nr )
528 {
529 case 10:
530
531 for( i = 0; i < 10; i++, RK += 4 )
532 {
533 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]534 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
535 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
536 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
537 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538
539 RK[5] = RK[1] ^ RK[4];
540 RK[6] = RK[2] ^ RK[5];
541 RK[7] = RK[3] ^ RK[6];
542 }
543 break;
544
545 case 12:
546
547 for( i = 0; i < 8; i++, RK += 6 )
548 {
549 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]550 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
551 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
552 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
553 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554
555 RK[7] = RK[1] ^ RK[6];
556 RK[8] = RK[2] ^ RK[7];
557 RK[9] = RK[3] ^ RK[8];
558 RK[10] = RK[4] ^ RK[9];
559 RK[11] = RK[5] ^ RK[10];
560 }
561 break;
562
563 case 14:
564
565 for( i = 0; i < 7; i++, RK += 8 )
566 {
567 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]568 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
569 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
570 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
571 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572
573 RK[9] = RK[1] ^ RK[8];
574 RK[10] = RK[2] ^ RK[9];
575 RK[11] = RK[3] ^ RK[10];
576
577 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]578 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
579 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
580 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
581 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582
583 RK[13] = RK[5] ^ RK[12];
584 RK[14] = RK[6] ^ RK[13];
585 RK[15] = RK[7] ^ RK[14];
586 }
587 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]589
590 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]592#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]593
594/*
595 * AES key schedule (decryption)
596 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]597#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]598int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]599 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]601 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]602 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]603 uint32_t *RK;
604 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]606 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]608#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]609 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]610 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]611
612 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]613 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]614 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]616 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]617
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]618 /* Also checks keybits */
619 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]620 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]621
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]622 ctx->nr = cty.nr;
623
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]624#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]625 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]626 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]627 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]628 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]629 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]630 }
631#endif
632
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633 SK = cty.rk + cty.nr * 4;
634
635 *RK++ = *SK++;
636 *RK++ = *SK++;
637 *RK++ = *SK++;
638 *RK++ = *SK++;
639
640 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
641 {
642 for( j = 0; j < 4; j++, SK++ )
643 {
644 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
645 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
646 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
647 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
648 }
649 }
650
651 *RK++ = *SK++;
652 *RK++ = *SK++;
653 *RK++ = *SK++;
654 *RK++ = *SK++;
655
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]656exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]658
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]659 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]661#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
663#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
664{ \
665 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
666 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
667 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
668 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
669 \
670 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
671 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
672 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
673 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
674 \
675 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
676 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
677 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
678 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
679 \
680 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
681 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
682 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
683 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
684}
685
686#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
687{ \
688 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
689 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
690 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
691 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
692 \
693 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
694 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
695 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
696 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
697 \
698 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
699 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
700 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
701 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
702 \
703 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
704 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
705 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
706 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
707}
708
709/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]710 * AES-ECB block encryption
711 */
712#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]713int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
714 const unsigned char input[16],
715 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]716{
717 int i;
718 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
719
720 RK = ctx->rk;
721
722 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
723 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
724 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
725 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
726
727 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
728 {
729 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
730 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
731 }
732
733 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
734
735 X0 = *RK++ ^ \
736 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
737 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
738 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
739 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
740
741 X1 = *RK++ ^ \
742 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
743 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
744 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
745 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
746
747 X2 = *RK++ ^ \
748 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
749 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
750 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
751 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
752
753 X3 = *RK++ ^ \
754 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
755 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
756 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
757 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
758
759 PUT_UINT32_LE( X0, output, 0 );
760 PUT_UINT32_LE( X1, output, 4 );
761 PUT_UINT32_LE( X2, output, 8 );
762 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]763
Andrzej Kurek07597362019-11-12 03:23:51 -0500[diff] [blame]764 mbedtls_zeroize( &X0, sizeof( X0 ) );
765 mbedtls_zeroize( &X1, sizeof( X1 ) );
766 mbedtls_zeroize( &X2, sizeof( X2 ) );
767 mbedtls_zeroize( &X3, sizeof( X3 ) );
768
769 mbedtls_zeroize( &Y0, sizeof( Y0 ) );
770 mbedtls_zeroize( &Y1, sizeof( Y1 ) );
771 mbedtls_zeroize( &Y2, sizeof( Y2 ) );
772 mbedtls_zeroize( &Y3, sizeof( Y3 ) );
773
774 mbedtls_zeroize( &RK, sizeof( RK ) );
775
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]776 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]777}
778#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
779
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]780#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]781void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
782 const unsigned char input[16],
783 unsigned char output[16] )
784{
785 mbedtls_internal_aes_encrypt( ctx, input, output );
786}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]787#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]788
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]789/*
790 * AES-ECB block decryption
791 */
792#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]793int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
794 const unsigned char input[16],
795 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]796{
797 int i;
798 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
799
800 RK = ctx->rk;
801
802 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
803 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
804 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
805 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
806
807 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
808 {
809 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
810 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
811 }
812
813 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
814
815 X0 = *RK++ ^ \
816 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
817 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
818 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
819 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
820
821 X1 = *RK++ ^ \
822 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
823 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
824 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
825 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
826
827 X2 = *RK++ ^ \
828 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
829 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
830 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
831 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
832
833 X3 = *RK++ ^ \
834 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
835 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
836 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
837 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
838
839 PUT_UINT32_LE( X0, output, 0 );
840 PUT_UINT32_LE( X1, output, 4 );
841 PUT_UINT32_LE( X2, output, 8 );
842 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]843
Andrzej Kurek07597362019-11-12 03:23:51 -0500[diff] [blame]844 mbedtls_zeroize( &X0, sizeof( X0 ) );
845 mbedtls_zeroize( &X1, sizeof( X1 ) );
846 mbedtls_zeroize( &X2, sizeof( X2 ) );
847 mbedtls_zeroize( &X3, sizeof( X3 ) );
848
849 mbedtls_zeroize( &Y0, sizeof( Y0 ) );
850 mbedtls_zeroize( &Y1, sizeof( Y1 ) );
851 mbedtls_zeroize( &Y2, sizeof( Y2 ) );
852 mbedtls_zeroize( &Y3, sizeof( Y3 ) );
853
854 mbedtls_zeroize( &RK, sizeof( RK ) );
855
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]856 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]857}
858#endif /* !MBEDTLS_AES_DECRYPT_ALT */
859
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]860#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]861void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
862 const unsigned char input[16],
863 unsigned char output[16] )
864{
865 mbedtls_internal_aes_decrypt( ctx, input, output );
866}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]867#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]868
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]869/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]870 * AES-ECB block encryption/decryption
871 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]872int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]873 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]874 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875 unsigned char output[16] )
876{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]877#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]878 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]879 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]880#endif
881
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]882#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]883 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]884 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]885 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]886 return( 0 );
887
888 // If padlock data misaligned, we just fall back to
889 // unaccelerated mode
890 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]891 }
892#endif
893
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]894 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]895 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]896 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]897 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]898}
899
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]900#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]901/*
902 * AES-CBC buffer encryption/decryption
903 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]904int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]905 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]906 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]907 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]908 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]909 unsigned char *output )
910{
911 int i;
912 unsigned char temp[16];
913
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]914 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]915 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]916
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]917#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]918 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]919 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]920 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]921 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]922
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]923 // If padlock data misaligned, we just fall back to
924 // unaccelerated mode
925 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]926 }
927#endif
928
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]929 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]930 {
931 while( length > 0 )
932 {
933 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]934 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]935
936 for( i = 0; i < 16; i++ )
937 output[i] = (unsigned char)( output[i] ^ iv[i] );
938
939 memcpy( iv, temp, 16 );
940
941 input += 16;
942 output += 16;
943 length -= 16;
944 }
945 }
946 else
947 {
948 while( length > 0 )
949 {
950 for( i = 0; i < 16; i++ )
951 output[i] = (unsigned char)( input[i] ^ iv[i] );
952
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]953 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]954 memcpy( iv, output, 16 );
955
956 input += 16;
957 output += 16;
958 length -= 16;
959 }
960 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]961
962 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]963}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]964#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]965
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]966#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]967/*
968 * AES-CFB128 buffer encryption/decryption
969 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]970int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]972 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]973 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]974 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]975 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]976 unsigned char *output )
977{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]978 int c;
979 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]981 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 {
983 while( length-- )
984 {
985 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]986 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]987
988 c = *input++;
989 *output++ = (unsigned char)( c ^ iv[n] );
990 iv[n] = (unsigned char) c;
991
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]992 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]993 }
994 }
995 else
996 {
997 while( length-- )
998 {
999 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1000 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001
1002 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1003
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1004 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005 }
1006 }
1007
1008 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1009
1010 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1012
1013/*
1014 * AES-CFB8 buffer encryption/decryption
1015 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1016int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1017 int mode,
1018 size_t length,
1019 unsigned char iv[16],
1020 const unsigned char *input,
1021 unsigned char *output )
1022{
1023 unsigned char c;
1024 unsigned char ov[17];
1025
1026 while( length-- )
1027 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1028 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1031 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1032 ov[16] = *input;
1033
1034 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1035
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1036 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1037 ov[16] = c;
1038
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1039 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1040 }
1041
1042 return( 0 );
1043}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1044#endif /*MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1046#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1047/*
1048 * AES-CTR buffer encryption/decryption
1049 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1050int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1051 size_t length,
1052 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1053 unsigned char nonce_counter[16],
1054 unsigned char stream_block[16],
1055 const unsigned char *input,
1056 unsigned char *output )
1057{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1058 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1059 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1060
1061 while( length-- )
1062 {
1063 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1064 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1065
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1066 for( i = 16; i > 0; i-- )
1067 if( ++nonce_counter[i - 1] != 0 )
1068 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1069 }
1070 c = *input++;
1071 *output++ = (unsigned char)( c ^ stream_block[n] );
1072
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1073 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1074 }
1075
1076 *nc_off = n;
1077
1078 return( 0 );
1079}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1080#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1081
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1082#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1083
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1084#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1085/*
1086 * AES test vectors from:
1087 *
1088 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1089 */
1090static const unsigned char aes_test_ecb_dec[3][16] =
1091{
1092 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1093 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1094 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1095 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1096 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1097 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1098};
1099
1100static const unsigned char aes_test_ecb_enc[3][16] =
1101{
1102 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1103 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1104 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1105 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1106 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1107 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1108};
1109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1110#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111static const unsigned char aes_test_cbc_dec[3][16] =
1112{
1113 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1114 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1115 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1116 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1117 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1118 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1119};
1120
1121static const unsigned char aes_test_cbc_enc[3][16] =
1122{
1123 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1124 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1125 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1126 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1127 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1128 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1129};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1130#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1131
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1132#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1133/*
1134 * AES-CFB128 test vectors from:
1135 *
1136 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1137 */
1138static const unsigned char aes_test_cfb128_key[3][32] =
1139{
1140 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1141 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1142 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1143 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1144 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1145 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1146 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1147 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1148 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1149};
1150
1151static const unsigned char aes_test_cfb128_iv[16] =
1152{
1153 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1154 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1155};
1156
1157static const unsigned char aes_test_cfb128_pt[64] =
1158{
1159 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1160 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1161 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1162 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1163 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1164 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1165 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1166 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1167};
1168
1169static const unsigned char aes_test_cfb128_ct[3][64] =
1170{
1171 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1172 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1173 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1174 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1175 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1176 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1177 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1178 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1179 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1180 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1181 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1182 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1183 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1184 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1185 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1186 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1187 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1188 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1189 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1190 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1191 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1192 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1193 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1194 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1195};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1196#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1197
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1198#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1199/*
1200 * AES-CTR test vectors from:
1201 *
1202 * http://www.faqs.org/rfcs/rfc3686.html
1203 */
1204
1205static const unsigned char aes_test_ctr_key[3][16] =
1206{
1207 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1208 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1209 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1210 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1211 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1212 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1213};
1214
1215static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1216{
1217 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1219 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1220 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1221 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1222 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1223};
1224
1225static const unsigned char aes_test_ctr_pt[3][48] =
1226{
1227 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1228 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1229
1230 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1231 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1232 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1233 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1234
1235 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1236 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1237 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1238 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1239 0x20, 0x21, 0x22, 0x23 }
1240};
1241
1242static const unsigned char aes_test_ctr_ct[3][48] =
1243{
1244 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1245 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1246 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1247 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1248 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1249 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1250 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1251 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1252 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1253 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1254 0x25, 0xB2, 0x07, 0x2F }
1255};
1256
1257static const int aes_test_ctr_len[3] =
1258 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1259#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1260
1261/*
1262 * Checkup routine
1263 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1264int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1265{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1266 int ret = 0, i, j, u, mode;
1267 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1268 unsigned char key[32];
1269 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1270 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1271#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1272 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1273#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1274#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1275 unsigned char prv[16];
1276#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1277#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1278 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1279#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1280#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1281 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1282 unsigned char nonce_counter[16];
1283 unsigned char stream_block[16];
1284#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1285 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286
1287 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1288 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289
1290 /*
1291 * ECB mode
1292 */
1293 for( i = 0; i < 6; i++ )
1294 {
1295 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1296 keybits = 128 + u * 64;
1297 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1298
1299 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1300 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1301 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302
1303 memset( buf, 0, 16 );
1304
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1305 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1306 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1307 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1308 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1309 }
1310 else
1311 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1312 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1313 aes_tests = aes_test_ecb_enc[u];
1314 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1315
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1316 /*
1317 * AES-192 is an optional feature that may be unavailable when
1318 * there is an alternative underlying implementation i.e. when
1319 * MBEDTLS_AES_ALT is defined.
1320 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1321 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1322 {
1323 mbedtls_printf( "skipped\n" );
1324 continue;
1325 }
1326 else if( ret != 0 )
1327 {
1328 goto exit;
1329 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1331 for( j = 0; j < 10000; j++ )
1332 {
1333 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1334 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1335 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1336 }
1337
1338 if( memcmp( buf, aes_tests, 16 ) != 0 )
1339 {
1340 ret = 1;
1341 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342 }
1343
1344 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1345 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346 }
1347
1348 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1349 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1350
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1351#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1352 /*
1353 * CBC mode
1354 */
1355 for( i = 0; i < 6; i++ )
1356 {
1357 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1358 keybits = 128 + u * 64;
1359 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1360
1361 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1362 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1363 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1364
1365 memset( iv , 0, 16 );
1366 memset( prv, 0, 16 );
1367 memset( buf, 0, 16 );
1368
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1369 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1370 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1371 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1372 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1373 }
1374 else
1375 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1376 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1377 aes_tests = aes_test_cbc_enc[u];
1378 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1379
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1380 /*
1381 * AES-192 is an optional feature that may be unavailable when
1382 * there is an alternative underlying implementation i.e. when
1383 * MBEDTLS_AES_ALT is defined.
1384 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1385 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1386 {
1387 mbedtls_printf( "skipped\n" );
1388 continue;
1389 }
1390 else if( ret != 0 )
1391 {
1392 goto exit;
1393 }
1394
1395 for( j = 0; j < 10000; j++ )
1396 {
1397 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1398 {
1399 unsigned char tmp[16];
1400
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1401 memcpy( tmp, prv, 16 );
1402 memcpy( prv, buf, 16 );
1403 memcpy( buf, tmp, 16 );
1404 }
1405
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1406 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1407 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1408 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1409
1410 }
1411
1412 if( memcmp( buf, aes_tests, 16 ) != 0 )
1413 {
1414 ret = 1;
1415 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1416 }
1417
1418 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1419 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1420 }
1421
1422 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1423 mbedtls_printf( "\n" );
1424#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1425
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1426#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1427 /*
1428 * CFB128 mode
1429 */
1430 for( i = 0; i < 6; i++ )
1431 {
1432 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1433 keybits = 128 + u * 64;
1434 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1435
1436 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1437 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1438 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1439
1440 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1441 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1442
1443 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1444 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1445 /*
1446 * AES-192 is an optional feature that may be unavailable when
1447 * there is an alternative underlying implementation i.e. when
1448 * MBEDTLS_AES_ALT is defined.
1449 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1450 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1451 {
1452 mbedtls_printf( "skipped\n" );
1453 continue;
1454 }
1455 else if( ret != 0 )
1456 {
1457 goto exit;
1458 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1459
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1460 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1461 {
1462 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1463 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1464 }
1465 else
1466 {
1467 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1468 aes_tests = aes_test_cfb128_ct[u];
1469 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1470
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1471 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1472 if( ret != 0 )
1473 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1474
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1475 if( memcmp( buf, aes_tests, 64 ) != 0 )
1476 {
1477 ret = 1;
1478 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1479 }
1480
1481 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1482 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1483 }
1484
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1485 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1486 mbedtls_printf( "\n" );
1487#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1488
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1489#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1490 /*
1491 * CTR mode
1492 */
1493 for( i = 0; i < 6; i++ )
1494 {
1495 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1496 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1497
1498 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1499 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1500 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1501
1502 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1503 memcpy( key, aes_test_ctr_key[u], 16 );
1504
1505 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1506 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1507 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1508
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1509 len = aes_test_ctr_len[u];
1510
1511 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1512 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1513 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1514 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1515 }
1516 else
1517 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1518 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1519 aes_tests = aes_test_ctr_ct[u];
1520 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1521
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1522 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1523 stream_block, buf, buf );
1524 if( ret != 0 )
1525 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1526
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1527 if( memcmp( buf, aes_tests, len ) != 0 )
1528 {
1529 ret = 1;
1530 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1531 }
1532
1533 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1535 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1536
1537 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1538 mbedtls_printf( "\n" );
1539#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1540
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1541 ret = 0;
1542
1543exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1544 if( ret != 0 && verbose != 0 )
1545 mbedtls_printf( "failed\n" );
1546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1547 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1548
1549 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1550}
1551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1552#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1553
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1554#endif /* MBEDTLS_AES_C */