TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 4e9f71227aa3e926ff457e01152c708ae7f3adcc / . / library / aes.c
blob: cda63ef5203644104cbaaf0ce7875d4fed4bb6e1 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame^]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame^]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]46 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47 */
48/*
49 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
50 *
51 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
52 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
53 */
54
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]56#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]59#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]61#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]63#include <string.h>
64
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]65#include "mbedtls/aes.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]66#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]67#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]68#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]69#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]70#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]71#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]73#if defined(MBEDTLS_SELF_TEST)
74#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]75#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]76#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]77#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]78#define mbedtls_printf printf
79#endif /* MBEDTLS_PLATFORM_C */
80#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]81
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]83
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]84/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]85static void mbedtls_zeroize( void *v, size_t n ) {
Simon Butcher88ffc082016-05-20 00:00:37 +0100[diff] [blame]86 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]87}
88
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]89/*
90 * 32-bit integer manipulation macros (little endian)
91 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]92#ifndef GET_UINT32_LE
93#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]95 (n) = ( (uint32_t) (b)[(i) ] ) \
96 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
97 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
98 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]99}
100#endif
101
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]102#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]103#define PUT_UINT32_LE(n,b,i) \
104{ \
105 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
106 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
107 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
108 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109}
110#endif
111
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]112#if defined(MBEDTLS_PADLOCK_C) && \
113 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]114static int aes_padlock_ace = -1;
115#endif
116
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]117#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]118/*
119 * Forward S-box
120 */
121static const unsigned char FSb[256] =
122{
123 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
124 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
125 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
126 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
127 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
128 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
129 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
130 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
131 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
132 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
133 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
134 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
135 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
136 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
137 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
138 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
139 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
140 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
141 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
142 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
143 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
144 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
145 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
146 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
147 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
148 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
149 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
150 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
151 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
152 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
153 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
154 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
155};
156
157/*
158 * Forward tables
159 */
160#define FT \
161\
162 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
163 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
164 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
165 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
166 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
167 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
168 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
169 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
170 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
171 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
172 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
173 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
174 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
175 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
176 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
177 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
178 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
179 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
180 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
181 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
182 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
183 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
184 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
185 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
186 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
187 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
188 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
189 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
190 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
191 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
192 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
193 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
194 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
195 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
196 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
197 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
198 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
199 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
200 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
201 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
202 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
203 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
204 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
205 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
206 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
207 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
208 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
209 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
210 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
211 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
212 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
213 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
214 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
215 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
216 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
217 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
218 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
219 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
220 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
221 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
222 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
223 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
224 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
225 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
226
227#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]228static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]229#undef V
230
231#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]232static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]233#undef V
234
235#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]236static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]237#undef V
238
239#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]240static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]241#undef V
242
243#undef FT
244
245/*
246 * Reverse S-box
247 */
248static const unsigned char RSb[256] =
249{
250 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
251 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
252 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
253 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
254 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
255 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
256 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
257 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
258 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
259 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
260 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
261 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
262 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
263 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
264 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
265 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
266 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
267 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
268 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
269 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
270 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
271 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
272 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
273 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
274 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
275 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
276 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
277 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
278 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
279 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
280 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
281 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
282};
283
284/*
285 * Reverse tables
286 */
287#define RT \
288\
289 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
290 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
291 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
292 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
293 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
294 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
295 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
296 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
297 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
298 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
299 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
300 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
301 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
302 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
303 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
304 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
305 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
306 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
307 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
308 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
309 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
310 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
311 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
312 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
313 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
314 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
315 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
316 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
317 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
318 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
319 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
320 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
321 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
322 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
323 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
324 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
325 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
326 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
327 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
328 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
329 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
330 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
331 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
332 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
333 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
334 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
335 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
336 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
337 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
338 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
339 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
340 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
341 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
342 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
343 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
344 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
345 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
346 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
347 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
348 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
349 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
350 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
351 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
352 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
353
354#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]355static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]356#undef V
357
358#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360#undef V
361
362#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364#undef V
365
366#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]367static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368#undef V
369
370#undef RT
371
372/*
373 * Round constants
374 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]375static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]376{
377 0x00000001, 0x00000002, 0x00000004, 0x00000008,
378 0x00000010, 0x00000020, 0x00000040, 0x00000080,
379 0x0000001B, 0x00000036
380};
381
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]382#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]383
384/*
385 * Forward S-box & tables
386 */
387static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]388static uint32_t FT0[256];
389static uint32_t FT1[256];
390static uint32_t FT2[256];
391static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392
393/*
394 * Reverse S-box & tables
395 */
396static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]397static uint32_t RT0[256];
398static uint32_t RT1[256];
399static uint32_t RT2[256];
400static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401
402/*
403 * Round constants
404 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]405static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]406
407/*
408 * Tables generation code
409 */
410#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
411#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
412#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
413
414static int aes_init_done = 0;
415
416static void aes_gen_tables( void )
417{
418 int i, x, y, z;
419 int pow[256];
420 int log[256];
421
422 /*
423 * compute pow and log tables over GF(2^8)
424 */
425 for( i = 0, x = 1; i < 256; i++ )
426 {
427 pow[i] = x;
428 log[x] = i;
429 x = ( x ^ XTIME( x ) ) & 0xFF;
430 }
431
432 /*
433 * calculate the round constants
434 */
435 for( i = 0, x = 1; i < 10; i++ )
436 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]437 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438 x = XTIME( x ) & 0xFF;
439 }
440
441 /*
442 * generate the forward and reverse S-boxes
443 */
444 FSb[0x00] = 0x63;
445 RSb[0x63] = 0x00;
446
447 for( i = 1; i < 256; i++ )
448 {
449 x = pow[255 - log[i]];
450
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]451 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
452 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
453 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
454 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 x ^= y ^ 0x63;
456
457 FSb[i] = (unsigned char) x;
458 RSb[x] = (unsigned char) i;
459 }
460
461 /*
462 * generate the forward and reverse tables
463 */
464 for( i = 0; i < 256; i++ )
465 {
466 x = FSb[i];
467 y = XTIME( x ) & 0xFF;
468 z = ( y ^ x ) & 0xFF;
469
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]470 FT0[i] = ( (uint32_t) y ) ^
471 ( (uint32_t) x << 8 ) ^
472 ( (uint32_t) x << 16 ) ^
473 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474
475 FT1[i] = ROTL8( FT0[i] );
476 FT2[i] = ROTL8( FT1[i] );
477 FT3[i] = ROTL8( FT2[i] );
478
479 x = RSb[i];
480
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]481 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
482 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
483 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
484 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485
486 RT1[i] = ROTL8( RT0[i] );
487 RT2[i] = ROTL8( RT1[i] );
488 RT3[i] = ROTL8( RT2[i] );
489 }
490}
491
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]492#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]494void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]495{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]496 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]497}
498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]499void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]500{
501 if( ctx == NULL )
502 return;
503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]504 mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]505}
506
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]507/*
508 * AES key schedule (encryption)
509 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]510#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]512 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]513{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]514 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]515 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517#if !defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518 if( aes_init_done == 0 )
519 {
520 aes_gen_tables();
521 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]522
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523 }
524#endif
525
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]526 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]527 {
528 case 128: ctx->nr = 10; break;
529 case 192: ctx->nr = 12; break;
530 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]531 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]532 }
533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]534#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]535 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]536 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]537
538 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]539 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]540 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]542 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]543
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]544#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]545 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]546 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]547#endif
548
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]549 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]550 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]551 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552 }
553
554 switch( ctx->nr )
555 {
556 case 10:
557
558 for( i = 0; i < 10; i++, RK += 4 )
559 {
560 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]561 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
562 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
563 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
564 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565
566 RK[5] = RK[1] ^ RK[4];
567 RK[6] = RK[2] ^ RK[5];
568 RK[7] = RK[3] ^ RK[6];
569 }
570 break;
571
572 case 12:
573
574 for( i = 0; i < 8; i++, RK += 6 )
575 {
576 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]577 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
578 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
579 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
580 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581
582 RK[7] = RK[1] ^ RK[6];
583 RK[8] = RK[2] ^ RK[7];
584 RK[9] = RK[3] ^ RK[8];
585 RK[10] = RK[4] ^ RK[9];
586 RK[11] = RK[5] ^ RK[10];
587 }
588 break;
589
590 case 14:
591
592 for( i = 0; i < 7; i++, RK += 8 )
593 {
594 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]595 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
596 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
597 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
598 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599
600 RK[9] = RK[1] ^ RK[8];
601 RK[10] = RK[2] ^ RK[9];
602 RK[11] = RK[3] ^ RK[10];
603
604 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]605 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
606 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
607 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
608 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]609
610 RK[13] = RK[5] ^ RK[12];
611 RK[14] = RK[6] ^ RK[13];
612 RK[15] = RK[7] ^ RK[14];
613 }
614 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]616
617 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]619#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]620
621/*
622 * AES key schedule (decryption)
623 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]624#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]625int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]626 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]628 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]629 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]630 uint32_t *RK;
631 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]633 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]636 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]637 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]638
639 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]640 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]641 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]643 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]644
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]645 /* Also checks keybits */
646 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]647 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]648
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]649 ctx->nr = cty.nr;
650
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]651#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]652 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]653 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]654 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]655 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]656 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]657 }
658#endif
659
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660 SK = cty.rk + cty.nr * 4;
661
662 *RK++ = *SK++;
663 *RK++ = *SK++;
664 *RK++ = *SK++;
665 *RK++ = *SK++;
666
667 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
668 {
669 for( j = 0; j < 4; j++, SK++ )
670 {
671 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
672 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
673 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
674 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
675 }
676 }
677
678 *RK++ = *SK++;
679 *RK++ = *SK++;
680 *RK++ = *SK++;
681 *RK++ = *SK++;
682
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]683exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]684 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]685
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]686 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]688#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689
690#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
691{ \
692 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
693 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
694 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
695 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
696 \
697 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
698 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
699 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
700 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
701 \
702 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
703 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
704 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
705 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
706 \
707 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
708 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
709 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
710 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
711}
712
713#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
714{ \
715 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
716 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
717 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
718 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
719 \
720 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
721 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
722 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
723 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
724 \
725 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
726 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
727 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
728 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
729 \
730 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
731 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
732 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
733 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
734}
735
736/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]737 * AES-ECB block encryption
738 */
739#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]740int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
741 const unsigned char input[16],
742 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]743{
744 int i;
745 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
746
747 RK = ctx->rk;
748
749 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
750 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
751 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
752 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
753
754 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
755 {
756 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
757 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
758 }
759
760 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
761
762 X0 = *RK++ ^ \
763 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
764 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
765 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
766 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
767
768 X1 = *RK++ ^ \
769 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
770 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
771 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
772 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
773
774 X2 = *RK++ ^ \
775 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
776 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
777 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
778 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
779
780 X3 = *RK++ ^ \
781 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
782 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
783 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
784 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
785
786 PUT_UINT32_LE( X0, output, 0 );
787 PUT_UINT32_LE( X1, output, 4 );
788 PUT_UINT32_LE( X2, output, 8 );
789 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]790
Andrzej Kurek07597362019-11-12 03:23:51 -0500[diff] [blame]791 mbedtls_zeroize( &X0, sizeof( X0 ) );
792 mbedtls_zeroize( &X1, sizeof( X1 ) );
793 mbedtls_zeroize( &X2, sizeof( X2 ) );
794 mbedtls_zeroize( &X3, sizeof( X3 ) );
795
796 mbedtls_zeroize( &Y0, sizeof( Y0 ) );
797 mbedtls_zeroize( &Y1, sizeof( Y1 ) );
798 mbedtls_zeroize( &Y2, sizeof( Y2 ) );
799 mbedtls_zeroize( &Y3, sizeof( Y3 ) );
800
801 mbedtls_zeroize( &RK, sizeof( RK ) );
802
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]803 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]804}
805#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
806
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]807#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]808void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
809 const unsigned char input[16],
810 unsigned char output[16] )
811{
812 mbedtls_internal_aes_encrypt( ctx, input, output );
813}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]814#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]815
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]816/*
817 * AES-ECB block decryption
818 */
819#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]820int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
821 const unsigned char input[16],
822 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]823{
824 int i;
825 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
826
827 RK = ctx->rk;
828
829 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
830 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
831 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
832 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
833
834 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
835 {
836 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
837 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
838 }
839
840 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
841
842 X0 = *RK++ ^ \
843 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
844 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
845 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
846 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
847
848 X1 = *RK++ ^ \
849 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
850 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
851 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
852 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
853
854 X2 = *RK++ ^ \
855 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
856 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
857 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
858 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
859
860 X3 = *RK++ ^ \
861 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
862 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
863 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
864 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
865
866 PUT_UINT32_LE( X0, output, 0 );
867 PUT_UINT32_LE( X1, output, 4 );
868 PUT_UINT32_LE( X2, output, 8 );
869 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]870
Andrzej Kurek07597362019-11-12 03:23:51 -0500[diff] [blame]871 mbedtls_zeroize( &X0, sizeof( X0 ) );
872 mbedtls_zeroize( &X1, sizeof( X1 ) );
873 mbedtls_zeroize( &X2, sizeof( X2 ) );
874 mbedtls_zeroize( &X3, sizeof( X3 ) );
875
876 mbedtls_zeroize( &Y0, sizeof( Y0 ) );
877 mbedtls_zeroize( &Y1, sizeof( Y1 ) );
878 mbedtls_zeroize( &Y2, sizeof( Y2 ) );
879 mbedtls_zeroize( &Y3, sizeof( Y3 ) );
880
881 mbedtls_zeroize( &RK, sizeof( RK ) );
882
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]883 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]884}
885#endif /* !MBEDTLS_AES_DECRYPT_ALT */
886
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]887#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]888void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
889 const unsigned char input[16],
890 unsigned char output[16] )
891{
892 mbedtls_internal_aes_decrypt( ctx, input, output );
893}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]894#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]895
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]896/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]897 * AES-ECB block encryption/decryption
898 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]899int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]900 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]901 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]902 unsigned char output[16] )
903{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]904#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]905 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]906 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]907#endif
908
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]909#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]910 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]911 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]912 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]913 return( 0 );
914
915 // If padlock data misaligned, we just fall back to
916 // unaccelerated mode
917 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]918 }
919#endif
920
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]921 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]922 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]923 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]924 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]925}
926
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]927#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]928/*
929 * AES-CBC buffer encryption/decryption
930 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]931int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]932 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]933 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]934 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]935 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]936 unsigned char *output )
937{
938 int i;
939 unsigned char temp[16];
940
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]941 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]942 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]943
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]944#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]945 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]946 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]947 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]948 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]949
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]950 // If padlock data misaligned, we just fall back to
951 // unaccelerated mode
952 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]953 }
954#endif
955
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]956 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957 {
958 while( length > 0 )
959 {
960 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]961 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]962
963 for( i = 0; i < 16; i++ )
964 output[i] = (unsigned char)( output[i] ^ iv[i] );
965
966 memcpy( iv, temp, 16 );
967
968 input += 16;
969 output += 16;
970 length -= 16;
971 }
972 }
973 else
974 {
975 while( length > 0 )
976 {
977 for( i = 0; i < 16; i++ )
978 output[i] = (unsigned char)( input[i] ^ iv[i] );
979
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]980 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]981 memcpy( iv, output, 16 );
982
983 input += 16;
984 output += 16;
985 length -= 16;
986 }
987 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]988
989 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]990}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]991#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]993#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]994/*
995 * AES-CFB128 buffer encryption/decryption
996 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]997int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]998 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]999 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1000 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1002 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1003 unsigned char *output )
1004{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1005 int c;
1006 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1008 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1009 {
1010 while( length-- )
1011 {
1012 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1013 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1014
1015 c = *input++;
1016 *output++ = (unsigned char)( c ^ iv[n] );
1017 iv[n] = (unsigned char) c;
1018
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1019 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1020 }
1021 }
1022 else
1023 {
1024 while( length-- )
1025 {
1026 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1027 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1028
1029 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1030
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1031 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1032 }
1033 }
1034
1035 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1036
1037 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1039
1040/*
1041 * AES-CFB8 buffer encryption/decryption
1042 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1044 int mode,
1045 size_t length,
1046 unsigned char iv[16],
1047 const unsigned char *input,
1048 unsigned char *output )
1049{
1050 unsigned char c;
1051 unsigned char ov[17];
1052
1053 while( length-- )
1054 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1055 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1056 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1057
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1058 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1059 ov[16] = *input;
1060
1061 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1062
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1063 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1064 ov[16] = c;
1065
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1066 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1067 }
1068
1069 return( 0 );
1070}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1071#endif /*MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1072
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1073#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1074/*
1075 * AES-CTR buffer encryption/decryption
1076 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1077int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1078 size_t length,
1079 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1080 unsigned char nonce_counter[16],
1081 unsigned char stream_block[16],
1082 const unsigned char *input,
1083 unsigned char *output )
1084{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1085 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1086 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1087
1088 while( length-- )
1089 {
1090 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1091 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1092
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1093 for( i = 16; i > 0; i-- )
1094 if( ++nonce_counter[i - 1] != 0 )
1095 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1096 }
1097 c = *input++;
1098 *output++ = (unsigned char)( c ^ stream_block[n] );
1099
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1100 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1101 }
1102
1103 *nc_off = n;
1104
1105 return( 0 );
1106}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1107#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1109#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1110
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1111#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1112/*
1113 * AES test vectors from:
1114 *
1115 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1116 */
1117static const unsigned char aes_test_ecb_dec[3][16] =
1118{
1119 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1120 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1121 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1122 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1123 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1124 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1125};
1126
1127static const unsigned char aes_test_ecb_enc[3][16] =
1128{
1129 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1130 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1131 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1132 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1133 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1134 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1135};
1136
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1137#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1138static const unsigned char aes_test_cbc_dec[3][16] =
1139{
1140 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1141 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1142 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1143 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1144 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1145 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1146};
1147
1148static const unsigned char aes_test_cbc_enc[3][16] =
1149{
1150 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1151 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1152 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1153 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1154 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1155 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1156};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1157#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1158
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1159#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1160/*
1161 * AES-CFB128 test vectors from:
1162 *
1163 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1164 */
1165static const unsigned char aes_test_cfb128_key[3][32] =
1166{
1167 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1168 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1169 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1170 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1171 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1172 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1173 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1174 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1175 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1176};
1177
1178static const unsigned char aes_test_cfb128_iv[16] =
1179{
1180 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1181 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1182};
1183
1184static const unsigned char aes_test_cfb128_pt[64] =
1185{
1186 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1187 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1188 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1189 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1190 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1191 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1192 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1193 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1194};
1195
1196static const unsigned char aes_test_cfb128_ct[3][64] =
1197{
1198 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1199 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1200 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1201 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1202 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1203 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1204 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1205 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1206 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1207 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1208 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1209 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1210 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1211 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1212 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1213 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1214 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1215 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1216 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1217 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1218 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1219 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1220 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1221 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1222};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1223#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1224
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1225#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1226/*
1227 * AES-CTR test vectors from:
1228 *
1229 * http://www.faqs.org/rfcs/rfc3686.html
1230 */
1231
1232static const unsigned char aes_test_ctr_key[3][16] =
1233{
1234 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1235 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1236 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1237 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1238 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1239 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1240};
1241
1242static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1243{
1244 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1245 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1246 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1247 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1248 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1249 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1250};
1251
1252static const unsigned char aes_test_ctr_pt[3][48] =
1253{
1254 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1255 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1256
1257 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1258 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1259 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1260 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1261
1262 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1263 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1264 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1265 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1266 0x20, 0x21, 0x22, 0x23 }
1267};
1268
1269static const unsigned char aes_test_ctr_ct[3][48] =
1270{
1271 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1272 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1273 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1274 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1275 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1276 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1277 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1278 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1279 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1280 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1281 0x25, 0xB2, 0x07, 0x2F }
1282};
1283
1284static const int aes_test_ctr_len[3] =
1285 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1286#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1287
1288/*
1289 * Checkup routine
1290 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1291int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1292{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1293 int ret = 0, i, j, u, mode;
1294 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1295 unsigned char key[32];
1296 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1297 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1298#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1300#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1301#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1302 unsigned char prv[16];
1303#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1304#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1305 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1306#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1307#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1308 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1309 unsigned char nonce_counter[16];
1310 unsigned char stream_block[16];
1311#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1312 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313
1314 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1315 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1316
1317 /*
1318 * ECB mode
1319 */
1320 for( i = 0; i < 6; i++ )
1321 {
1322 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1323 keybits = 128 + u * 64;
1324 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325
1326 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1327 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1328 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1329
1330 memset( buf, 0, 16 );
1331
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1332 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1334 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1335 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336 }
1337 else
1338 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1339 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1340 aes_tests = aes_test_ecb_enc[u];
1341 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1343 /*
1344 * AES-192 is an optional feature that may be unavailable when
1345 * there is an alternative underlying implementation i.e. when
1346 * MBEDTLS_AES_ALT is defined.
1347 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1348 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1349 {
1350 mbedtls_printf( "skipped\n" );
1351 continue;
1352 }
1353 else if( ret != 0 )
1354 {
1355 goto exit;
1356 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1357
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1358 for( j = 0; j < 10000; j++ )
1359 {
1360 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1361 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1362 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1363 }
1364
1365 if( memcmp( buf, aes_tests, 16 ) != 0 )
1366 {
1367 ret = 1;
1368 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1369 }
1370
1371 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1373 }
1374
1375 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1376 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1377
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1378#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1379 /*
1380 * CBC mode
1381 */
1382 for( i = 0; i < 6; i++ )
1383 {
1384 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1385 keybits = 128 + u * 64;
1386 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1387
1388 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1389 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1390 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1391
1392 memset( iv , 0, 16 );
1393 memset( prv, 0, 16 );
1394 memset( buf, 0, 16 );
1395
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1396 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1397 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1398 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1399 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1400 }
1401 else
1402 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1403 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1404 aes_tests = aes_test_cbc_enc[u];
1405 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1406
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1407 /*
1408 * AES-192 is an optional feature that may be unavailable when
1409 * there is an alternative underlying implementation i.e. when
1410 * MBEDTLS_AES_ALT is defined.
1411 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1412 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1413 {
1414 mbedtls_printf( "skipped\n" );
1415 continue;
1416 }
1417 else if( ret != 0 )
1418 {
1419 goto exit;
1420 }
1421
1422 for( j = 0; j < 10000; j++ )
1423 {
1424 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1425 {
1426 unsigned char tmp[16];
1427
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1428 memcpy( tmp, prv, 16 );
1429 memcpy( prv, buf, 16 );
1430 memcpy( buf, tmp, 16 );
1431 }
1432
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1433 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1434 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1435 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1436
1437 }
1438
1439 if( memcmp( buf, aes_tests, 16 ) != 0 )
1440 {
1441 ret = 1;
1442 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1443 }
1444
1445 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1446 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1447 }
1448
1449 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1450 mbedtls_printf( "\n" );
1451#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1452
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1453#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1454 /*
1455 * CFB128 mode
1456 */
1457 for( i = 0; i < 6; i++ )
1458 {
1459 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1460 keybits = 128 + u * 64;
1461 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1462
1463 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1464 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1465 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1466
1467 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1468 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1469
1470 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1471 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1472 /*
1473 * AES-192 is an optional feature that may be unavailable when
1474 * there is an alternative underlying implementation i.e. when
1475 * MBEDTLS_AES_ALT is defined.
1476 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1477 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1478 {
1479 mbedtls_printf( "skipped\n" );
1480 continue;
1481 }
1482 else if( ret != 0 )
1483 {
1484 goto exit;
1485 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1486
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1487 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1488 {
1489 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1490 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1491 }
1492 else
1493 {
1494 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1495 aes_tests = aes_test_cfb128_ct[u];
1496 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1497
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1498 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1499 if( ret != 0 )
1500 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1501
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1502 if( memcmp( buf, aes_tests, 64 ) != 0 )
1503 {
1504 ret = 1;
1505 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1506 }
1507
1508 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1509 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510 }
1511
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1512 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1513 mbedtls_printf( "\n" );
1514#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1516#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1517 /*
1518 * CTR mode
1519 */
1520 for( i = 0; i < 6; i++ )
1521 {
1522 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1523 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1524
1525 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1526 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1527 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1528
1529 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1530 memcpy( key, aes_test_ctr_key[u], 16 );
1531
1532 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1533 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1534 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1535
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1536 len = aes_test_ctr_len[u];
1537
1538 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1539 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1540 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1541 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1542 }
1543 else
1544 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1545 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1546 aes_tests = aes_test_ctr_ct[u];
1547 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1548
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1549 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1550 stream_block, buf, buf );
1551 if( ret != 0 )
1552 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1553
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1554 if( memcmp( buf, aes_tests, len ) != 0 )
1555 {
1556 ret = 1;
1557 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1558 }
1559
1560 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1561 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1562 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1563
1564 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1565 mbedtls_printf( "\n" );
1566#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1567
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1568 ret = 0;
1569
1570exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1571 if( ret != 0 && verbose != 0 )
1572 mbedtls_printf( "failed\n" );
1573
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1574 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1575
1576 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1577}
1578
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1579#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1581#endif /* MBEDTLS_AES_C */