TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ee4d4eb6259a297a40f27805dfe1ae6bad0c7ac4 / . / library / aes.c
blob: 1d65607492bb8feea6e9df3a76c2484fb4c6b183 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
55#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]57#define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60/*
61 * 32-bit integer manipulation macros (little endian)
62 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]63#ifndef GET_UINT32_LE
64#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]66 (n) = ( (uint32_t) (b)[(i) ] ) \
67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70}
71#endif
72
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]73#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]74#define PUT_UINT32_LE(n,b,i) \
75{ \
76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80}
81#endif
82
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]83#if defined(MBEDTLS_PADLOCK_C) && \
84 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]85static int aes_padlock_ace = -1;
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]89/*
90 * Forward S-box
91 */
92static const unsigned char FSb[256] =
93{
94 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
95 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
96 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
97 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
98 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
99 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
100 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
101 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
102 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
103 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
104 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
105 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
106 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
107 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
108 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
109 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
110 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
111 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
112 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
113 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
114 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
115 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
116 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
117 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
118 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
119 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
120 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
121 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
122 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
123 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
124 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
125 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
126};
127
128/*
129 * Forward tables
130 */
131#define FT \
132\
133 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
134 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
135 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
136 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
137 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
138 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
139 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
140 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
141 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
142 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
143 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
144 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
145 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
146 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
147 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
148 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
149 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
150 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
151 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
152 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
153 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
154 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
155 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
156 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
157 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
158 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
159 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
160 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
161 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
162 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
163 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
164 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
165 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
166 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
167 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
168 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
169 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
170 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
171 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
172 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
173 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
174 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
175 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
176 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
177 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
178 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
179 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
180 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
181 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
182 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
183 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
184 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
185 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
186 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
187 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
188 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
189 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
190 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
191 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
192 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
193 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
194 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
195 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
196 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
197
198#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]202#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]203
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
208#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]209static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#undef V
211
212#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]213static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]214#undef V
215
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]216#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]217
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]218#undef FT
219
220/*
221 * Reverse S-box
222 */
223static const unsigned char RSb[256] =
224{
225 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
226 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
227 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
228 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
229 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
230 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
232 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
233 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
234 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
235 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
236 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
237 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
238 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
239 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
240 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
241 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
242 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
243 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
244 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
245 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
246 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
247 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
248 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
249 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
250 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
251 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
252 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
253 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
254 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
255 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
256 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
257};
258
259/*
260 * Reverse tables
261 */
262#define RT \
263\
264 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
265 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
266 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
267 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
268 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
269 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
270 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
271 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
272 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
273 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
274 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
275 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
276 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
277 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
278 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
279 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
280 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
281 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
282 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
283 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
284 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
285 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
286 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
287 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
288 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
289 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
290 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
291 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
292 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
293 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
294 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
295 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
296 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
297 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
298 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
299 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
300 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
301 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
302 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
303 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
304 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
305 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
306 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
307 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
308 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
309 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
310 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
311 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
312 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
313 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
314 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
315 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
316 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
317 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
318 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
319 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
320 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
321 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
322 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
323 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
324 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
325 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
326 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
327 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
328
329#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]333#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]334
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
339#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]340static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#undef V
342
343#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345#undef V
346
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]347#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]348
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349#undef RT
350
351/*
352 * Round constants
353 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355{
356 0x00000001, 0x00000002, 0x00000004, 0x00000008,
357 0x00000010, 0x00000020, 0x00000040, 0x00000080,
358 0x0000001B, 0x00000036
359};
360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]361#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362
363/*
364 * Forward S-box & tables
365 */
366static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]368#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]369static uint32_t FT1[256];
370static uint32_t FT2[256];
371static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]372#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374/*
375 * Reverse S-box & tables
376 */
377static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]379#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]380static uint32_t RT1[256];
381static uint32_t RT2[256];
382static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]383#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384
385/*
386 * Round constants
387 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Tables generation code
392 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]393#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
394#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]395#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]396
397static int aes_init_done = 0;
398
399static void aes_gen_tables( void )
400{
401 int i, x, y, z;
402 int pow[256];
403 int log[256];
404
405 /*
406 * compute pow and log tables over GF(2^8)
407 */
408 for( i = 0, x = 1; i < 256; i++ )
409 {
410 pow[i] = x;
411 log[x] = i;
412 x = ( x ^ XTIME( x ) ) & 0xFF;
413 }
414
415 /*
416 * calculate the round constants
417 */
418 for( i = 0, x = 1; i < 10; i++ )
419 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]420 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421 x = XTIME( x ) & 0xFF;
422 }
423
424 /*
425 * generate the forward and reverse S-boxes
426 */
427 FSb[0x00] = 0x63;
428 RSb[0x63] = 0x00;
429
430 for( i = 1; i < 256; i++ )
431 {
432 x = pow[255 - log[i]];
433
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]434 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
436 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438 x ^= y ^ 0x63;
439
440 FSb[i] = (unsigned char) x;
441 RSb[x] = (unsigned char) i;
442 }
443
444 /*
445 * generate the forward and reverse tables
446 */
447 for( i = 0; i < 256; i++ )
448 {
449 x = FSb[i];
450 y = XTIME( x ) & 0xFF;
451 z = ( y ^ x ) & 0xFF;
452
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]453 FT0[i] = ( (uint32_t) y ) ^
454 ( (uint32_t) x << 8 ) ^
455 ( (uint32_t) x << 16 ) ^
456 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]458#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 FT1[i] = ROTL8( FT0[i] );
460 FT2[i] = ROTL8( FT1[i] );
461 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]462#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463
464 x = RSb[i];
465
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]466 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
467 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
468 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
469 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]471#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 RT1[i] = ROTL8( RT0[i] );
473 RT2[i] = ROTL8( RT1[i] );
474 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]475#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477}
478
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]479#undef ROTL8
480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]481#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]483#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484
485#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
486#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
487#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
488
489#define AES_RT0(idx) RT0[idx]
490#define AES_RT1(idx) ROTL8( RT0[idx] )
491#define AES_RT2(idx) ROTL16( RT0[idx] )
492#define AES_RT3(idx) ROTL24( RT0[idx] )
493
494#define AES_FT0(idx) FT0[idx]
495#define AES_FT1(idx) ROTL8( FT0[idx] )
496#define AES_FT2(idx) ROTL16( FT0[idx] )
497#define AES_FT3(idx) ROTL24( FT0[idx] )
498
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]499#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]500
501#define AES_RT0(idx) RT0[idx]
502#define AES_RT1(idx) RT1[idx]
503#define AES_RT2(idx) RT2[idx]
504#define AES_RT3(idx) RT3[idx]
505
506#define AES_FT0(idx) FT0[idx]
507#define AES_FT1(idx) FT1[idx]
508#define AES_FT2(idx) FT2[idx]
509#define AES_FT3(idx) FT3[idx]
510
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]511#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]515 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]518}
519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]520void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]521{
522 if( ctx == NULL )
523 return;
524
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]525 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526}
527
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]528#if defined(MBEDTLS_CIPHER_MODE_XTS)
529void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
530{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]531 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533 mbedtls_aes_init( &ctx->crypt );
534 mbedtls_aes_init( &ctx->tweak );
535}
536
537void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
538{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]539 if( ctx == NULL )
540 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]541
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]542 mbedtls_aes_free( &ctx->crypt );
543 mbedtls_aes_free( &ctx->tweak );
544}
545#endif /* MBEDTLS_CIPHER_MODE_XTS */
546
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547/*
548 * AES key schedule (encryption)
549 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]550#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]552 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]554 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]555 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]557 AES_VALIDATE_RET( ctx != NULL );
558 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]560 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 {
562 case 128: ctx->nr = 10; break;
563 case 192: ctx->nr = 12; break;
564 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]565 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 }
567
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]568#if !defined(MBEDTLS_AES_ROM_TABLES)
569 if( aes_init_done == 0 )
570 {
571 aes_gen_tables();
572 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573 }
574#endif
575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]576#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]577 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]578 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]579
580 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]587 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]588 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]589#endif
590
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]591 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]593 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 }
595
596 switch( ctx->nr )
597 {
598 case 10:
599
600 for( i = 0; i < 10; i++, RK += 4 )
601 {
602 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]603 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
604 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
605 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
606 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607
608 RK[5] = RK[1] ^ RK[4];
609 RK[6] = RK[2] ^ RK[5];
610 RK[7] = RK[3] ^ RK[6];
611 }
612 break;
613
614 case 12:
615
616 for( i = 0; i < 8; i++, RK += 6 )
617 {
618 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]619 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
620 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
621 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
622 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623
624 RK[7] = RK[1] ^ RK[6];
625 RK[8] = RK[2] ^ RK[7];
626 RK[9] = RK[3] ^ RK[8];
627 RK[10] = RK[4] ^ RK[9];
628 RK[11] = RK[5] ^ RK[10];
629 }
630 break;
631
632 case 14:
633
634 for( i = 0; i < 7; i++, RK += 8 )
635 {
636 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]637 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
638 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
639 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
640 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641
642 RK[9] = RK[1] ^ RK[8];
643 RK[10] = RK[2] ^ RK[9];
644 RK[11] = RK[3] ^ RK[10];
645
646 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]647 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
648 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
649 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
650 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
652 RK[13] = RK[5] ^ RK[12];
653 RK[14] = RK[6] ^ RK[13];
654 RK[15] = RK[7] ^ RK[14];
655 }
656 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]658
659 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]661#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
663/*
664 * AES key schedule (decryption)
665 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]667int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]668 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]670 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]672 uint32_t *RK;
673 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]674
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]675 AES_VALIDATE_RET( ctx != NULL );
676 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]678 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]681 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]682 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]683
684 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]690 /* Also checks keybits */
691 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]692 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]693
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]694 ctx->nr = cty.nr;
695
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]696#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]697 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]698 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]700 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]701 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]702 }
703#endif
704
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705 SK = cty.rk + cty.nr * 4;
706
707 *RK++ = *SK++;
708 *RK++ = *SK++;
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711
712 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
713 {
714 for( j = 0; j < 4; j++, SK++ )
715 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]716 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
717 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
718 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
719 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720 }
721 }
722
723 *RK++ = *SK++;
724 *RK++ = *SK++;
725 *RK++ = *SK++;
726 *RK++ = *SK++;
727
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]728exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]730
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]733
734#if defined(MBEDTLS_CIPHER_MODE_XTS)
735static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
736 unsigned int keybits,
737 const unsigned char **key1,
738 unsigned int *key1bits,
739 const unsigned char **key2,
740 unsigned int *key2bits )
741{
742 const unsigned int half_keybits = keybits / 2;
743 const unsigned int half_keybytes = half_keybits / 8;
744
745 switch( keybits )
746 {
747 case 256: break;
748 case 512: break;
749 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
750 }
751
752 *key1bits = half_keybits;
753 *key2bits = half_keybits;
754 *key1 = &key[0];
755 *key2 = &key[half_keybytes];
756
757 return 0;
758}
759
760int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
761 const unsigned char *key,
762 unsigned int keybits)
763{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]764 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]765 const unsigned char *key1, *key2;
766 unsigned int key1bits, key2bits;
767
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]768 AES_VALIDATE_RET( ctx != NULL );
769 AES_VALIDATE_RET( key != NULL );
770
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]771 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
772 &key2, &key2bits );
773 if( ret != 0 )
774 return( ret );
775
776 /* Set the tweak key. Always set tweak key for the encryption mode. */
777 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set crypt key for encryption. */
782 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
783}
784
785int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
786 const unsigned char *key,
787 unsigned int keybits)
788{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]789 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]790 const unsigned char *key1, *key2;
791 unsigned int key1bits, key2bits;
792
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]793 AES_VALIDATE_RET( ctx != NULL );
794 AES_VALIDATE_RET( key != NULL );
795
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]796 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
797 &key2, &key2bits );
798 if( ret != 0 )
799 return( ret );
800
801 /* Set the tweak key. Always set tweak key for encryption. */
802 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set crypt key for decryption. */
807 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
808}
809#endif /* MBEDTLS_CIPHER_MODE_XTS */
810
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]811#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]813#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
814 do \
815 { \
816 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
817 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
818 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
819 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
820 \
821 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
822 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
823 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
824 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
825 \
826 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
827 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
828 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
829 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
830 \
831 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
832 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
833 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
834 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
835 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]837#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
838 do \
839 { \
840 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
841 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
842 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
843 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
844 \
845 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
846 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
847 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
848 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
849 \
850 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
851 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
852 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
853 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
854 \
855 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
856 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
857 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
858 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
859 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860
861/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]862 * AES-ECB block encryption
863 */
864#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]865int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
866 const unsigned char input[16],
867 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]868{
869 int i;
870 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
871
872 RK = ctx->rk;
873
874 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
875 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
876 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
877 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
878
879 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
880 {
881 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
882 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
883 }
884
885 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
886
887 X0 = *RK++ ^ \
888 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
889 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
890 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
891 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
892
893 X1 = *RK++ ^ \
894 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
895 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
896 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
897 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
898
899 X2 = *RK++ ^ \
900 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
901 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
902 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
903 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
904
905 X3 = *RK++ ^ \
906 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
907 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
908 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
909 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
910
911 PUT_UINT32_LE( X0, output, 0 );
912 PUT_UINT32_LE( X1, output, 4 );
913 PUT_UINT32_LE( X2, output, 8 );
914 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]915
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]916 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
917 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
918 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
919 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
920
921 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
922 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
923 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
924 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
925
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]926 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]927}
928#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
929
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]930#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]931void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
932 const unsigned char input[16],
933 unsigned char output[16] )
934{
935 mbedtls_internal_aes_encrypt( ctx, input, output );
936}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]937#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]938
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]939/*
940 * AES-ECB block decryption
941 */
942#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]943int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
944 const unsigned char input[16],
945 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]946{
947 int i;
948 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
949
950 RK = ctx->rk;
951
952 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
953 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
954 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
955 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
956
957 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
958 {
959 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
960 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
961 }
962
963 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
964
965 X0 = *RK++ ^ \
966 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
967 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
968 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
969 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
970
971 X1 = *RK++ ^ \
972 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
973 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
974 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
975 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
976
977 X2 = *RK++ ^ \
978 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
979 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
980 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
981 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
982
983 X3 = *RK++ ^ \
984 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
985 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
986 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
987 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
988
989 PUT_UINT32_LE( X0, output, 0 );
990 PUT_UINT32_LE( X1, output, 4 );
991 PUT_UINT32_LE( X2, output, 8 );
992 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]993
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]994 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
995 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
996 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
997 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
998
999 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1000 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1001 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1002 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1003
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1004 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1005}
1006#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1007
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1008#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1009void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1010 const unsigned char input[16],
1011 unsigned char output[16] )
1012{
1013 mbedtls_internal_aes_decrypt( ctx, input, output );
1014}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1015#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1016
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1017/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1018 * AES-ECB block encryption/decryption
1019 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1020int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1021 int mode,
1022 const unsigned char input[16],
1023 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1025 AES_VALIDATE_RET( ctx != NULL );
1026 AES_VALIDATE_RET( input != NULL );
1027 AES_VALIDATE_RET( output != NULL );
1028 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1029 mode == MBEDTLS_AES_DECRYPT );
1030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1031#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1032 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1033 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1034#endif
1035
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1036#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1037 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1040 return( 0 );
1041
1042 // If padlock data misaligned, we just fall back to
1043 // unaccelerated mode
1044 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045 }
1046#endif
1047
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1048 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1049 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1050 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1051 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1052}
1053
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1054#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1055/*
1056 * AES-CBC buffer encryption/decryption
1057 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1058int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1059 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1060 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1061 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1062 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063 unsigned char *output )
1064{
1065 int i;
1066 unsigned char temp[16];
1067
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1068 AES_VALIDATE_RET( ctx != NULL );
1069 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1070 mode == MBEDTLS_AES_DECRYPT );
1071 AES_VALIDATE_RET( iv != NULL );
1072 AES_VALIDATE_RET( input != NULL );
1073 AES_VALIDATE_RET( output != NULL );
1074
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1075 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1076 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1078#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1079 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1080 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1081 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1082 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1083
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1084 // If padlock data misaligned, we just fall back to
1085 // unaccelerated mode
1086 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1087 }
1088#endif
1089
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1090 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1091 {
1092 while( length > 0 )
1093 {
1094 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1095 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1096
1097 for( i = 0; i < 16; i++ )
1098 output[i] = (unsigned char)( output[i] ^ iv[i] );
1099
1100 memcpy( iv, temp, 16 );
1101
1102 input += 16;
1103 output += 16;
1104 length -= 16;
1105 }
1106 }
1107 else
1108 {
1109 while( length > 0 )
1110 {
1111 for( i = 0; i < 16; i++ )
1112 output[i] = (unsigned char)( input[i] ^ iv[i] );
1113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1114 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1115 memcpy( iv, output, 16 );
1116
1117 input += 16;
1118 output += 16;
1119 length -= 16;
1120 }
1121 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1122
1123 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1124}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1125#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1126
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1127#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1128
1129/* Endianess with 64 bits values */
1130#ifndef GET_UINT64_LE
1131#define GET_UINT64_LE(n,b,i) \
1132{ \
1133 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1134 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1135 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1136 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1137 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1138 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1139 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1140 | ( (uint64_t) (b)[(i) ] ); \
1141}
1142#endif
1143
1144#ifndef PUT_UINT64_LE
1145#define PUT_UINT64_LE(n,b,i) \
1146{ \
1147 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1148 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1149 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1150 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1151 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1152 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1153 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1154 (b)[(i) ] = (unsigned char) ( (n) ); \
1155}
1156#endif
1157
1158typedef unsigned char mbedtls_be128[16];
1159
1160/*
1161 * GF(2^128) multiplication function
1162 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1163 * This function multiplies a field element by x in the polynomial field
1164 * representation. It uses 64-bit word operations to gain speed but compensates
1165 * for machine endianess and hence works correctly on both big and little
1166 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1167 */
1168static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1169 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1170{
1171 uint64_t a, b, ra, rb;
1172
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1173 GET_UINT64_LE( a, x, 0 );
1174 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1175
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1176 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1177 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1178
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1179 PUT_UINT64_LE( ra, r, 0 );
1180 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1181}
1182
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1183/*
1184 * AES-XTS buffer encryption/decryption
1185 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1186int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1187 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1188 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1189 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1190 const unsigned char *input,
1191 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1192{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1193 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1194 size_t blocks = length / 16;
1195 size_t leftover = length % 16;
1196 unsigned char tweak[16];
1197 unsigned char prev_tweak[16];
1198 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1199
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1200 AES_VALIDATE_RET( ctx != NULL );
1201 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1202 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1203 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1204 AES_VALIDATE_RET( input != NULL );
1205 AES_VALIDATE_RET( output != NULL );
1206
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1207 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1208 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1209 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1210
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1211 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1212 if( length > ( 1 << 20 ) * 16 )
1213 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1214
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1215 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1216 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1217 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1218 if( ret != 0 )
1219 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1220
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1221 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1222 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1223 size_t i;
1224
1225 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1226 {
1227 /* We are on the last block in a decrypt operation that has
1228 * leftover bytes, so we need to use the next tweak for this block,
1229 * and this tweak for the lefover bytes. Save the current tweak for
1230 * the leftovers and then update the current tweak for use on this,
1231 * the last full block. */
1232 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1233 mbedtls_gf128mul_x_ble( tweak, tweak );
1234 }
1235
1236 for( i = 0; i < 16; i++ )
1237 tmp[i] = input[i] ^ tweak[i];
1238
1239 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1240 if( ret != 0 )
1241 return( ret );
1242
1243 for( i = 0; i < 16; i++ )
1244 output[i] = tmp[i] ^ tweak[i];
1245
1246 /* Update the tweak for the next block. */
1247 mbedtls_gf128mul_x_ble( tweak, tweak );
1248
1249 output += 16;
1250 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1251 }
1252
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1253 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1254 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1255 /* If we are on the leftover bytes in a decrypt operation, we need to
1256 * use the previous tweak for these bytes (as saved in prev_tweak). */
1257 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1258
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1259 /* We are now on the final part of the data unit, which doesn't divide
1260 * evenly by 16. It's time for ciphertext stealing. */
1261 size_t i;
1262 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1263
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1264 /* Copy ciphertext bytes from the previous block to our output for each
1265 * byte of cyphertext we won't steal. At the same time, copy the
1266 * remainder of the input for this final round (since the loop bounds
1267 * are the same). */
1268 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1269 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1270 output[i] = prev_output[i];
1271 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1272 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1273
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1274 /* Copy ciphertext bytes from the previous block for input in this
1275 * round. */
1276 for( ; i < 16; i++ )
1277 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1278
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1279 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1280 if( ret != 0 )
1281 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1282
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1283 /* Write the result back to the previous block, overriding the previous
1284 * output we copied. */
1285 for( i = 0; i < 16; i++ )
1286 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1287 }
1288
1289 return( 0 );
1290}
1291#endif /* MBEDTLS_CIPHER_MODE_XTS */
1292
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1293#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1294/*
1295 * AES-CFB128 buffer encryption/decryption
1296 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1297int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1298 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1299 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1300 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1301 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1302 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303 unsigned char *output )
1304{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1305 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1306 size_t n;
1307
1308 AES_VALIDATE_RET( ctx != NULL );
1309 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1310 mode == MBEDTLS_AES_DECRYPT );
1311 AES_VALIDATE_RET( iv_off != NULL );
1312 AES_VALIDATE_RET( iv != NULL );
1313 AES_VALIDATE_RET( input != NULL );
1314 AES_VALIDATE_RET( output != NULL );
1315
1316 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1317
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1318 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1319 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1320
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1321 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1322 {
1323 while( length-- )
1324 {
1325 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1326 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1327
1328 c = *input++;
1329 *output++ = (unsigned char)( c ^ iv[n] );
1330 iv[n] = (unsigned char) c;
1331
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1332 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333 }
1334 }
1335 else
1336 {
1337 while( length-- )
1338 {
1339 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1340 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1341
1342 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1343
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1344 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1345 }
1346 }
1347
1348 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1349
1350 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1351}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1352
1353/*
1354 * AES-CFB8 buffer encryption/decryption
1355 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1356int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1357 int mode,
1358 size_t length,
1359 unsigned char iv[16],
1360 const unsigned char *input,
1361 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1362{
1363 unsigned char c;
1364 unsigned char ov[17];
1365
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1366 AES_VALIDATE_RET( ctx != NULL );
1367 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1368 mode == MBEDTLS_AES_DECRYPT );
1369 AES_VALIDATE_RET( iv != NULL );
1370 AES_VALIDATE_RET( input != NULL );
1371 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1372 while( length-- )
1373 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1374 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1375 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1376
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1377 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1378 ov[16] = *input;
1379
1380 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1381
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1382 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1383 ov[16] = c;
1384
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1385 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1386 }
1387
1388 return( 0 );
1389}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1390#endif /* MBEDTLS_CIPHER_MODE_CFB */
1391
1392#if defined(MBEDTLS_CIPHER_MODE_OFB)
1393/*
1394 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1395 */
1396int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1397 size_t length,
1398 size_t *iv_off,
1399 unsigned char iv[16],
1400 const unsigned char *input,
1401 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1402{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1403 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1404 size_t n;
1405
1406 AES_VALIDATE_RET( ctx != NULL );
1407 AES_VALIDATE_RET( iv_off != NULL );
1408 AES_VALIDATE_RET( iv != NULL );
1409 AES_VALIDATE_RET( input != NULL );
1410 AES_VALIDATE_RET( output != NULL );
1411
1412 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1413
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1414 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1415 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1416
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1417 while( length-- )
1418 {
1419 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1420 {
1421 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1422 if( ret != 0 )
1423 goto exit;
1424 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1425 *output++ = *input++ ^ iv[n];
1426
1427 n = ( n + 1 ) & 0x0F;
1428 }
1429
1430 *iv_off = n;
1431
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1432exit:
1433 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1434}
1435#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1436
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1437#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1438/*
1439 * AES-CTR buffer encryption/decryption
1440 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1441int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1442 size_t length,
1443 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1444 unsigned char nonce_counter[16],
1445 unsigned char stream_block[16],
1446 const unsigned char *input,
1447 unsigned char *output )
1448{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1449 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1450 size_t n;
1451
1452 AES_VALIDATE_RET( ctx != NULL );
1453 AES_VALIDATE_RET( nc_off != NULL );
1454 AES_VALIDATE_RET( nonce_counter != NULL );
1455 AES_VALIDATE_RET( stream_block != NULL );
1456 AES_VALIDATE_RET( input != NULL );
1457 AES_VALIDATE_RET( output != NULL );
1458
1459 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1460
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1461 if ( n > 0x0F )
1462 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1463
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1464 while( length-- )
1465 {
1466 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1467 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1468
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1469 for( i = 16; i > 0; i-- )
1470 if( ++nonce_counter[i - 1] != 0 )
1471 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1472 }
1473 c = *input++;
1474 *output++ = (unsigned char)( c ^ stream_block[n] );
1475
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1476 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1477 }
1478
1479 *nc_off = n;
1480
1481 return( 0 );
1482}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1483#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1485#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1486
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1487#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1488/*
1489 * AES test vectors from:
1490 *
1491 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1492 */
1493static const unsigned char aes_test_ecb_dec[3][16] =
1494{
1495 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1496 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1497 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1498 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1499 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1500 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1501};
1502
1503static const unsigned char aes_test_ecb_enc[3][16] =
1504{
1505 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1506 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1507 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1508 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1509 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1510 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1511};
1512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1513#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1514static const unsigned char aes_test_cbc_dec[3][16] =
1515{
1516 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1517 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1518 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1519 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1520 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1521 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1522};
1523
1524static const unsigned char aes_test_cbc_enc[3][16] =
1525{
1526 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1527 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1528 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1529 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1530 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1531 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1532};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1533#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1535#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1536/*
1537 * AES-CFB128 test vectors from:
1538 *
1539 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1540 */
1541static const unsigned char aes_test_cfb128_key[3][32] =
1542{
1543 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1544 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1545 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1546 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1547 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1548 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1549 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1550 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1551 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1552};
1553
1554static const unsigned char aes_test_cfb128_iv[16] =
1555{
1556 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1557 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1558};
1559
1560static const unsigned char aes_test_cfb128_pt[64] =
1561{
1562 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1563 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1564 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1565 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1566 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1567 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1568 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1569 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1570};
1571
1572static const unsigned char aes_test_cfb128_ct[3][64] =
1573{
1574 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1575 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1576 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1577 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1578 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1579 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1580 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1581 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1582 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1583 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1584 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1585 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1586 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1587 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1588 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1589 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1590 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1591 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1592 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1593 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1594 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1595 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1596 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1597 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1598};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1599#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1600
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1601#if defined(MBEDTLS_CIPHER_MODE_OFB)
1602/*
1603 * AES-OFB test vectors from:
1604 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1605 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1606 */
1607static const unsigned char aes_test_ofb_key[3][32] =
1608{
1609 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1610 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1611 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1612 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1613 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1614 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1615 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1616 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1617 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1618};
1619
1620static const unsigned char aes_test_ofb_iv[16] =
1621{
1622 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1623 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1624};
1625
1626static const unsigned char aes_test_ofb_pt[64] =
1627{
1628 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1629 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1630 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1631 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1632 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1633 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1634 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1635 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1636};
1637
1638static const unsigned char aes_test_ofb_ct[3][64] =
1639{
1640 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1641 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1642 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1643 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1644 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1645 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1646 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1647 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1648 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1649 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1650 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1651 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1652 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1653 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1654 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1655 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1656 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1657 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1658 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1659 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1660 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1661 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1662 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1663 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1664};
1665#endif /* MBEDTLS_CIPHER_MODE_OFB */
1666
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1667#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1668/*
1669 * AES-CTR test vectors from:
1670 *
1671 * http://www.faqs.org/rfcs/rfc3686.html
1672 */
1673
1674static const unsigned char aes_test_ctr_key[3][16] =
1675{
1676 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1677 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1678 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1679 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1680 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1681 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1682};
1683
1684static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1685{
1686 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1688 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1689 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1690 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1691 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1692};
1693
1694static const unsigned char aes_test_ctr_pt[3][48] =
1695{
1696 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1697 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1698
1699 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1700 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1701 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1702 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1703
1704 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1705 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1706 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1707 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1708 0x20, 0x21, 0x22, 0x23 }
1709};
1710
1711static const unsigned char aes_test_ctr_ct[3][48] =
1712{
1713 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1714 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1715 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1716 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1717 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1718 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1719 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1720 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1721 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1722 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1723 0x25, 0xB2, 0x07, 0x2F }
1724};
1725
1726static const int aes_test_ctr_len[3] =
1727 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1728#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1729
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1730#if defined(MBEDTLS_CIPHER_MODE_XTS)
1731/*
1732 * AES-XTS test vectors from:
1733 *
1734 * IEEE P1619/D16 Annex B
1735 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1736 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1737 */
1738static const unsigned char aes_test_xts_key[][32] =
1739{
1740 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1744 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1745 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1746 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1747 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1748 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1749 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1750 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1751 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1752};
1753
1754static const unsigned char aes_test_xts_pt32[][32] =
1755{
1756 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1757 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1758 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1759 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1760 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1761 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1762 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1763 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1764 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1765 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1766 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1767 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1768};
1769
1770static const unsigned char aes_test_xts_ct32[][32] =
1771{
1772 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1773 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1774 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1775 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1776 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1777 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1778 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1779 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1780 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1781 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1782 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1783 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1784};
1785
1786static const unsigned char aes_test_xts_data_unit[][16] =
1787{
1788 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1789 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1790 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1791 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1792 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1794};
1795
1796#endif /* MBEDTLS_CIPHER_MODE_XTS */
1797
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798/*
1799 * Checkup routine
1800 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1801int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1802{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1803 int ret = 0, i, j, u, mode;
1804 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1805 unsigned char key[32];
1806 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1807 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1808#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1810#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1811#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1812 unsigned char prv[16];
1813#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1814#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1815 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1816 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1817#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1818#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1819 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1820#endif
1821#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1822 unsigned char nonce_counter[16];
1823 unsigned char stream_block[16];
1824#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1825 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1826
1827 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1828 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1829
1830 /*
1831 * ECB mode
1832 */
1833 for( i = 0; i < 6; i++ )
1834 {
1835 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1836 keybits = 128 + u * 64;
1837 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1838
1839 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1840 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1841 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842
1843 memset( buf, 0, 16 );
1844
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1845 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1846 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1847 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1848 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849 }
1850 else
1851 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1852 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1853 aes_tests = aes_test_ecb_enc[u];
1854 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1856 /*
1857 * AES-192 is an optional feature that may be unavailable when
1858 * there is an alternative underlying implementation i.e. when
1859 * MBEDTLS_AES_ALT is defined.
1860 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1861 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1862 {
1863 mbedtls_printf( "skipped\n" );
1864 continue;
1865 }
1866 else if( ret != 0 )
1867 {
1868 goto exit;
1869 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1870
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1871 for( j = 0; j < 10000; j++ )
1872 {
1873 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1874 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1875 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1876 }
1877
1878 if( memcmp( buf, aes_tests, 16 ) != 0 )
1879 {
1880 ret = 1;
1881 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882 }
1883
1884 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1885 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886 }
1887
1888 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1889 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1891#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1892 /*
1893 * CBC mode
1894 */
1895 for( i = 0; i < 6; i++ )
1896 {
1897 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1898 keybits = 128 + u * 64;
1899 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900
1901 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1902 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1903 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904
1905 memset( iv , 0, 16 );
1906 memset( prv, 0, 16 );
1907 memset( buf, 0, 16 );
1908
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1909 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1910 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1911 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1912 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1913 }
1914 else
1915 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1916 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1917 aes_tests = aes_test_cbc_enc[u];
1918 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1919
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1920 /*
1921 * AES-192 is an optional feature that may be unavailable when
1922 * there is an alternative underlying implementation i.e. when
1923 * MBEDTLS_AES_ALT is defined.
1924 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1925 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1926 {
1927 mbedtls_printf( "skipped\n" );
1928 continue;
1929 }
1930 else if( ret != 0 )
1931 {
1932 goto exit;
1933 }
1934
1935 for( j = 0; j < 10000; j++ )
1936 {
1937 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1938 {
1939 unsigned char tmp[16];
1940
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1941 memcpy( tmp, prv, 16 );
1942 memcpy( prv, buf, 16 );
1943 memcpy( buf, tmp, 16 );
1944 }
1945
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1946 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1947 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1948 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1949
1950 }
1951
1952 if( memcmp( buf, aes_tests, 16 ) != 0 )
1953 {
1954 ret = 1;
1955 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1956 }
1957
1958 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1959 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1960 }
1961
1962 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1963 mbedtls_printf( "\n" );
1964#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1965
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1966#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967 /*
1968 * CFB128 mode
1969 */
1970 for( i = 0; i < 6; i++ )
1971 {
1972 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1973 keybits = 128 + u * 64;
1974 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975
1976 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1977 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1978 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1979
1980 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1981 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1982
1983 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1984 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1985 /*
1986 * AES-192 is an optional feature that may be unavailable when
1987 * there is an alternative underlying implementation i.e. when
1988 * MBEDTLS_AES_ALT is defined.
1989 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1990 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1991 {
1992 mbedtls_printf( "skipped\n" );
1993 continue;
1994 }
1995 else if( ret != 0 )
1996 {
1997 goto exit;
1998 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1999
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2000 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2001 {
2002 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2003 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2004 }
2005 else
2006 {
2007 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2008 aes_tests = aes_test_cfb128_ct[u];
2009 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2011 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2012 if( ret != 0 )
2013 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2014
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2015 if( memcmp( buf, aes_tests, 64 ) != 0 )
2016 {
2017 ret = 1;
2018 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019 }
2020
2021 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2022 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2023 }
2024
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2025 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2026 mbedtls_printf( "\n" );
2027#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2028
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2029#if defined(MBEDTLS_CIPHER_MODE_OFB)
2030 /*
2031 * OFB mode
2032 */
2033 for( i = 0; i < 6; i++ )
2034 {
2035 u = i >> 1;
2036 keybits = 128 + u * 64;
2037 mode = i & 1;
2038
2039 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]2040 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2041 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2042
2043 memcpy( iv, aes_test_ofb_iv, 16 );
2044 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2045
2046 offset = 0;
2047 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2048 /*
2049 * AES-192 is an optional feature that may be unavailable when
2050 * there is an alternative underlying implementation i.e. when
2051 * MBEDTLS_AES_ALT is defined.
2052 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2053 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2054 {
2055 mbedtls_printf( "skipped\n" );
2056 continue;
2057 }
2058 else if( ret != 0 )
2059 {
2060 goto exit;
2061 }
2062
2063 if( mode == MBEDTLS_AES_DECRYPT )
2064 {
2065 memcpy( buf, aes_test_ofb_ct[u], 64 );
2066 aes_tests = aes_test_ofb_pt;
2067 }
2068 else
2069 {
2070 memcpy( buf, aes_test_ofb_pt, 64 );
2071 aes_tests = aes_test_ofb_ct[u];
2072 }
2073
2074 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2075 if( ret != 0 )
2076 goto exit;
2077
2078 if( memcmp( buf, aes_tests, 64 ) != 0 )
2079 {
2080 ret = 1;
2081 goto exit;
2082 }
2083
2084 if( verbose != 0 )
2085 mbedtls_printf( "passed\n" );
2086 }
2087
2088 if( verbose != 0 )
2089 mbedtls_printf( "\n" );
2090#endif /* MBEDTLS_CIPHER_MODE_OFB */
2091
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2092#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2093 /*
2094 * CTR mode
2095 */
2096 for( i = 0; i < 6; i++ )
2097 {
2098 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2099 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2100
2101 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2102 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2103 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2104
2105 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2106 memcpy( key, aes_test_ctr_key[u], 16 );
2107
2108 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2109 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2110 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2111
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2112 len = aes_test_ctr_len[u];
2113
2114 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2115 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2116 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2117 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2118 }
2119 else
2120 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2121 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2122 aes_tests = aes_test_ctr_ct[u];
2123 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2124
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2125 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2126 stream_block, buf, buf );
2127 if( ret != 0 )
2128 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2129
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2130 if( memcmp( buf, aes_tests, len ) != 0 )
2131 {
2132 ret = 1;
2133 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2134 }
2135
2136 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2137 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2138 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2139
2140 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2141 mbedtls_printf( "\n" );
2142#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2143
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2144#if defined(MBEDTLS_CIPHER_MODE_XTS)
2145 {
2146 static const int num_tests =
2147 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2148 mbedtls_aes_xts_context ctx_xts;
2149
2150 /*
2151 * XTS mode
2152 */
2153 mbedtls_aes_xts_init( &ctx_xts );
2154
2155 for( i = 0; i < num_tests << 1; i++ )
2156 {
2157 const unsigned char *data_unit;
2158 u = i >> 1;
2159 mode = i & 1;
2160
2161 if( verbose != 0 )
2162 mbedtls_printf( " AES-XTS-128 (%s): ",
2163 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2164
2165 memset( key, 0, sizeof( key ) );
2166 memcpy( key, aes_test_xts_key[u], 32 );
2167 data_unit = aes_test_xts_data_unit[u];
2168
2169 len = sizeof( *aes_test_xts_ct32 );
2170
2171 if( mode == MBEDTLS_AES_DECRYPT )
2172 {
2173 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2174 if( ret != 0)
2175 goto exit;
2176 memcpy( buf, aes_test_xts_ct32[u], len );
2177 aes_tests = aes_test_xts_pt32[u];
2178 }
2179 else
2180 {
2181 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2182 if( ret != 0)
2183 goto exit;
2184 memcpy( buf, aes_test_xts_pt32[u], len );
2185 aes_tests = aes_test_xts_ct32[u];
2186 }
2187
2188
2189 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2190 buf, buf );
2191 if( ret != 0 )
2192 goto exit;
2193
2194 if( memcmp( buf, aes_tests, len ) != 0 )
2195 {
2196 ret = 1;
2197 goto exit;
2198 }
2199
2200 if( verbose != 0 )
2201 mbedtls_printf( "passed\n" );
2202 }
2203
2204 if( verbose != 0 )
2205 mbedtls_printf( "\n" );
2206
2207 mbedtls_aes_xts_free( &ctx_xts );
2208 }
2209#endif /* MBEDTLS_CIPHER_MODE_XTS */
2210
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2211 ret = 0;
2212
2213exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2214 if( ret != 0 && verbose != 0 )
2215 mbedtls_printf( "failed\n" );
2216
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2217 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2218
2219 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2220}
2221
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2222#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2223
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2224#endif /* MBEDTLS_AES_C */