TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 5197c6692c6d895956b833951079dcf4d937fd5c / . / library / aes.c
blob: 8b54e7eaba26f51dd3653c33f673b0370c7fa4d7 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
55#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]57#define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60/*
61 * 32-bit integer manipulation macros (little endian)
62 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]63#ifndef GET_UINT32_LE
64#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]66 (n) = ( (uint32_t) (b)[(i) ] ) \
67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70}
71#endif
72
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]73#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]74#define PUT_UINT32_LE(n,b,i) \
75{ \
76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80}
81#endif
82
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]83#if defined(MBEDTLS_PADLOCK_C) && \
84 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]85static int aes_padlock_ace = -1;
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]89/*
90 * Forward S-box
91 */
92static const unsigned char FSb[256] =
93{
94 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
95 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
96 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
97 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
98 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
99 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
100 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
101 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
102 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
103 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
104 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
105 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
106 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
107 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
108 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
109 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
110 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
111 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
112 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
113 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
114 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
115 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
116 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
117 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
118 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
119 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
120 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
121 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
122 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
123 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
124 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
125 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
126};
127
128/*
129 * Forward tables
130 */
131#define FT \
132\
133 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
134 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
135 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
136 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
137 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
138 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
139 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
140 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
141 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
142 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
143 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
144 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
145 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
146 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
147 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
148 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
149 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
150 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
151 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
152 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
153 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
154 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
155 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
156 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
157 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
158 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
159 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
160 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
161 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
162 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
163 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
164 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
165 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
166 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
167 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
168 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
169 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
170 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
171 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
172 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
173 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
174 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
175 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
176 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
177 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
178 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
179 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
180 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
181 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
182 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
183 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
184 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
185 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
186 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
187 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
188 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
189 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
190 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
191 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
192 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
193 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
194 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
195 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
196 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
197
198#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]202#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]203
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
208#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]209static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#undef V
211
212#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]213static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]214#undef V
215
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]216#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]217
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]218#undef FT
219
220/*
221 * Reverse S-box
222 */
223static const unsigned char RSb[256] =
224{
225 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
226 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
227 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
228 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
229 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
230 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
232 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
233 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
234 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
235 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
236 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
237 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
238 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
239 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
240 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
241 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
242 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
243 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
244 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
245 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
246 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
247 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
248 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
249 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
250 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
251 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
252 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
253 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
254 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
255 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
256 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
257};
258
259/*
260 * Reverse tables
261 */
262#define RT \
263\
264 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
265 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
266 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
267 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
268 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
269 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
270 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
271 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
272 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
273 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
274 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
275 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
276 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
277 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
278 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
279 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
280 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
281 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
282 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
283 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
284 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
285 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
286 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
287 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
288 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
289 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
290 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
291 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
292 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
293 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
294 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
295 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
296 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
297 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
298 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
299 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
300 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
301 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
302 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
303 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
304 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
305 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
306 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
307 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
308 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
309 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
310 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
311 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
312 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
313 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
314 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
315 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
316 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
317 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
318 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
319 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
320 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
321 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
322 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
323 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
324 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
325 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
326 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
327 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
328
329#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]333#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]334
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
339#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]340static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#undef V
342
343#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345#undef V
346
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]347#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]348
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349#undef RT
350
351/*
352 * Round constants
353 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355{
356 0x00000001, 0x00000002, 0x00000004, 0x00000008,
357 0x00000010, 0x00000020, 0x00000040, 0x00000080,
358 0x0000001B, 0x00000036
359};
360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]361#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362
363/*
364 * Forward S-box & tables
365 */
366static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]368#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]369static uint32_t FT1[256];
370static uint32_t FT2[256];
371static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]372#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374/*
375 * Reverse S-box & tables
376 */
377static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]379#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]380static uint32_t RT1[256];
381static uint32_t RT2[256];
382static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]383#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384
385/*
386 * Round constants
387 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Tables generation code
392 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]393#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
394#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]395#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]396
397static int aes_init_done = 0;
398
399static void aes_gen_tables( void )
400{
401 int i, x, y, z;
402 int pow[256];
403 int log[256];
404
405 /*
406 * compute pow and log tables over GF(2^8)
407 */
408 for( i = 0, x = 1; i < 256; i++ )
409 {
410 pow[i] = x;
411 log[x] = i;
412 x = ( x ^ XTIME( x ) ) & 0xFF;
413 }
414
415 /*
416 * calculate the round constants
417 */
418 for( i = 0, x = 1; i < 10; i++ )
419 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]420 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421 x = XTIME( x ) & 0xFF;
422 }
423
424 /*
425 * generate the forward and reverse S-boxes
426 */
427 FSb[0x00] = 0x63;
428 RSb[0x63] = 0x00;
429
430 for( i = 1; i < 256; i++ )
431 {
432 x = pow[255 - log[i]];
433
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]434 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
436 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438 x ^= y ^ 0x63;
439
440 FSb[i] = (unsigned char) x;
441 RSb[x] = (unsigned char) i;
442 }
443
444 /*
445 * generate the forward and reverse tables
446 */
447 for( i = 0; i < 256; i++ )
448 {
449 x = FSb[i];
450 y = XTIME( x ) & 0xFF;
451 z = ( y ^ x ) & 0xFF;
452
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]453 FT0[i] = ( (uint32_t) y ) ^
454 ( (uint32_t) x << 8 ) ^
455 ( (uint32_t) x << 16 ) ^
456 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]458#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 FT1[i] = ROTL8( FT0[i] );
460 FT2[i] = ROTL8( FT1[i] );
461 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]462#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463
464 x = RSb[i];
465
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]466 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
467 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
468 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
469 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]471#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 RT1[i] = ROTL8( RT0[i] );
473 RT2[i] = ROTL8( RT1[i] );
474 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]475#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477}
478
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]479#undef ROTL8
480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]481#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]483#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484
485#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
486#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
487#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
488
489#define AES_RT0(idx) RT0[idx]
490#define AES_RT1(idx) ROTL8( RT0[idx] )
491#define AES_RT2(idx) ROTL16( RT0[idx] )
492#define AES_RT3(idx) ROTL24( RT0[idx] )
493
494#define AES_FT0(idx) FT0[idx]
495#define AES_FT1(idx) ROTL8( FT0[idx] )
496#define AES_FT2(idx) ROTL16( FT0[idx] )
497#define AES_FT3(idx) ROTL24( FT0[idx] )
498
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]499#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]500
501#define AES_RT0(idx) RT0[idx]
502#define AES_RT1(idx) RT1[idx]
503#define AES_RT2(idx) RT2[idx]
504#define AES_RT3(idx) RT3[idx]
505
506#define AES_FT0(idx) FT0[idx]
507#define AES_FT1(idx) FT1[idx]
508#define AES_FT2(idx) FT2[idx]
509#define AES_FT3(idx) FT3[idx]
510
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]511#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]515 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]518}
519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]520void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]521{
522 if( ctx == NULL )
523 return;
524
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]525 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526}
527
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]528#if defined(MBEDTLS_CIPHER_MODE_XTS)
529void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
530{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]531 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533 mbedtls_aes_init( &ctx->crypt );
534 mbedtls_aes_init( &ctx->tweak );
535}
536
537void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
538{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]539 if( ctx == NULL )
540 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]541
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]542 mbedtls_aes_free( &ctx->crypt );
543 mbedtls_aes_free( &ctx->tweak );
544}
545#endif /* MBEDTLS_CIPHER_MODE_XTS */
546
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547/*
548 * AES key schedule (encryption)
549 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]550#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]552 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]554 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]555 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]557 AES_VALIDATE_RET( ctx != NULL );
558 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]560 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 {
562 case 128: ctx->nr = 10; break;
563 case 192: ctx->nr = 12; break;
564 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]565 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 }
567
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]568#if !defined(MBEDTLS_AES_ROM_TABLES)
569 if( aes_init_done == 0 )
570 {
571 aes_gen_tables();
572 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573 }
574#endif
575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]576#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]577 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]578 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]579
580 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]587 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]588 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]589#endif
590
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]591 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]593 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 }
595
596 switch( ctx->nr )
597 {
598 case 10:
599
600 for( i = 0; i < 10; i++, RK += 4 )
601 {
602 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]603 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
604 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
605 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
606 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607
608 RK[5] = RK[1] ^ RK[4];
609 RK[6] = RK[2] ^ RK[5];
610 RK[7] = RK[3] ^ RK[6];
611 }
612 break;
613
614 case 12:
615
616 for( i = 0; i < 8; i++, RK += 6 )
617 {
618 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]619 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
620 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
621 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
622 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623
624 RK[7] = RK[1] ^ RK[6];
625 RK[8] = RK[2] ^ RK[7];
626 RK[9] = RK[3] ^ RK[8];
627 RK[10] = RK[4] ^ RK[9];
628 RK[11] = RK[5] ^ RK[10];
629 }
630 break;
631
632 case 14:
633
634 for( i = 0; i < 7; i++, RK += 8 )
635 {
636 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]637 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
638 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
639 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
640 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641
642 RK[9] = RK[1] ^ RK[8];
643 RK[10] = RK[2] ^ RK[9];
644 RK[11] = RK[3] ^ RK[10];
645
646 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]647 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
648 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
649 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
650 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
652 RK[13] = RK[5] ^ RK[12];
653 RK[14] = RK[6] ^ RK[13];
654 RK[15] = RK[7] ^ RK[14];
655 }
656 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]658
659 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]661#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
663/*
664 * AES key schedule (decryption)
665 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]667int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]668 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]670 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]672 uint32_t *RK;
673 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]674
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]675 AES_VALIDATE_RET( ctx != NULL );
676 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]678 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]681 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]682 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]683
684 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]690 /* Also checks keybits */
691 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]692 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]693
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]694 ctx->nr = cty.nr;
695
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]696#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]697 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]698 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]700 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]701 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]702 }
703#endif
704
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705 SK = cty.rk + cty.nr * 4;
706
707 *RK++ = *SK++;
708 *RK++ = *SK++;
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711
712 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
713 {
714 for( j = 0; j < 4; j++, SK++ )
715 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]716 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
717 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
718 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
719 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720 }
721 }
722
723 *RK++ = *SK++;
724 *RK++ = *SK++;
725 *RK++ = *SK++;
726 *RK++ = *SK++;
727
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]728exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]730
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]733
734#if defined(MBEDTLS_CIPHER_MODE_XTS)
735static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
736 unsigned int keybits,
737 const unsigned char **key1,
738 unsigned int *key1bits,
739 const unsigned char **key2,
740 unsigned int *key2bits )
741{
742 const unsigned int half_keybits = keybits / 2;
743 const unsigned int half_keybytes = half_keybits / 8;
744
745 switch( keybits )
746 {
747 case 256: break;
748 case 512: break;
749 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
750 }
751
752 *key1bits = half_keybits;
753 *key2bits = half_keybits;
754 *key1 = &key[0];
755 *key2 = &key[half_keybytes];
756
757 return 0;
758}
759
760int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
761 const unsigned char *key,
762 unsigned int keybits)
763{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]764 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]765 const unsigned char *key1, *key2;
766 unsigned int key1bits, key2bits;
767
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]768 AES_VALIDATE_RET( ctx != NULL );
769 AES_VALIDATE_RET( key != NULL );
770
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]771 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
772 &key2, &key2bits );
773 if( ret != 0 )
774 return( ret );
775
776 /* Set the tweak key. Always set tweak key for the encryption mode. */
777 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set crypt key for encryption. */
782 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
783}
784
785int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
786 const unsigned char *key,
787 unsigned int keybits)
788{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]789 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]790 const unsigned char *key1, *key2;
791 unsigned int key1bits, key2bits;
792
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]793 AES_VALIDATE_RET( ctx != NULL );
794 AES_VALIDATE_RET( key != NULL );
795
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]796 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
797 &key2, &key2bits );
798 if( ret != 0 )
799 return( ret );
800
801 /* Set the tweak key. Always set tweak key for encryption. */
802 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set crypt key for decryption. */
807 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
808}
809#endif /* MBEDTLS_CIPHER_MODE_XTS */
810
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]811#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]813#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
814 do \
815 { \
816 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
817 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
818 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
819 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
820 \
821 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
822 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
823 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
824 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
825 \
826 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
827 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
828 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
829 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
830 \
831 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
832 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
833 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
834 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
835 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]837#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
838 do \
839 { \
840 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
841 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
842 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
843 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
844 \
845 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
846 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
847 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
848 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
849 \
850 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
851 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
852 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
853 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
854 \
855 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
856 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
857 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
858 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
859 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860
861/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]862 * AES-ECB block encryption
863 */
864#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]865int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
866 const unsigned char input[16],
867 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]868{
869 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]870 uint32_t *RK = ctx->rk;
871 struct
872 {
873 uint32_t X[4];
874 uint32_t Y[4];
875 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]876
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]877 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
878 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
879 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
880 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]881
882 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
883 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]884 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
885 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]886 }
887
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]888 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]889
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]890 t.X[0] = *RK++ ^ \
891 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
892 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
893 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
894 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]895
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]896 t.X[1] = *RK++ ^ \
897 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
898 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
899 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
900 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]901
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]902 t.X[2] = *RK++ ^ \
903 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
904 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
905 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
906 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]907
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]908 t.X[3] = *RK++ ^ \
909 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
910 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
911 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
912 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]913
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]914 PUT_UINT32_LE( t.X[0], output, 0 );
915 PUT_UINT32_LE( t.X[1], output, 4 );
916 PUT_UINT32_LE( t.X[2], output, 8 );
917 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]918
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]919 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]920
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]921 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]922}
923#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
924
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]925#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]926void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
927 const unsigned char input[16],
928 unsigned char output[16] )
929{
930 mbedtls_internal_aes_encrypt( ctx, input, output );
931}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]932#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]933
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]934/*
935 * AES-ECB block decryption
936 */
937#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]938int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
939 const unsigned char input[16],
940 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]941{
942 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]943 uint32_t *RK = ctx->rk;
944 struct
945 {
946 uint32_t X[4];
947 uint32_t Y[4];
948 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]949
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]950 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
951 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
952 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
953 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]954
955 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
956 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]957 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
958 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]959 }
960
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]961 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]962
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]963 t.X[0] = *RK++ ^ \
964 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
965 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
966 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
967 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]968
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]969 t.X[1] = *RK++ ^ \
970 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
971 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
972 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
973 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]974
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]975 t.X[2] = *RK++ ^ \
976 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
977 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
978 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
979 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]980
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]981 t.X[3] = *RK++ ^ \
982 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
983 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
984 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
985 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]986
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]987 PUT_UINT32_LE( t.X[0], output, 0 );
988 PUT_UINT32_LE( t.X[1], output, 4 );
989 PUT_UINT32_LE( t.X[2], output, 8 );
990 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]991
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame^]992 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]993
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]994 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]995}
996#endif /* !MBEDTLS_AES_DECRYPT_ALT */
997
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]998#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]999void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1000 const unsigned char input[16],
1001 unsigned char output[16] )
1002{
1003 mbedtls_internal_aes_decrypt( ctx, input, output );
1004}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1005#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1006
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1007/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1008 * AES-ECB block encryption/decryption
1009 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1010int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1011 int mode,
1012 const unsigned char input[16],
1013 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1014{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1015 AES_VALIDATE_RET( ctx != NULL );
1016 AES_VALIDATE_RET( input != NULL );
1017 AES_VALIDATE_RET( output != NULL );
1018 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1019 mode == MBEDTLS_AES_DECRYPT );
1020
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1021#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1022 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1023 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1024#endif
1025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1026#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1027 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1028 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1030 return( 0 );
1031
1032 // If padlock data misaligned, we just fall back to
1033 // unaccelerated mode
1034 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1035 }
1036#endif
1037
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1038 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1039 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1040 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1041 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1042}
1043
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1044#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045/*
1046 * AES-CBC buffer encryption/decryption
1047 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1048int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1050 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1051 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1052 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1053 unsigned char *output )
1054{
1055 int i;
1056 unsigned char temp[16];
1057
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1058 AES_VALIDATE_RET( ctx != NULL );
1059 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1060 mode == MBEDTLS_AES_DECRYPT );
1061 AES_VALIDATE_RET( iv != NULL );
1062 AES_VALIDATE_RET( input != NULL );
1063 AES_VALIDATE_RET( output != NULL );
1064
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1065 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1067
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1068#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1069 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1070 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1071 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1072 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1073
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1074 // If padlock data misaligned, we just fall back to
1075 // unaccelerated mode
1076 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1077 }
1078#endif
1079
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1080 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081 {
1082 while( length > 0 )
1083 {
1084 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1086
1087 for( i = 0; i < 16; i++ )
1088 output[i] = (unsigned char)( output[i] ^ iv[i] );
1089
1090 memcpy( iv, temp, 16 );
1091
1092 input += 16;
1093 output += 16;
1094 length -= 16;
1095 }
1096 }
1097 else
1098 {
1099 while( length > 0 )
1100 {
1101 for( i = 0; i < 16; i++ )
1102 output[i] = (unsigned char)( input[i] ^ iv[i] );
1103
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1104 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1105 memcpy( iv, output, 16 );
1106
1107 input += 16;
1108 output += 16;
1109 length -= 16;
1110 }
1111 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1112
1113 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1114}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1115#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1116
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1117#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1118
1119/* Endianess with 64 bits values */
1120#ifndef GET_UINT64_LE
1121#define GET_UINT64_LE(n,b,i) \
1122{ \
1123 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1124 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1125 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1126 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1127 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1128 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1129 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1130 | ( (uint64_t) (b)[(i) ] ); \
1131}
1132#endif
1133
1134#ifndef PUT_UINT64_LE
1135#define PUT_UINT64_LE(n,b,i) \
1136{ \
1137 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1138 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1139 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1140 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1141 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1142 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1143 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1144 (b)[(i) ] = (unsigned char) ( (n) ); \
1145}
1146#endif
1147
1148typedef unsigned char mbedtls_be128[16];
1149
1150/*
1151 * GF(2^128) multiplication function
1152 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1153 * This function multiplies a field element by x in the polynomial field
1154 * representation. It uses 64-bit word operations to gain speed but compensates
1155 * for machine endianess and hence works correctly on both big and little
1156 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1157 */
1158static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1159 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1160{
1161 uint64_t a, b, ra, rb;
1162
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1163 GET_UINT64_LE( a, x, 0 );
1164 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1165
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1166 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1167 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1168
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1169 PUT_UINT64_LE( ra, r, 0 );
1170 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1171}
1172
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1173/*
1174 * AES-XTS buffer encryption/decryption
1175 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1176int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1177 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1178 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1179 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1180 const unsigned char *input,
1181 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1182{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1183 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1184 size_t blocks = length / 16;
1185 size_t leftover = length % 16;
1186 unsigned char tweak[16];
1187 unsigned char prev_tweak[16];
1188 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1189
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1190 AES_VALIDATE_RET( ctx != NULL );
1191 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1192 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1193 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1194 AES_VALIDATE_RET( input != NULL );
1195 AES_VALIDATE_RET( output != NULL );
1196
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1197 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1198 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1199 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1200
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1201 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1202 if( length > ( 1 << 20 ) * 16 )
1203 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1204
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1205 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1206 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1207 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1208 if( ret != 0 )
1209 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1210
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1211 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1212 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1213 size_t i;
1214
1215 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1216 {
1217 /* We are on the last block in a decrypt operation that has
1218 * leftover bytes, so we need to use the next tweak for this block,
1219 * and this tweak for the lefover bytes. Save the current tweak for
1220 * the leftovers and then update the current tweak for use on this,
1221 * the last full block. */
1222 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1223 mbedtls_gf128mul_x_ble( tweak, tweak );
1224 }
1225
1226 for( i = 0; i < 16; i++ )
1227 tmp[i] = input[i] ^ tweak[i];
1228
1229 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1230 if( ret != 0 )
1231 return( ret );
1232
1233 for( i = 0; i < 16; i++ )
1234 output[i] = tmp[i] ^ tweak[i];
1235
1236 /* Update the tweak for the next block. */
1237 mbedtls_gf128mul_x_ble( tweak, tweak );
1238
1239 output += 16;
1240 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1241 }
1242
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1243 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1244 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1245 /* If we are on the leftover bytes in a decrypt operation, we need to
1246 * use the previous tweak for these bytes (as saved in prev_tweak). */
1247 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1248
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1249 /* We are now on the final part of the data unit, which doesn't divide
1250 * evenly by 16. It's time for ciphertext stealing. */
1251 size_t i;
1252 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1253
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1254 /* Copy ciphertext bytes from the previous block to our output for each
1255 * byte of cyphertext we won't steal. At the same time, copy the
1256 * remainder of the input for this final round (since the loop bounds
1257 * are the same). */
1258 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1259 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1260 output[i] = prev_output[i];
1261 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1262 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1263
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1264 /* Copy ciphertext bytes from the previous block for input in this
1265 * round. */
1266 for( ; i < 16; i++ )
1267 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1268
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1269 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1270 if( ret != 0 )
1271 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1272
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1273 /* Write the result back to the previous block, overriding the previous
1274 * output we copied. */
1275 for( i = 0; i < 16; i++ )
1276 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1277 }
1278
1279 return( 0 );
1280}
1281#endif /* MBEDTLS_CIPHER_MODE_XTS */
1282
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1283#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1284/*
1285 * AES-CFB128 buffer encryption/decryption
1286 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1287int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1288 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1289 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1290 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1291 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1292 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293 unsigned char *output )
1294{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1295 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1296 size_t n;
1297
1298 AES_VALIDATE_RET( ctx != NULL );
1299 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1300 mode == MBEDTLS_AES_DECRYPT );
1301 AES_VALIDATE_RET( iv_off != NULL );
1302 AES_VALIDATE_RET( iv != NULL );
1303 AES_VALIDATE_RET( input != NULL );
1304 AES_VALIDATE_RET( output != NULL );
1305
1306 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1308 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1309 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1310
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312 {
1313 while( length-- )
1314 {
1315 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1316 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1317
1318 c = *input++;
1319 *output++ = (unsigned char)( c ^ iv[n] );
1320 iv[n] = (unsigned char) c;
1321
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1322 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323 }
1324 }
1325 else
1326 {
1327 while( length-- )
1328 {
1329 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1330 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331
1332 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1333
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1334 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1335 }
1336 }
1337
1338 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1339
1340 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1341}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1342
1343/*
1344 * AES-CFB8 buffer encryption/decryption
1345 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1347 int mode,
1348 size_t length,
1349 unsigned char iv[16],
1350 const unsigned char *input,
1351 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1352{
1353 unsigned char c;
1354 unsigned char ov[17];
1355
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1356 AES_VALIDATE_RET( ctx != NULL );
1357 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1358 mode == MBEDTLS_AES_DECRYPT );
1359 AES_VALIDATE_RET( iv != NULL );
1360 AES_VALIDATE_RET( input != NULL );
1361 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1362 while( length-- )
1363 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1364 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1365 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1367 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1368 ov[16] = *input;
1369
1370 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1373 ov[16] = c;
1374
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1375 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1376 }
1377
1378 return( 0 );
1379}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1380#endif /* MBEDTLS_CIPHER_MODE_CFB */
1381
1382#if defined(MBEDTLS_CIPHER_MODE_OFB)
1383/*
1384 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1385 */
1386int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1387 size_t length,
1388 size_t *iv_off,
1389 unsigned char iv[16],
1390 const unsigned char *input,
1391 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1392{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1393 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1394 size_t n;
1395
1396 AES_VALIDATE_RET( ctx != NULL );
1397 AES_VALIDATE_RET( iv_off != NULL );
1398 AES_VALIDATE_RET( iv != NULL );
1399 AES_VALIDATE_RET( input != NULL );
1400 AES_VALIDATE_RET( output != NULL );
1401
1402 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1403
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1404 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1405 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1406
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1407 while( length-- )
1408 {
1409 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1410 {
1411 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1412 if( ret != 0 )
1413 goto exit;
1414 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1415 *output++ = *input++ ^ iv[n];
1416
1417 n = ( n + 1 ) & 0x0F;
1418 }
1419
1420 *iv_off = n;
1421
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1422exit:
1423 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1424}
1425#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1426
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1427#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1428/*
1429 * AES-CTR buffer encryption/decryption
1430 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1431int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1432 size_t length,
1433 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1434 unsigned char nonce_counter[16],
1435 unsigned char stream_block[16],
1436 const unsigned char *input,
1437 unsigned char *output )
1438{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1439 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1440 size_t n;
1441
1442 AES_VALIDATE_RET( ctx != NULL );
1443 AES_VALIDATE_RET( nc_off != NULL );
1444 AES_VALIDATE_RET( nonce_counter != NULL );
1445 AES_VALIDATE_RET( stream_block != NULL );
1446 AES_VALIDATE_RET( input != NULL );
1447 AES_VALIDATE_RET( output != NULL );
1448
1449 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1450
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1451 if ( n > 0x0F )
1452 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1453
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1454 while( length-- )
1455 {
1456 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1457 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1458
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1459 for( i = 16; i > 0; i-- )
1460 if( ++nonce_counter[i - 1] != 0 )
1461 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1462 }
1463 c = *input++;
1464 *output++ = (unsigned char)( c ^ stream_block[n] );
1465
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1466 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1467 }
1468
1469 *nc_off = n;
1470
1471 return( 0 );
1472}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1474
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1475#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1477#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1478/*
1479 * AES test vectors from:
1480 *
1481 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1482 */
1483static const unsigned char aes_test_ecb_dec[3][16] =
1484{
1485 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1486 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1487 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1488 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1489 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1490 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1491};
1492
1493static const unsigned char aes_test_ecb_enc[3][16] =
1494{
1495 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1496 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1497 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1498 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1499 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1500 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1501};
1502
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1503#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1504static const unsigned char aes_test_cbc_dec[3][16] =
1505{
1506 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1507 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1508 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1509 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1510 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1511 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1512};
1513
1514static const unsigned char aes_test_cbc_enc[3][16] =
1515{
1516 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1517 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1518 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1519 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1520 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1521 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1522};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1523#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1525#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1526/*
1527 * AES-CFB128 test vectors from:
1528 *
1529 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1530 */
1531static const unsigned char aes_test_cfb128_key[3][32] =
1532{
1533 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1534 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1535 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1536 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1537 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1538 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1539 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1540 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1541 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1542};
1543
1544static const unsigned char aes_test_cfb128_iv[16] =
1545{
1546 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1547 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1548};
1549
1550static const unsigned char aes_test_cfb128_pt[64] =
1551{
1552 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1553 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1554 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1555 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1556 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1557 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1558 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1559 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1560};
1561
1562static const unsigned char aes_test_cfb128_ct[3][64] =
1563{
1564 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1565 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1566 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1567 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1568 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1569 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1570 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1571 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1572 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1573 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1574 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1575 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1576 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1577 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1578 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1579 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1580 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1581 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1582 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1583 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1584 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1585 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1586 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1587 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1588};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1589#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1590
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1591#if defined(MBEDTLS_CIPHER_MODE_OFB)
1592/*
1593 * AES-OFB test vectors from:
1594 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1595 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1596 */
1597static const unsigned char aes_test_ofb_key[3][32] =
1598{
1599 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1600 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1601 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1602 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1603 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1604 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1605 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1606 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1607 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1608};
1609
1610static const unsigned char aes_test_ofb_iv[16] =
1611{
1612 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1613 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1614};
1615
1616static const unsigned char aes_test_ofb_pt[64] =
1617{
1618 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1619 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1620 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1621 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1622 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1623 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1624 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1625 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1626};
1627
1628static const unsigned char aes_test_ofb_ct[3][64] =
1629{
1630 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1631 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1632 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1633 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1634 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1635 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1636 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1637 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1638 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1639 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1640 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1641 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1642 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1643 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1644 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1645 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1646 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1647 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1648 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1649 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1650 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1651 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1652 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1653 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1654};
1655#endif /* MBEDTLS_CIPHER_MODE_OFB */
1656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1657#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1658/*
1659 * AES-CTR test vectors from:
1660 *
1661 * http://www.faqs.org/rfcs/rfc3686.html
1662 */
1663
1664static const unsigned char aes_test_ctr_key[3][16] =
1665{
1666 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1667 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1668 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1669 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1670 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1671 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1672};
1673
1674static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1675{
1676 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1677 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1678 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1679 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1680 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1681 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1682};
1683
1684static const unsigned char aes_test_ctr_pt[3][48] =
1685{
1686 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1687 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1688
1689 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1690 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1691 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1692 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1693
1694 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1695 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1696 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1697 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1698 0x20, 0x21, 0x22, 0x23 }
1699};
1700
1701static const unsigned char aes_test_ctr_ct[3][48] =
1702{
1703 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1704 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1705 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1706 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1707 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1708 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1709 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1710 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1711 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1712 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1713 0x25, 0xB2, 0x07, 0x2F }
1714};
1715
1716static const int aes_test_ctr_len[3] =
1717 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1718#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1719
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1720#if defined(MBEDTLS_CIPHER_MODE_XTS)
1721/*
1722 * AES-XTS test vectors from:
1723 *
1724 * IEEE P1619/D16 Annex B
1725 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1726 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1727 */
1728static const unsigned char aes_test_xts_key[][32] =
1729{
1730 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1731 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1733 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1734 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1735 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1736 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1737 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1738 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1739 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1740 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1741 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1742};
1743
1744static const unsigned char aes_test_xts_pt32[][32] =
1745{
1746 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1749 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1750 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1751 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1752 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1753 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1754 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1755 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1756 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1757 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1758};
1759
1760static const unsigned char aes_test_xts_ct32[][32] =
1761{
1762 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1763 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1764 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1765 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1766 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1767 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1768 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1769 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1770 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1771 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1772 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1773 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1774};
1775
1776static const unsigned char aes_test_xts_data_unit[][16] =
1777{
1778 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1780 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1781 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1782 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1783 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1784};
1785
1786#endif /* MBEDTLS_CIPHER_MODE_XTS */
1787
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788/*
1789 * Checkup routine
1790 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1791int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1792{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1793 int ret = 0, i, j, u, mode;
1794 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1795 unsigned char key[32];
1796 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1797 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1798#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1799 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1800#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1801#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1802 unsigned char prv[16];
1803#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1804#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1805 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1806 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1807#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1808#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1809 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1810#endif
1811#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1812 unsigned char nonce_counter[16];
1813 unsigned char stream_block[16];
1814#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1815 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1816
1817 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1818 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819
1820 /*
1821 * ECB mode
1822 */
1823 for( i = 0; i < 6; i++ )
1824 {
1825 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1826 keybits = 128 + u * 64;
1827 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1828
1829 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1830 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1831 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832
1833 memset( buf, 0, 16 );
1834
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1835 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1837 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1838 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839 }
1840 else
1841 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1842 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1843 aes_tests = aes_test_ecb_enc[u];
1844 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1846 /*
1847 * AES-192 is an optional feature that may be unavailable when
1848 * there is an alternative underlying implementation i.e. when
1849 * MBEDTLS_AES_ALT is defined.
1850 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1851 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1852 {
1853 mbedtls_printf( "skipped\n" );
1854 continue;
1855 }
1856 else if( ret != 0 )
1857 {
1858 goto exit;
1859 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1861 for( j = 0; j < 10000; j++ )
1862 {
1863 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1864 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1865 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1866 }
1867
1868 if( memcmp( buf, aes_tests, 16 ) != 0 )
1869 {
1870 ret = 1;
1871 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1872 }
1873
1874 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1875 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876 }
1877
1878 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1879 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1880
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1881#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882 /*
1883 * CBC mode
1884 */
1885 for( i = 0; i < 6; i++ )
1886 {
1887 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1888 keybits = 128 + u * 64;
1889 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890
1891 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1892 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1893 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1894
1895 memset( iv , 0, 16 );
1896 memset( prv, 0, 16 );
1897 memset( buf, 0, 16 );
1898
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1899 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1901 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1902 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903 }
1904 else
1905 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1906 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1907 aes_tests = aes_test_cbc_enc[u];
1908 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1910 /*
1911 * AES-192 is an optional feature that may be unavailable when
1912 * there is an alternative underlying implementation i.e. when
1913 * MBEDTLS_AES_ALT is defined.
1914 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1915 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1916 {
1917 mbedtls_printf( "skipped\n" );
1918 continue;
1919 }
1920 else if( ret != 0 )
1921 {
1922 goto exit;
1923 }
1924
1925 for( j = 0; j < 10000; j++ )
1926 {
1927 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928 {
1929 unsigned char tmp[16];
1930
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1931 memcpy( tmp, prv, 16 );
1932 memcpy( prv, buf, 16 );
1933 memcpy( buf, tmp, 16 );
1934 }
1935
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1936 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1937 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1938 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1939
1940 }
1941
1942 if( memcmp( buf, aes_tests, 16 ) != 0 )
1943 {
1944 ret = 1;
1945 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1946 }
1947
1948 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1949 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1950 }
1951
1952 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1953 mbedtls_printf( "\n" );
1954#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1955
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1956#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1957 /*
1958 * CFB128 mode
1959 */
1960 for( i = 0; i < 6; i++ )
1961 {
1962 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1963 keybits = 128 + u * 64;
1964 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1965
1966 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1967 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1968 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1969
1970 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1971 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1972
1973 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1974 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1975 /*
1976 * AES-192 is an optional feature that may be unavailable when
1977 * there is an alternative underlying implementation i.e. when
1978 * MBEDTLS_AES_ALT is defined.
1979 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1980 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1981 {
1982 mbedtls_printf( "skipped\n" );
1983 continue;
1984 }
1985 else if( ret != 0 )
1986 {
1987 goto exit;
1988 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1989
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1990 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1991 {
1992 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1993 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1994 }
1995 else
1996 {
1997 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1998 aes_tests = aes_test_cfb128_ct[u];
1999 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2000
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2001 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2002 if( ret != 0 )
2003 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2004
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2005 if( memcmp( buf, aes_tests, 64 ) != 0 )
2006 {
2007 ret = 1;
2008 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009 }
2010
2011 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2012 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2013 }
2014
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2015 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2016 mbedtls_printf( "\n" );
2017#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2018
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2019#if defined(MBEDTLS_CIPHER_MODE_OFB)
2020 /*
2021 * OFB mode
2022 */
2023 for( i = 0; i < 6; i++ )
2024 {
2025 u = i >> 1;
2026 keybits = 128 + u * 64;
2027 mode = i & 1;
2028
2029 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]2030 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2031 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2032
2033 memcpy( iv, aes_test_ofb_iv, 16 );
2034 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2035
2036 offset = 0;
2037 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2038 /*
2039 * AES-192 is an optional feature that may be unavailable when
2040 * there is an alternative underlying implementation i.e. when
2041 * MBEDTLS_AES_ALT is defined.
2042 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2043 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2044 {
2045 mbedtls_printf( "skipped\n" );
2046 continue;
2047 }
2048 else if( ret != 0 )
2049 {
2050 goto exit;
2051 }
2052
2053 if( mode == MBEDTLS_AES_DECRYPT )
2054 {
2055 memcpy( buf, aes_test_ofb_ct[u], 64 );
2056 aes_tests = aes_test_ofb_pt;
2057 }
2058 else
2059 {
2060 memcpy( buf, aes_test_ofb_pt, 64 );
2061 aes_tests = aes_test_ofb_ct[u];
2062 }
2063
2064 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2065 if( ret != 0 )
2066 goto exit;
2067
2068 if( memcmp( buf, aes_tests, 64 ) != 0 )
2069 {
2070 ret = 1;
2071 goto exit;
2072 }
2073
2074 if( verbose != 0 )
2075 mbedtls_printf( "passed\n" );
2076 }
2077
2078 if( verbose != 0 )
2079 mbedtls_printf( "\n" );
2080#endif /* MBEDTLS_CIPHER_MODE_OFB */
2081
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2082#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2083 /*
2084 * CTR mode
2085 */
2086 for( i = 0; i < 6; i++ )
2087 {
2088 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2089 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2090
2091 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2092 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2093 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2094
2095 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2096 memcpy( key, aes_test_ctr_key[u], 16 );
2097
2098 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2099 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2100 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2101
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2102 len = aes_test_ctr_len[u];
2103
2104 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2105 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2106 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2107 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2108 }
2109 else
2110 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2111 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2112 aes_tests = aes_test_ctr_ct[u];
2113 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2114
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2115 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2116 stream_block, buf, buf );
2117 if( ret != 0 )
2118 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2119
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2120 if( memcmp( buf, aes_tests, len ) != 0 )
2121 {
2122 ret = 1;
2123 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2124 }
2125
2126 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2127 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2128 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2129
2130 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2131 mbedtls_printf( "\n" );
2132#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2133
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2134#if defined(MBEDTLS_CIPHER_MODE_XTS)
2135 {
2136 static const int num_tests =
2137 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2138 mbedtls_aes_xts_context ctx_xts;
2139
2140 /*
2141 * XTS mode
2142 */
2143 mbedtls_aes_xts_init( &ctx_xts );
2144
2145 for( i = 0; i < num_tests << 1; i++ )
2146 {
2147 const unsigned char *data_unit;
2148 u = i >> 1;
2149 mode = i & 1;
2150
2151 if( verbose != 0 )
2152 mbedtls_printf( " AES-XTS-128 (%s): ",
2153 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2154
2155 memset( key, 0, sizeof( key ) );
2156 memcpy( key, aes_test_xts_key[u], 32 );
2157 data_unit = aes_test_xts_data_unit[u];
2158
2159 len = sizeof( *aes_test_xts_ct32 );
2160
2161 if( mode == MBEDTLS_AES_DECRYPT )
2162 {
2163 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2164 if( ret != 0)
2165 goto exit;
2166 memcpy( buf, aes_test_xts_ct32[u], len );
2167 aes_tests = aes_test_xts_pt32[u];
2168 }
2169 else
2170 {
2171 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2172 if( ret != 0)
2173 goto exit;
2174 memcpy( buf, aes_test_xts_pt32[u], len );
2175 aes_tests = aes_test_xts_ct32[u];
2176 }
2177
2178
2179 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2180 buf, buf );
2181 if( ret != 0 )
2182 goto exit;
2183
2184 if( memcmp( buf, aes_tests, len ) != 0 )
2185 {
2186 ret = 1;
2187 goto exit;
2188 }
2189
2190 if( verbose != 0 )
2191 mbedtls_printf( "passed\n" );
2192 }
2193
2194 if( verbose != 0 )
2195 mbedtls_printf( "\n" );
2196
2197 mbedtls_aes_xts_free( &ctx_xts );
2198 }
2199#endif /* MBEDTLS_CIPHER_MODE_XTS */
2200
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2201 ret = 0;
2202
2203exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2204 if( ret != 0 && verbose != 0 )
2205 mbedtls_printf( "failed\n" );
2206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2207 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2208
2209 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2210}
2211
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2212#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2213
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2214#endif /* MBEDTLS_AES_C */