TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7cd1ebe0bb739866124dd376f53711bc900ed6ca / . / library / aes.c
blob: 289890dbe12db560e32e65811d0b0120cd52e04a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Chris Jones16dbaeb2021-03-09 17:47:55 +0000[diff] [blame]37#include "padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Chris Jones187782f2021-03-09 17:28:35 +0000[diff] [blame]40#include "aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]44
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]46
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]47#if defined(MBEDTLS_PADLOCK_C) && \
48 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]49static int aes_padlock_ace = -1;
50#endif
51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53/*
54 * Forward S-box
55 */
56static const unsigned char FSb[256] =
57{
58 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
59 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
60 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
61 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
62 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
63 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
64 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
65 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
66 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
67 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
68 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
69 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
70 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
71 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
72 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
73 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
74 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
75 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
76 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
77 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
78 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
79 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
80 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
81 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
82 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
83 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
84 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
85 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
86 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
87 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
88 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
89 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
90};
91
92/*
93 * Forward tables
94 */
95#define FT \
96\
97 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
98 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
99 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
100 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
101 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
102 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
103 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
104 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
105 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
106 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
107 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
108 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
109 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
110 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
111 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
112 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
113 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
114 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
115 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
116 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
117 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
118 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
119 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
120 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
121 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
122 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
123 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
124 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
125 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
126 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
127 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
128 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
129 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
130 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
131 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
132 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
133 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
134 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
135 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
136 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
137 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
138 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
139 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
140 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
141 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
142 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
143 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
144 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
145 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
146 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
147 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
148 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
149 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
150 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
151 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
152 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
153 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
154 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
155 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
156 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
157 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
158 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
159 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
160 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
161
162#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]163static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]164#undef V
165
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]166#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]167
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]168#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]169static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]170#undef V
171
172#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]173static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]174#undef V
175
176#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]177static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]178#undef V
179
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]180#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]181
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]182#undef FT
183
184/*
185 * Reverse S-box
186 */
187static const unsigned char RSb[256] =
188{
189 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
190 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
191 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
192 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
193 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
194 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
195 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
196 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
197 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
198 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
199 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
200 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
201 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
202 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
203 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
204 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
205 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
206 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
207 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
208 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
209 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
210 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
211 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
212 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
213 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
214 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
215 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
216 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
217 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
218 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
219 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
220 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
221};
222
223/*
224 * Reverse tables
225 */
226#define RT \
227\
228 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
229 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
230 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
231 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
232 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
233 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
234 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
235 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
236 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
237 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
238 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
239 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
240 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
241 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
242 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
243 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
244 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
245 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
246 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
247 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
248 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
249 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
250 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
251 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
252 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
253 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
254 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
255 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
256 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
257 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
258 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
259 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
260 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
261 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
262 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
263 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
264 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
265 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
266 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
267 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
268 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
269 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
270 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
271 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
272 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
273 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
274 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
275 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
276 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
277 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
278 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
279 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
280 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
281 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
282 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
283 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
284 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
285 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
286 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
287 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
288 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
289 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
290 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
291 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
292
293#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]294static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]295#undef V
296
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]297#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]298
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]299#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]300static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]301#undef V
302
303#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]304static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]305#undef V
306
307#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]308static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]309#undef V
310
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]311#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]312
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]313#undef RT
314
315/*
316 * Round constants
317 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]318static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319{
320 0x00000001, 0x00000002, 0x00000004, 0x00000008,
321 0x00000010, 0x00000020, 0x00000040, 0x00000080,
322 0x0000001B, 0x00000036
323};
324
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]325#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326
327/*
328 * Forward S-box & tables
329 */
330static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]331static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]332#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]333static uint32_t FT1[256];
334static uint32_t FT2[256];
335static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]336#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337
338/*
339 * Reverse S-box & tables
340 */
341static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]343#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static uint32_t RT1[256];
345static uint32_t RT2[256];
346static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]347#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]348
349/*
350 * Round constants
351 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]352static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353
354/*
355 * Tables generation code
356 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]357#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
358#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]359#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361static int aes_init_done = 0;
362
363static void aes_gen_tables( void )
364{
365 int i, x, y, z;
366 int pow[256];
367 int log[256];
368
369 /*
370 * compute pow and log tables over GF(2^8)
371 */
372 for( i = 0, x = 1; i < 256; i++ )
373 {
374 pow[i] = x;
375 log[x] = i;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]376 x = MBEDTLS_BYTE_0( x ^ XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]377 }
378
379 /*
380 * calculate the round constants
381 */
382 for( i = 0, x = 1; i < 10; i++ )
383 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384 RCON[i] = (uint32_t) x;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]385 x = MBEDTLS_BYTE_0( XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386 }
387
388 /*
389 * generate the forward and reverse S-boxes
390 */
391 FSb[0x00] = 0x63;
392 RSb[0x63] = 0x00;
393
394 for( i = 1; i < 256; i++ )
395 {
396 x = pow[255 - log[i]];
397
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]398 y = x; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
399 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
400 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
401 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402 x ^= y ^ 0x63;
403
404 FSb[i] = (unsigned char) x;
405 RSb[x] = (unsigned char) i;
406 }
407
408 /*
409 * generate the forward and reverse tables
410 */
411 for( i = 0; i < 256; i++ )
412 {
413 x = FSb[i];
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]414 y = MBEDTLS_BYTE_0( XTIME( x ) );
415 z = MBEDTLS_BYTE_0( y ^ x );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]416
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]417 FT0[i] = ( (uint32_t) y ) ^
418 ( (uint32_t) x << 8 ) ^
419 ( (uint32_t) x << 16 ) ^
420 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]422#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423 FT1[i] = ROTL8( FT0[i] );
424 FT2[i] = ROTL8( FT1[i] );
425 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]426#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]427
428 x = RSb[i];
429
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]430 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
431 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
432 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
433 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]435#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 RT1[i] = ROTL8( RT0[i] );
437 RT2[i] = ROTL8( RT1[i] );
438 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]439#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 }
441}
442
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]443#undef ROTL8
444
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]445#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]446
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]447#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]448
449#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
450#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
451#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
452
453#define AES_RT0(idx) RT0[idx]
454#define AES_RT1(idx) ROTL8( RT0[idx] )
455#define AES_RT2(idx) ROTL16( RT0[idx] )
456#define AES_RT3(idx) ROTL24( RT0[idx] )
457
458#define AES_FT0(idx) FT0[idx]
459#define AES_FT1(idx) ROTL8( FT0[idx] )
460#define AES_FT2(idx) ROTL16( FT0[idx] )
461#define AES_FT3(idx) ROTL24( FT0[idx] )
462
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]463#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]464
465#define AES_RT0(idx) RT0[idx]
466#define AES_RT1(idx) RT1[idx]
467#define AES_RT2(idx) RT2[idx]
468#define AES_RT3(idx) RT3[idx]
469
470#define AES_FT0(idx) FT0[idx]
471#define AES_FT1(idx) FT1[idx]
472#define AES_FT2(idx) FT2[idx]
473#define AES_FT3(idx) FT3[idx]
474
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]475#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]476
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]477void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]478{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]480}
481
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]482void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]483{
484 if( ctx == NULL )
485 return;
486
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]487 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]488}
489
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]490#if defined(MBEDTLS_CIPHER_MODE_XTS)
491void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
492{
493 mbedtls_aes_init( &ctx->crypt );
494 mbedtls_aes_init( &ctx->tweak );
495}
496
497void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
498{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]499 if( ctx == NULL )
500 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]501
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]502 mbedtls_aes_free( &ctx->crypt );
503 mbedtls_aes_free( &ctx->tweak );
504}
505#endif /* MBEDTLS_CIPHER_MODE_XTS */
506
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]507/*
508 * AES key schedule (encryption)
509 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]510#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]512 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]513{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]514 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]515 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]517 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518 {
519 case 128: ctx->nr = 10; break;
520 case 192: ctx->nr = 12; break;
521 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523 }
524
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]525#if !defined(MBEDTLS_AES_ROM_TABLES)
526 if( aes_init_done == 0 )
527 {
528 aes_gen_tables();
529 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]530 }
531#endif
532
Werner Lewis7656a372022-06-13 12:28:20 +0100[diff] [blame]533 ctx->rk_offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]534#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]535 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]536 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]537
538 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]539 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]540#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]541 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]543#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]544 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]545 return( mbedtls_aesni_setkey_enc( (unsigned char *) RK, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]546#endif
547
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]548 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549 {
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]550 RK[i] = MBEDTLS_GET_UINT32_LE( key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551 }
552
553 switch( ctx->nr )
554 {
555 case 10:
556
557 for( i = 0; i < 10; i++, RK += 4 )
558 {
559 RK[4] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]560 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[3] ) ] ) ^
561 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[3] ) ] << 8 ) ^
562 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[3] ) ] << 16 ) ^
563 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[3] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
565 RK[5] = RK[1] ^ RK[4];
566 RK[6] = RK[2] ^ RK[5];
567 RK[7] = RK[3] ^ RK[6];
568 }
569 break;
570
571 case 12:
572
573 for( i = 0; i < 8; i++, RK += 6 )
574 {
575 RK[6] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]576 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[5] ) ] ) ^
577 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[5] ) ] << 8 ) ^
578 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[5] ) ] << 16 ) ^
579 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[5] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]580
581 RK[7] = RK[1] ^ RK[6];
582 RK[8] = RK[2] ^ RK[7];
583 RK[9] = RK[3] ^ RK[8];
584 RK[10] = RK[4] ^ RK[9];
585 RK[11] = RK[5] ^ RK[10];
586 }
587 break;
588
589 case 14:
590
591 for( i = 0; i < 7; i++, RK += 8 )
592 {
593 RK[8] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]594 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[7] ) ] ) ^
595 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[7] ) ] << 8 ) ^
596 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[7] ) ] << 16 ) ^
597 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[7] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598
599 RK[9] = RK[1] ^ RK[8];
600 RK[10] = RK[2] ^ RK[9];
601 RK[11] = RK[3] ^ RK[10];
602
603 RK[12] = RK[4] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]604 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[11] ) ] ) ^
605 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[11] ) ] << 8 ) ^
606 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[11] ) ] << 16 ) ^
607 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[11] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]608
609 RK[13] = RK[5] ^ RK[12];
610 RK[14] = RK[6] ^ RK[13];
611 RK[15] = RK[7] ^ RK[14];
612 }
613 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]615
616 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]617}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]618#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]619
620/*
621 * AES key schedule (decryption)
622 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]623#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]624int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]625 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]626{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]627 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]628 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]629 uint32_t *RK;
630 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]631
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]632 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633
Werner Lewis7656a372022-06-13 12:28:20 +0100[diff] [blame]634 ctx->rk_offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]636 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]637 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]638
639 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]640 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]642 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]643
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]644 /* Also checks keybits */
645 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]646 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]647
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]648 ctx->nr = cty.nr;
649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]650#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]651 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]652 {
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]653 mbedtls_aesni_inverse_key( (unsigned char *) RK,
654 (const unsigned char *) ( cty.buf + cty.rk_offset ), ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]655 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]656 }
657#endif
658
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]659 SK = cty.buf + cty.rk_offset + cty.nr * 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660
661 *RK++ = *SK++;
662 *RK++ = *SK++;
663 *RK++ = *SK++;
664 *RK++ = *SK++;
665
666 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
667 {
668 for( j = 0; j < 4; j++, SK++ )
669 {
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]670 *RK++ = AES_RT0( FSb[ MBEDTLS_BYTE_0( *SK ) ] ) ^
671 AES_RT1( FSb[ MBEDTLS_BYTE_1( *SK ) ] ) ^
672 AES_RT2( FSb[ MBEDTLS_BYTE_2( *SK ) ] ) ^
673 AES_RT3( FSb[ MBEDTLS_BYTE_3( *SK ) ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674 }
675 }
676
677 *RK++ = *SK++;
678 *RK++ = *SK++;
679 *RK++ = *SK++;
680 *RK++ = *SK++;
681
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]682exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]683 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]684
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]685 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]686}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]687#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]688
689#if defined(MBEDTLS_CIPHER_MODE_XTS)
690static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
691 unsigned int keybits,
692 const unsigned char **key1,
693 unsigned int *key1bits,
694 const unsigned char **key2,
695 unsigned int *key2bits )
696{
697 const unsigned int half_keybits = keybits / 2;
698 const unsigned int half_keybytes = half_keybits / 8;
699
700 switch( keybits )
701 {
702 case 256: break;
703 case 512: break;
704 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
705 }
706
707 *key1bits = half_keybits;
708 *key2bits = half_keybits;
709 *key1 = &key[0];
710 *key2 = &key[half_keybytes];
711
712 return 0;
713}
714
715int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
716 const unsigned char *key,
717 unsigned int keybits)
718{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]719 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]720 const unsigned char *key1, *key2;
721 unsigned int key1bits, key2bits;
722
723 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
724 &key2, &key2bits );
725 if( ret != 0 )
726 return( ret );
727
728 /* Set the tweak key. Always set tweak key for the encryption mode. */
729 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
730 if( ret != 0 )
731 return( ret );
732
733 /* Set crypt key for encryption. */
734 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
735}
736
737int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
738 const unsigned char *key,
739 unsigned int keybits)
740{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]741 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]742 const unsigned char *key1, *key2;
743 unsigned int key1bits, key2bits;
744
745 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
746 &key2, &key2bits );
747 if( ret != 0 )
748 return( ret );
749
750 /* Set the tweak key. Always set tweak key for encryption. */
751 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
752 if( ret != 0 )
753 return( ret );
754
755 /* Set crypt key for decryption. */
756 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
757}
758#endif /* MBEDTLS_CIPHER_MODE_XTS */
759
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]760#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
761 do \
762 { \
763 (X0) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
764 AES_FT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
765 AES_FT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
766 AES_FT3( MBEDTLS_BYTE_3( Y3 ) ); \
767 \
768 (X1) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
769 AES_FT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
770 AES_FT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
771 AES_FT3( MBEDTLS_BYTE_3( Y0 ) ); \
772 \
773 (X2) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
774 AES_FT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
775 AES_FT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
776 AES_FT3( MBEDTLS_BYTE_3( Y1 ) ); \
777 \
778 (X3) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
779 AES_FT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
780 AES_FT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
781 AES_FT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]782 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]783
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]784#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
785 do \
786 { \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]787 (X0) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
788 AES_RT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
789 AES_RT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
790 AES_RT3( MBEDTLS_BYTE_3( Y1 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]791 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]792 (X1) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
793 AES_RT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
794 AES_RT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
795 AES_RT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]796 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]797 (X2) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
798 AES_RT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
799 AES_RT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
800 AES_RT3( MBEDTLS_BYTE_3( Y3 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]801 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]802 (X3) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
803 AES_RT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
804 AES_RT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
805 AES_RT3( MBEDTLS_BYTE_3( Y0 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]806 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]807
808/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]809 * AES-ECB block encryption
810 */
811#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]812int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
813 const unsigned char input[16],
814 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]815{
816 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]817 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]818 struct
819 {
820 uint32_t X[4];
821 uint32_t Y[4];
822 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]823
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]824 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
825 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
826 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
827 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]828
829 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
830 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]831 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
832 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]833 }
834
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]835 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]836
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]837 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]838 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
839 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
840 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
841 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]842
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]843 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]844 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
845 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
846 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
847 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]848
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]849 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]850 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
851 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
852 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
853 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]854
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]855 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]856 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
857 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
858 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
859 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]860
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]861 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
862 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
863 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
864 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]865
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]866 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]867
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]868 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]869}
870#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
871
872/*
873 * AES-ECB block decryption
874 */
875#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]876int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
877 const unsigned char input[16],
878 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]879{
880 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]881 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]882 struct
883 {
884 uint32_t X[4];
885 uint32_t Y[4];
886 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]887
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]888 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
889 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
890 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
891 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]892
893 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
894 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]895 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
896 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]897 }
898
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]899 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]900
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]901 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]902 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
903 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
904 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
905 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]906
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]907 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]908 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
909 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
910 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
911 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]912
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]913 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]914 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
915 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
916 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
917 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]918
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]919 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]920 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
921 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
922 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
923 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]924
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]925 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
926 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
927 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
928 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]929
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]930 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]931
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]932 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]933}
934#endif /* !MBEDTLS_AES_DECRYPT_ALT */
935
936/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]937 * AES-ECB block encryption/decryption
938 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]939int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]940 int mode,
941 const unsigned char input[16],
942 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]943{
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]944 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
945 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]946
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]947#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]948 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]949 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]950#endif
951
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]952#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]953 if( aes_padlock_ace > 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]954 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]955 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]956 return( 0 );
957
958 // If padlock data misaligned, we just fall back to
959 // unaccelerated mode
960 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]961 }
962#endif
963
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]964 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]965 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]966 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]967 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]968}
969
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]970#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971/*
972 * AES-CBC buffer encryption/decryption
973 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]974int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]975 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]976 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]977 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]978 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]979 unsigned char *output )
980{
981 int i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]982 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]983 unsigned char temp[16];
984
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]985 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
986 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]987
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]988 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]989 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]990
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]991#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]992 if( aes_padlock_ace > 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]993 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]994 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]995 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]996
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]997 // If padlock data misaligned, we just fall back to
998 // unaccelerated mode
999 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1000 }
1001#endif
1002
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1003 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1004 {
1005 while( length > 0 )
1006 {
1007 memcpy( temp, input, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1008 ret = mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1009 if( ret != 0 )
1010 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011
1012 for( i = 0; i < 16; i++ )
1013 output[i] = (unsigned char)( output[i] ^ iv[i] );
1014
1015 memcpy( iv, temp, 16 );
1016
1017 input += 16;
1018 output += 16;
1019 length -= 16;
1020 }
1021 }
1022 else
1023 {
1024 while( length > 0 )
1025 {
1026 for( i = 0; i < 16; i++ )
1027 output[i] = (unsigned char)( input[i] ^ iv[i] );
1028
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1029 ret = mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1030 if( ret != 0 )
1031 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1032 memcpy( iv, output, 16 );
1033
1034 input += 16;
1035 output += 16;
1036 length -= 16;
1037 }
1038 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1039 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1040
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1041exit:
1042 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1043}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1044#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1046#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1047
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1048typedef unsigned char mbedtls_be128[16];
1049
1050/*
1051 * GF(2^128) multiplication function
1052 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1053 * This function multiplies a field element by x in the polynomial field
1054 * representation. It uses 64-bit word operations to gain speed but compensates
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1055 * for machine endianness and hence works correctly on both big and little
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1056 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1057 */
1058static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1059 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1060{
1061 uint64_t a, b, ra, rb;
1062
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1063 a = MBEDTLS_GET_UINT64_LE( x, 0 );
1064 b = MBEDTLS_GET_UINT64_LE( x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1065
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1066 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1067 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1068
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1069 MBEDTLS_PUT_UINT64_LE( ra, r, 0 );
1070 MBEDTLS_PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1071}
1072
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1073/*
1074 * AES-XTS buffer encryption/decryption
1075 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1076int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1077 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1078 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1079 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1080 const unsigned char *input,
1081 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1082{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1083 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1084 size_t blocks = length / 16;
1085 size_t leftover = length % 16;
1086 unsigned char tweak[16];
1087 unsigned char prev_tweak[16];
1088 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1089
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1090 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1091 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1092
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1093 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1094 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1095 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1096
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1097 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1098 if( length > ( 1 << 20 ) * 16 )
1099 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1100
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1101 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1102 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1103 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1104 if( ret != 0 )
1105 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1106
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1107 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1108 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1109 size_t i;
1110
1111 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1112 {
1113 /* We are on the last block in a decrypt operation that has
1114 * leftover bytes, so we need to use the next tweak for this block,
1115 * and this tweak for the lefover bytes. Save the current tweak for
1116 * the leftovers and then update the current tweak for use on this,
1117 * the last full block. */
1118 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1119 mbedtls_gf128mul_x_ble( tweak, tweak );
1120 }
1121
1122 for( i = 0; i < 16; i++ )
1123 tmp[i] = input[i] ^ tweak[i];
1124
1125 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1126 if( ret != 0 )
1127 return( ret );
1128
1129 for( i = 0; i < 16; i++ )
1130 output[i] = tmp[i] ^ tweak[i];
1131
1132 /* Update the tweak for the next block. */
1133 mbedtls_gf128mul_x_ble( tweak, tweak );
1134
1135 output += 16;
1136 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1137 }
1138
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1139 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1140 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1141 /* If we are on the leftover bytes in a decrypt operation, we need to
1142 * use the previous tweak for these bytes (as saved in prev_tweak). */
1143 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1144
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1145 /* We are now on the final part of the data unit, which doesn't divide
1146 * evenly by 16. It's time for ciphertext stealing. */
1147 size_t i;
1148 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1149
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1150 /* Copy ciphertext bytes from the previous block to our output for each
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1151 * byte of ciphertext we won't steal. At the same time, copy the
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1152 * remainder of the input for this final round (since the loop bounds
1153 * are the same). */
1154 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1155 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1156 output[i] = prev_output[i];
1157 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1158 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1159
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1160 /* Copy ciphertext bytes from the previous block for input in this
1161 * round. */
1162 for( ; i < 16; i++ )
1163 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1164
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1165 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1166 if( ret != 0 )
1167 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1168
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1169 /* Write the result back to the previous block, overriding the previous
1170 * output we copied. */
1171 for( i = 0; i < 16; i++ )
1172 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1173 }
1174
1175 return( 0 );
1176}
1177#endif /* MBEDTLS_CIPHER_MODE_XTS */
1178
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1179#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1180/*
1181 * AES-CFB128 buffer encryption/decryption
1182 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1183int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1184 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1185 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1186 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1187 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1188 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1189 unsigned char *output )
1190{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1191 int c;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1192 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1193 size_t n;
1194
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1195 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1196 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1197
1198 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1199
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1200 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1201 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1202
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1203 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1204 {
1205 while( length-- )
1206 {
1207 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1208 {
1209 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1210 if( ret != 0 )
1211 goto exit;
1212 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1213
1214 c = *input++;
1215 *output++ = (unsigned char)( c ^ iv[n] );
1216 iv[n] = (unsigned char) c;
1217
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1218 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1219 }
1220 }
1221 else
1222 {
1223 while( length-- )
1224 {
1225 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1226 {
1227 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1228 if( ret != 0 )
1229 goto exit;
1230 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1231
1232 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1233
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1234 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1235 }
1236 }
1237
1238 *iv_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1239 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1240
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1241exit:
1242 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1243}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1244
1245/*
1246 * AES-CFB8 buffer encryption/decryption
1247 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1248int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1249 int mode,
1250 size_t length,
1251 unsigned char iv[16],
1252 const unsigned char *input,
1253 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1254{
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1255 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1256 unsigned char c;
1257 unsigned char ov[17];
1258
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1259 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1260 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1261 while( length-- )
1262 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1263 memcpy( ov, iv, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1264 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1265 if( ret != 0 )
1266 goto exit;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1267
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1268 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1269 ov[16] = *input;
1270
1271 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1272
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1273 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1274 ov[16] = c;
1275
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1276 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1277 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1278 ret = 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1279
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1280exit:
1281 return( ret );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1282}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1283#endif /* MBEDTLS_CIPHER_MODE_CFB */
1284
1285#if defined(MBEDTLS_CIPHER_MODE_OFB)
1286/*
1287 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1288 */
1289int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1290 size_t length,
1291 size_t *iv_off,
1292 unsigned char iv[16],
1293 const unsigned char *input,
1294 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1295{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1296 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1297 size_t n;
1298
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1299 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1300
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1301 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1302 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1303
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1304 while( length-- )
1305 {
1306 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1307 {
1308 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1309 if( ret != 0 )
1310 goto exit;
1311 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1312 *output++ = *input++ ^ iv[n];
1313
1314 n = ( n + 1 ) & 0x0F;
1315 }
1316
1317 *iv_off = n;
1318
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1319exit:
1320 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1321}
1322#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1324#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1325/*
1326 * AES-CTR buffer encryption/decryption
1327 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1328int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1329 size_t length,
1330 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1331 unsigned char nonce_counter[16],
1332 unsigned char stream_block[16],
1333 const unsigned char *input,
1334 unsigned char *output )
1335{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1336 int c, i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1337 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1338 size_t n;
1339
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1340 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1341
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1342 if ( n > 0x0F )
1343 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1344
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1345 while( length-- )
1346 {
1347 if( n == 0 ) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1348 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1349 if( ret != 0 )
1350 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1351
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1352 for( i = 16; i > 0; i-- )
1353 if( ++nonce_counter[i - 1] != 0 )
1354 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1355 }
1356 c = *input++;
1357 *output++ = (unsigned char)( c ^ stream_block[n] );
1358
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1359 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1360 }
1361
1362 *nc_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1363 ret = 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1364
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1365exit:
1366 return( ret );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1367}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1368#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1369
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1370#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1373/*
1374 * AES test vectors from:
1375 *
1376 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1377 */
1378static const unsigned char aes_test_ecb_dec[3][16] =
1379{
1380 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1381 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1382 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1383 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1384 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1385 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1386};
1387
1388static const unsigned char aes_test_ecb_enc[3][16] =
1389{
1390 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1391 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1392 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1393 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1394 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1395 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1396};
1397
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1398#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1399static const unsigned char aes_test_cbc_dec[3][16] =
1400{
1401 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1402 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1403 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1404 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1405 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1406 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1407};
1408
1409static const unsigned char aes_test_cbc_enc[3][16] =
1410{
1411 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1412 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1413 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1414 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1415 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1416 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1417};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1418#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1419
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1420#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1421/*
1422 * AES-CFB128 test vectors from:
1423 *
1424 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1425 */
1426static const unsigned char aes_test_cfb128_key[3][32] =
1427{
1428 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1429 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1430 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1431 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1432 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1433 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1434 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1435 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1436 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1437};
1438
1439static const unsigned char aes_test_cfb128_iv[16] =
1440{
1441 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1442 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1443};
1444
1445static const unsigned char aes_test_cfb128_pt[64] =
1446{
1447 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1448 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1449 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1450 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1451 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1452 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1453 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1454 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1455};
1456
1457static const unsigned char aes_test_cfb128_ct[3][64] =
1458{
1459 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1460 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1461 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1462 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1463 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1464 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1465 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1466 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1467 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1468 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1469 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1470 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1471 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1472 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1473 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1474 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1475 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1476 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1477 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1478 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1479 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1480 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1481 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1482 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1483};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1484#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1485
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1486#if defined(MBEDTLS_CIPHER_MODE_OFB)
1487/*
1488 * AES-OFB test vectors from:
1489 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1490 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1491 */
1492static const unsigned char aes_test_ofb_key[3][32] =
1493{
1494 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1495 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1496 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1497 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1498 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1499 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1500 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1501 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1502 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1503};
1504
1505static const unsigned char aes_test_ofb_iv[16] =
1506{
1507 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1508 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1509};
1510
1511static const unsigned char aes_test_ofb_pt[64] =
1512{
1513 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1514 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1515 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1516 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1517 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1518 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1519 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1520 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1521};
1522
1523static const unsigned char aes_test_ofb_ct[3][64] =
1524{
1525 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1526 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1527 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1528 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1529 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1530 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1531 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1532 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1533 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1534 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1535 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1536 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1537 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1538 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1539 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1540 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1541 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1542 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1543 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1544 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1545 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1546 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1547 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1548 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1549};
1550#endif /* MBEDTLS_CIPHER_MODE_OFB */
1551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1552#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1553/*
1554 * AES-CTR test vectors from:
1555 *
1556 * http://www.faqs.org/rfcs/rfc3686.html
1557 */
1558
1559static const unsigned char aes_test_ctr_key[3][16] =
1560{
1561 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1562 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1563 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1564 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1565 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1566 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1567};
1568
1569static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1570{
1571 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1573 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1574 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1575 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1576 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1577};
1578
1579static const unsigned char aes_test_ctr_pt[3][48] =
1580{
1581 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1582 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1583
1584 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1585 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1586 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1587 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1588
1589 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1590 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1591 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1592 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1593 0x20, 0x21, 0x22, 0x23 }
1594};
1595
1596static const unsigned char aes_test_ctr_ct[3][48] =
1597{
1598 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1599 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1600 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1601 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1602 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1603 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1604 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1605 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1606 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1607 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1608 0x25, 0xB2, 0x07, 0x2F }
1609};
1610
1611static const int aes_test_ctr_len[3] =
1612 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1613#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1614
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1615#if defined(MBEDTLS_CIPHER_MODE_XTS)
1616/*
1617 * AES-XTS test vectors from:
1618 *
1619 * IEEE P1619/D16 Annex B
1620 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1621 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1622 */
1623static const unsigned char aes_test_xts_key[][32] =
1624{
1625 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1628 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1629 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1630 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1631 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1632 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1633 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1634 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1635 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1636 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1637};
1638
1639static const unsigned char aes_test_xts_pt32[][32] =
1640{
1641 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1643 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1644 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1645 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1646 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1647 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1648 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1649 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1650 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1651 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1652 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1653};
1654
1655static const unsigned char aes_test_xts_ct32[][32] =
1656{
1657 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1658 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1659 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1660 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1661 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1662 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1663 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1664 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1665 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1666 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1667 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1668 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1669};
1670
1671static const unsigned char aes_test_xts_data_unit[][16] =
1672{
1673 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1674 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1675 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1676 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1677 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1679};
1680
1681#endif /* MBEDTLS_CIPHER_MODE_XTS */
1682
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1683/*
1684 * Checkup routine
1685 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1686int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1687{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1688 int ret = 0, i, j, u, mode;
1689 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690 unsigned char key[32];
1691 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1692 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1693#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1694 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1695#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1696#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1697 unsigned char prv[16];
1698#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1699#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1700 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1701 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1702#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1703#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1704 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1705#endif
1706#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1707 unsigned char nonce_counter[16];
1708 unsigned char stream_block[16];
1709#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1710 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1711
1712 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1713 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1714
1715 /*
1716 * ECB mode
1717 */
1718 for( i = 0; i < 6; i++ )
1719 {
1720 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1721 keybits = 128 + u * 64;
1722 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1723
1724 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1725 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1726 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1727
1728 memset( buf, 0, 16 );
1729
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1730 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1731 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1732 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1733 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1734 }
1735 else
1736 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1737 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1738 aes_tests = aes_test_ecb_enc[u];
1739 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1740
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1741 /*
1742 * AES-192 is an optional feature that may be unavailable when
1743 * there is an alternative underlying implementation i.e. when
1744 * MBEDTLS_AES_ALT is defined.
1745 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1746 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1747 {
1748 mbedtls_printf( "skipped\n" );
1749 continue;
1750 }
1751 else if( ret != 0 )
1752 {
1753 goto exit;
1754 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1755
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1756 for( j = 0; j < 10000; j++ )
1757 {
1758 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1759 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1760 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1761 }
1762
1763 if( memcmp( buf, aes_tests, 16 ) != 0 )
1764 {
1765 ret = 1;
1766 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1767 }
1768
1769 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1770 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1771 }
1772
1773 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1774 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1775
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1776#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1777 /*
1778 * CBC mode
1779 */
1780 for( i = 0; i < 6; i++ )
1781 {
1782 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1783 keybits = 128 + u * 64;
1784 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1785
1786 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1787 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1788 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1789
1790 memset( iv , 0, 16 );
1791 memset( prv, 0, 16 );
1792 memset( buf, 0, 16 );
1793
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1794 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1795 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1796 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1797 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798 }
1799 else
1800 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1801 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1802 aes_tests = aes_test_cbc_enc[u];
1803 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1805 /*
1806 * AES-192 is an optional feature that may be unavailable when
1807 * there is an alternative underlying implementation i.e. when
1808 * MBEDTLS_AES_ALT is defined.
1809 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1810 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1811 {
1812 mbedtls_printf( "skipped\n" );
1813 continue;
1814 }
1815 else if( ret != 0 )
1816 {
1817 goto exit;
1818 }
1819
1820 for( j = 0; j < 10000; j++ )
1821 {
1822 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823 {
1824 unsigned char tmp[16];
1825
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1826 memcpy( tmp, prv, 16 );
1827 memcpy( prv, buf, 16 );
1828 memcpy( buf, tmp, 16 );
1829 }
1830
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1831 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1832 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1833 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1834
1835 }
1836
1837 if( memcmp( buf, aes_tests, 16 ) != 0 )
1838 {
1839 ret = 1;
1840 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1841 }
1842
1843 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1844 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845 }
1846
1847 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1848 mbedtls_printf( "\n" );
1849#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1850
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1851#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852 /*
1853 * CFB128 mode
1854 */
1855 for( i = 0; i < 6; i++ )
1856 {
1857 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1858 keybits = 128 + u * 64;
1859 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860
1861 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1862 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1863 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864
1865 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1866 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1867
1868 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1869 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1870 /*
1871 * AES-192 is an optional feature that may be unavailable when
1872 * there is an alternative underlying implementation i.e. when
1873 * MBEDTLS_AES_ALT is defined.
1874 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1875 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1876 {
1877 mbedtls_printf( "skipped\n" );
1878 continue;
1879 }
1880 else if( ret != 0 )
1881 {
1882 goto exit;
1883 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1884
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1885 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886 {
1887 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1888 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889 }
1890 else
1891 {
1892 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1893 aes_tests = aes_test_cfb128_ct[u];
1894 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1895
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1896 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1897 if( ret != 0 )
1898 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1899
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1900 if( memcmp( buf, aes_tests, 64 ) != 0 )
1901 {
1902 ret = 1;
1903 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904 }
1905
1906 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1907 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1908 }
1909
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1910 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1911 mbedtls_printf( "\n" );
1912#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1913
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1914#if defined(MBEDTLS_CIPHER_MODE_OFB)
1915 /*
1916 * OFB mode
1917 */
1918 for( i = 0; i < 6; i++ )
1919 {
1920 u = i >> 1;
1921 keybits = 128 + u * 64;
1922 mode = i & 1;
1923
1924 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1925 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1926 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1927
1928 memcpy( iv, aes_test_ofb_iv, 16 );
1929 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1930
1931 offset = 0;
1932 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1933 /*
1934 * AES-192 is an optional feature that may be unavailable when
1935 * there is an alternative underlying implementation i.e. when
1936 * MBEDTLS_AES_ALT is defined.
1937 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1938 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1939 {
1940 mbedtls_printf( "skipped\n" );
1941 continue;
1942 }
1943 else if( ret != 0 )
1944 {
1945 goto exit;
1946 }
1947
1948 if( mode == MBEDTLS_AES_DECRYPT )
1949 {
1950 memcpy( buf, aes_test_ofb_ct[u], 64 );
1951 aes_tests = aes_test_ofb_pt;
1952 }
1953 else
1954 {
1955 memcpy( buf, aes_test_ofb_pt, 64 );
1956 aes_tests = aes_test_ofb_ct[u];
1957 }
1958
1959 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1960 if( ret != 0 )
1961 goto exit;
1962
1963 if( memcmp( buf, aes_tests, 64 ) != 0 )
1964 {
1965 ret = 1;
1966 goto exit;
1967 }
1968
1969 if( verbose != 0 )
1970 mbedtls_printf( "passed\n" );
1971 }
1972
1973 if( verbose != 0 )
1974 mbedtls_printf( "\n" );
1975#endif /* MBEDTLS_CIPHER_MODE_OFB */
1976
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1977#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1978 /*
1979 * CTR mode
1980 */
1981 for( i = 0; i < 6; i++ )
1982 {
1983 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1984 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1985
1986 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1987 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1988 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1989
1990 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1991 memcpy( key, aes_test_ctr_key[u], 16 );
1992
1993 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1994 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1995 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1996
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1997 len = aes_test_ctr_len[u];
1998
1999 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2000 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2001 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2002 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2003 }
2004 else
2005 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2006 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2007 aes_tests = aes_test_ctr_ct[u];
2008 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2009
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2010 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2011 stream_block, buf, buf );
2012 if( ret != 0 )
2013 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2014
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2015 if( memcmp( buf, aes_tests, len ) != 0 )
2016 {
2017 ret = 1;
2018 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2019 }
2020
2021 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2022 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2023 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2024
2025 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2026 mbedtls_printf( "\n" );
2027#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2028
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2029#if defined(MBEDTLS_CIPHER_MODE_XTS)
2030 {
2031 static const int num_tests =
2032 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2033 mbedtls_aes_xts_context ctx_xts;
2034
2035 /*
2036 * XTS mode
2037 */
2038 mbedtls_aes_xts_init( &ctx_xts );
2039
2040 for( i = 0; i < num_tests << 1; i++ )
2041 {
2042 const unsigned char *data_unit;
2043 u = i >> 1;
2044 mode = i & 1;
2045
2046 if( verbose != 0 )
2047 mbedtls_printf( " AES-XTS-128 (%s): ",
2048 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2049
2050 memset( key, 0, sizeof( key ) );
2051 memcpy( key, aes_test_xts_key[u], 32 );
2052 data_unit = aes_test_xts_data_unit[u];
2053
2054 len = sizeof( *aes_test_xts_ct32 );
2055
2056 if( mode == MBEDTLS_AES_DECRYPT )
2057 {
2058 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2059 if( ret != 0)
2060 goto exit;
2061 memcpy( buf, aes_test_xts_ct32[u], len );
2062 aes_tests = aes_test_xts_pt32[u];
2063 }
2064 else
2065 {
2066 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2067 if( ret != 0)
2068 goto exit;
2069 memcpy( buf, aes_test_xts_pt32[u], len );
2070 aes_tests = aes_test_xts_ct32[u];
2071 }
2072
2073
2074 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2075 buf, buf );
2076 if( ret != 0 )
2077 goto exit;
2078
2079 if( memcmp( buf, aes_tests, len ) != 0 )
2080 {
2081 ret = 1;
2082 goto exit;
2083 }
2084
2085 if( verbose != 0 )
2086 mbedtls_printf( "passed\n" );
2087 }
2088
2089 if( verbose != 0 )
2090 mbedtls_printf( "\n" );
2091
2092 mbedtls_aes_xts_free( &ctx_xts );
2093 }
2094#endif /* MBEDTLS_CIPHER_MODE_XTS */
2095
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2096 ret = 0;
2097
2098exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2099 if( ret != 0 && verbose != 0 )
2100 mbedtls_printf( "failed\n" );
2101
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2102 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2103
2104 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2105}
2106
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2107#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2109#endif /* MBEDTLS_AES_C */