TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 02c7b48a7057aa524e9d5d801b45e372c61b46ed / . / library / aes.c
blob: 132849d8e3704a9ea9b3f03f5beec0085ffc047f [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkútia2947ac2020-08-19 16:37:36 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45 */
46/*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]54#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]55#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]61#include <string.h>
62
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]63#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]64#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]65#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]66#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]67#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]68#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]69#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]70#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]71#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]73#if defined(MBEDTLS_SELF_TEST)
74#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]75#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]76#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]77#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]78#define mbedtls_printf printf
79#endif /* MBEDTLS_PLATFORM_C */
80#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]81
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]83
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]84/* Parameter validation macros based on platform_util.h */
85#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]86 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]87#define AES_VALIDATE( cond ) \
88 MBEDTLS_INTERNAL_VALIDATE( cond )
89
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90/*
91 * 32-bit integer manipulation macros (little endian)
92 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]93#ifndef GET_UINT32_LE
94#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]96 (n) = ( (uint32_t) (b)[(i) ] ) \
97 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
98 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
99 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]100}
101#endif
102
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]103#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]104#define PUT_UINT32_LE(n,b,i) \
105{ \
106 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
107 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
108 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
109 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]110}
111#endif
112
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]113#if defined(MBEDTLS_PADLOCK_C) && \
114 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]115static int aes_padlock_ace = -1;
116#endif
117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]118#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]119/*
120 * Forward S-box
121 */
122static const unsigned char FSb[256] =
123{
124 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
125 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
126 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
127 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
128 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
129 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
130 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
131 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
132 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
133 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
134 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
135 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
136 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
137 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
138 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
139 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
140 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
141 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
142 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
143 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
144 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
145 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
146 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
147 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
148 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
149 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
150 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
151 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
152 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
153 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
154 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
155 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
156};
157
158/*
159 * Forward tables
160 */
161#define FT \
162\
163 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
164 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
165 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
166 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
167 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
168 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
169 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
170 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
171 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
172 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
173 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
174 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
175 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
176 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
177 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
178 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
179 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
180 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
181 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
182 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
183 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
184 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
185 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
186 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
187 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
188 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
189 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
190 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
191 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
192 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
193 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
194 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
195 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
196 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
197 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
198 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
199 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
200 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
201 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
202 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
203 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
204 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
205 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
206 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
207 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
208 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
209 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
210 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
211 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
212 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
213 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
214 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
215 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
216 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
217 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
218 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
219 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
220 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
221 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
222 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
223 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
224 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
225 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
226 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
227
228#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]232#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]233
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]235static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236#undef V
237
238#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]239static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]240#undef V
241
242#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]243static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244#undef V
245
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]246#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]247
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]248#undef FT
249
250/*
251 * Reverse S-box
252 */
253static const unsigned char RSb[256] =
254{
255 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
256 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
257 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
258 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
259 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
260 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
261 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
262 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
263 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
264 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
265 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
266 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
267 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
268 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
269 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
270 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
271 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
272 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
273 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
274 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
275 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
276 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
277 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
278 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
279 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
280 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
281 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
282 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
283 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
284 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
285 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
286 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
287};
288
289/*
290 * Reverse tables
291 */
292#define RT \
293\
294 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
295 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
296 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
297 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
298 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
299 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
300 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
301 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
302 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
303 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
304 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
305 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
306 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
307 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
308 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
309 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
310 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
311 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
312 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
313 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
314 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
315 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
316 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
317 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
318 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
319 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
320 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
321 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
322 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
323 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
324 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
325 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
326 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
327 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
328 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
329 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
330 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
331 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
332 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
333 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
334 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
335 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
336 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
337 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
338 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
339 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
340 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
341 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
342 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
343 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
344 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
345 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
346 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
347 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
348 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
349 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
350 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
351 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
352 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
353 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
354 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
355 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
356 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
357 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
358
359#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361#undef V
362
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]363#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]364
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]366static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367#undef V
368
369#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]370static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371#undef V
372
373#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]374static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375#undef V
376
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]378
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379#undef RT
380
381/*
382 * Round constants
383 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]385{
386 0x00000001, 0x00000002, 0x00000004, 0x00000008,
387 0x00000010, 0x00000020, 0x00000040, 0x00000080,
388 0x0000001B, 0x00000036
389};
390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]391#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392
393/*
394 * Forward S-box & tables
395 */
396static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]397static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]398#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]399static uint32_t FT1[256];
400static uint32_t FT2[256];
401static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]402#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]403
404/*
405 * Reverse S-box & tables
406 */
407static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]408static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]409#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]410static uint32_t RT1[256];
411static uint32_t RT2[256];
412static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]413#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]414
415/*
416 * Round constants
417 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]418static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419
420/*
421 * Tables generation code
422 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]423#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
424#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]425#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426
427static int aes_init_done = 0;
428
429static void aes_gen_tables( void )
430{
431 int i, x, y, z;
432 int pow[256];
433 int log[256];
434
435 /*
436 * compute pow and log tables over GF(2^8)
437 */
438 for( i = 0, x = 1; i < 256; i++ )
439 {
440 pow[i] = x;
441 log[x] = i;
442 x = ( x ^ XTIME( x ) ) & 0xFF;
443 }
444
445 /*
446 * calculate the round constants
447 */
448 for( i = 0, x = 1; i < 10; i++ )
449 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]450 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451 x = XTIME( x ) & 0xFF;
452 }
453
454 /*
455 * generate the forward and reverse S-boxes
456 */
457 FSb[0x00] = 0x63;
458 RSb[0x63] = 0x00;
459
460 for( i = 1; i < 256; i++ )
461 {
462 x = pow[255 - log[i]];
463
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]464 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
466 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468 x ^= y ^ 0x63;
469
470 FSb[i] = (unsigned char) x;
471 RSb[x] = (unsigned char) i;
472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
494 x = RSb[i];
495
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]496 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
497 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
498 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
499 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]500
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]501#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502 RT1[i] = ROTL8( RT0[i] );
503 RT2[i] = ROTL8( RT1[i] );
504 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]505#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]506 }
507}
508
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]509#undef ROTL8
510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]512
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]513#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]514
515#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
516#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
517#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
518
519#define AES_RT0(idx) RT0[idx]
520#define AES_RT1(idx) ROTL8( RT0[idx] )
521#define AES_RT2(idx) ROTL16( RT0[idx] )
522#define AES_RT3(idx) ROTL24( RT0[idx] )
523
524#define AES_FT0(idx) FT0[idx]
525#define AES_FT1(idx) ROTL8( FT0[idx] )
526#define AES_FT2(idx) ROTL16( FT0[idx] )
527#define AES_FT3(idx) ROTL24( FT0[idx] )
528
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]529#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]530
531#define AES_RT0(idx) RT0[idx]
532#define AES_RT1(idx) RT1[idx]
533#define AES_RT2(idx) RT2[idx]
534#define AES_RT3(idx) RT3[idx]
535
536#define AES_FT0(idx) FT0[idx]
537#define AES_FT1(idx) FT1[idx]
538#define AES_FT2(idx) FT2[idx]
539#define AES_FT3(idx) FT3[idx]
540
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]541#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]543void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]544{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]545 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]547 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]548}
549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]550void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]551{
552 if( ctx == NULL )
553 return;
554
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]555 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]556}
557
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]558#if defined(MBEDTLS_CIPHER_MODE_XTS)
559void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
560{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]561 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]562
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]563 mbedtls_aes_init( &ctx->crypt );
564 mbedtls_aes_init( &ctx->tweak );
565}
566
567void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
568{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]569 if( ctx == NULL )
570 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]571
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]572 mbedtls_aes_free( &ctx->crypt );
573 mbedtls_aes_free( &ctx->tweak );
574}
575#endif /* MBEDTLS_CIPHER_MODE_XTS */
576
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577/*
578 * AES key schedule (encryption)
579 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]580#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]582 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]584 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]585 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]587 AES_VALIDATE_RET( ctx != NULL );
588 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]590 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591 {
592 case 128: ctx->nr = 10; break;
593 case 192: ctx->nr = 12; break;
594 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]595 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 }
597
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]598#if !defined(MBEDTLS_AES_ROM_TABLES)
599 if( aes_init_done == 0 )
600 {
601 aes_gen_tables();
602 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]603 }
604#endif
605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]606#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]607 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]608 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]609
610 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]611 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]612 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]614 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]616#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]617 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]618 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]619#endif
620
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]621 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]622 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]623 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624 }
625
626 switch( ctx->nr )
627 {
628 case 10:
629
630 for( i = 0; i < 10; i++, RK += 4 )
631 {
632 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]633 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
634 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
635 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
636 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637
638 RK[5] = RK[1] ^ RK[4];
639 RK[6] = RK[2] ^ RK[5];
640 RK[7] = RK[3] ^ RK[6];
641 }
642 break;
643
644 case 12:
645
646 for( i = 0; i < 8; i++, RK += 6 )
647 {
648 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]649 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
650 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
651 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
652 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654 RK[7] = RK[1] ^ RK[6];
655 RK[8] = RK[2] ^ RK[7];
656 RK[9] = RK[3] ^ RK[8];
657 RK[10] = RK[4] ^ RK[9];
658 RK[11] = RK[5] ^ RK[10];
659 }
660 break;
661
662 case 14:
663
664 for( i = 0; i < 7; i++, RK += 8 )
665 {
666 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]667 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
668 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
669 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
670 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671
672 RK[9] = RK[1] ^ RK[8];
673 RK[10] = RK[2] ^ RK[9];
674 RK[11] = RK[3] ^ RK[10];
675
676 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
678 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
679 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
680 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
682 RK[13] = RK[5] ^ RK[12];
683 RK[14] = RK[6] ^ RK[13];
684 RK[15] = RK[7] ^ RK[14];
685 }
686 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]688
689 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]691#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692
693/*
694 * AES key schedule (decryption)
695 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]696#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]697int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]698 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]700 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]702 uint32_t *RK;
703 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]704
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]705 AES_VALIDATE_RET( ctx != NULL );
706 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]708 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]709
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]711 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]712 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]713
714 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]715 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]716 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]718 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]720 /* Also checks keybits */
721 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]722 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]723
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]724 ctx->nr = cty.nr;
725
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]726#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]727 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]728 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]730 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]732 }
733#endif
734
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735 SK = cty.rk + cty.nr * 4;
736
737 *RK++ = *SK++;
738 *RK++ = *SK++;
739 *RK++ = *SK++;
740 *RK++ = *SK++;
741
742 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
743 {
744 for( j = 0; j < 4; j++, SK++ )
745 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]746 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
747 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
748 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
749 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750 }
751 }
752
753 *RK++ = *SK++;
754 *RK++ = *SK++;
755 *RK++ = *SK++;
756 *RK++ = *SK++;
757
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]758exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]759 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]760
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]761 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]763
764#if defined(MBEDTLS_CIPHER_MODE_XTS)
765static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
766 unsigned int keybits,
767 const unsigned char **key1,
768 unsigned int *key1bits,
769 const unsigned char **key2,
770 unsigned int *key2bits )
771{
772 const unsigned int half_keybits = keybits / 2;
773 const unsigned int half_keybytes = half_keybits / 8;
774
775 switch( keybits )
776 {
777 case 256: break;
778 case 512: break;
779 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
780 }
781
782 *key1bits = half_keybits;
783 *key2bits = half_keybits;
784 *key1 = &key[0];
785 *key2 = &key[half_keybytes];
786
787 return 0;
788}
789
790int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
791 const unsigned char *key,
792 unsigned int keybits)
793{
794 int ret;
795 const unsigned char *key1, *key2;
796 unsigned int key1bits, key2bits;
797
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]798 AES_VALIDATE_RET( ctx != NULL );
799 AES_VALIDATE_RET( key != NULL );
800
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
802 &key2, &key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set the tweak key. Always set tweak key for the encryption mode. */
807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
808 if( ret != 0 )
809 return( ret );
810
811 /* Set crypt key for encryption. */
812 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
813}
814
815int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
816 const unsigned char *key,
817 unsigned int keybits)
818{
819 int ret;
820 const unsigned char *key1, *key2;
821 unsigned int key1bits, key2bits;
822
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]823 AES_VALIDATE_RET( ctx != NULL );
824 AES_VALIDATE_RET( key != NULL );
825
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]826 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
827 &key2, &key2bits );
828 if( ret != 0 )
829 return( ret );
830
831 /* Set the tweak key. Always set tweak key for encryption. */
832 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
833 if( ret != 0 )
834 return( ret );
835
836 /* Set crypt key for decryption. */
837 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
838}
839#endif /* MBEDTLS_CIPHER_MODE_XTS */
840
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]841#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]843#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
844 do \
845 { \
846 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
847 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
848 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
849 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
850 \
851 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
852 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
853 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
854 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
855 \
856 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
857 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
858 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
859 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
860 \
861 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
862 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
863 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
864 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
865 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]867#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
868 do \
869 { \
870 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
871 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
872 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
873 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
874 \
875 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
876 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
877 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
878 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
879 \
880 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
881 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
882 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
883 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
884 \
885 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
886 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
887 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
888 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
889 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]890
891/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]892 * AES-ECB block encryption
893 */
894#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]895int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
896 const unsigned char input[16],
897 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]898{
899 int i;
900 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
901
902 RK = ctx->rk;
903
904 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
905 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
906 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
907 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
908
909 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
910 {
911 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
912 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
913 }
914
915 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
916
917 X0 = *RK++ ^ \
918 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
919 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
920 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
921 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
922
923 X1 = *RK++ ^ \
924 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
925 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
926 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
927 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
928
929 X2 = *RK++ ^ \
930 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
931 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
932 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
933 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
934
935 X3 = *RK++ ^ \
936 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
937 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
938 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
939 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
940
941 PUT_UINT32_LE( X0, output, 0 );
942 PUT_UINT32_LE( X1, output, 4 );
943 PUT_UINT32_LE( X2, output, 8 );
944 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]945
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]946 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
947 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
948 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
949 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
950
951 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
952 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
953 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
954 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
955
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]956 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]957}
958#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
959
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]960#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]961void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
962 const unsigned char input[16],
963 unsigned char output[16] )
964{
965 mbedtls_internal_aes_encrypt( ctx, input, output );
966}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]967#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]968
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]969/*
970 * AES-ECB block decryption
971 */
972#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]973int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
974 const unsigned char input[16],
975 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]976{
977 int i;
978 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
979
980 RK = ctx->rk;
981
982 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
983 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
984 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
985 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
986
987 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
988 {
989 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
990 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
991 }
992
993 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
994
995 X0 = *RK++ ^ \
996 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
997 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
998 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
999 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
1000
1001 X1 = *RK++ ^ \
1002 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
1003 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
1004 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
1005 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
1006
1007 X2 = *RK++ ^ \
1008 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
1009 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
1010 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
1011 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
1012
1013 X3 = *RK++ ^ \
1014 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
1015 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
1016 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
1017 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
1018
1019 PUT_UINT32_LE( X0, output, 0 );
1020 PUT_UINT32_LE( X1, output, 4 );
1021 PUT_UINT32_LE( X2, output, 8 );
1022 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1023
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]1024 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
1025 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1026 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1027 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1028
1029 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1030 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1031 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1032 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1033
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1034 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1035}
1036#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1037
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1038#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1039void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1040 const unsigned char input[16],
1041 unsigned char output[16] )
1042{
1043 mbedtls_internal_aes_decrypt( ctx, input, output );
1044}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1045#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1046
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1047/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1048 * AES-ECB block encryption/decryption
1049 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1050int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1051 int mode,
1052 const unsigned char input[16],
1053 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1054{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1055 AES_VALIDATE_RET( ctx != NULL );
1056 AES_VALIDATE_RET( input != NULL );
1057 AES_VALIDATE_RET( output != NULL );
1058 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1059 mode == MBEDTLS_AES_DECRYPT );
1060
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1061#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1062 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1063 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1064#endif
1065
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1067 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1068 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1069 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1070 return( 0 );
1071
1072 // If padlock data misaligned, we just fall back to
1073 // unaccelerated mode
1074 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075 }
1076#endif
1077
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1078 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1079 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1080 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1081 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082}
1083
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1084#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1085/*
1086 * AES-CBC buffer encryption/decryption
1087 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1088int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1090 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1091 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1092 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1093 unsigned char *output )
1094{
1095 int i;
1096 unsigned char temp[16];
1097
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1098 AES_VALIDATE_RET( ctx != NULL );
1099 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1100 mode == MBEDTLS_AES_DECRYPT );
1101 AES_VALIDATE_RET( iv != NULL );
1102 AES_VALIDATE_RET( input != NULL );
1103 AES_VALIDATE_RET( output != NULL );
1104
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1105 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1106 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1108#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1109 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1110 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1111 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1112 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1113
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1114 // If padlock data misaligned, we just fall back to
1115 // unaccelerated mode
1116 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1117 }
1118#endif
1119
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1120 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1121 {
1122 while( length > 0 )
1123 {
1124 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1125 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1126
1127 for( i = 0; i < 16; i++ )
1128 output[i] = (unsigned char)( output[i] ^ iv[i] );
1129
1130 memcpy( iv, temp, 16 );
1131
1132 input += 16;
1133 output += 16;
1134 length -= 16;
1135 }
1136 }
1137 else
1138 {
1139 while( length > 0 )
1140 {
1141 for( i = 0; i < 16; i++ )
1142 output[i] = (unsigned char)( input[i] ^ iv[i] );
1143
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1144 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1145 memcpy( iv, output, 16 );
1146
1147 input += 16;
1148 output += 16;
1149 length -= 16;
1150 }
1151 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1152
1153 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1154}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1155#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1156
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1157#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1158
1159/* Endianess with 64 bits values */
1160#ifndef GET_UINT64_LE
1161#define GET_UINT64_LE(n,b,i) \
1162{ \
1163 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1164 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1165 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1166 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1167 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1168 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1169 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1170 | ( (uint64_t) (b)[(i) ] ); \
1171}
1172#endif
1173
1174#ifndef PUT_UINT64_LE
1175#define PUT_UINT64_LE(n,b,i) \
1176{ \
1177 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1178 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1179 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1180 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1181 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1182 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1183 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1184 (b)[(i) ] = (unsigned char) ( (n) ); \
1185}
1186#endif
1187
1188typedef unsigned char mbedtls_be128[16];
1189
1190/*
1191 * GF(2^128) multiplication function
1192 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1193 * This function multiplies a field element by x in the polynomial field
1194 * representation. It uses 64-bit word operations to gain speed but compensates
1195 * for machine endianess and hence works correctly on both big and little
1196 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1197 */
1198static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1199 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1200{
1201 uint64_t a, b, ra, rb;
1202
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1203 GET_UINT64_LE( a, x, 0 );
1204 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1205
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1206 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1207 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1208
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1209 PUT_UINT64_LE( ra, r, 0 );
1210 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1211}
1212
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1213/*
1214 * AES-XTS buffer encryption/decryption
1215 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1216int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1217 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1218 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1219 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1220 const unsigned char *input,
1221 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1222{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1223 int ret;
1224 size_t blocks = length / 16;
1225 size_t leftover = length % 16;
1226 unsigned char tweak[16];
1227 unsigned char prev_tweak[16];
1228 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1229
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1230 AES_VALIDATE_RET( ctx != NULL );
1231 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1232 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1233 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1234 AES_VALIDATE_RET( input != NULL );
1235 AES_VALIDATE_RET( output != NULL );
1236
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1237 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1238 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1239 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1240
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1241 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1242 if( length > ( 1 << 20 ) * 16 )
1243 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1244
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1245 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1246 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1247 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1248 if( ret != 0 )
1249 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1250
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1251 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1252 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1253 size_t i;
1254
1255 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1256 {
1257 /* We are on the last block in a decrypt operation that has
1258 * leftover bytes, so we need to use the next tweak for this block,
1259 * and this tweak for the lefover bytes. Save the current tweak for
1260 * the leftovers and then update the current tweak for use on this,
1261 * the last full block. */
1262 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1263 mbedtls_gf128mul_x_ble( tweak, tweak );
1264 }
1265
1266 for( i = 0; i < 16; i++ )
1267 tmp[i] = input[i] ^ tweak[i];
1268
1269 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1270 if( ret != 0 )
1271 return( ret );
1272
1273 for( i = 0; i < 16; i++ )
1274 output[i] = tmp[i] ^ tweak[i];
1275
1276 /* Update the tweak for the next block. */
1277 mbedtls_gf128mul_x_ble( tweak, tweak );
1278
1279 output += 16;
1280 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1281 }
1282
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1283 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1284 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1285 /* If we are on the leftover bytes in a decrypt operation, we need to
1286 * use the previous tweak for these bytes (as saved in prev_tweak). */
1287 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1288
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1289 /* We are now on the final part of the data unit, which doesn't divide
1290 * evenly by 16. It's time for ciphertext stealing. */
1291 size_t i;
1292 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1293
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1294 /* Copy ciphertext bytes from the previous block to our output for each
1295 * byte of cyphertext we won't steal. At the same time, copy the
1296 * remainder of the input for this final round (since the loop bounds
1297 * are the same). */
1298 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1299 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1300 output[i] = prev_output[i];
1301 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1302 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1303
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1304 /* Copy ciphertext bytes from the previous block for input in this
1305 * round. */
1306 for( ; i < 16; i++ )
1307 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1308
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1309 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1310 if( ret != 0 )
1311 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1312
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1313 /* Write the result back to the previous block, overriding the previous
1314 * output we copied. */
1315 for( i = 0; i < 16; i++ )
1316 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1317 }
1318
1319 return( 0 );
1320}
1321#endif /* MBEDTLS_CIPHER_MODE_XTS */
1322
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1323#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1324/*
1325 * AES-CFB128 buffer encryption/decryption
1326 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1328 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1329 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1330 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1332 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333 unsigned char *output )
1334{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1335 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1336 size_t n;
1337
1338 AES_VALIDATE_RET( ctx != NULL );
1339 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1340 mode == MBEDTLS_AES_DECRYPT );
1341 AES_VALIDATE_RET( iv_off != NULL );
1342 AES_VALIDATE_RET( iv != NULL );
1343 AES_VALIDATE_RET( input != NULL );
1344 AES_VALIDATE_RET( output != NULL );
1345
1346 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1347
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1348 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1349 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1350
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1351 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1352 {
1353 while( length-- )
1354 {
1355 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1356 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1357
1358 c = *input++;
1359 *output++ = (unsigned char)( c ^ iv[n] );
1360 iv[n] = (unsigned char) c;
1361
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1362 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1363 }
1364 }
1365 else
1366 {
1367 while( length-- )
1368 {
1369 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1370 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1371
1372 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1373
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1374 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375 }
1376 }
1377
1378 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1379
1380 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1381}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1382
1383/*
1384 * AES-CFB8 buffer encryption/decryption
1385 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1386int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1387 int mode,
1388 size_t length,
1389 unsigned char iv[16],
1390 const unsigned char *input,
1391 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1392{
1393 unsigned char c;
1394 unsigned char ov[17];
1395
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1396 AES_VALIDATE_RET( ctx != NULL );
1397 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1398 mode == MBEDTLS_AES_DECRYPT );
1399 AES_VALIDATE_RET( iv != NULL );
1400 AES_VALIDATE_RET( input != NULL );
1401 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1402 while( length-- )
1403 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1404 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1405 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1406
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1407 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1408 ov[16] = *input;
1409
1410 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1411
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1412 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1413 ov[16] = c;
1414
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1415 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1416 }
1417
1418 return( 0 );
1419}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1420#endif /* MBEDTLS_CIPHER_MODE_CFB */
1421
1422#if defined(MBEDTLS_CIPHER_MODE_OFB)
1423/*
1424 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1425 */
1426int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1427 size_t length,
1428 size_t *iv_off,
1429 unsigned char iv[16],
1430 const unsigned char *input,
1431 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1432{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1433 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1434 size_t n;
1435
1436 AES_VALIDATE_RET( ctx != NULL );
1437 AES_VALIDATE_RET( iv_off != NULL );
1438 AES_VALIDATE_RET( iv != NULL );
1439 AES_VALIDATE_RET( input != NULL );
1440 AES_VALIDATE_RET( output != NULL );
1441
1442 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1443
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1444 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1445 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1446
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1447 while( length-- )
1448 {
1449 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1450 {
1451 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1452 if( ret != 0 )
1453 goto exit;
1454 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1455 *output++ = *input++ ^ iv[n];
1456
1457 n = ( n + 1 ) & 0x0F;
1458 }
1459
1460 *iv_off = n;
1461
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1462exit:
1463 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1464}
1465#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1466
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1467#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1468/*
1469 * AES-CTR buffer encryption/decryption
1470 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1471int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1472 size_t length,
1473 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1474 unsigned char nonce_counter[16],
1475 unsigned char stream_block[16],
1476 const unsigned char *input,
1477 unsigned char *output )
1478{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1479 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1480 size_t n;
1481
1482 AES_VALIDATE_RET( ctx != NULL );
1483 AES_VALIDATE_RET( nc_off != NULL );
1484 AES_VALIDATE_RET( nonce_counter != NULL );
1485 AES_VALIDATE_RET( stream_block != NULL );
1486 AES_VALIDATE_RET( input != NULL );
1487 AES_VALIDATE_RET( output != NULL );
1488
1489 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1490
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1491 if ( n > 0x0F )
1492 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1493
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1494 while( length-- )
1495 {
1496 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1497 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1498
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1499 for( i = 16; i > 0; i-- )
1500 if( ++nonce_counter[i - 1] != 0 )
1501 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1502 }
1503 c = *input++;
1504 *output++ = (unsigned char)( c ^ stream_block[n] );
1505
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1506 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1507 }
1508
1509 *nc_off = n;
1510
1511 return( 0 );
1512}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1513#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1515#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1517#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1518/*
1519 * AES test vectors from:
1520 *
1521 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1522 */
1523static const unsigned char aes_test_ecb_dec[3][16] =
1524{
1525 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1526 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1527 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1528 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1529 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1530 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1531};
1532
1533static const unsigned char aes_test_ecb_enc[3][16] =
1534{
1535 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1536 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1537 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1538 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1539 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1540 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1541};
1542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544static const unsigned char aes_test_cbc_dec[3][16] =
1545{
1546 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1547 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1548 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1549 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1550 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1551 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1552};
1553
1554static const unsigned char aes_test_cbc_enc[3][16] =
1555{
1556 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1557 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1558 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1559 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1560 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1561 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1562};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1563#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1564
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1565#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1566/*
1567 * AES-CFB128 test vectors from:
1568 *
1569 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1570 */
1571static const unsigned char aes_test_cfb128_key[3][32] =
1572{
1573 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1574 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1575 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1576 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1577 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1578 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1579 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1580 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1581 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1582};
1583
1584static const unsigned char aes_test_cfb128_iv[16] =
1585{
1586 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1587 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1588};
1589
1590static const unsigned char aes_test_cfb128_pt[64] =
1591{
1592 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1593 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1594 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1595 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1596 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1597 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1598 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1599 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1600};
1601
1602static const unsigned char aes_test_cfb128_ct[3][64] =
1603{
1604 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1605 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1606 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1607 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1608 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1609 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1610 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1611 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1612 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1613 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1614 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1615 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1616 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1617 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1618 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1619 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1620 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1621 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1622 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1623 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1624 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1625 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1626 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1627 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1628};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1629#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1630
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1631#if defined(MBEDTLS_CIPHER_MODE_OFB)
1632/*
1633 * AES-OFB test vectors from:
1634 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1635 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1636 */
1637static const unsigned char aes_test_ofb_key[3][32] =
1638{
1639 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1640 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1641 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1642 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1643 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1644 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1645 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1646 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1647 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1648};
1649
1650static const unsigned char aes_test_ofb_iv[16] =
1651{
1652 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1653 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1654};
1655
1656static const unsigned char aes_test_ofb_pt[64] =
1657{
1658 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1659 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1660 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1661 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1662 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1663 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1664 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1665 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1666};
1667
1668static const unsigned char aes_test_ofb_ct[3][64] =
1669{
1670 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1671 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1672 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1673 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1674 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1675 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1676 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1677 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1678 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1679 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1680 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1681 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1682 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1683 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1684 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1685 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1686 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1687 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1688 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1689 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1690 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1691 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1692 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1693 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1694};
1695#endif /* MBEDTLS_CIPHER_MODE_OFB */
1696
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1697#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1698/*
1699 * AES-CTR test vectors from:
1700 *
1701 * http://www.faqs.org/rfcs/rfc3686.html
1702 */
1703
1704static const unsigned char aes_test_ctr_key[3][16] =
1705{
1706 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1707 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1708 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1709 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1710 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1711 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1712};
1713
1714static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1715{
1716 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1717 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1718 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1719 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1720 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1721 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1722};
1723
1724static const unsigned char aes_test_ctr_pt[3][48] =
1725{
1726 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1727 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1728
1729 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1730 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1731 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1732 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1733
1734 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1735 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1736 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1737 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1738 0x20, 0x21, 0x22, 0x23 }
1739};
1740
1741static const unsigned char aes_test_ctr_ct[3][48] =
1742{
1743 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1744 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1745 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1746 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1747 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1748 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1749 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1750 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1751 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1752 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1753 0x25, 0xB2, 0x07, 0x2F }
1754};
1755
1756static const int aes_test_ctr_len[3] =
1757 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1758#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1759
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1760#if defined(MBEDTLS_CIPHER_MODE_XTS)
1761/*
1762 * AES-XTS test vectors from:
1763 *
1764 * IEEE P1619/D16 Annex B
1765 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1766 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1767 */
1768static const unsigned char aes_test_xts_key[][32] =
1769{
1770 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1771 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1773 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1774 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1775 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1776 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1777 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1778 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1779 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1780 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1781 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1782};
1783
1784static const unsigned char aes_test_xts_pt32[][32] =
1785{
1786 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1787 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1788 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1789 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1790 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1791 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1792 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1793 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1794 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1795 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1796 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1797 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1798};
1799
1800static const unsigned char aes_test_xts_ct32[][32] =
1801{
1802 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1803 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1804 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1805 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1806 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1807 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1808 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1809 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1810 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1811 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1812 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1813 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1814};
1815
1816static const unsigned char aes_test_xts_data_unit[][16] =
1817{
1818 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1819 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1820 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1822 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1823 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1824};
1825
1826#endif /* MBEDTLS_CIPHER_MODE_XTS */
1827
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1828/*
1829 * Checkup routine
1830 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1833 int ret = 0, i, j, u, mode;
1834 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1835 unsigned char key[32];
1836 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1837 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1838#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1840#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1841#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1842 unsigned char prv[16];
1843#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1844#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1845 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1846 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1847#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1848#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1849 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1850#endif
1851#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1852 unsigned char nonce_counter[16];
1853 unsigned char stream_block[16];
1854#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1855 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1856
1857 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859
1860 /*
1861 * ECB mode
1862 */
1863 for( i = 0; i < 6; i++ )
1864 {
1865 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1866 keybits = 128 + u * 64;
1867 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868
1869 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1870 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1871 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1872
1873 memset( buf, 0, 16 );
1874
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1875 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1877 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1878 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1879 }
1880 else
1881 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1882 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1883 aes_tests = aes_test_ecb_enc[u];
1884 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1886 /*
1887 * AES-192 is an optional feature that may be unavailable when
1888 * there is an alternative underlying implementation i.e. when
1889 * MBEDTLS_AES_ALT is defined.
1890 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1891 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1892 {
1893 mbedtls_printf( "skipped\n" );
1894 continue;
1895 }
1896 else if( ret != 0 )
1897 {
1898 goto exit;
1899 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1901 for( j = 0; j < 10000; j++ )
1902 {
1903 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1904 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1905 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1906 }
1907
1908 if( memcmp( buf, aes_tests, 16 ) != 0 )
1909 {
1910 ret = 1;
1911 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912 }
1913
1914 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1915 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1916 }
1917
1918 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1919 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1920
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1921#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922 /*
1923 * CBC mode
1924 */
1925 for( i = 0; i < 6; i++ )
1926 {
1927 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1928 keybits = 128 + u * 64;
1929 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930
1931 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1932 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1933 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1934
1935 memset( iv , 0, 16 );
1936 memset( prv, 0, 16 );
1937 memset( buf, 0, 16 );
1938
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1939 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1940 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1941 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1942 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1943 }
1944 else
1945 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1946 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1947 aes_tests = aes_test_cbc_enc[u];
1948 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1949
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1950 /*
1951 * AES-192 is an optional feature that may be unavailable when
1952 * there is an alternative underlying implementation i.e. when
1953 * MBEDTLS_AES_ALT is defined.
1954 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1955 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1956 {
1957 mbedtls_printf( "skipped\n" );
1958 continue;
1959 }
1960 else if( ret != 0 )
1961 {
1962 goto exit;
1963 }
1964
1965 for( j = 0; j < 10000; j++ )
1966 {
1967 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1968 {
1969 unsigned char tmp[16];
1970
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971 memcpy( tmp, prv, 16 );
1972 memcpy( prv, buf, 16 );
1973 memcpy( buf, tmp, 16 );
1974 }
1975
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1976 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1977 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1978 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1979
1980 }
1981
1982 if( memcmp( buf, aes_tests, 16 ) != 0 )
1983 {
1984 ret = 1;
1985 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1986 }
1987
1988 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1989 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1990 }
1991
1992 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1993 mbedtls_printf( "\n" );
1994#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1995
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1996#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1997 /*
1998 * CFB128 mode
1999 */
2000 for( i = 0; i < 6; i++ )
2001 {
2002 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2003 keybits = 128 + u * 64;
2004 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2005
2006 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2007 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2008 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009
2010 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2011 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2012
2013 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2014 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2015 /*
2016 * AES-192 is an optional feature that may be unavailable when
2017 * there is an alternative underlying implementation i.e. when
2018 * MBEDTLS_AES_ALT is defined.
2019 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2020 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2021 {
2022 mbedtls_printf( "skipped\n" );
2023 continue;
2024 }
2025 else if( ret != 0 )
2026 {
2027 goto exit;
2028 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2030 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031 {
2032 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2033 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2034 }
2035 else
2036 {
2037 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2038 aes_tests = aes_test_cfb128_ct[u];
2039 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2040
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2041 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2042 if( ret != 0 )
2043 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2044
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2045 if( memcmp( buf, aes_tests, 64 ) != 0 )
2046 {
2047 ret = 1;
2048 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2049 }
2050
2051 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2052 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2053 }
2054
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2055 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2056 mbedtls_printf( "\n" );
2057#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2058
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2059#if defined(MBEDTLS_CIPHER_MODE_OFB)
2060 /*
2061 * OFB mode
2062 */
2063 for( i = 0; i < 6; i++ )
2064 {
2065 u = i >> 1;
2066 keybits = 128 + u * 64;
2067 mode = i & 1;
2068
2069 if( verbose != 0 )
2070 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2071 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2072
2073 memcpy( iv, aes_test_ofb_iv, 16 );
2074 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2075
2076 offset = 0;
2077 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2078 /*
2079 * AES-192 is an optional feature that may be unavailable when
2080 * there is an alternative underlying implementation i.e. when
2081 * MBEDTLS_AES_ALT is defined.
2082 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2083 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2084 {
2085 mbedtls_printf( "skipped\n" );
2086 continue;
2087 }
2088 else if( ret != 0 )
2089 {
2090 goto exit;
2091 }
2092
2093 if( mode == MBEDTLS_AES_DECRYPT )
2094 {
2095 memcpy( buf, aes_test_ofb_ct[u], 64 );
2096 aes_tests = aes_test_ofb_pt;
2097 }
2098 else
2099 {
2100 memcpy( buf, aes_test_ofb_pt, 64 );
2101 aes_tests = aes_test_ofb_ct[u];
2102 }
2103
2104 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2105 if( ret != 0 )
2106 goto exit;
2107
2108 if( memcmp( buf, aes_tests, 64 ) != 0 )
2109 {
2110 ret = 1;
2111 goto exit;
2112 }
2113
2114 if( verbose != 0 )
2115 mbedtls_printf( "passed\n" );
2116 }
2117
2118 if( verbose != 0 )
2119 mbedtls_printf( "\n" );
2120#endif /* MBEDTLS_CIPHER_MODE_OFB */
2121
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2122#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2123 /*
2124 * CTR mode
2125 */
2126 for( i = 0; i < 6; i++ )
2127 {
2128 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2129 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2130
2131 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2132 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2133 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2134
2135 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2136 memcpy( key, aes_test_ctr_key[u], 16 );
2137
2138 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2139 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2140 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2141
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2142 len = aes_test_ctr_len[u];
2143
2144 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2145 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2146 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2147 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2148 }
2149 else
2150 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2151 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2152 aes_tests = aes_test_ctr_ct[u];
2153 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2154
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2155 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2156 stream_block, buf, buf );
2157 if( ret != 0 )
2158 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2159
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2160 if( memcmp( buf, aes_tests, len ) != 0 )
2161 {
2162 ret = 1;
2163 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2164 }
2165
2166 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2167 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2168 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2169
2170 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2171 mbedtls_printf( "\n" );
2172#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2173
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2174#if defined(MBEDTLS_CIPHER_MODE_XTS)
2175 {
2176 static const int num_tests =
2177 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2178 mbedtls_aes_xts_context ctx_xts;
2179
2180 /*
2181 * XTS mode
2182 */
2183 mbedtls_aes_xts_init( &ctx_xts );
2184
2185 for( i = 0; i < num_tests << 1; i++ )
2186 {
2187 const unsigned char *data_unit;
2188 u = i >> 1;
2189 mode = i & 1;
2190
2191 if( verbose != 0 )
2192 mbedtls_printf( " AES-XTS-128 (%s): ",
2193 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2194
2195 memset( key, 0, sizeof( key ) );
2196 memcpy( key, aes_test_xts_key[u], 32 );
2197 data_unit = aes_test_xts_data_unit[u];
2198
2199 len = sizeof( *aes_test_xts_ct32 );
2200
2201 if( mode == MBEDTLS_AES_DECRYPT )
2202 {
2203 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2204 if( ret != 0)
2205 goto exit;
2206 memcpy( buf, aes_test_xts_ct32[u], len );
2207 aes_tests = aes_test_xts_pt32[u];
2208 }
2209 else
2210 {
2211 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2212 if( ret != 0)
2213 goto exit;
2214 memcpy( buf, aes_test_xts_pt32[u], len );
2215 aes_tests = aes_test_xts_ct32[u];
2216 }
2217
2218
2219 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2220 buf, buf );
2221 if( ret != 0 )
2222 goto exit;
2223
2224 if( memcmp( buf, aes_tests, len ) != 0 )
2225 {
2226 ret = 1;
2227 goto exit;
2228 }
2229
2230 if( verbose != 0 )
2231 mbedtls_printf( "passed\n" );
2232 }
2233
2234 if( verbose != 0 )
2235 mbedtls_printf( "\n" );
2236
2237 mbedtls_aes_xts_free( &ctx_xts );
2238 }
2239#endif /* MBEDTLS_CIPHER_MODE_XTS */
2240
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2241 ret = 0;
2242
2243exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2244 if( ret != 0 && verbose != 0 )
2245 mbedtls_printf( "failed\n" );
2246
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2247 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2248
2249 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2250}
2251
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2252#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2253
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2254#endif /* MBEDTLS_AES_C */