TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 9fd1b526c332d314b3cb235e28cd1fc12a1ace19 / . / library / aes.c
blob: 4972fba1a845180b379dde105e2f6e7d0639bbe8 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
Tom Cosgrovece37c5e2023-08-04 13:53:36 +0100[diff] [blame]22 * https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Jerry Yu02b15192023-04-23 14:43:19 +0800[diff] [blame]36
Dave Rodgman782df0352023-09-29 12:57:52 +0100[diff] [blame]37#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
Dave Rodgman9fd1b522023-10-10 15:23:44 +0100[diff] [blame^]38#if !((defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_AESCE_C)) || \
39 (defined(MBEDTLS_ARCH_IS_X64) && defined(MBEDTLS_AESNI_C)) || \
40 (defined(MBEDTLS_ARCH_IS_X86) && defined(MBEDTLS_AESNI_C)))
Jerry Yu69436812023-04-25 11:08:30 +0800[diff] [blame]41#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
Jerry Yu02b15192023-04-23 14:43:19 +0800[diff] [blame]42#endif
43#endif
44
Jerry Yud6e312d2023-08-18 17:19:51 +0800[diff] [blame]45#if defined(MBEDTLS_ARCH_IS_X86)
Jerry Yu61fc5ed2023-08-18 17:28:48 +0800[diff] [blame]46#if defined(MBEDTLS_PADLOCK_C)
47#if !defined(MBEDTLS_HAVE_ASM)
Jerry Yu13696bb2023-08-10 13:36:32 +0800[diff] [blame]48#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
49#endif
Jerry Yu61fc5ed2023-08-18 17:28:48 +0800[diff] [blame]50#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
51#error "MBEDTLS_AES_USE_HARDWARE_ONLY cannot be defined when " \
52 "MBEDTLS_PADLOCK_C is set"
53#endif
54#endif
Jerry Yu02b15192023-04-23 14:43:19 +0800[diff] [blame]55#endif
56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if defined(MBEDTLS_PADLOCK_C)
Chris Jones16dbaeb2021-03-09 17:47:55 +0000[diff] [blame]58#include "padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]59#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]60#if defined(MBEDTLS_AESNI_C)
Chris Jones187782f2021-03-09 17:28:35 +0000[diff] [blame]61#include "aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]62#endif
Jerry Yu3f2fb712023-01-10 17:05:42 +0800[diff] [blame]63#if defined(MBEDTLS_AESCE_C)
64#include "aesce.h"
65#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]67#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]68
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]69#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]70
Jerry Yu9e628622023-08-17 11:20:09 +0800[diff] [blame]71#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]72static int aes_padlock_ace = -1;
73#endif
74
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]75#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]76/*
77 * Forward S-box
78 */
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]79MBEDTLS_MAYBE_UNUSED static const unsigned char FSb[256] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80{
81 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
82 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
83 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
84 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
85 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
86 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
87 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
88 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
89 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
90 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
91 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
92 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
93 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
94 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
95 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
96 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
97 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
98 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
99 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
100 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
101 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
102 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
103 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
104 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
105 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
106 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
107 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
108 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
109 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
110 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
111 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
112 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
113};
114
115/*
116 * Forward tables
117 */
118#define FT \
119\
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]120 V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \
121 V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \
122 V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
123 V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \
124 V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
125 V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
126 V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \
127 V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \
128 V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
129 V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
130 V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \
131 V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
132 V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \
133 V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \
134 V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
135 V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \
136 V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \
137 V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
138 V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \
139 V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
140 V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
141 V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \
142 V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \
143 V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
144 V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
145 V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \
146 V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
147 V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \
148 V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \
149 V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
150 V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
151 V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \
152 V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
153 V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \
154 V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
155 V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
156 V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \
157 V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \
158 V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
159 V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
160 V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \
161 V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
162 V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \
163 V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \
164 V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
165 V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \
166 V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \
167 V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
168 V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \
169 V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
170 V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
171 V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \
172 V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \
173 V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
174 V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
175 V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
176 V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
177 V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \
178 V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \
179 V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
180 V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \
181 V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \
182 V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
183 V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]184
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]185#define V(a, b, c, d) 0x##a##b##c##d
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]186MBEDTLS_MAYBE_UNUSED static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]187#undef V
188
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]189#define V(a, b, c, d) 0x##b##c##d##a
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]190MBEDTLS_MAYBE_UNUSED static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]191#undef V
192
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]193#define V(a, b, c, d) 0x##c##d##a##b
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]194MBEDTLS_MAYBE_UNUSED static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]195#undef V
196
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]197#define V(a, b, c, d) 0x##d##a##b##c
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]198MBEDTLS_MAYBE_UNUSED static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]199#undef V
200
201#undef FT
202
203/*
204 * Reverse S-box
205 */
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]206MBEDTLS_MAYBE_UNUSED static const unsigned char RSb[256] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]207{
208 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
209 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
210 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
211 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
212 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
213 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
214 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
215 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
216 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
217 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
218 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
219 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
220 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
221 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
222 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
223 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
224 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
225 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
226 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
227 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
228 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
229 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
230 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
231 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
232 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
233 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
234 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
235 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
236 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
237 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
238 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
239 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
240};
241
242/*
243 * Reverse tables
244 */
245#define RT \
246\
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]247 V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \
248 V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \
249 V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
250 V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \
251 V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
252 V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
253 V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \
254 V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \
255 V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
256 V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
257 V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \
258 V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
259 V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \
260 V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \
261 V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
262 V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
263 V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \
264 V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
265 V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \
266 V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
267 V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
268 V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \
269 V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \
270 V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
271 V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
272 V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \
273 V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
274 V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \
275 V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \
276 V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
277 V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \
278 V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \
279 V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
280 V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \
281 V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
282 V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
283 V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \
284 V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
285 V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
286 V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
287 V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
288 V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
289 V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \
290 V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \
291 V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
292 V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \
293 V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \
294 V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
295 V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \
296 V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
297 V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
298 V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \
299 V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \
300 V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
301 V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
302 V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \
303 V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
304 V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \
305 V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \
306 V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
307 V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \
308 V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
309 V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
310 V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]311
Dave Rodgmanad4e76b2023-06-27 19:20:27 +0100[diff] [blame]312
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]313#define V(a, b, c, d) 0x##a##b##c##d
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]314MBEDTLS_MAYBE_UNUSED static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315#undef V
316
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]317#define V(a, b, c, d) 0x##b##c##d##a
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]318MBEDTLS_MAYBE_UNUSED static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319#undef V
320
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]321#define V(a, b, c, d) 0x##c##d##a##b
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]322MBEDTLS_MAYBE_UNUSED static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]323#undef V
324
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]325#define V(a, b, c, d) 0x##d##a##b##c
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]326MBEDTLS_MAYBE_UNUSED static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]327#undef V
328
329#undef RT
330
331/*
332 * Round constants
333 */
Dave Rodgman4b779be2023-10-12 16:17:10 +0100[diff] [blame]334MBEDTLS_MAYBE_UNUSED static const uint32_t round_constants[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335{
336 0x00000001, 0x00000002, 0x00000004, 0x00000008,
337 0x00000010, 0x00000020, 0x00000040, 0x00000080,
338 0x0000001B, 0x00000036
339};
340
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]341#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342
343/*
344 * Forward S-box & tables
345 */
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]346MBEDTLS_MAYBE_UNUSED static unsigned char FSb[256];
347MBEDTLS_MAYBE_UNUSED static uint32_t FT0[256];
348MBEDTLS_MAYBE_UNUSED static uint32_t FT1[256];
349MBEDTLS_MAYBE_UNUSED static uint32_t FT2[256];
350MBEDTLS_MAYBE_UNUSED static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]351
352/*
353 * Reverse S-box & tables
354 */
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]355MBEDTLS_MAYBE_UNUSED static unsigned char RSb[256];
Dave Rodgmanad4e76b2023-06-27 19:20:27 +0100[diff] [blame]356
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]357MBEDTLS_MAYBE_UNUSED static uint32_t RT0[256];
358MBEDTLS_MAYBE_UNUSED static uint32_t RT1[256];
359MBEDTLS_MAYBE_UNUSED static uint32_t RT2[256];
360MBEDTLS_MAYBE_UNUSED static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361
362/*
363 * Round constants
364 */
Dave Rodgman4b779be2023-10-12 16:17:10 +0100[diff] [blame]365MBEDTLS_MAYBE_UNUSED static uint32_t round_constants[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366
367/*
368 * Tables generation code
369 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]370#define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
371#define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
372#define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]374MBEDTLS_MAYBE_UNUSED static int aes_init_done = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]376MBEDTLS_MAYBE_UNUSED static void aes_gen_tables(void)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]377{
Yanray Wangfe944ce2023-06-26 18:16:01 +0800[diff] [blame]378 int i;
379 uint8_t x, y, z;
Yanray Wang5c86b172023-06-26 16:54:52 +0800[diff] [blame]380 uint8_t pow[256];
381 uint8_t log[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383 /*
384 * compute pow and log tables over GF(2^8)
385 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]386 for (i = 0, x = 1; i < 256; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387 pow[i] = x;
Yanray Wang5c86b172023-06-26 16:54:52 +0800[diff] [blame]388 log[x] = (uint8_t) i;
Yanray Wangfe944ce2023-06-26 18:16:01 +0800[diff] [blame]389 x ^= XTIME(x);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390 }
391
392 /*
393 * calculate the round constants
394 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]395 for (i = 0, x = 1; i < 10; i++) {
Jerzy Kasenbergee62fce2023-10-11 16:36:24 +0200[diff] [blame]396 round_constants[i] = x;
Yanray Wangfe944ce2023-06-26 18:16:01 +0800[diff] [blame]397 x = XTIME(x);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]398 }
399
400 /*
401 * generate the forward and reverse S-boxes
402 */
403 FSb[0x00] = 0x63;
404 RSb[0x63] = 0x00;
405
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]406 for (i = 1; i < 256; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]407 x = pow[255 - log[i]];
408
Yanray Wangfe944ce2023-06-26 18:16:01 +0800[diff] [blame]409 y = x; y = (y << 1) | (y >> 7);
410 x ^= y; y = (y << 1) | (y >> 7);
411 x ^= y; y = (y << 1) | (y >> 7);
412 x ^= y; y = (y << 1) | (y >> 7);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]413 x ^= y ^ 0x63;
414
Yanray Wangfe944ce2023-06-26 18:16:01 +0800[diff] [blame]415 FSb[i] = x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]416 RSb[x] = (unsigned char) i;
417 }
418
419 /*
420 * generate the forward and reverse tables
421 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]422 for (i = 0; i < 256; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423 x = FSb[i];
Yanray Wangfe944ce2023-06-26 18:16:01 +0800[diff] [blame]424 y = XTIME(x);
425 z = y ^ x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]427 FT0[i] = ((uint32_t) y) ^
428 ((uint32_t) x << 8) ^
429 ((uint32_t) x << 16) ^
430 ((uint32_t) z << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]432#if !defined(MBEDTLS_AES_FEWER_TABLES)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]433 FT1[i] = ROTL8(FT0[i]);
434 FT2[i] = ROTL8(FT1[i]);
435 FT3[i] = ROTL8(FT2[i]);
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]436#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]437
438 x = RSb[i];
439
Dave Rodgman450c1ff2023-09-29 15:52:33 +0100[diff] [blame]440#if !defined(MBEDTLS_AES_DECRYPT_ALT) || \
441 (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY))
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]442 RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
443 ((uint32_t) MUL(0x09, x) << 8) ^
444 ((uint32_t) MUL(0x0D, x) << 16) ^
445 ((uint32_t) MUL(0x0B, x) << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]446
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]447#if !defined(MBEDTLS_AES_FEWER_TABLES)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]448 RT1[i] = ROTL8(RT0[i]);
449 RT2[i] = ROTL8(RT1[i]);
450 RT3[i] = ROTL8(RT2[i]);
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]451#endif /* !MBEDTLS_AES_FEWER_TABLES */
Dave Rodgman450c1ff2023-09-29 15:52:33 +0100[diff] [blame]452#endif \
453 /* !defined(MBEDTLS_AES_DECRYPT_ALT) || (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)) */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]454 }
455}
456
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]457#undef ROTL8
458
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]459#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]461#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]462
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]463#define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24))
464#define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
465#define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8))
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]466
467#define AES_RT0(idx) RT0[idx]
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]468#define AES_RT1(idx) ROTL8(RT0[idx])
469#define AES_RT2(idx) ROTL16(RT0[idx])
470#define AES_RT3(idx) ROTL24(RT0[idx])
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]471
472#define AES_FT0(idx) FT0[idx]
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]473#define AES_FT1(idx) ROTL8(FT0[idx])
474#define AES_FT2(idx) ROTL16(FT0[idx])
475#define AES_FT3(idx) ROTL24(FT0[idx])
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]476
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]477#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]478
479#define AES_RT0(idx) RT0[idx]
480#define AES_RT1(idx) RT1[idx]
481#define AES_RT2(idx) RT2[idx]
482#define AES_RT3(idx) RT3[idx]
483
484#define AES_FT0(idx) FT0[idx]
485#define AES_FT1(idx) FT1[idx]
486#define AES_FT2(idx) FT2[idx]
487#define AES_FT3(idx) FT3[idx]
488
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]489#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]490
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]491void mbedtls_aes_init(mbedtls_aes_context *ctx)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]492{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]493 memset(ctx, 0, sizeof(mbedtls_aes_context));
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]494}
495
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]496void mbedtls_aes_free(mbedtls_aes_context *ctx)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]497{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]498 if (ctx == NULL) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]499 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]500 }
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]501
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]502 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]503}
504
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]505#if defined(MBEDTLS_CIPHER_MODE_XTS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]506void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]507{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]508 mbedtls_aes_init(&ctx->crypt);
509 mbedtls_aes_init(&ctx->tweak);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]510}
511
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]512void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]513{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]514 if (ctx == NULL) {
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]515 return;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]516 }
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]517
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]518 mbedtls_aes_free(&ctx->crypt);
519 mbedtls_aes_free(&ctx->tweak);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]520}
521#endif /* MBEDTLS_CIPHER_MODE_XTS */
522
Gilles Peskine0de8f852023-03-16 17:14:59 +0100[diff] [blame]523/* Some implementations need the round keys to be aligned.
524 * Return an offset to be added to buf, such that (buf + offset) is
525 * correctly aligned.
526 * Note that the offset is in units of elements of buf, i.e. 32-bit words,
527 * i.e. an offset of 1 means 4 bytes and so on.
528 */
Jerry Yu96084472023-08-17 18:10:45 +0800[diff] [blame]529#if (defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)) || \
Gilles Peskine9c682e72023-03-16 17:21:33 +0100[diff] [blame]530 (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
Gilles Peskine0de8f852023-03-16 17:14:59 +0100[diff] [blame]531#define MAY_NEED_TO_ALIGN
532#endif
Dave Rodgman28a539a2023-06-27 18:22:34 +0100[diff] [blame]533
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]534MBEDTLS_MAYBE_UNUSED static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
Gilles Peskine0de8f852023-03-16 17:14:59 +0100[diff] [blame]535{
536#if defined(MAY_NEED_TO_ALIGN)
537 int align_16_bytes = 0;
538
Jerry Yu9e628622023-08-17 11:20:09 +0800[diff] [blame]539#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
Gilles Peskine0de8f852023-03-16 17:14:59 +0100[diff] [blame]540 if (aes_padlock_ace == -1) {
541 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
542 }
543 if (aes_padlock_ace) {
544 align_16_bytes = 1;
545 }
546#endif
547
Gilles Peskine9c682e72023-03-16 17:21:33 +0100[diff] [blame]548#if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
Gilles Peskine0de8f852023-03-16 17:14:59 +0100[diff] [blame]549 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
550 align_16_bytes = 1;
551 }
552#endif
553
554 if (align_16_bytes) {
555 /* These implementations needs 16-byte alignment
556 * for the round key array. */
557 unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4;
558 if (delta == 0) {
559 return 0;
560 } else {
561 return 4 - delta; // 16 bytes = 4 uint32_t
562 }
563 }
564#else /* MAY_NEED_TO_ALIGN */
565 (void) buf;
566#endif /* MAY_NEED_TO_ALIGN */
567
568 return 0;
569}
570
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571/*
572 * AES key schedule (encryption)
573 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]574#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]575int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
576 unsigned int keybits)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577{
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]578 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]579
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]580 switch (keybits) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581 case 128: ctx->nr = 10; break;
Arto Kinnunen732ca322023-04-14 14:26:10 +0800[diff] [blame]582#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583 case 192: ctx->nr = 12; break;
584 case 256: ctx->nr = 14; break;
Arto Kinnunen732ca322023-04-14 14:26:10 +0800[diff] [blame]585#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]586 default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587 }
588
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]589#if !defined(MBEDTLS_AES_ROM_TABLES)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]590 if (aes_init_done == 0) {
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]591 aes_gen_tables();
592 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]593 }
594#endif
595
Gilles Peskine0de8f852023-03-16 17:14:59 +0100[diff] [blame]596 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]597 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598
Gilles Peskine9af58cd2023-03-10 22:29:32 +0100[diff] [blame]599#if defined(MBEDTLS_AESNI_HAVE_CODE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]600 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
601 return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits);
602 }
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]603#endif
604
Jerry Yu72fd0bd2023-08-18 16:31:01 +0800[diff] [blame]605#if defined(MBEDTLS_AESCE_HAVE_CODE)
Dave Rodgmanf2249ec2023-08-04 14:27:58 +0100[diff] [blame]606 if (MBEDTLS_AESCE_HAS_SUPPORT()) {
Jerry Yu3f2fb712023-01-10 17:05:42 +0800[diff] [blame]607 return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits);
608 }
609#endif
610
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]611#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
Jerry Yu3a0f0442023-08-17 17:06:21 +0800[diff] [blame]612 for (unsigned int i = 0; i < (keybits >> 5); i++) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]613 RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614 }
615
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]616 switch (ctx->nr) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]617 case 10:
618
Jerry Yu3a0f0442023-08-17 17:06:21 +0800[diff] [blame]619 for (unsigned int i = 0; i < 10; i++, RK += 4) {
Jerzy Kasenbergee62fce2023-10-11 16:36:24 +0200[diff] [blame]620 RK[4] = RK[0] ^ round_constants[i] ^
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]621 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
622 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^
623 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^
624 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]625
626 RK[5] = RK[1] ^ RK[4];
627 RK[6] = RK[2] ^ RK[5];
628 RK[7] = RK[3] ^ RK[6];
629 }
630 break;
631
Arto Kinnunen732ca322023-04-14 14:26:10 +0800[diff] [blame]632#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633 case 12:
634
Jerry Yu3a0f0442023-08-17 17:06:21 +0800[diff] [blame]635 for (unsigned int i = 0; i < 8; i++, RK += 6) {
Jerzy Kasenbergee62fce2023-10-11 16:36:24 +0200[diff] [blame]636 RK[6] = RK[0] ^ round_constants[i] ^
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]637 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
638 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^
639 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^
640 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641
642 RK[7] = RK[1] ^ RK[6];
643 RK[8] = RK[2] ^ RK[7];
644 RK[9] = RK[3] ^ RK[8];
645 RK[10] = RK[4] ^ RK[9];
646 RK[11] = RK[5] ^ RK[10];
647 }
648 break;
649
650 case 14:
651
Jerry Yu3a0f0442023-08-17 17:06:21 +0800[diff] [blame]652 for (unsigned int i = 0; i < 7; i++, RK += 8) {
Jerzy Kasenbergee62fce2023-10-11 16:36:24 +0200[diff] [blame]653 RK[8] = RK[0] ^ round_constants[i] ^
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]654 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
655 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^
656 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^
657 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658
659 RK[9] = RK[1] ^ RK[8];
660 RK[10] = RK[2] ^ RK[9];
661 RK[11] = RK[3] ^ RK[10];
662
663 RK[12] = RK[4] ^
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]664 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^
665 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^
666 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^
667 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668
669 RK[13] = RK[5] ^ RK[12];
670 RK[14] = RK[6] ^ RK[13];
671 RK[15] = RK[7] ^ RK[14];
672 }
673 break;
Arto Kinnunen732ca322023-04-14 14:26:10 +0800[diff] [blame]674#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]676
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]677 return 0;
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]678#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]679}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]680#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
682/*
683 * AES key schedule (decryption)
684 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]685#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]686int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
687 unsigned int keybits)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]688{
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]689#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]690 uint32_t *SK;
691#endif
692 int ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]693 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]694 uint32_t *RK;
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]695
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]696
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]697 mbedtls_aes_init(&cty);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]698
Gilles Peskine0de8f852023-03-16 17:14:59 +0100[diff] [blame]699 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]700 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]702 /* Also checks keybits */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]703 if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]704 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]705 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]706
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]707 ctx->nr = cty.nr;
708
Gilles Peskine9af58cd2023-03-10 22:29:32 +0100[diff] [blame]709#if defined(MBEDTLS_AESNI_HAVE_CODE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]710 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
711 mbedtls_aesni_inverse_key((unsigned char *) RK,
712 (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]713 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]714 }
715#endif
716
Jerry Yu72fd0bd2023-08-18 16:31:01 +0800[diff] [blame]717#if defined(MBEDTLS_AESCE_HAVE_CODE)
Dave Rodgmanf2249ec2023-08-04 14:27:58 +0100[diff] [blame]718 if (MBEDTLS_AESCE_HAS_SUPPORT()) {
Jerry Yue096da12023-01-10 17:07:01 +0800[diff] [blame]719 mbedtls_aesce_inverse_key(
720 (unsigned char *) RK,
721 (const unsigned char *) (cty.buf + cty.rk_offset),
722 ctx->nr);
723 goto exit;
724 }
725#endif
726
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]727#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]728 SK = cty.buf + cty.rk_offset + cty.nr * 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]729
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732 *RK++ = *SK++;
733 *RK++ = *SK++;
Jerry Yu3a0f0442023-08-17 17:06:21 +0800[diff] [blame]734 SK -= 8;
735 for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) {
736 for (int j = 0; j < 4; j++, SK++) {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]737 *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
738 AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
739 AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
740 AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]741 }
742 }
743
744 *RK++ = *SK++;
745 *RK++ = *SK++;
746 *RK++ = *SK++;
747 *RK++ = *SK++;
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]748#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]749exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]750 mbedtls_aes_free(&cty);
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]751
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]752 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]753}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]754#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]755
756#if defined(MBEDTLS_CIPHER_MODE_XTS)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]757static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
758 unsigned int keybits,
759 const unsigned char **key1,
760 unsigned int *key1bits,
761 const unsigned char **key2,
762 unsigned int *key2bits)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]763{
764 const unsigned int half_keybits = keybits / 2;
765 const unsigned int half_keybytes = half_keybits / 8;
766
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]767 switch (keybits) {
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]768 case 256: break;
769 case 512: break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]770 default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]771 }
772
773 *key1bits = half_keybits;
774 *key2bits = half_keybits;
775 *key1 = &key[0];
776 *key2 = &key[half_keybytes];
777
778 return 0;
779}
780
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]781int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
782 const unsigned char *key,
783 unsigned int keybits)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]784{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]785 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]786 const unsigned char *key1, *key2;
787 unsigned int key1bits, key2bits;
788
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]789 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
790 &key2, &key2bits);
791 if (ret != 0) {
792 return ret;
793 }
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]794
795 /* Set the tweak key. Always set tweak key for the encryption mode. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]796 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
797 if (ret != 0) {
798 return ret;
799 }
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]800
801 /* Set crypt key for encryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]802 return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]803}
804
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]805int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
806 const unsigned char *key,
807 unsigned int keybits)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]808{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]809 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]810 const unsigned char *key1, *key2;
811 unsigned int key1bits, key2bits;
812
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]813 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
814 &key2, &key2bits);
815 if (ret != 0) {
816 return ret;
817 }
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]818
819 /* Set the tweak key. Always set tweak key for encryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]820 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
821 if (ret != 0) {
822 return ret;
823 }
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]824
825 /* Set crypt key for decryption. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]826 return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]827}
828#endif /* MBEDTLS_CIPHER_MODE_XTS */
829
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]830#define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]831 do \
832 { \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]833 (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \
834 AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \
835 AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \
836 AES_FT3(MBEDTLS_BYTE_3(Y3)); \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]837 \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]838 (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \
839 AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \
840 AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \
841 AES_FT3(MBEDTLS_BYTE_3(Y0)); \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]842 \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]843 (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \
844 AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \
845 AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \
846 AES_FT3(MBEDTLS_BYTE_3(Y1)); \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]847 \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]848 (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \
849 AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \
850 AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \
851 AES_FT3(MBEDTLS_BYTE_3(Y2)); \
852 } while (0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]853
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]854#define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]855 do \
856 { \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]857 (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \
858 AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \
859 AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \
860 AES_RT3(MBEDTLS_BYTE_3(Y1)); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]861 \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]862 (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \
863 AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \
864 AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \
865 AES_RT3(MBEDTLS_BYTE_3(Y2)); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]866 \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]867 (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \
868 AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \
869 AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \
870 AES_RT3(MBEDTLS_BYTE_3(Y3)); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]871 \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]872 (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \
873 AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \
874 AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \
875 AES_RT3(MBEDTLS_BYTE_3(Y0)); \
876 } while (0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]877
878/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]879 * AES-ECB block encryption
880 */
881#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]882int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
883 const unsigned char input[16],
884 unsigned char output[16])
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]885{
886 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]887 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]888 struct {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]889 uint32_t X[4];
890 uint32_t Y[4];
891 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]892
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]893 t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
894 t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
895 t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
896 t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]897
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]898 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
899 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
900 AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]901 }
902
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]903 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]904
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]905 t.X[0] = *RK++ ^ \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]906 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
907 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
908 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
909 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]910
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]911 t.X[1] = *RK++ ^ \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]912 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
913 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
914 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
915 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]916
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]917 t.X[2] = *RK++ ^ \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]918 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
919 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
920 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
921 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]922
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]923 t.X[3] = *RK++ ^ \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]924 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
925 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
926 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
927 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]928
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]929 MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
930 MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
931 MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
932 MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]933
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]934 mbedtls_platform_zeroize(&t, sizeof(t));
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]935
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]936 return 0;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]937}
938#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
939
940/*
941 * AES-ECB block decryption
942 */
943#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]944int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
945 const unsigned char input[16],
946 unsigned char output[16])
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]947{
948 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]949 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]950 struct {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]951 uint32_t X[4];
952 uint32_t Y[4];
953 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]954
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]955 t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
956 t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
957 t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
958 t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]959
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]960 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
961 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
962 AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]963 }
964
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]965 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]966
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]967 t.X[0] = *RK++ ^ \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]968 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
969 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
970 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
971 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]972
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]973 t.X[1] = *RK++ ^ \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]974 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
975 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
976 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
977 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]978
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]979 t.X[2] = *RK++ ^ \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]980 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
981 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
982 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
983 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]984
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]985 t.X[3] = *RK++ ^ \
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]986 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
987 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
988 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
989 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]990
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]991 MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
992 MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
993 MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
994 MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]995
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]996 mbedtls_platform_zeroize(&t, sizeof(t));
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]997
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]998 return 0;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]999}
1000#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1001
Gilles Peskine148cad12023-03-16 13:08:42 +0100[diff] [blame]1002/* VIA Padlock and our intrinsics-based implementation of AESNI require
1003 * the round keys to be aligned on a 16-byte boundary. We take care of this
1004 * before creating them, but the AES context may have moved (this can happen
1005 * if the library is called from a language with managed memory), and in later
1006 * calls it might have a different alignment with respect to 16-byte memory.
1007 * So we may need to realign.
1008 */
Dave Rodgman18ddf612023-10-04 14:03:12 +0100[diff] [blame]1009MBEDTLS_MAYBE_UNUSED static void aes_maybe_realign(mbedtls_aes_context *ctx)
Gilles Peskine148cad12023-03-16 13:08:42 +0100[diff] [blame]1010{
Gilles Peskine0de8f852023-03-16 17:14:59 +0100[diff] [blame]1011 unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf);
1012 if (new_offset != ctx->rk_offset) {
Gilles Peskine148cad12023-03-16 13:08:42 +0100[diff] [blame]1013 memmove(ctx->buf + new_offset, // new address
1014 ctx->buf + ctx->rk_offset, // current address
1015 (ctx->nr + 1) * 16); // number of round keys * bytes per rk
1016 ctx->rk_offset = new_offset;
1017 }
1018}
Gilles Peskine148cad12023-03-16 13:08:42 +0100[diff] [blame]1019
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1020/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1021 * AES-ECB block encryption/decryption
1022 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1023int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
1024 int mode,
1025 const unsigned char input[16],
1026 unsigned char output[16])
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1027{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1028 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1029 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1030 }
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1031
Gilles Peskine0de8f852023-03-16 17:14:59 +0100[diff] [blame]1032#if defined(MAY_NEED_TO_ALIGN)
1033 aes_maybe_realign(ctx);
1034#endif
1035
Gilles Peskine9af58cd2023-03-10 22:29:32 +0100[diff] [blame]1036#if defined(MBEDTLS_AESNI_HAVE_CODE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1037 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
1038 return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
1039 }
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1040#endif
1041
Jerry Yu72fd0bd2023-08-18 16:31:01 +0800[diff] [blame]1042#if defined(MBEDTLS_AESCE_HAVE_CODE)
Dave Rodgmanf2249ec2023-08-04 14:27:58 +0100[diff] [blame]1043 if (MBEDTLS_AESCE_HAS_SUPPORT()) {
Jerry Yu2bb3d812023-01-10 17:38:26 +0800[diff] [blame]1044 return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
1045 }
1046#endif
1047
Jerry Yu9e628622023-08-17 11:20:09 +0800[diff] [blame]1048#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1049 if (aes_padlock_ace > 0) {
Gilles Peskine148cad12023-03-16 13:08:42 +0100[diff] [blame]1050 return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1051 }
1052#endif
1053
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]1054#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1055 if (mode == MBEDTLS_AES_ENCRYPT) {
1056 return mbedtls_internal_aes_encrypt(ctx, input, output);
1057 } else {
1058 return mbedtls_internal_aes_decrypt(ctx, input, output);
1059 }
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]1060#endif
1061
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1062}
1063
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1064#if defined(MBEDTLS_CIPHER_MODE_CBC)
Dave Rodgmand05e7f12023-06-14 18:58:48 +0100[diff] [blame]1065
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066/*
1067 * AES-CBC buffer encryption/decryption
1068 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1069int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
1070 int mode,
1071 size_t length,
1072 unsigned char iv[16],
1073 const unsigned char *input,
1074 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075{
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1076 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1077 unsigned char temp[16];
1078
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1079 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1080 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1081 }
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1082
Paul Elliott2ad93672023-08-11 11:07:06 +0100[diff] [blame]1083 /* Nothing to do if length is zero. */
1084 if (length == 0) {
1085 return 0;
1086 }
1087
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1088 if (length % 16) {
1089 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1090 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1091
Jerry Yu9e628622023-08-17 11:20:09 +0800[diff] [blame]1092#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1093 if (aes_padlock_ace > 0) {
1094 if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
1095 return 0;
1096 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1097
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1098 // If padlock data misaligned, we just fall back to
1099 // unaccelerated mode
1100 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 }
1102#endif
1103
Dave Rodgman906c63c2023-06-14 17:53:51 +0100[diff] [blame]1104 const unsigned char *ivp = iv;
1105
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1106 if (mode == MBEDTLS_AES_DECRYPT) {
1107 while (length > 0) {
1108 memcpy(temp, input, 16);
1109 ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output);
1110 if (ret != 0) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1111 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1112 }
Dave Rodgmana0b166e2023-06-15 18:44:16 +0100[diff] [blame]1113 /* Avoid using the NEON implementation of mbedtls_xor. Because of the dependency on
Dave Rodgman2dd15b32023-06-15 20:27:53 +0100[diff] [blame]1114 * the result for the next block in CBC, and the cost of transferring that data from
1115 * NEON registers, NEON is slower on aarch64. */
Dave Rodgmana0b166e2023-06-15 18:44:16 +0100[diff] [blame]1116 mbedtls_xor_no_simd(output, output, iv, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1117
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1118 memcpy(iv, temp, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119
1120 input += 16;
1121 output += 16;
1122 length -= 16;
1123 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1124 } else {
1125 while (length > 0) {
Dave Rodgmana0b166e2023-06-15 18:44:16 +0100[diff] [blame]1126 mbedtls_xor_no_simd(output, input, ivp, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1127
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1128 ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
1129 if (ret != 0) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1130 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1131 }
Dave Rodgman906c63c2023-06-14 17:53:51 +0100[diff] [blame]1132 ivp = output;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1133
1134 input += 16;
1135 output += 16;
1136 length -= 16;
1137 }
Dave Rodgman906c63c2023-06-14 17:53:51 +0100[diff] [blame]1138 memcpy(iv, ivp, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1139 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1140 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1141
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1142exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1143 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1144}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1145#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1146
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1147#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1148
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1149typedef unsigned char mbedtls_be128[16];
1150
1151/*
1152 * GF(2^128) multiplication function
1153 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1154 * This function multiplies a field element by x in the polynomial field
1155 * representation. It uses 64-bit word operations to gain speed but compensates
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1156 * for machine endianness and hence works correctly on both big and little
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1157 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1158 */
Dave Rodgman4ad81cc2023-06-16 15:04:04 +0100[diff] [blame]1159#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
Dave Rodgman9bb7e6f2023-06-16 09:41:21 +0100[diff] [blame]1160MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
Dave Rodgman4ad81cc2023-06-16 15:04:04 +0100[diff] [blame]1161#endif
Dave Rodgman6cfd9b52023-06-15 18:46:23 +0100[diff] [blame]1162static inline void mbedtls_gf128mul_x_ble(unsigned char r[16],
Dave Rodgman2dd15b32023-06-15 20:27:53 +0100[diff] [blame]1163 const unsigned char x[16])
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1164{
1165 uint64_t a, b, ra, rb;
1166
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1167 a = MBEDTLS_GET_UINT64_LE(x, 0);
1168 b = MBEDTLS_GET_UINT64_LE(x, 8);
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1169
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1170 ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
1171 rb = (a >> 63) | (b << 1);
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1172
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1173 MBEDTLS_PUT_UINT64_LE(ra, r, 0);
1174 MBEDTLS_PUT_UINT64_LE(rb, r, 8);
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1175}
1176
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1177/*
1178 * AES-XTS buffer encryption/decryption
Dave Rodgman6cfd9b52023-06-15 18:46:23 +0100[diff] [blame]1179 *
Dave Rodgman9bb7e6f2023-06-16 09:41:21 +0100[diff] [blame]1180 * Use of MBEDTLS_OPTIMIZE_FOR_PERFORMANCE here and for mbedtls_gf128mul_x_ble()
Dave Rodgmanb2814bd2023-06-16 14:50:33 +0100[diff] [blame]1181 * is a 3x performance improvement for gcc -Os, if we have hardware AES support.
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1182 */
Dave Rodgmanb2814bd2023-06-16 14:50:33 +0100[diff] [blame]1183#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
Dave Rodgman9bb7e6f2023-06-16 09:41:21 +0100[diff] [blame]1184MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
Dave Rodgmanb2814bd2023-06-16 14:50:33 +0100[diff] [blame]1185#endif
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1186int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
1187 int mode,
1188 size_t length,
1189 const unsigned char data_unit[16],
1190 const unsigned char *input,
1191 unsigned char *output)
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1192{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1193 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1194 size_t blocks = length / 16;
1195 size_t leftover = length % 16;
1196 unsigned char tweak[16];
1197 unsigned char prev_tweak[16];
1198 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1199
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1200 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1201 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1202 }
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1203
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1204 /* Data units must be at least 16 bytes long. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1205 if (length < 16) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1206 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1207 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1208
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1209 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1210 if (length > (1 << 20) * 16) {
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1211 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1212 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1213
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1214 /* Compute the tweak. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1215 ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
1216 data_unit, tweak);
1217 if (ret != 0) {
1218 return ret;
1219 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1220
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1221 while (blocks--) {
Dave Rodgman360e04f2023-06-09 17:18:32 +0100[diff] [blame]1222 if (MBEDTLS_UNLIKELY(leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0)) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1223 /* We are on the last block in a decrypt operation that has
1224 * leftover bytes, so we need to use the next tweak for this block,
Tom Cosgrove1797b052022-12-04 17:19:59 +0000[diff] [blame]1225 * and this tweak for the leftover bytes. Save the current tweak for
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1226 * the leftovers and then update the current tweak for use on this,
1227 * the last full block. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1228 memcpy(prev_tweak, tweak, sizeof(tweak));
1229 mbedtls_gf128mul_x_ble(tweak, tweak);
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1230 }
1231
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1232 mbedtls_xor(tmp, input, tweak, 16);
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1233
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1234 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1235 if (ret != 0) {
1236 return ret;
1237 }
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1238
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1239 mbedtls_xor(output, tmp, tweak, 16);
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1240
1241 /* Update the tweak for the next block. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1242 mbedtls_gf128mul_x_ble(tweak, tweak);
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1243
1244 output += 16;
1245 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1246 }
1247
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1248 if (leftover) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1249 /* If we are on the leftover bytes in a decrypt operation, we need to
1250 * use the previous tweak for these bytes (as saved in prev_tweak). */
1251 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1252
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1253 /* We are now on the final part of the data unit, which doesn't divide
1254 * evenly by 16. It's time for ciphertext stealing. */
1255 size_t i;
1256 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1257
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1258 /* Copy ciphertext bytes from the previous block to our output for each
Dave Rodgman069e7f42022-11-24 19:37:26 +0000[diff] [blame]1259 * byte of ciphertext we won't steal. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1260 for (i = 0; i < leftover; i++) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1261 output[i] = prev_output[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1262 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1263
Dave Rodgman069e7f42022-11-24 19:37:26 +0000[diff] [blame]1264 /* Copy the remainder of the input for this final round. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1265 mbedtls_xor(tmp, input, t, leftover);
Dave Rodgmana8cf6072022-11-22 15:02:54 +0000[diff] [blame]1266
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1267 /* Copy ciphertext bytes from the previous block for input in this
1268 * round. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1269 mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i);
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1270
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1271 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1272 if (ret != 0) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1273 return ret;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1274 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1275
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1276 /* Write the result back to the previous block, overriding the previous
1277 * output we copied. */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1278 mbedtls_xor(prev_output, tmp, t, 16);
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1279 }
1280
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1281 return 0;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1282}
1283#endif /* MBEDTLS_CIPHER_MODE_XTS */
1284
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1285#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286/*
1287 * AES-CFB128 buffer encryption/decryption
1288 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1289int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
1290 int mode,
1291 size_t length,
1292 size_t *iv_off,
1293 unsigned char iv[16],
1294 const unsigned char *input,
1295 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1296{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1297 int c;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1298 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1299 size_t n;
1300
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1301 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1302 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1303 }
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1304
1305 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1306
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1307 if (n > 15) {
1308 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1309 }
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1310
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1311 if (mode == MBEDTLS_AES_DECRYPT) {
1312 while (length--) {
1313 if (n == 0) {
1314 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1315 if (ret != 0) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1316 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1317 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1318 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1319
1320 c = *input++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1321 *output++ = (unsigned char) (c ^ iv[n]);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1322 iv[n] = (unsigned char) c;
1323
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1324 n = (n + 1) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1326 } else {
1327 while (length--) {
1328 if (n == 0) {
1329 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1330 if (ret != 0) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1331 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1332 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1333 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1334
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1335 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1337 n = (n + 1) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1338 }
1339 }
1340
1341 *iv_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1342 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1343
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1344exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1345 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1347
1348/*
1349 * AES-CFB8 buffer encryption/decryption
1350 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1351int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
1352 int mode,
1353 size_t length,
1354 unsigned char iv[16],
1355 const unsigned char *input,
1356 unsigned char *output)
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1357{
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1358 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1359 unsigned char c;
1360 unsigned char ov[17];
1361
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1362 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame]1363 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1364 }
1365 while (length--) {
1366 memcpy(ov, iv, 16);
1367 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1368 if (ret != 0) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1369 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1370 }
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1371
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1372 if (mode == MBEDTLS_AES_DECRYPT) {
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1373 ov[16] = *input;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1374 }
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1375
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1376 c = *output++ = (unsigned char) (iv[0] ^ *input++);
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1377
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1378 if (mode == MBEDTLS_AES_ENCRYPT) {
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1379 ov[16] = c;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1380 }
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1381
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1382 memcpy(iv, ov + 1, 16);
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1383 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1384 ret = 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1385
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1386exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1387 return ret;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1388}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1389#endif /* MBEDTLS_CIPHER_MODE_CFB */
1390
1391#if defined(MBEDTLS_CIPHER_MODE_OFB)
1392/*
1393 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1394 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1395int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
1396 size_t length,
1397 size_t *iv_off,
1398 unsigned char iv[16],
1399 const unsigned char *input,
1400 unsigned char *output)
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1401{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1402 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1403 size_t n;
1404
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1405 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1406
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1407 if (n > 15) {
1408 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1409 }
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1410
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1411 while (length--) {
1412 if (n == 0) {
1413 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1414 if (ret != 0) {
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1415 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1416 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1417 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1418 *output++ = *input++ ^ iv[n];
1419
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1420 n = (n + 1) & 0x0F;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1421 }
1422
1423 *iv_off = n;
1424
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1425exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1426 return ret;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1427}
1428#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1429
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1430#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1431/*
1432 * AES-CTR buffer encryption/decryption
1433 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1434int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
1435 size_t length,
1436 size_t *nc_off,
1437 unsigned char nonce_counter[16],
1438 unsigned char stream_block[16],
1439 const unsigned char *input,
1440 unsigned char *output)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1441{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1442 int c, i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1443 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1444 size_t n;
1445
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1446 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1447
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1448 if (n > 0x0F) {
1449 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1450 }
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1451
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1452 while (length--) {
1453 if (n == 0) {
1454 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
1455 if (ret != 0) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1456 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1457 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1458
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1459 for (i = 16; i > 0; i--) {
1460 if (++nonce_counter[i - 1] != 0) {
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1461 break;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1462 }
1463 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1464 }
1465 c = *input++;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1466 *output++ = (unsigned char) (c ^ stream_block[n]);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1467
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1468 n = (n + 1) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1469 }
1470
1471 *nc_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1472 ret = 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1473
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1474exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1475 return ret;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1476}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1477#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1479#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1481#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1482/*
1483 * AES test vectors from:
1484 *
1485 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1486 */
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1487static const unsigned char aes_test_ecb_dec[][16] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1488{
1489 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1490 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1491#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1492 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1493 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1494 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1495 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1496#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1497};
1498
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1499static const unsigned char aes_test_ecb_enc[][16] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1500{
1501 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1502 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1503#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1504 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1505 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1506 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1507 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1508#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1509};
1510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1511#if defined(MBEDTLS_CIPHER_MODE_CBC)
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1512static const unsigned char aes_test_cbc_dec[][16] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1513{
1514 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1515 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1516#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1517 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1518 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1519 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1520 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1521#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522};
1523
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1524static const unsigned char aes_test_cbc_enc[][16] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1525{
1526 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1527 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1528#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1529 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1530 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1531 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1532 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1533#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1534};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1535#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1536
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1537#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1538/*
1539 * AES-CFB128 test vectors from:
1540 *
1541 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1542 */
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1543static const unsigned char aes_test_cfb128_key[][32] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544{
1545 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1546 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1547#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1548 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1549 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1550 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1551 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1552 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1553 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1554 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1555#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1556};
1557
1558static const unsigned char aes_test_cfb128_iv[16] =
1559{
1560 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1561 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1562};
1563
1564static const unsigned char aes_test_cfb128_pt[64] =
1565{
1566 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1567 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1568 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1569 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1570 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1571 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1572 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1573 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1574};
1575
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1576static const unsigned char aes_test_cfb128_ct[][64] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1577{
1578 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1579 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1580 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1581 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1582 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1583 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1584 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1585 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1586#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1587 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1588 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1589 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1590 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1591 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1592 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1593 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1594 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1595 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1596 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1597 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1598 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1599 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1600 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1601 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1602 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1603#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1604};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1605#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1606
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1607#if defined(MBEDTLS_CIPHER_MODE_OFB)
1608/*
1609 * AES-OFB test vectors from:
1610 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1611 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1612 */
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1613static const unsigned char aes_test_ofb_key[][32] =
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1614{
1615 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1616 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1617#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1618 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1619 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1620 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1621 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1622 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1623 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1624 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1625#endif
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1626};
1627
1628static const unsigned char aes_test_ofb_iv[16] =
1629{
1630 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1631 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1632};
1633
1634static const unsigned char aes_test_ofb_pt[64] =
1635{
1636 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1637 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1638 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1639 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1640 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1641 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1642 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1643 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1644};
1645
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1646static const unsigned char aes_test_ofb_ct[][64] =
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1647{
1648 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1649 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1650 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1651 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1652 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1653 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1654 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1655 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1656#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1657 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1658 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1659 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1660 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1661 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1662 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1663 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1664 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1665 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1666 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1667 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1668 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1669 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1670 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1671 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1672 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1673#endif
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1674};
1675#endif /* MBEDTLS_CIPHER_MODE_OFB */
1676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1677#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1678/*
1679 * AES-CTR test vectors from:
1680 *
1681 * http://www.faqs.org/rfcs/rfc3686.html
1682 */
1683
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1684static const unsigned char aes_test_ctr_key[][16] =
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1685{
1686 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1687 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1688 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1689 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1690 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1691 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1692};
1693
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1694static const unsigned char aes_test_ctr_nonce_counter[][16] =
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1695{
1696 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1698 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1699 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1700 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1701 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1702};
1703
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1704static const unsigned char aes_test_ctr_pt[][48] =
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1705{
1706 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1707 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1708 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1709 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1710 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1711 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1712
1713 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1714 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1715 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1716 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1717 0x20, 0x21, 0x22, 0x23 }
1718};
1719
Yanray Wang62c99912023-05-11 11:06:53 +0800[diff] [blame]1720static const unsigned char aes_test_ctr_ct[][48] =
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1721{
1722 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1723 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1724 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1725 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1726 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1727 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1728 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1729 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1730 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1731 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1732 0x25, 0xB2, 0x07, 0x2F }
1733};
1734
1735static const int aes_test_ctr_len[3] =
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1736{ 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1738
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1739#if defined(MBEDTLS_CIPHER_MODE_XTS)
1740/*
1741 * AES-XTS test vectors from:
1742 *
1743 * IEEE P1619/D16 Annex B
1744 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1745 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1746 */
1747static const unsigned char aes_test_xts_key[][32] =
1748{
1749 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1750 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1751 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1753 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1754 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1755 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1756 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1757 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1758 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1759 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1760 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1761};
1762
1763static const unsigned char aes_test_xts_pt32[][32] =
1764{
1765 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1769 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1770 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1771 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1772 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1773 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1774 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1775 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1776 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1777};
1778
1779static const unsigned char aes_test_xts_ct32[][32] =
1780{
1781 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1782 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1783 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1784 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1785 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1786 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1787 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1788 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1789 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1790 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1791 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1792 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1793};
1794
1795static const unsigned char aes_test_xts_data_unit[][16] =
1796{
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1797 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1798 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1799 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1800 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1801 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1803};
1804
1805#endif /* MBEDTLS_CIPHER_MODE_XTS */
1806
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1807/*
1808 * Checkup routine
1809 */
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1810int mbedtls_aes_self_test(int verbose)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1812 int ret = 0, i, j, u, mode;
1813 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1814 unsigned char key[32];
1815 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1816 const unsigned char *aes_tests;
Andrzej Kurek252283f2022-09-27 07:54:16 -0400[diff] [blame]1817#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1818 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1820#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1821#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1822 unsigned char prv[16];
1823#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1824#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1825 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1826 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1827#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1828#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1829 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1830#endif
1831#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1832 unsigned char nonce_counter[16];
1833 unsigned char stream_block[16];
1834#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1835 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1837 memset(key, 0, 32);
1838 mbedtls_aes_init(&ctx);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839
Gilles Peskine7e67bd52023-03-10 22:35:24 +0100[diff] [blame]1840 if (verbose != 0) {
1841#if defined(MBEDTLS_AES_ALT)
1842 mbedtls_printf(" AES note: alternative implementation.\n");
1843#else /* MBEDTLS_AES_ALT */
Gilles Peskine7e67bd52023-03-10 22:35:24 +0100[diff] [blame]1844#if defined(MBEDTLS_AESNI_HAVE_CODE)
Dave Rodgman96a9e6a2023-06-16 20:18:36 +0100[diff] [blame]1845#if MBEDTLS_AESNI_HAVE_CODE == 1
Dave Rodgman086e1372023-06-16 20:21:39 +0100[diff] [blame]1846 mbedtls_printf(" AES note: AESNI code present (assembly implementation).\n");
Dave Rodgman96a9e6a2023-06-16 20:18:36 +0100[diff] [blame]1847#elif MBEDTLS_AESNI_HAVE_CODE == 2
Dave Rodgman086e1372023-06-16 20:21:39 +0100[diff] [blame]1848 mbedtls_printf(" AES note: AESNI code present (intrinsics implementation).\n");
Dave Rodgman96a9e6a2023-06-16 20:18:36 +0100[diff] [blame]1849#else
Antonio de Angelis1ee4d122023-08-16 12:26:37 +0100[diff] [blame]1850#error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE"
Dave Rodgman96a9e6a2023-06-16 20:18:36 +0100[diff] [blame]1851#endif
Gilles Peskine7e67bd52023-03-10 22:35:24 +0100[diff] [blame]1852 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
1853 mbedtls_printf(" AES note: using AESNI.\n");
1854 } else
1855#endif
Jerry Yu9e628622023-08-17 11:20:09 +0800[diff] [blame]1856#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
Jerry Yu2319af02023-08-17 10:38:57 +0800[diff] [blame]1857 if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
1858 mbedtls_printf(" AES note: using VIA Padlock.\n");
1859 } else
1860#endif
Jerry Yu72fd0bd2023-08-18 16:31:01 +0800[diff] [blame]1861#if defined(MBEDTLS_AESCE_HAVE_CODE)
Dave Rodgmanf2249ec2023-08-04 14:27:58 +0100[diff] [blame]1862 if (MBEDTLS_AESCE_HAS_SUPPORT()) {
Gilles Peskine7e67bd52023-03-10 22:35:24 +0100[diff] [blame]1863 mbedtls_printf(" AES note: using AESCE.\n");
1864 } else
1865#endif
Jerry Yu29c91ba2023-08-04 11:02:04 +0800[diff] [blame]1866 {
1867#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
1868 mbedtls_printf(" AES note: built-in implementation.\n");
1869#endif
1870 }
Gilles Peskine7e67bd52023-03-10 22:35:24 +0100[diff] [blame]1871#endif /* MBEDTLS_AES_ALT */
1872 }
1873
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1874 /*
1875 * ECB mode
1876 */
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1877 {
1878 static const int num_tests =
1879 sizeof(aes_test_ecb_dec) / sizeof(*aes_test_ecb_dec);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1880
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1881 for (i = 0; i < num_tests << 1; i++) {
1882 u = i >> 1;
1883 keybits = 128 + u * 64;
1884 mode = i & 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1885
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1886 if (verbose != 0) {
1887 mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
1888 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1889 }
Arto Kinnunen0f066182023-04-20 10:02:46 +0800[diff] [blame]1890
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1891 memset(buf, 0, 16);
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1892
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1893 if (mode == MBEDTLS_AES_DECRYPT) {
1894 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1895 aes_tests = aes_test_ecb_dec[u];
1896 } else {
1897 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1898 aes_tests = aes_test_ecb_enc[u];
1899 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1901 /*
1902 * AES-192 is an optional feature that may be unavailable when
1903 * there is an alternative underlying implementation i.e. when
1904 * MBEDTLS_AES_ALT is defined.
1905 */
1906 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1907 mbedtls_printf("skipped\n");
1908 continue;
1909 } else if (ret != 0) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1910 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1911 }
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1912
1913 for (j = 0; j < 10000; j++) {
1914 ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
1915 if (ret != 0) {
1916 goto exit;
1917 }
1918 }
1919
1920 if (memcmp(buf, aes_tests, 16) != 0) {
1921 ret = 1;
1922 goto exit;
1923 }
1924
1925 if (verbose != 0) {
1926 mbedtls_printf("passed\n");
1927 }
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1928 }
1929
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1930 if (verbose != 0) {
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1931 mbedtls_printf("\n");
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1932 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1933 }
1934
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1935#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1936 /*
1937 * CBC mode
1938 */
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1939 {
1940 static const int num_tests =
1941 sizeof(aes_test_cbc_dec) / sizeof(*aes_test_cbc_dec);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1942
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1943 for (i = 0; i < num_tests << 1; i++) {
1944 u = i >> 1;
1945 keybits = 128 + u * 64;
1946 mode = i & 1;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1947
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1948 if (verbose != 0) {
1949 mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
1950 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951 }
1952
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1953 memset(iv, 0, 16);
1954 memset(prv, 0, 16);
1955 memset(buf, 0, 16);
1956
1957 if (mode == MBEDTLS_AES_DECRYPT) {
1958 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1959 aes_tests = aes_test_cbc_dec[u];
1960 } else {
1961 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1962 aes_tests = aes_test_cbc_enc[u];
1963 }
1964
1965 /*
1966 * AES-192 is an optional feature that may be unavailable when
1967 * there is an alternative underlying implementation i.e. when
1968 * MBEDTLS_AES_ALT is defined.
1969 */
1970 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1971 mbedtls_printf("skipped\n");
1972 continue;
1973 } else if (ret != 0) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1974 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]1975 }
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1976
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1977 for (j = 0; j < 10000; j++) {
1978 if (mode == MBEDTLS_AES_ENCRYPT) {
1979 unsigned char tmp[16];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1980
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]1981 memcpy(tmp, prv, 16);
1982 memcpy(prv, buf, 16);
1983 memcpy(buf, tmp, 16);
1984 }
1985
1986 ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
1987 if (ret != 0) {
1988 goto exit;
1989 }
1990
1991 }
1992
1993 if (memcmp(buf, aes_tests, 16) != 0) {
1994 ret = 1;
1995 goto exit;
1996 }
1997
1998 if (verbose != 0) {
1999 mbedtls_printf("passed\n");
2000 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2001 }
2002
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2003 if (verbose != 0) {
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2004 mbedtls_printf("\n");
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2005 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2006 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2007#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2008
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2009#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010 /*
2011 * CFB128 mode
2012 */
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2013 {
2014 static const int num_tests =
2015 sizeof(aes_test_cfb128_key) / sizeof(*aes_test_cfb128_key);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2017 for (i = 0; i < num_tests << 1; i++) {
2018 u = i >> 1;
2019 keybits = 128 + u * 64;
2020 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2022 if (verbose != 0) {
2023 mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
2024 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2025 }
Arto Kinnunen0f066182023-04-20 10:02:46 +0800[diff] [blame]2026
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2027 memcpy(iv, aes_test_cfb128_iv, 16);
2028 memcpy(key, aes_test_cfb128_key[u], keybits / 8);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2030 offset = 0;
2031 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2032 /*
2033 * AES-192 is an optional feature that may be unavailable when
2034 * there is an alternative underlying implementation i.e. when
2035 * MBEDTLS_AES_ALT is defined.
2036 */
2037 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2038 mbedtls_printf("skipped\n");
2039 continue;
2040 } else if (ret != 0) {
2041 goto exit;
2042 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2043
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2044 if (mode == MBEDTLS_AES_DECRYPT) {
2045 memcpy(buf, aes_test_cfb128_ct[u], 64);
2046 aes_tests = aes_test_cfb128_pt;
2047 } else {
2048 memcpy(buf, aes_test_cfb128_pt, 64);
2049 aes_tests = aes_test_cfb128_ct[u];
2050 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2051
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2052 ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
2053 if (ret != 0) {
2054 goto exit;
2055 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2056
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2057 if (memcmp(buf, aes_tests, 64) != 0) {
2058 ret = 1;
2059 goto exit;
2060 }
2061
2062 if (verbose != 0) {
2063 mbedtls_printf("passed\n");
2064 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2065 }
2066
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2067 if (verbose != 0) {
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2068 mbedtls_printf("\n");
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2069 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2070 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2071#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2072
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2073#if defined(MBEDTLS_CIPHER_MODE_OFB)
2074 /*
2075 * OFB mode
2076 */
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2077 {
2078 static const int num_tests =
2079 sizeof(aes_test_ofb_key) / sizeof(*aes_test_ofb_key);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2080
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2081 for (i = 0; i < num_tests << 1; i++) {
2082 u = i >> 1;
2083 keybits = 128 + u * 64;
2084 mode = i & 1;
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2085
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2086 if (verbose != 0) {
2087 mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
2088 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2089 }
Arto Kinnunen0f066182023-04-20 10:02:46 +0800[diff] [blame]2090
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2091 memcpy(iv, aes_test_ofb_iv, 16);
2092 memcpy(key, aes_test_ofb_key[u], keybits / 8);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2093
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2094 offset = 0;
2095 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2096 /*
2097 * AES-192 is an optional feature that may be unavailable when
2098 * there is an alternative underlying implementation i.e. when
2099 * MBEDTLS_AES_ALT is defined.
2100 */
2101 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2102 mbedtls_printf("skipped\n");
2103 continue;
2104 } else if (ret != 0) {
2105 goto exit;
2106 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2107
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2108 if (mode == MBEDTLS_AES_DECRYPT) {
2109 memcpy(buf, aes_test_ofb_ct[u], 64);
2110 aes_tests = aes_test_ofb_pt;
2111 } else {
2112 memcpy(buf, aes_test_ofb_pt, 64);
2113 aes_tests = aes_test_ofb_ct[u];
2114 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2115
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2116 ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
2117 if (ret != 0) {
2118 goto exit;
2119 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2120
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2121 if (memcmp(buf, aes_tests, 64) != 0) {
2122 ret = 1;
2123 goto exit;
2124 }
2125
2126 if (verbose != 0) {
2127 mbedtls_printf("passed\n");
2128 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2129 }
2130
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2131 if (verbose != 0) {
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2132 mbedtls_printf("\n");
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2133 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2134 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2135#endif /* MBEDTLS_CIPHER_MODE_OFB */
2136
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2137#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2138 /*
2139 * CTR mode
2140 */
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2141 {
2142 static const int num_tests =
2143 sizeof(aes_test_ctr_key) / sizeof(*aes_test_ctr_key);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2144
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2145 for (i = 0; i < num_tests << 1; i++) {
2146 u = i >> 1;
2147 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2148
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2149 if (verbose != 0) {
2150 mbedtls_printf(" AES-CTR-128 (%s): ",
2151 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2152 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2153
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2154 memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
2155 memcpy(key, aes_test_ctr_key[u], 16);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2156
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2157 offset = 0;
2158 if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
2159 goto exit;
2160 }
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2161
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2162 len = aes_test_ctr_len[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2163
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2164 if (mode == MBEDTLS_AES_DECRYPT) {
2165 memcpy(buf, aes_test_ctr_ct[u], len);
2166 aes_tests = aes_test_ctr_pt[u];
2167 } else {
2168 memcpy(buf, aes_test_ctr_pt[u], len);
2169 aes_tests = aes_test_ctr_ct[u];
2170 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2171
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2172 ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
2173 stream_block, buf, buf);
2174 if (ret != 0) {
2175 goto exit;
2176 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2177
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2178 if (memcmp(buf, aes_tests, len) != 0) {
2179 ret = 1;
2180 goto exit;
2181 }
2182
2183 if (verbose != 0) {
2184 mbedtls_printf("passed\n");
2185 }
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2186 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2187 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2188
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2189 if (verbose != 0) {
2190 mbedtls_printf("\n");
2191 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2192#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2193
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2194#if defined(MBEDTLS_CIPHER_MODE_XTS)
Yanray Wang59c2dfa2023-05-11 12:04:23 +0800[diff] [blame]2195 /*
2196 * XTS mode
2197 */
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2198 {
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2199 static const int num_tests =
2200 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2201 mbedtls_aes_xts_context ctx_xts;
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2202
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2203 mbedtls_aes_xts_init(&ctx_xts);
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2204
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2205 for (i = 0; i < num_tests << 1; i++) {
2206 const unsigned char *data_unit;
2207 u = i >> 1;
2208 mode = i & 1;
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2209
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2210 if (verbose != 0) {
2211 mbedtls_printf(" AES-XTS-128 (%s): ",
2212 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2213 }
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2214
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2215 memset(key, 0, sizeof(key));
2216 memcpy(key, aes_test_xts_key[u], 32);
2217 data_unit = aes_test_xts_data_unit[u];
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2218
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2219 len = sizeof(*aes_test_xts_ct32);
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2220
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2221 if (mode == MBEDTLS_AES_DECRYPT) {
2222 ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
2223 if (ret != 0) {
2224 goto exit;
2225 }
2226 memcpy(buf, aes_test_xts_ct32[u], len);
2227 aes_tests = aes_test_xts_pt32[u];
2228 } else {
2229 ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
2230 if (ret != 0) {
2231 goto exit;
2232 }
2233 memcpy(buf, aes_test_xts_pt32[u], len);
2234 aes_tests = aes_test_xts_ct32[u];
2235 }
2236
2237
2238 ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
2239 buf, buf);
2240 if (ret != 0) {
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2241 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2242 }
2243
2244 if (memcmp(buf, aes_tests, len) != 0) {
2245 ret = 1;
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2246 goto exit;
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2247 }
2248
2249 if (verbose != 0) {
2250 mbedtls_printf("passed\n");
2251 }
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2252 }
2253
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2254 if (verbose != 0) {
2255 mbedtls_printf("\n");
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2256 }
2257
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2258 mbedtls_aes_xts_free(&ctx_xts);
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2259 }
2260#endif /* MBEDTLS_CIPHER_MODE_XTS */
2261
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2262 ret = 0;
2263
2264exit:
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2265 if (ret != 0 && verbose != 0) {
2266 mbedtls_printf("failed\n");
2267 }
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2268
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2269 mbedtls_aes_free(&ctx);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2270
Gilles Peskine449bd832023-01-11 14:50:10 +0100[diff] [blame]2271 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2272}
2273
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2274#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2276#endif /* MBEDTLS_AES_C */