TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a2947ac7bb172526bbadd54e7625ce1db7d99b33 / . / library / aes.c
blob: 9b337505fd15c8152650ab098681e66804853b95 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkútia2947ac2020-08-19 16:37:36 +0200[diff] [blame^]4 * Copyright The Mbed TLS Contributors
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45 */
46/*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]54#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]55#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]61#include <string.h>
62
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]63#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]64#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]65#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]66#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]67#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]68#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]69#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]70#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]71#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]73#if defined(MBEDTLS_SELF_TEST)
74#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]75#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]76#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]77#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]78#define mbedtls_printf printf
79#endif /* MBEDTLS_PLATFORM_C */
80#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]81
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]83
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]84/* Parameter validation macros based on platform_util.h */
85#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]86 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]87#define AES_VALIDATE( cond ) \
88 MBEDTLS_INTERNAL_VALIDATE( cond )
89
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90/*
91 * 32-bit integer manipulation macros (little endian)
92 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]93#ifndef GET_UINT32_LE
94#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]96 (n) = ( (uint32_t) (b)[(i) ] ) \
97 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
98 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
99 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]100}
101#endif
102
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]103#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]104#define PUT_UINT32_LE(n,b,i) \
105{ \
106 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
107 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
108 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
109 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]110}
111#endif
112
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]113#if defined(MBEDTLS_PADLOCK_C) && \
114 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]115static int aes_padlock_ace = -1;
116#endif
117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]118#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]119/*
120 * Forward S-box
121 */
122static const unsigned char FSb[256] =
123{
124 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
125 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
126 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
127 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
128 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
129 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
130 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
131 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
132 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
133 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
134 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
135 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
136 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
137 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
138 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
139 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
140 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
141 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
142 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
143 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
144 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
145 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
146 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
147 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
148 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
149 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
150 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
151 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
152 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
153 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
154 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
155 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
156};
157
158/*
159 * Forward tables
160 */
161#define FT \
162\
163 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
164 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
165 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
166 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
167 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
168 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
169 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
170 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
171 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
172 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
173 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
174 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
175 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
176 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
177 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
178 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
179 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
180 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
181 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
182 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
183 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
184 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
185 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
186 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
187 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
188 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
189 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
190 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
191 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
192 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
193 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
194 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
195 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
196 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
197 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
198 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
199 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
200 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
201 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
202 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
203 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
204 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
205 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
206 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
207 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
208 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
209 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
210 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
211 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
212 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
213 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
214 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
215 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
216 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
217 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
218 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
219 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
220 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
221 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
222 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
223 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
224 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
225 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
226 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
227
228#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]232#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]233
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]235static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236#undef V
237
238#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]239static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]240#undef V
241
242#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]243static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244#undef V
245
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]246#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]247
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]248#undef FT
249
250/*
251 * Reverse S-box
252 */
253static const unsigned char RSb[256] =
254{
255 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
256 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
257 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
258 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
259 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
260 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
261 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
262 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
263 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
264 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
265 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
266 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
267 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
268 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
269 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
270 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
271 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
272 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
273 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
274 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
275 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
276 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
277 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
278 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
279 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
280 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
281 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
282 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
283 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
284 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
285 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
286 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
287};
288
289/*
290 * Reverse tables
291 */
292#define RT \
293\
294 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
295 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
296 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
297 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
298 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
299 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
300 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
301 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
302 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
303 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
304 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
305 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
306 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
307 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
308 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
309 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
310 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
311 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
312 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
313 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
314 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
315 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
316 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
317 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
318 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
319 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
320 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
321 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
322 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
323 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
324 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
325 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
326 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
327 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
328 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
329 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
330 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
331 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
332 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
333 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
334 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
335 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
336 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
337 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
338 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
339 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
340 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
341 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
342 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
343 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
344 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
345 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
346 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
347 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
348 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
349 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
350 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
351 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
352 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
353 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
354 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
355 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
356 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
357 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
358
359#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361#undef V
362
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]363#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]364
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]366static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367#undef V
368
369#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]370static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371#undef V
372
373#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]374static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375#undef V
376
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]378
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379#undef RT
380
381/*
382 * Round constants
383 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]385{
386 0x00000001, 0x00000002, 0x00000004, 0x00000008,
387 0x00000010, 0x00000020, 0x00000040, 0x00000080,
388 0x0000001B, 0x00000036
389};
390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]391#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392
393/*
394 * Forward S-box & tables
395 */
396static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]397static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]398#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]399static uint32_t FT1[256];
400static uint32_t FT2[256];
401static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]402#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]403
404/*
405 * Reverse S-box & tables
406 */
407static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]408static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]409#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]410static uint32_t RT1[256];
411static uint32_t RT2[256];
412static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]413#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]414
415/*
416 * Round constants
417 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]418static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419
420/*
421 * Tables generation code
422 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]423#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
424#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]425#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426
427static int aes_init_done = 0;
428
429static void aes_gen_tables( void )
430{
431 int i, x, y, z;
432 int pow[256];
433 int log[256];
434
435 /*
436 * compute pow and log tables over GF(2^8)
437 */
438 for( i = 0, x = 1; i < 256; i++ )
439 {
440 pow[i] = x;
441 log[x] = i;
442 x = ( x ^ XTIME( x ) ) & 0xFF;
443 }
444
445 /*
446 * calculate the round constants
447 */
448 for( i = 0, x = 1; i < 10; i++ )
449 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]450 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451 x = XTIME( x ) & 0xFF;
452 }
453
454 /*
455 * generate the forward and reverse S-boxes
456 */
457 FSb[0x00] = 0x63;
458 RSb[0x63] = 0x00;
459
460 for( i = 1; i < 256; i++ )
461 {
462 x = pow[255 - log[i]];
463
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]464 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
466 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468 x ^= y ^ 0x63;
469
470 FSb[i] = (unsigned char) x;
471 RSb[x] = (unsigned char) i;
472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
494 x = RSb[i];
495
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]496 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
497 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
498 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
499 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]500
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]501#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502 RT1[i] = ROTL8( RT0[i] );
503 RT2[i] = ROTL8( RT1[i] );
504 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]505#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]506 }
507}
508
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]509#undef ROTL8
510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]512
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]513#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]514
515#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
516#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
517#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
518
519#define AES_RT0(idx) RT0[idx]
520#define AES_RT1(idx) ROTL8( RT0[idx] )
521#define AES_RT2(idx) ROTL16( RT0[idx] )
522#define AES_RT3(idx) ROTL24( RT0[idx] )
523
524#define AES_FT0(idx) FT0[idx]
525#define AES_FT1(idx) ROTL8( FT0[idx] )
526#define AES_FT2(idx) ROTL16( FT0[idx] )
527#define AES_FT3(idx) ROTL24( FT0[idx] )
528
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]529#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]530
531#define AES_RT0(idx) RT0[idx]
532#define AES_RT1(idx) RT1[idx]
533#define AES_RT2(idx) RT2[idx]
534#define AES_RT3(idx) RT3[idx]
535
536#define AES_FT0(idx) FT0[idx]
537#define AES_FT1(idx) FT1[idx]
538#define AES_FT2(idx) FT2[idx]
539#define AES_FT3(idx) FT3[idx]
540
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]541#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]543void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]544{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]545 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]547 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]548}
549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]550void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]551{
552 if( ctx == NULL )
553 return;
554
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]555 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]556}
557
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]558#if defined(MBEDTLS_CIPHER_MODE_XTS)
559void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
560{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]561 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]562
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]563 mbedtls_aes_init( &ctx->crypt );
564 mbedtls_aes_init( &ctx->tweak );
565}
566
567void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
568{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]569 if( ctx == NULL )
570 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]571
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]572 mbedtls_aes_free( &ctx->crypt );
573 mbedtls_aes_free( &ctx->tweak );
574}
575#endif /* MBEDTLS_CIPHER_MODE_XTS */
576
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577/*
578 * AES key schedule (encryption)
579 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]580#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]582 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]584 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]585 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]587 AES_VALIDATE_RET( ctx != NULL );
588 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]590 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591 {
592 case 128: ctx->nr = 10; break;
593 case 192: ctx->nr = 12; break;
594 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]595 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 }
597
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]598#if !defined(MBEDTLS_AES_ROM_TABLES)
599 if( aes_init_done == 0 )
600 {
601 aes_gen_tables();
602 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]603 }
604#endif
605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]606#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]607 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]608 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]609
610 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]611 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]612 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]614 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]616#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]617 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]618 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]619#endif
620
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]621 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]622 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]623 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624 }
625
626 switch( ctx->nr )
627 {
628 case 10:
629
630 for( i = 0; i < 10; i++, RK += 4 )
631 {
632 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]633 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
634 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
635 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
636 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637
638 RK[5] = RK[1] ^ RK[4];
639 RK[6] = RK[2] ^ RK[5];
640 RK[7] = RK[3] ^ RK[6];
641 }
642 break;
643
644 case 12:
645
646 for( i = 0; i < 8; i++, RK += 6 )
647 {
648 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]649 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
650 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
651 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
652 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654 RK[7] = RK[1] ^ RK[6];
655 RK[8] = RK[2] ^ RK[7];
656 RK[9] = RK[3] ^ RK[8];
657 RK[10] = RK[4] ^ RK[9];
658 RK[11] = RK[5] ^ RK[10];
659 }
660 break;
661
662 case 14:
663
664 for( i = 0; i < 7; i++, RK += 8 )
665 {
666 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]667 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
668 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
669 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
670 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671
672 RK[9] = RK[1] ^ RK[8];
673 RK[10] = RK[2] ^ RK[9];
674 RK[11] = RK[3] ^ RK[10];
675
676 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
678 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
679 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
680 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
682 RK[13] = RK[5] ^ RK[12];
683 RK[14] = RK[6] ^ RK[13];
684 RK[15] = RK[7] ^ RK[14];
685 }
686 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]688
689 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]691#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692
693/*
694 * AES key schedule (decryption)
695 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]696#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]697int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]698 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]700 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]702 uint32_t *RK;
703 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]704
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]705 AES_VALIDATE_RET( ctx != NULL );
706 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]708 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]709
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]711 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]712 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]713
714 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]715 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]716 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]718 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]720 /* Also checks keybits */
721 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]722 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]723
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]724 ctx->nr = cty.nr;
725
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]726#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]727 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]728 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]730 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]732 }
733#endif
734
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735 SK = cty.rk + cty.nr * 4;
736
737 *RK++ = *SK++;
738 *RK++ = *SK++;
739 *RK++ = *SK++;
740 *RK++ = *SK++;
741
742 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
743 {
744 for( j = 0; j < 4; j++, SK++ )
745 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]746 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
747 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
748 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
749 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750 }
751 }
752
753 *RK++ = *SK++;
754 *RK++ = *SK++;
755 *RK++ = *SK++;
756 *RK++ = *SK++;
757
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]758exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]759 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]760
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]761 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]763
764#if defined(MBEDTLS_CIPHER_MODE_XTS)
765static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
766 unsigned int keybits,
767 const unsigned char **key1,
768 unsigned int *key1bits,
769 const unsigned char **key2,
770 unsigned int *key2bits )
771{
772 const unsigned int half_keybits = keybits / 2;
773 const unsigned int half_keybytes = half_keybits / 8;
774
775 switch( keybits )
776 {
777 case 256: break;
778 case 512: break;
779 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
780 }
781
782 *key1bits = half_keybits;
783 *key2bits = half_keybits;
784 *key1 = &key[0];
785 *key2 = &key[half_keybytes];
786
787 return 0;
788}
789
790int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
791 const unsigned char *key,
792 unsigned int keybits)
793{
794 int ret;
795 const unsigned char *key1, *key2;
796 unsigned int key1bits, key2bits;
797
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]798 AES_VALIDATE_RET( ctx != NULL );
799 AES_VALIDATE_RET( key != NULL );
800
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
802 &key2, &key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set the tweak key. Always set tweak key for the encryption mode. */
807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
808 if( ret != 0 )
809 return( ret );
810
811 /* Set crypt key for encryption. */
812 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
813}
814
815int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
816 const unsigned char *key,
817 unsigned int keybits)
818{
819 int ret;
820 const unsigned char *key1, *key2;
821 unsigned int key1bits, key2bits;
822
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]823 AES_VALIDATE_RET( ctx != NULL );
824 AES_VALIDATE_RET( key != NULL );
825
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]826 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
827 &key2, &key2bits );
828 if( ret != 0 )
829 return( ret );
830
831 /* Set the tweak key. Always set tweak key for encryption. */
832 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
833 if( ret != 0 )
834 return( ret );
835
836 /* Set crypt key for decryption. */
837 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
838}
839#endif /* MBEDTLS_CIPHER_MODE_XTS */
840
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]841#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]843#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
844 do \
845 { \
846 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
847 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
848 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
849 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
850 \
851 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
852 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
853 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
854 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
855 \
856 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
857 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
858 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
859 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
860 \
861 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
862 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
863 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
864 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
865 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]867#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
868 do \
869 { \
870 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
871 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
872 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
873 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
874 \
875 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
876 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
877 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
878 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
879 \
880 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
881 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
882 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
883 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
884 \
885 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
886 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
887 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
888 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
889 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]890
891/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]892 * AES-ECB block encryption
893 */
894#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]895int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
896 const unsigned char input[16],
897 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]898{
899 int i;
900 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
901
902 RK = ctx->rk;
903
904 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
905 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
906 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
907 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
908
909 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
910 {
911 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
912 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
913 }
914
915 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
916
917 X0 = *RK++ ^ \
918 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
919 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
920 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
921 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
922
923 X1 = *RK++ ^ \
924 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
925 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
926 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
927 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
928
929 X2 = *RK++ ^ \
930 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
931 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
932 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
933 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
934
935 X3 = *RK++ ^ \
936 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
937 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
938 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
939 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
940
941 PUT_UINT32_LE( X0, output, 0 );
942 PUT_UINT32_LE( X1, output, 4 );
943 PUT_UINT32_LE( X2, output, 8 );
944 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]945
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]946 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
947 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
948 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
949 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
950
951 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
952 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
953 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
954 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
955
956 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
957
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]958 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]959}
960#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
961
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]962#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]963void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
964 const unsigned char input[16],
965 unsigned char output[16] )
966{
967 mbedtls_internal_aes_encrypt( ctx, input, output );
968}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]969#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]970
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]971/*
972 * AES-ECB block decryption
973 */
974#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]975int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
976 const unsigned char input[16],
977 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]978{
979 int i;
980 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
981
982 RK = ctx->rk;
983
984 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
985 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
986 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
987 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
988
989 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
990 {
991 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
992 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
993 }
994
995 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
996
997 X0 = *RK++ ^ \
998 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
999 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
1000 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
1001 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
1002
1003 X1 = *RK++ ^ \
1004 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
1005 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
1006 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
1007 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
1008
1009 X2 = *RK++ ^ \
1010 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
1011 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
1012 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
1013 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
1014
1015 X3 = *RK++ ^ \
1016 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
1017 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
1018 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
1019 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
1020
1021 PUT_UINT32_LE( X0, output, 0 );
1022 PUT_UINT32_LE( X1, output, 4 );
1023 PUT_UINT32_LE( X2, output, 8 );
1024 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1025
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]1026 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
1027 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1028 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1029 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1030
1031 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1032 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1033 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1034 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1035
1036 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1037
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1038 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1039}
1040#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1041
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1042#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1043void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1044 const unsigned char input[16],
1045 unsigned char output[16] )
1046{
1047 mbedtls_internal_aes_decrypt( ctx, input, output );
1048}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1049#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1050
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1051/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1052 * AES-ECB block encryption/decryption
1053 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1054int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1055 int mode,
1056 const unsigned char input[16],
1057 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1058{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1059 AES_VALIDATE_RET( ctx != NULL );
1060 AES_VALIDATE_RET( input != NULL );
1061 AES_VALIDATE_RET( output != NULL );
1062 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1063 mode == MBEDTLS_AES_DECRYPT );
1064
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1065#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1066 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1068#endif
1069
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1070#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1071 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1073 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1074 return( 0 );
1075
1076 // If padlock data misaligned, we just fall back to
1077 // unaccelerated mode
1078 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079 }
1080#endif
1081
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1082 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1083 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1084 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1085 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1086}
1087
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1088#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089/*
1090 * AES-CBC buffer encryption/decryption
1091 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1092int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1093 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1094 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1096 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1097 unsigned char *output )
1098{
1099 int i;
1100 unsigned char temp[16];
1101
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1102 AES_VALIDATE_RET( ctx != NULL );
1103 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1104 mode == MBEDTLS_AES_DECRYPT );
1105 AES_VALIDATE_RET( iv != NULL );
1106 AES_VALIDATE_RET( input != NULL );
1107 AES_VALIDATE_RET( output != NULL );
1108
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1109 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1110 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1111
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1112#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1113 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1114 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1115 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1116 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1117
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1118 // If padlock data misaligned, we just fall back to
1119 // unaccelerated mode
1120 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1121 }
1122#endif
1123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1124 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1125 {
1126 while( length > 0 )
1127 {
1128 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1129 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1130
1131 for( i = 0; i < 16; i++ )
1132 output[i] = (unsigned char)( output[i] ^ iv[i] );
1133
1134 memcpy( iv, temp, 16 );
1135
1136 input += 16;
1137 output += 16;
1138 length -= 16;
1139 }
1140 }
1141 else
1142 {
1143 while( length > 0 )
1144 {
1145 for( i = 0; i < 16; i++ )
1146 output[i] = (unsigned char)( input[i] ^ iv[i] );
1147
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1148 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1149 memcpy( iv, output, 16 );
1150
1151 input += 16;
1152 output += 16;
1153 length -= 16;
1154 }
1155 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1156
1157 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1158}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1159#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1160
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1161#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1162
1163/* Endianess with 64 bits values */
1164#ifndef GET_UINT64_LE
1165#define GET_UINT64_LE(n,b,i) \
1166{ \
1167 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1168 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1169 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1170 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1171 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1172 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1173 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1174 | ( (uint64_t) (b)[(i) ] ); \
1175}
1176#endif
1177
1178#ifndef PUT_UINT64_LE
1179#define PUT_UINT64_LE(n,b,i) \
1180{ \
1181 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1182 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1183 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1184 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1185 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1186 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1187 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1188 (b)[(i) ] = (unsigned char) ( (n) ); \
1189}
1190#endif
1191
1192typedef unsigned char mbedtls_be128[16];
1193
1194/*
1195 * GF(2^128) multiplication function
1196 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1197 * This function multiplies a field element by x in the polynomial field
1198 * representation. It uses 64-bit word operations to gain speed but compensates
1199 * for machine endianess and hence works correctly on both big and little
1200 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1201 */
1202static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1203 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1204{
1205 uint64_t a, b, ra, rb;
1206
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1207 GET_UINT64_LE( a, x, 0 );
1208 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1209
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1210 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1211 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1212
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1213 PUT_UINT64_LE( ra, r, 0 );
1214 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1215}
1216
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1217/*
1218 * AES-XTS buffer encryption/decryption
1219 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1220int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1221 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1222 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1223 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1224 const unsigned char *input,
1225 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1226{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1227 int ret;
1228 size_t blocks = length / 16;
1229 size_t leftover = length % 16;
1230 unsigned char tweak[16];
1231 unsigned char prev_tweak[16];
1232 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1233
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1234 AES_VALIDATE_RET( ctx != NULL );
1235 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1236 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1237 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1238 AES_VALIDATE_RET( input != NULL );
1239 AES_VALIDATE_RET( output != NULL );
1240
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1241 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1242 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1243 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1244
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1245 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1246 if( length > ( 1 << 20 ) * 16 )
1247 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1248
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1249 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1250 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1251 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1252 if( ret != 0 )
1253 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1254
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1255 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1256 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1257 size_t i;
1258
1259 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1260 {
1261 /* We are on the last block in a decrypt operation that has
1262 * leftover bytes, so we need to use the next tweak for this block,
1263 * and this tweak for the lefover bytes. Save the current tweak for
1264 * the leftovers and then update the current tweak for use on this,
1265 * the last full block. */
1266 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1267 mbedtls_gf128mul_x_ble( tweak, tweak );
1268 }
1269
1270 for( i = 0; i < 16; i++ )
1271 tmp[i] = input[i] ^ tweak[i];
1272
1273 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1274 if( ret != 0 )
1275 return( ret );
1276
1277 for( i = 0; i < 16; i++ )
1278 output[i] = tmp[i] ^ tweak[i];
1279
1280 /* Update the tweak for the next block. */
1281 mbedtls_gf128mul_x_ble( tweak, tweak );
1282
1283 output += 16;
1284 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1285 }
1286
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1287 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1288 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1289 /* If we are on the leftover bytes in a decrypt operation, we need to
1290 * use the previous tweak for these bytes (as saved in prev_tweak). */
1291 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1292
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1293 /* We are now on the final part of the data unit, which doesn't divide
1294 * evenly by 16. It's time for ciphertext stealing. */
1295 size_t i;
1296 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1297
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1298 /* Copy ciphertext bytes from the previous block to our output for each
1299 * byte of cyphertext we won't steal. At the same time, copy the
1300 * remainder of the input for this final round (since the loop bounds
1301 * are the same). */
1302 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1303 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1304 output[i] = prev_output[i];
1305 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1306 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1307
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1308 /* Copy ciphertext bytes from the previous block for input in this
1309 * round. */
1310 for( ; i < 16; i++ )
1311 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1312
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1313 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1314 if( ret != 0 )
1315 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1316
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1317 /* Write the result back to the previous block, overriding the previous
1318 * output we copied. */
1319 for( i = 0; i < 16; i++ )
1320 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1321 }
1322
1323 return( 0 );
1324}
1325#endif /* MBEDTLS_CIPHER_MODE_XTS */
1326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1328/*
1329 * AES-CFB128 buffer encryption/decryption
1330 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1331int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1333 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1334 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1335 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1336 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337 unsigned char *output )
1338{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1339 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1340 size_t n;
1341
1342 AES_VALIDATE_RET( ctx != NULL );
1343 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1344 mode == MBEDTLS_AES_DECRYPT );
1345 AES_VALIDATE_RET( iv_off != NULL );
1346 AES_VALIDATE_RET( iv != NULL );
1347 AES_VALIDATE_RET( input != NULL );
1348 AES_VALIDATE_RET( output != NULL );
1349
1350 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1351
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1352 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1353 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1355 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1356 {
1357 while( length-- )
1358 {
1359 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1360 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1361
1362 c = *input++;
1363 *output++ = (unsigned char)( c ^ iv[n] );
1364 iv[n] = (unsigned char) c;
1365
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1366 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1367 }
1368 }
1369 else
1370 {
1371 while( length-- )
1372 {
1373 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1374 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375
1376 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1377
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1378 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1379 }
1380 }
1381
1382 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1383
1384 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1385}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1386
1387/*
1388 * AES-CFB8 buffer encryption/decryption
1389 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1390int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1391 int mode,
1392 size_t length,
1393 unsigned char iv[16],
1394 const unsigned char *input,
1395 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1396{
1397 unsigned char c;
1398 unsigned char ov[17];
1399
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1400 AES_VALIDATE_RET( ctx != NULL );
1401 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1402 mode == MBEDTLS_AES_DECRYPT );
1403 AES_VALIDATE_RET( iv != NULL );
1404 AES_VALIDATE_RET( input != NULL );
1405 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1406 while( length-- )
1407 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1408 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1409 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1410
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1411 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1412 ov[16] = *input;
1413
1414 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1415
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1416 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1417 ov[16] = c;
1418
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1419 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1420 }
1421
1422 return( 0 );
1423}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1424#endif /* MBEDTLS_CIPHER_MODE_CFB */
1425
1426#if defined(MBEDTLS_CIPHER_MODE_OFB)
1427/*
1428 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1429 */
1430int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1431 size_t length,
1432 size_t *iv_off,
1433 unsigned char iv[16],
1434 const unsigned char *input,
1435 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1436{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1437 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1438 size_t n;
1439
1440 AES_VALIDATE_RET( ctx != NULL );
1441 AES_VALIDATE_RET( iv_off != NULL );
1442 AES_VALIDATE_RET( iv != NULL );
1443 AES_VALIDATE_RET( input != NULL );
1444 AES_VALIDATE_RET( output != NULL );
1445
1446 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1447
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1448 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1449 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1450
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1451 while( length-- )
1452 {
1453 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1454 {
1455 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1456 if( ret != 0 )
1457 goto exit;
1458 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1459 *output++ = *input++ ^ iv[n];
1460
1461 n = ( n + 1 ) & 0x0F;
1462 }
1463
1464 *iv_off = n;
1465
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1466exit:
1467 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1468}
1469#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1470
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1471#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1472/*
1473 * AES-CTR buffer encryption/decryption
1474 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1475int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1476 size_t length,
1477 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1478 unsigned char nonce_counter[16],
1479 unsigned char stream_block[16],
1480 const unsigned char *input,
1481 unsigned char *output )
1482{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1483 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1484 size_t n;
1485
1486 AES_VALIDATE_RET( ctx != NULL );
1487 AES_VALIDATE_RET( nc_off != NULL );
1488 AES_VALIDATE_RET( nonce_counter != NULL );
1489 AES_VALIDATE_RET( stream_block != NULL );
1490 AES_VALIDATE_RET( input != NULL );
1491 AES_VALIDATE_RET( output != NULL );
1492
1493 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1494
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1495 if ( n > 0x0F )
1496 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1497
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1498 while( length-- )
1499 {
1500 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1501 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1502
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1503 for( i = 16; i > 0; i-- )
1504 if( ++nonce_counter[i - 1] != 0 )
1505 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1506 }
1507 c = *input++;
1508 *output++ = (unsigned char)( c ^ stream_block[n] );
1509
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1510 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1511 }
1512
1513 *nc_off = n;
1514
1515 return( 0 );
1516}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1517#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1519#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1521#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522/*
1523 * AES test vectors from:
1524 *
1525 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1526 */
1527static const unsigned char aes_test_ecb_dec[3][16] =
1528{
1529 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1530 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1531 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1532 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1533 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1534 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1535};
1536
1537static const unsigned char aes_test_ecb_enc[3][16] =
1538{
1539 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1540 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1541 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1542 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1543 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1544 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1545};
1546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1547#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1548static const unsigned char aes_test_cbc_dec[3][16] =
1549{
1550 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1551 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1552 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1553 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1554 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1555 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1556};
1557
1558static const unsigned char aes_test_cbc_enc[3][16] =
1559{
1560 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1561 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1562 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1563 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1564 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1565 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1566};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1567#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1568
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1569#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1570/*
1571 * AES-CFB128 test vectors from:
1572 *
1573 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1574 */
1575static const unsigned char aes_test_cfb128_key[3][32] =
1576{
1577 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1578 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1579 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1580 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1581 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1582 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1583 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1584 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1585 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1586};
1587
1588static const unsigned char aes_test_cfb128_iv[16] =
1589{
1590 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1591 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1592};
1593
1594static const unsigned char aes_test_cfb128_pt[64] =
1595{
1596 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1597 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1598 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1599 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1600 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1601 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1602 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1603 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1604};
1605
1606static const unsigned char aes_test_cfb128_ct[3][64] =
1607{
1608 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1609 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1610 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1611 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1612 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1613 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1614 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1615 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1616 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1617 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1618 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1619 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1620 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1621 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1622 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1623 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1624 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1625 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1626 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1627 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1628 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1629 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1630 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1631 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1632};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1633#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1634
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1635#if defined(MBEDTLS_CIPHER_MODE_OFB)
1636/*
1637 * AES-OFB test vectors from:
1638 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1639 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1640 */
1641static const unsigned char aes_test_ofb_key[3][32] =
1642{
1643 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1644 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1645 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1646 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1647 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1648 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1649 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1650 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1651 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1652};
1653
1654static const unsigned char aes_test_ofb_iv[16] =
1655{
1656 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1657 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1658};
1659
1660static const unsigned char aes_test_ofb_pt[64] =
1661{
1662 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1663 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1664 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1665 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1666 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1667 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1668 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1669 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1670};
1671
1672static const unsigned char aes_test_ofb_ct[3][64] =
1673{
1674 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1675 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1676 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1677 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1678 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1679 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1680 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1681 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1682 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1683 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1684 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1685 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1686 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1687 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1688 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1689 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1690 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1691 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1692 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1693 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1694 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1695 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1696 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1697 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1698};
1699#endif /* MBEDTLS_CIPHER_MODE_OFB */
1700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1701#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1702/*
1703 * AES-CTR test vectors from:
1704 *
1705 * http://www.faqs.org/rfcs/rfc3686.html
1706 */
1707
1708static const unsigned char aes_test_ctr_key[3][16] =
1709{
1710 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1711 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1712 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1713 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1714 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1715 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1716};
1717
1718static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1719{
1720 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1721 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1722 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1723 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1724 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1725 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1726};
1727
1728static const unsigned char aes_test_ctr_pt[3][48] =
1729{
1730 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1731 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1732
1733 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1734 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1735 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1736 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1737
1738 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1739 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1740 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1741 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1742 0x20, 0x21, 0x22, 0x23 }
1743};
1744
1745static const unsigned char aes_test_ctr_ct[3][48] =
1746{
1747 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1748 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1749 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1750 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1751 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1752 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1753 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1754 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1755 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1756 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1757 0x25, 0xB2, 0x07, 0x2F }
1758};
1759
1760static const int aes_test_ctr_len[3] =
1761 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1762#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1763
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1764#if defined(MBEDTLS_CIPHER_MODE_XTS)
1765/*
1766 * AES-XTS test vectors from:
1767 *
1768 * IEEE P1619/D16 Annex B
1769 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1770 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1771 */
1772static const unsigned char aes_test_xts_key[][32] =
1773{
1774 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1778 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1779 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1780 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1781 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1782 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1783 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1784 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1785 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1786};
1787
1788static const unsigned char aes_test_xts_pt32[][32] =
1789{
1790 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1791 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1792 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1794 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1795 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1796 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1797 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1798 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1799 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1800 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1801 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1802};
1803
1804static const unsigned char aes_test_xts_ct32[][32] =
1805{
1806 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1807 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1808 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1809 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1810 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1811 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1812 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1813 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1814 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1815 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1816 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1817 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1818};
1819
1820static const unsigned char aes_test_xts_data_unit[][16] =
1821{
1822 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1823 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1824 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1826 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1827 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1828};
1829
1830#endif /* MBEDTLS_CIPHER_MODE_XTS */
1831
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832/*
1833 * Checkup routine
1834 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1835int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1837 int ret = 0, i, j, u, mode;
1838 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839 unsigned char key[32];
1840 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1841 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1842#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1843 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1844#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1845#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1846 unsigned char prv[16];
1847#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1848#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1849 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1850 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1851#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1852#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1853 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1854#endif
1855#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1856 unsigned char nonce_counter[16];
1857 unsigned char stream_block[16];
1858#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1859 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860
1861 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1862 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1863
1864 /*
1865 * ECB mode
1866 */
1867 for( i = 0; i < 6; i++ )
1868 {
1869 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1870 keybits = 128 + u * 64;
1871 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1872
1873 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1874 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1875 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876
1877 memset( buf, 0, 16 );
1878
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1879 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1880 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1881 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1882 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1883 }
1884 else
1885 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1886 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1887 aes_tests = aes_test_ecb_enc[u];
1888 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1890 /*
1891 * AES-192 is an optional feature that may be unavailable when
1892 * there is an alternative underlying implementation i.e. when
1893 * MBEDTLS_AES_ALT is defined.
1894 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1895 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1896 {
1897 mbedtls_printf( "skipped\n" );
1898 continue;
1899 }
1900 else if( ret != 0 )
1901 {
1902 goto exit;
1903 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1905 for( j = 0; j < 10000; j++ )
1906 {
1907 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1908 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1909 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1910 }
1911
1912 if( memcmp( buf, aes_tests, 16 ) != 0 )
1913 {
1914 ret = 1;
1915 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1916 }
1917
1918 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1919 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1920 }
1921
1922 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1923 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1924
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1925#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1926 /*
1927 * CBC mode
1928 */
1929 for( i = 0; i < 6; i++ )
1930 {
1931 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1932 keybits = 128 + u * 64;
1933 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1934
1935 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1936 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1937 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1938
1939 memset( iv , 0, 16 );
1940 memset( prv, 0, 16 );
1941 memset( buf, 0, 16 );
1942
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1943 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1944 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1945 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1946 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1947 }
1948 else
1949 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1950 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1951 aes_tests = aes_test_cbc_enc[u];
1952 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1954 /*
1955 * AES-192 is an optional feature that may be unavailable when
1956 * there is an alternative underlying implementation i.e. when
1957 * MBEDTLS_AES_ALT is defined.
1958 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1959 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1960 {
1961 mbedtls_printf( "skipped\n" );
1962 continue;
1963 }
1964 else if( ret != 0 )
1965 {
1966 goto exit;
1967 }
1968
1969 for( j = 0; j < 10000; j++ )
1970 {
1971 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1972 {
1973 unsigned char tmp[16];
1974
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975 memcpy( tmp, prv, 16 );
1976 memcpy( prv, buf, 16 );
1977 memcpy( buf, tmp, 16 );
1978 }
1979
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1980 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1981 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1982 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1983
1984 }
1985
1986 if( memcmp( buf, aes_tests, 16 ) != 0 )
1987 {
1988 ret = 1;
1989 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1990 }
1991
1992 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1993 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1994 }
1995
1996 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1997 mbedtls_printf( "\n" );
1998#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1999
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2000#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2001 /*
2002 * CFB128 mode
2003 */
2004 for( i = 0; i < 6; i++ )
2005 {
2006 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2007 keybits = 128 + u * 64;
2008 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009
2010 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2011 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2012 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2013
2014 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2015 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016
2017 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2018 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2019 /*
2020 * AES-192 is an optional feature that may be unavailable when
2021 * there is an alternative underlying implementation i.e. when
2022 * MBEDTLS_AES_ALT is defined.
2023 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2024 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2025 {
2026 mbedtls_printf( "skipped\n" );
2027 continue;
2028 }
2029 else if( ret != 0 )
2030 {
2031 goto exit;
2032 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2033
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2034 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2035 {
2036 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2037 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2038 }
2039 else
2040 {
2041 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2042 aes_tests = aes_test_cfb128_ct[u];
2043 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2044
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2045 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2046 if( ret != 0 )
2047 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2048
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2049 if( memcmp( buf, aes_tests, 64 ) != 0 )
2050 {
2051 ret = 1;
2052 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2053 }
2054
2055 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2056 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2057 }
2058
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2059 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2060 mbedtls_printf( "\n" );
2061#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2062
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2063#if defined(MBEDTLS_CIPHER_MODE_OFB)
2064 /*
2065 * OFB mode
2066 */
2067 for( i = 0; i < 6; i++ )
2068 {
2069 u = i >> 1;
2070 keybits = 128 + u * 64;
2071 mode = i & 1;
2072
2073 if( verbose != 0 )
2074 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2075 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2076
2077 memcpy( iv, aes_test_ofb_iv, 16 );
2078 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2079
2080 offset = 0;
2081 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2082 /*
2083 * AES-192 is an optional feature that may be unavailable when
2084 * there is an alternative underlying implementation i.e. when
2085 * MBEDTLS_AES_ALT is defined.
2086 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2087 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2088 {
2089 mbedtls_printf( "skipped\n" );
2090 continue;
2091 }
2092 else if( ret != 0 )
2093 {
2094 goto exit;
2095 }
2096
2097 if( mode == MBEDTLS_AES_DECRYPT )
2098 {
2099 memcpy( buf, aes_test_ofb_ct[u], 64 );
2100 aes_tests = aes_test_ofb_pt;
2101 }
2102 else
2103 {
2104 memcpy( buf, aes_test_ofb_pt, 64 );
2105 aes_tests = aes_test_ofb_ct[u];
2106 }
2107
2108 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2109 if( ret != 0 )
2110 goto exit;
2111
2112 if( memcmp( buf, aes_tests, 64 ) != 0 )
2113 {
2114 ret = 1;
2115 goto exit;
2116 }
2117
2118 if( verbose != 0 )
2119 mbedtls_printf( "passed\n" );
2120 }
2121
2122 if( verbose != 0 )
2123 mbedtls_printf( "\n" );
2124#endif /* MBEDTLS_CIPHER_MODE_OFB */
2125
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2126#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2127 /*
2128 * CTR mode
2129 */
2130 for( i = 0; i < 6; i++ )
2131 {
2132 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2133 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2134
2135 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2136 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2137 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2138
2139 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2140 memcpy( key, aes_test_ctr_key[u], 16 );
2141
2142 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2143 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2144 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2145
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2146 len = aes_test_ctr_len[u];
2147
2148 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2149 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2150 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2151 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2152 }
2153 else
2154 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2155 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2156 aes_tests = aes_test_ctr_ct[u];
2157 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2158
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2159 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2160 stream_block, buf, buf );
2161 if( ret != 0 )
2162 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2163
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2164 if( memcmp( buf, aes_tests, len ) != 0 )
2165 {
2166 ret = 1;
2167 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2168 }
2169
2170 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2171 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2172 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2173
2174 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2175 mbedtls_printf( "\n" );
2176#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2177
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2178#if defined(MBEDTLS_CIPHER_MODE_XTS)
2179 {
2180 static const int num_tests =
2181 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2182 mbedtls_aes_xts_context ctx_xts;
2183
2184 /*
2185 * XTS mode
2186 */
2187 mbedtls_aes_xts_init( &ctx_xts );
2188
2189 for( i = 0; i < num_tests << 1; i++ )
2190 {
2191 const unsigned char *data_unit;
2192 u = i >> 1;
2193 mode = i & 1;
2194
2195 if( verbose != 0 )
2196 mbedtls_printf( " AES-XTS-128 (%s): ",
2197 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2198
2199 memset( key, 0, sizeof( key ) );
2200 memcpy( key, aes_test_xts_key[u], 32 );
2201 data_unit = aes_test_xts_data_unit[u];
2202
2203 len = sizeof( *aes_test_xts_ct32 );
2204
2205 if( mode == MBEDTLS_AES_DECRYPT )
2206 {
2207 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2208 if( ret != 0)
2209 goto exit;
2210 memcpy( buf, aes_test_xts_ct32[u], len );
2211 aes_tests = aes_test_xts_pt32[u];
2212 }
2213 else
2214 {
2215 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2216 if( ret != 0)
2217 goto exit;
2218 memcpy( buf, aes_test_xts_pt32[u], len );
2219 aes_tests = aes_test_xts_ct32[u];
2220 }
2221
2222
2223 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2224 buf, buf );
2225 if( ret != 0 )
2226 goto exit;
2227
2228 if( memcmp( buf, aes_tests, len ) != 0 )
2229 {
2230 ret = 1;
2231 goto exit;
2232 }
2233
2234 if( verbose != 0 )
2235 mbedtls_printf( "passed\n" );
2236 }
2237
2238 if( verbose != 0 )
2239 mbedtls_printf( "\n" );
2240
2241 mbedtls_aes_xts_free( &ctx_xts );
2242 }
2243#endif /* MBEDTLS_CIPHER_MODE_XTS */
2244
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2245 ret = 0;
2246
2247exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2248 if( ret != 0 && verbose != 0 )
2249 mbedtls_printf( "failed\n" );
2250
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2251 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2252
2253 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2254}
2255
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2256#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2258#endif /* MBEDTLS_AES_C */