TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6a5063149756e1d5d12b0497867f5c22aaa8100e / . / library / aes.c
blob: 7a44a78408835b3ab9d7d9dfb403875a92551bbd [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Chris Jones16dbaeb2021-03-09 17:47:55 +0000[diff] [blame]37#include "padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Chris Jones187782f2021-03-09 17:28:35 +0000[diff] [blame]40#include "aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
55#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]57#define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]60#if defined(MBEDTLS_PADLOCK_C) && \
61 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]62static int aes_padlock_ace = -1;
63#endif
64
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]65#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66/*
67 * Forward S-box
68 */
69static const unsigned char FSb[256] =
70{
71 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
72 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
73 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
74 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
75 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
76 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
77 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
78 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
79 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
80 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
81 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
82 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
83 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
84 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
85 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
86 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
87 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
88 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
89 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
90 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
91 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
92 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
93 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
94 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
95 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
96 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
97 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
98 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
99 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
100 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
101 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
102 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
103};
104
105/*
106 * Forward tables
107 */
108#define FT \
109\
110 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
111 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
112 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
113 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
114 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
115 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
116 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
117 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
118 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
119 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
120 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
121 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
122 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
123 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
124 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
125 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
126 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
127 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
128 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
129 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
130 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
131 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
132 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
133 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
134 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
135 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
136 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
137 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
138 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
139 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
140 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
141 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
142 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
143 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
144 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
145 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
146 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
147 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
148 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
149 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
150 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
151 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
152 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
153 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
154 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
155 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
156 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
157 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
158 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
159 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
160 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
161 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
162 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
163 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
164 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
165 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
166 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
167 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
168 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
169 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
170 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
171 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
172 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
173 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
174
175#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]176static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]177#undef V
178
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]179#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]180
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]181#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]182static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]183#undef V
184
185#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]186static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]187#undef V
188
189#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]190static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]191#undef V
192
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]193#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]194
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]195#undef FT
196
197/*
198 * Reverse S-box
199 */
200static const unsigned char RSb[256] =
201{
202 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
203 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
204 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
206 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
207 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
209 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
210 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
211 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
212 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
213 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
214 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
215 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
216 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
217 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
218 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
219 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
220 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
221 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
222 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
223 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
224 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
225 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
227 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
228 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
229 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
230 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
231 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
233 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
234};
235
236/*
237 * Reverse tables
238 */
239#define RT \
240\
241 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
242 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
243 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
244 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
245 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
246 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
247 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
248 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
249 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
250 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
251 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
252 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
253 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
254 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
255 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
256 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
257 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
258 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
259 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
260 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
261 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
262 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
263 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
264 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
265 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
266 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
267 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
268 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
269 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
270 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
271 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
272 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
273 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
274 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
275 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
276 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
277 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
278 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
279 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
280 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
281 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
282 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
283 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
284 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
285 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
286 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
287 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
288 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
289 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
290 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
291 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
292 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
293 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
294 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
295 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
296 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
297 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
298 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
299 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
300 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
301 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
302 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
303 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
304 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
305
306#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]307static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]308#undef V
309
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]310#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]311
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]313static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]314#undef V
315
316#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]317static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318#undef V
319
320#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]321static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]322#undef V
323
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]324#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]325
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326#undef RT
327
328/*
329 * Round constants
330 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]331static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]332{
333 0x00000001, 0x00000002, 0x00000004, 0x00000008,
334 0x00000010, 0x00000020, 0x00000040, 0x00000080,
335 0x0000001B, 0x00000036
336};
337
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]338#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339
340/*
341 * Forward S-box & tables
342 */
343static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]344static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]345#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]346static uint32_t FT1[256];
347static uint32_t FT2[256];
348static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]349#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350
351/*
352 * Reverse S-box & tables
353 */
354static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]355static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]356#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]357static uint32_t RT1[256];
358static uint32_t RT2[256];
359static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]360#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361
362/*
363 * Round constants
364 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]365static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366
367/*
368 * Tables generation code
369 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]370#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
371#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]372#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374static int aes_init_done = 0;
375
376static void aes_gen_tables( void )
377{
378 int i, x, y, z;
379 int pow[256];
380 int log[256];
381
382 /*
383 * compute pow and log tables over GF(2^8)
384 */
385 for( i = 0, x = 1; i < 256; i++ )
386 {
387 pow[i] = x;
388 log[x] = i;
389 x = ( x ^ XTIME( x ) ) & 0xFF;
390 }
391
392 /*
393 * calculate the round constants
394 */
395 for( i = 0, x = 1; i < 10; i++ )
396 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]397 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]398 x = XTIME( x ) & 0xFF;
399 }
400
401 /*
402 * generate the forward and reverse S-boxes
403 */
404 FSb[0x00] = 0x63;
405 RSb[0x63] = 0x00;
406
407 for( i = 1; i < 256; i++ )
408 {
409 x = pow[255 - log[i]];
410
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]411 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
412 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
413 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
414 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415 x ^= y ^ 0x63;
416
417 FSb[i] = (unsigned char) x;
418 RSb[x] = (unsigned char) i;
419 }
420
421 /*
422 * generate the forward and reverse tables
423 */
424 for( i = 0; i < 256; i++ )
425 {
426 x = FSb[i];
427 y = XTIME( x ) & 0xFF;
428 z = ( y ^ x ) & 0xFF;
429
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]430 FT0[i] = ( (uint32_t) y ) ^
431 ( (uint32_t) x << 8 ) ^
432 ( (uint32_t) x << 16 ) ^
433 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]435#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 FT1[i] = ROTL8( FT0[i] );
437 FT2[i] = ROTL8( FT1[i] );
438 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]439#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440
441 x = RSb[i];
442
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]443 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
444 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
445 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
446 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]448#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]449 RT1[i] = ROTL8( RT0[i] );
450 RT2[i] = ROTL8( RT1[i] );
451 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]452#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453 }
454}
455
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]456#undef ROTL8
457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]458#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]460#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]461
462#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
463#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
464#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
465
466#define AES_RT0(idx) RT0[idx]
467#define AES_RT1(idx) ROTL8( RT0[idx] )
468#define AES_RT2(idx) ROTL16( RT0[idx] )
469#define AES_RT3(idx) ROTL24( RT0[idx] )
470
471#define AES_FT0(idx) FT0[idx]
472#define AES_FT1(idx) ROTL8( FT0[idx] )
473#define AES_FT2(idx) ROTL16( FT0[idx] )
474#define AES_FT3(idx) ROTL24( FT0[idx] )
475
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]476#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]477
478#define AES_RT0(idx) RT0[idx]
479#define AES_RT1(idx) RT1[idx]
480#define AES_RT2(idx) RT2[idx]
481#define AES_RT3(idx) RT3[idx]
482
483#define AES_FT0(idx) FT0[idx]
484#define AES_FT1(idx) FT1[idx]
485#define AES_FT2(idx) FT2[idx]
486#define AES_FT3(idx) FT3[idx]
487
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]488#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]490void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]491{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]492 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]494 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]495}
496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]497void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]498{
499 if( ctx == NULL )
500 return;
501
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]502 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]503}
504
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]505#if defined(MBEDTLS_CIPHER_MODE_XTS)
506void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
507{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]508 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]509
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]510 mbedtls_aes_init( &ctx->crypt );
511 mbedtls_aes_init( &ctx->tweak );
512}
513
514void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
515{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]516 if( ctx == NULL )
517 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]518
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]519 mbedtls_aes_free( &ctx->crypt );
520 mbedtls_aes_free( &ctx->tweak );
521}
522#endif /* MBEDTLS_CIPHER_MODE_XTS */
523
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]524/*
525 * AES key schedule (encryption)
526 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]527#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]528int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]529 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]530{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]531 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]532 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]533
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]534 AES_VALIDATE_RET( ctx != NULL );
535 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]536
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]537 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538 {
539 case 128: ctx->nr = 10; break;
540 case 192: ctx->nr = 12; break;
541 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]542 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]543 }
544
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]545#if !defined(MBEDTLS_AES_ROM_TABLES)
546 if( aes_init_done == 0 )
547 {
548 aes_gen_tables();
549 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]550 }
551#endif
552
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]553#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]554 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]555 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]556
557 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]558 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]559 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]561 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]563#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]564 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]565 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]566#endif
567
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]568 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]569 {
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame^]570 RK[i] = MBEDTLS_GET_UINT32_LE( key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 }
572
573 switch( ctx->nr )
574 {
575 case 10:
576
577 for( i = 0; i < 10; i++, RK += 4 )
578 {
579 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]580 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
581 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
582 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
583 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]584
585 RK[5] = RK[1] ^ RK[4];
586 RK[6] = RK[2] ^ RK[5];
587 RK[7] = RK[3] ^ RK[6];
588 }
589 break;
590
591 case 12:
592
593 for( i = 0; i < 8; i++, RK += 6 )
594 {
595 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]596 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
597 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
598 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
599 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600
601 RK[7] = RK[1] ^ RK[6];
602 RK[8] = RK[2] ^ RK[7];
603 RK[9] = RK[3] ^ RK[8];
604 RK[10] = RK[4] ^ RK[9];
605 RK[11] = RK[5] ^ RK[10];
606 }
607 break;
608
609 case 14:
610
611 for( i = 0; i < 7; i++, RK += 8 )
612 {
613 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]614 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
615 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
616 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
617 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618
619 RK[9] = RK[1] ^ RK[8];
620 RK[10] = RK[2] ^ RK[9];
621 RK[11] = RK[3] ^ RK[10];
622
623 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]624 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
625 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
626 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
627 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]628
629 RK[13] = RK[5] ^ RK[12];
630 RK[14] = RK[6] ^ RK[13];
631 RK[15] = RK[7] ^ RK[14];
632 }
633 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]635
636 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]638#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]639
640/*
641 * AES key schedule (decryption)
642 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]643#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]644int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]645 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]647 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]648 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]649 uint32_t *RK;
650 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]651
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]652 AES_VALIDATE_RET( ctx != NULL );
653 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]655 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]658 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]659 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]660
661 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]662 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]663 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]665 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]667 /* Also checks keybits */
668 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]669 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]670
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]671 ctx->nr = cty.nr;
672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]674 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]675 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]676 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]677 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]678 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]679 }
680#endif
681
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]682 SK = cty.rk + cty.nr * 4;
683
684 *RK++ = *SK++;
685 *RK++ = *SK++;
686 *RK++ = *SK++;
687 *RK++ = *SK++;
688
689 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
690 {
691 for( j = 0; j < 4; j++, SK++ )
692 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]693 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
694 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
695 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
696 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]697 }
698 }
699
700 *RK++ = *SK++;
701 *RK++ = *SK++;
702 *RK++ = *SK++;
703 *RK++ = *SK++;
704
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]705exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]706 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]707
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]708 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]709}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]710#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]711
712#if defined(MBEDTLS_CIPHER_MODE_XTS)
713static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
714 unsigned int keybits,
715 const unsigned char **key1,
716 unsigned int *key1bits,
717 const unsigned char **key2,
718 unsigned int *key2bits )
719{
720 const unsigned int half_keybits = keybits / 2;
721 const unsigned int half_keybytes = half_keybits / 8;
722
723 switch( keybits )
724 {
725 case 256: break;
726 case 512: break;
727 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
728 }
729
730 *key1bits = half_keybits;
731 *key2bits = half_keybits;
732 *key1 = &key[0];
733 *key2 = &key[half_keybytes];
734
735 return 0;
736}
737
738int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
739 const unsigned char *key,
740 unsigned int keybits)
741{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]742 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]743 const unsigned char *key1, *key2;
744 unsigned int key1bits, key2bits;
745
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]746 AES_VALIDATE_RET( ctx != NULL );
747 AES_VALIDATE_RET( key != NULL );
748
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]749 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
750 &key2, &key2bits );
751 if( ret != 0 )
752 return( ret );
753
754 /* Set the tweak key. Always set tweak key for the encryption mode. */
755 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
756 if( ret != 0 )
757 return( ret );
758
759 /* Set crypt key for encryption. */
760 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
761}
762
763int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
764 const unsigned char *key,
765 unsigned int keybits)
766{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]767 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]768 const unsigned char *key1, *key2;
769 unsigned int key1bits, key2bits;
770
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]771 AES_VALIDATE_RET( ctx != NULL );
772 AES_VALIDATE_RET( key != NULL );
773
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]774 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
775 &key2, &key2bits );
776 if( ret != 0 )
777 return( ret );
778
779 /* Set the tweak key. Always set tweak key for encryption. */
780 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
781 if( ret != 0 )
782 return( ret );
783
784 /* Set crypt key for decryption. */
785 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
786}
787#endif /* MBEDTLS_CIPHER_MODE_XTS */
788
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]789#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
790 do \
791 { \
792 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
793 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
794 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
795 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
796 \
797 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
798 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
799 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
800 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
801 \
802 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
803 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
804 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
805 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
806 \
807 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
808 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
809 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
810 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
811 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]813#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
814 do \
815 { \
816 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
817 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
818 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
819 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
820 \
821 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
822 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
823 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
824 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
825 \
826 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
827 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
828 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
829 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
830 \
831 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
832 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
833 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
834 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
835 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836
837/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]838 * AES-ECB block encryption
839 */
840#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]841int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
842 const unsigned char input[16],
843 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]844{
845 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]846 uint32_t *RK = ctx->rk;
847 struct
848 {
849 uint32_t X[4];
850 uint32_t Y[4];
851 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]852
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame^]853 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
854 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
855 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
856 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]857
858 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
859 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]860 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
861 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]862 }
863
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]864 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]865
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]866 t.X[0] = *RK++ ^ \
867 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
868 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
869 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
870 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]871
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]872 t.X[1] = *RK++ ^ \
873 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
874 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
875 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
876 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]877
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]878 t.X[2] = *RK++ ^ \
879 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
880 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
881 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
882 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]883
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]884 t.X[3] = *RK++ ^ \
885 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
886 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
887 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
888 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]889
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]890 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
891 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
892 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
893 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]894
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]895 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]896
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]897 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]898}
899#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
900
901/*
902 * AES-ECB block decryption
903 */
904#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]905int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
906 const unsigned char input[16],
907 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]908{
909 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]910 uint32_t *RK = ctx->rk;
911 struct
912 {
913 uint32_t X[4];
914 uint32_t Y[4];
915 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]916
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame^]917 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
918 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
919 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
920 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]921
922 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
923 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]924 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
925 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]926 }
927
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]928 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]929
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]930 t.X[0] = *RK++ ^ \
931 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
932 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
933 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
934 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]935
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]936 t.X[1] = *RK++ ^ \
937 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
938 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
939 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
940 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]941
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]942 t.X[2] = *RK++ ^ \
943 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
944 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
945 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
946 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]947
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]948 t.X[3] = *RK++ ^ \
949 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
950 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
951 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
952 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]953
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]954 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
955 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
956 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
957 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]958
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]959 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]960
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]961 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]962}
963#endif /* !MBEDTLS_AES_DECRYPT_ALT */
964
965/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]966 * AES-ECB block encryption/decryption
967 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]968int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]969 int mode,
970 const unsigned char input[16],
971 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]972{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]973 AES_VALIDATE_RET( ctx != NULL );
974 AES_VALIDATE_RET( input != NULL );
975 AES_VALIDATE_RET( output != NULL );
976 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
977 mode == MBEDTLS_AES_DECRYPT );
978
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]979#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]980 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]981 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]982#endif
983
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]984#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]985 if( aes_padlock_ace > 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]986 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]987 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]988 return( 0 );
989
990 // If padlock data misaligned, we just fall back to
991 // unaccelerated mode
992 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]993 }
994#endif
995
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]996 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]997 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]998 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]999 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1000}
1001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1003/*
1004 * AES-CBC buffer encryption/decryption
1005 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1006int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1008 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1009 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1010 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011 unsigned char *output )
1012{
1013 int i;
1014 unsigned char temp[16];
1015
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1016 AES_VALIDATE_RET( ctx != NULL );
1017 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1018 mode == MBEDTLS_AES_DECRYPT );
1019 AES_VALIDATE_RET( iv != NULL );
1020 AES_VALIDATE_RET( input != NULL );
1021 AES_VALIDATE_RET( output != NULL );
1022
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1023 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1024 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1026#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]1027 if( aes_padlock_ace > 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1028 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1030 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1031
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1032 // If padlock data misaligned, we just fall back to
1033 // unaccelerated mode
1034 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1035 }
1036#endif
1037
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1038 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039 {
1040 while( length > 0 )
1041 {
1042 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044
1045 for( i = 0; i < 16; i++ )
1046 output[i] = (unsigned char)( output[i] ^ iv[i] );
1047
1048 memcpy( iv, temp, 16 );
1049
1050 input += 16;
1051 output += 16;
1052 length -= 16;
1053 }
1054 }
1055 else
1056 {
1057 while( length > 0 )
1058 {
1059 for( i = 0; i < 16; i++ )
1060 output[i] = (unsigned char)( input[i] ^ iv[i] );
1061
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063 memcpy( iv, output, 16 );
1064
1065 input += 16;
1066 output += 16;
1067 length -= 16;
1068 }
1069 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1070
1071 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1073#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1075#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1076
1077/* Endianess with 64 bits values */
1078#ifndef GET_UINT64_LE
1079#define GET_UINT64_LE(n,b,i) \
1080{ \
1081 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1082 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1083 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1084 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1085 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1086 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1087 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1088 | ( (uint64_t) (b)[(i) ] ); \
1089}
1090#endif
1091
1092#ifndef PUT_UINT64_LE
1093#define PUT_UINT64_LE(n,b,i) \
1094{ \
1095 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1096 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1097 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1098 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1099 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1100 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1101 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1102 (b)[(i) ] = (unsigned char) ( (n) ); \
1103}
1104#endif
1105
1106typedef unsigned char mbedtls_be128[16];
1107
1108/*
1109 * GF(2^128) multiplication function
1110 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1111 * This function multiplies a field element by x in the polynomial field
1112 * representation. It uses 64-bit word operations to gain speed but compensates
1113 * for machine endianess and hence works correctly on both big and little
1114 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1115 */
1116static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1117 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1118{
1119 uint64_t a, b, ra, rb;
1120
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1121 GET_UINT64_LE( a, x, 0 );
1122 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1123
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1124 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1125 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1126
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1127 PUT_UINT64_LE( ra, r, 0 );
1128 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1129}
1130
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1131/*
1132 * AES-XTS buffer encryption/decryption
1133 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1134int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1135 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1136 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1137 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1138 const unsigned char *input,
1139 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1140{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1141 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1142 size_t blocks = length / 16;
1143 size_t leftover = length % 16;
1144 unsigned char tweak[16];
1145 unsigned char prev_tweak[16];
1146 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1147
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1148 AES_VALIDATE_RET( ctx != NULL );
1149 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1150 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1151 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1152 AES_VALIDATE_RET( input != NULL );
1153 AES_VALIDATE_RET( output != NULL );
1154
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1155 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1156 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1157 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1158
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1159 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1160 if( length > ( 1 << 20 ) * 16 )
1161 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1162
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1163 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1164 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1165 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1166 if( ret != 0 )
1167 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1168
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1169 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1170 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1171 size_t i;
1172
1173 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1174 {
1175 /* We are on the last block in a decrypt operation that has
1176 * leftover bytes, so we need to use the next tweak for this block,
1177 * and this tweak for the lefover bytes. Save the current tweak for
1178 * the leftovers and then update the current tweak for use on this,
1179 * the last full block. */
1180 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1181 mbedtls_gf128mul_x_ble( tweak, tweak );
1182 }
1183
1184 for( i = 0; i < 16; i++ )
1185 tmp[i] = input[i] ^ tweak[i];
1186
1187 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1188 if( ret != 0 )
1189 return( ret );
1190
1191 for( i = 0; i < 16; i++ )
1192 output[i] = tmp[i] ^ tweak[i];
1193
1194 /* Update the tweak for the next block. */
1195 mbedtls_gf128mul_x_ble( tweak, tweak );
1196
1197 output += 16;
1198 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1199 }
1200
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1201 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1202 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1203 /* If we are on the leftover bytes in a decrypt operation, we need to
1204 * use the previous tweak for these bytes (as saved in prev_tweak). */
1205 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1206
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1207 /* We are now on the final part of the data unit, which doesn't divide
1208 * evenly by 16. It's time for ciphertext stealing. */
1209 size_t i;
1210 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1211
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1212 /* Copy ciphertext bytes from the previous block to our output for each
1213 * byte of cyphertext we won't steal. At the same time, copy the
1214 * remainder of the input for this final round (since the loop bounds
1215 * are the same). */
1216 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1217 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1218 output[i] = prev_output[i];
1219 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1220 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1221
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1222 /* Copy ciphertext bytes from the previous block for input in this
1223 * round. */
1224 for( ; i < 16; i++ )
1225 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1226
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1227 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1228 if( ret != 0 )
1229 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1230
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1231 /* Write the result back to the previous block, overriding the previous
1232 * output we copied. */
1233 for( i = 0; i < 16; i++ )
1234 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1235 }
1236
1237 return( 0 );
1238}
1239#endif /* MBEDTLS_CIPHER_MODE_XTS */
1240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1241#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1242/*
1243 * AES-CFB128 buffer encryption/decryption
1244 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1245int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1246 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1247 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1248 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1249 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1250 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251 unsigned char *output )
1252{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1253 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1254 size_t n;
1255
1256 AES_VALIDATE_RET( ctx != NULL );
1257 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1258 mode == MBEDTLS_AES_DECRYPT );
1259 AES_VALIDATE_RET( iv_off != NULL );
1260 AES_VALIDATE_RET( iv != NULL );
1261 AES_VALIDATE_RET( input != NULL );
1262 AES_VALIDATE_RET( output != NULL );
1263
1264 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1265
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1266 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1267 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1268
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1269 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1270 {
1271 while( length-- )
1272 {
1273 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1274 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1275
1276 c = *input++;
1277 *output++ = (unsigned char)( c ^ iv[n] );
1278 iv[n] = (unsigned char) c;
1279
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1280 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1281 }
1282 }
1283 else
1284 {
1285 while( length-- )
1286 {
1287 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1288 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289
1290 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1291
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1292 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293 }
1294 }
1295
1296 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1297
1298 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1300
1301/*
1302 * AES-CFB8 buffer encryption/decryption
1303 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1304int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1305 int mode,
1306 size_t length,
1307 unsigned char iv[16],
1308 const unsigned char *input,
1309 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1310{
1311 unsigned char c;
1312 unsigned char ov[17];
1313
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1314 AES_VALIDATE_RET( ctx != NULL );
1315 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1316 mode == MBEDTLS_AES_DECRYPT );
1317 AES_VALIDATE_RET( iv != NULL );
1318 AES_VALIDATE_RET( input != NULL );
1319 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1320 while( length-- )
1321 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1322 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1323 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1324
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1325 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1326 ov[16] = *input;
1327
1328 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1329
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1330 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1331 ov[16] = c;
1332
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1333 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1334 }
1335
1336 return( 0 );
1337}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1338#endif /* MBEDTLS_CIPHER_MODE_CFB */
1339
1340#if defined(MBEDTLS_CIPHER_MODE_OFB)
1341/*
1342 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1343 */
1344int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1345 size_t length,
1346 size_t *iv_off,
1347 unsigned char iv[16],
1348 const unsigned char *input,
1349 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1350{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1351 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1352 size_t n;
1353
1354 AES_VALIDATE_RET( ctx != NULL );
1355 AES_VALIDATE_RET( iv_off != NULL );
1356 AES_VALIDATE_RET( iv != NULL );
1357 AES_VALIDATE_RET( input != NULL );
1358 AES_VALIDATE_RET( output != NULL );
1359
1360 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1361
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1362 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1363 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1364
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1365 while( length-- )
1366 {
1367 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1368 {
1369 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1370 if( ret != 0 )
1371 goto exit;
1372 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1373 *output++ = *input++ ^ iv[n];
1374
1375 n = ( n + 1 ) & 0x0F;
1376 }
1377
1378 *iv_off = n;
1379
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1380exit:
1381 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1382}
1383#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1385#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1386/*
1387 * AES-CTR buffer encryption/decryption
1388 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1389int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1390 size_t length,
1391 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1392 unsigned char nonce_counter[16],
1393 unsigned char stream_block[16],
1394 const unsigned char *input,
1395 unsigned char *output )
1396{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1397 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1398 size_t n;
1399
1400 AES_VALIDATE_RET( ctx != NULL );
1401 AES_VALIDATE_RET( nc_off != NULL );
1402 AES_VALIDATE_RET( nonce_counter != NULL );
1403 AES_VALIDATE_RET( stream_block != NULL );
1404 AES_VALIDATE_RET( input != NULL );
1405 AES_VALIDATE_RET( output != NULL );
1406
1407 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1408
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1409 if ( n > 0x0F )
1410 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1411
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1412 while( length-- )
1413 {
1414 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1415 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1416
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1417 for( i = 16; i > 0; i-- )
1418 if( ++nonce_counter[i - 1] != 0 )
1419 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1420 }
1421 c = *input++;
1422 *output++ = (unsigned char)( c ^ stream_block[n] );
1423
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1424 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1425 }
1426
1427 *nc_off = n;
1428
1429 return( 0 );
1430}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1431#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1432
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1433#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1434
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1435#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1436/*
1437 * AES test vectors from:
1438 *
1439 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1440 */
1441static const unsigned char aes_test_ecb_dec[3][16] =
1442{
1443 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1444 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1445 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1446 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1447 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1448 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1449};
1450
1451static const unsigned char aes_test_ecb_enc[3][16] =
1452{
1453 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1454 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1455 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1456 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1457 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1458 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1459};
1460
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1461#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1462static const unsigned char aes_test_cbc_dec[3][16] =
1463{
1464 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1465 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1466 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1467 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1468 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1469 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1470};
1471
1472static const unsigned char aes_test_cbc_enc[3][16] =
1473{
1474 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1475 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1476 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1477 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1478 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1479 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1480};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1481#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1483#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1484/*
1485 * AES-CFB128 test vectors from:
1486 *
1487 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1488 */
1489static const unsigned char aes_test_cfb128_key[3][32] =
1490{
1491 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1492 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1493 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1494 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1495 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1496 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1497 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1498 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1499 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1500};
1501
1502static const unsigned char aes_test_cfb128_iv[16] =
1503{
1504 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1505 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1506};
1507
1508static const unsigned char aes_test_cfb128_pt[64] =
1509{
1510 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1511 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1512 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1513 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1514 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1515 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1516 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1517 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1518};
1519
1520static const unsigned char aes_test_cfb128_ct[3][64] =
1521{
1522 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1523 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1524 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1525 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1526 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1527 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1528 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1529 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1530 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1531 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1532 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1533 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1534 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1535 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1536 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1537 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1538 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1539 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1540 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1541 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1542 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1543 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1544 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1545 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1546};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1547#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1548
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1549#if defined(MBEDTLS_CIPHER_MODE_OFB)
1550/*
1551 * AES-OFB test vectors from:
1552 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1553 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1554 */
1555static const unsigned char aes_test_ofb_key[3][32] =
1556{
1557 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1558 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1559 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1560 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1561 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1562 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1563 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1564 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1565 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1566};
1567
1568static const unsigned char aes_test_ofb_iv[16] =
1569{
1570 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1571 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1572};
1573
1574static const unsigned char aes_test_ofb_pt[64] =
1575{
1576 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1577 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1578 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1579 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1580 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1581 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1582 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1583 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1584};
1585
1586static const unsigned char aes_test_ofb_ct[3][64] =
1587{
1588 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1589 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1590 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1591 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1592 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1593 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1594 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1595 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1596 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1597 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1598 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1599 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1600 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1601 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1602 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1603 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1604 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1605 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1606 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1607 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1608 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1609 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1610 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1611 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1612};
1613#endif /* MBEDTLS_CIPHER_MODE_OFB */
1614
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1615#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1616/*
1617 * AES-CTR test vectors from:
1618 *
1619 * http://www.faqs.org/rfcs/rfc3686.html
1620 */
1621
1622static const unsigned char aes_test_ctr_key[3][16] =
1623{
1624 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1625 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1626 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1627 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1628 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1629 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1630};
1631
1632static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1633{
1634 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1636 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1637 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1638 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1639 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1640};
1641
1642static const unsigned char aes_test_ctr_pt[3][48] =
1643{
1644 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1645 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1646
1647 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1648 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1649 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1650 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1651
1652 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1653 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1654 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1655 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1656 0x20, 0x21, 0x22, 0x23 }
1657};
1658
1659static const unsigned char aes_test_ctr_ct[3][48] =
1660{
1661 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1662 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1663 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1664 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1665 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1666 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1667 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1668 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1669 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1670 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1671 0x25, 0xB2, 0x07, 0x2F }
1672};
1673
1674static const int aes_test_ctr_len[3] =
1675 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1676#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1677
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1678#if defined(MBEDTLS_CIPHER_MODE_XTS)
1679/*
1680 * AES-XTS test vectors from:
1681 *
1682 * IEEE P1619/D16 Annex B
1683 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1684 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1685 */
1686static const unsigned char aes_test_xts_key[][32] =
1687{
1688 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1692 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1693 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1694 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1695 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1696 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1697 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1698 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1699 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1700};
1701
1702static const unsigned char aes_test_xts_pt32[][32] =
1703{
1704 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1708 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1709 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1710 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1711 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1712 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1713 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1714 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1715 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1716};
1717
1718static const unsigned char aes_test_xts_ct32[][32] =
1719{
1720 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1721 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1722 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1723 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1724 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1725 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1726 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1727 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1728 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1729 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1730 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1731 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1732};
1733
1734static const unsigned char aes_test_xts_data_unit[][16] =
1735{
1736 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1737 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1738 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1739 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1740 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1742};
1743
1744#endif /* MBEDTLS_CIPHER_MODE_XTS */
1745
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1746/*
1747 * Checkup routine
1748 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1749int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1750{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1751 int ret = 0, i, j, u, mode;
1752 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1753 unsigned char key[32];
1754 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1755 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1756#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1757 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1758#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1759#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1760 unsigned char prv[16];
1761#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1762#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1763 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1764 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1765#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1766#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1767 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1768#endif
1769#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1770 unsigned char nonce_counter[16];
1771 unsigned char stream_block[16];
1772#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1773 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1774
1775 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1776 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1777
1778 /*
1779 * ECB mode
1780 */
1781 for( i = 0; i < 6; i++ )
1782 {
1783 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1784 keybits = 128 + u * 64;
1785 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1786
1787 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1788 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1789 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790
1791 memset( buf, 0, 16 );
1792
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1793 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1794 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1795 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1796 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1797 }
1798 else
1799 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1800 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1801 aes_tests = aes_test_ecb_enc[u];
1802 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1803
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1804 /*
1805 * AES-192 is an optional feature that may be unavailable when
1806 * there is an alternative underlying implementation i.e. when
1807 * MBEDTLS_AES_ALT is defined.
1808 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1809 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1810 {
1811 mbedtls_printf( "skipped\n" );
1812 continue;
1813 }
1814 else if( ret != 0 )
1815 {
1816 goto exit;
1817 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1818
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1819 for( j = 0; j < 10000; j++ )
1820 {
1821 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1822 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1823 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1824 }
1825
1826 if( memcmp( buf, aes_tests, 16 ) != 0 )
1827 {
1828 ret = 1;
1829 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1830 }
1831
1832 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1833 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1834 }
1835
1836 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1837 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1838
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1839#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1840 /*
1841 * CBC mode
1842 */
1843 for( i = 0; i < 6; i++ )
1844 {
1845 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1846 keybits = 128 + u * 64;
1847 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1848
1849 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1850 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1851 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852
1853 memset( iv , 0, 16 );
1854 memset( prv, 0, 16 );
1855 memset( buf, 0, 16 );
1856
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1857 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1858 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1859 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1860 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1861 }
1862 else
1863 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1864 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1865 aes_tests = aes_test_cbc_enc[u];
1866 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1867
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1868 /*
1869 * AES-192 is an optional feature that may be unavailable when
1870 * there is an alternative underlying implementation i.e. when
1871 * MBEDTLS_AES_ALT is defined.
1872 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1873 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1874 {
1875 mbedtls_printf( "skipped\n" );
1876 continue;
1877 }
1878 else if( ret != 0 )
1879 {
1880 goto exit;
1881 }
1882
1883 for( j = 0; j < 10000; j++ )
1884 {
1885 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886 {
1887 unsigned char tmp[16];
1888
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889 memcpy( tmp, prv, 16 );
1890 memcpy( prv, buf, 16 );
1891 memcpy( buf, tmp, 16 );
1892 }
1893
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1894 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1895 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1896 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1897
1898 }
1899
1900 if( memcmp( buf, aes_tests, 16 ) != 0 )
1901 {
1902 ret = 1;
1903 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904 }
1905
1906 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1907 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1908 }
1909
1910 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1911 mbedtls_printf( "\n" );
1912#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1913
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1914#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915 /*
1916 * CFB128 mode
1917 */
1918 for( i = 0; i < 6; i++ )
1919 {
1920 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1921 keybits = 128 + u * 64;
1922 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923
1924 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1925 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1926 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1927
1928 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1929 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930
1931 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1932 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1933 /*
1934 * AES-192 is an optional feature that may be unavailable when
1935 * there is an alternative underlying implementation i.e. when
1936 * MBEDTLS_AES_ALT is defined.
1937 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1938 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1939 {
1940 mbedtls_printf( "skipped\n" );
1941 continue;
1942 }
1943 else if( ret != 0 )
1944 {
1945 goto exit;
1946 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1947
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1948 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1949 {
1950 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1951 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1952 }
1953 else
1954 {
1955 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1956 aes_tests = aes_test_cfb128_ct[u];
1957 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1958
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1959 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1960 if( ret != 0 )
1961 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1962
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1963 if( memcmp( buf, aes_tests, 64 ) != 0 )
1964 {
1965 ret = 1;
1966 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967 }
1968
1969 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1970 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971 }
1972
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1973 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1974 mbedtls_printf( "\n" );
1975#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1976
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1977#if defined(MBEDTLS_CIPHER_MODE_OFB)
1978 /*
1979 * OFB mode
1980 */
1981 for( i = 0; i < 6; i++ )
1982 {
1983 u = i >> 1;
1984 keybits = 128 + u * 64;
1985 mode = i & 1;
1986
1987 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1988 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1989 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1990
1991 memcpy( iv, aes_test_ofb_iv, 16 );
1992 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1993
1994 offset = 0;
1995 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1996 /*
1997 * AES-192 is an optional feature that may be unavailable when
1998 * there is an alternative underlying implementation i.e. when
1999 * MBEDTLS_AES_ALT is defined.
2000 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2001 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2002 {
2003 mbedtls_printf( "skipped\n" );
2004 continue;
2005 }
2006 else if( ret != 0 )
2007 {
2008 goto exit;
2009 }
2010
2011 if( mode == MBEDTLS_AES_DECRYPT )
2012 {
2013 memcpy( buf, aes_test_ofb_ct[u], 64 );
2014 aes_tests = aes_test_ofb_pt;
2015 }
2016 else
2017 {
2018 memcpy( buf, aes_test_ofb_pt, 64 );
2019 aes_tests = aes_test_ofb_ct[u];
2020 }
2021
2022 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2023 if( ret != 0 )
2024 goto exit;
2025
2026 if( memcmp( buf, aes_tests, 64 ) != 0 )
2027 {
2028 ret = 1;
2029 goto exit;
2030 }
2031
2032 if( verbose != 0 )
2033 mbedtls_printf( "passed\n" );
2034 }
2035
2036 if( verbose != 0 )
2037 mbedtls_printf( "\n" );
2038#endif /* MBEDTLS_CIPHER_MODE_OFB */
2039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2040#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2041 /*
2042 * CTR mode
2043 */
2044 for( i = 0; i < 6; i++ )
2045 {
2046 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2047 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2048
2049 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2050 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2051 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2052
2053 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2054 memcpy( key, aes_test_ctr_key[u], 16 );
2055
2056 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2057 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2058 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2059
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2060 len = aes_test_ctr_len[u];
2061
2062 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2063 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2064 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2065 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2066 }
2067 else
2068 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2069 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2070 aes_tests = aes_test_ctr_ct[u];
2071 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2072
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2073 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2074 stream_block, buf, buf );
2075 if( ret != 0 )
2076 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2077
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2078 if( memcmp( buf, aes_tests, len ) != 0 )
2079 {
2080 ret = 1;
2081 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2082 }
2083
2084 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2085 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2086 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2087
2088 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2089 mbedtls_printf( "\n" );
2090#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2091
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2092#if defined(MBEDTLS_CIPHER_MODE_XTS)
2093 {
2094 static const int num_tests =
2095 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2096 mbedtls_aes_xts_context ctx_xts;
2097
2098 /*
2099 * XTS mode
2100 */
2101 mbedtls_aes_xts_init( &ctx_xts );
2102
2103 for( i = 0; i < num_tests << 1; i++ )
2104 {
2105 const unsigned char *data_unit;
2106 u = i >> 1;
2107 mode = i & 1;
2108
2109 if( verbose != 0 )
2110 mbedtls_printf( " AES-XTS-128 (%s): ",
2111 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2112
2113 memset( key, 0, sizeof( key ) );
2114 memcpy( key, aes_test_xts_key[u], 32 );
2115 data_unit = aes_test_xts_data_unit[u];
2116
2117 len = sizeof( *aes_test_xts_ct32 );
2118
2119 if( mode == MBEDTLS_AES_DECRYPT )
2120 {
2121 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2122 if( ret != 0)
2123 goto exit;
2124 memcpy( buf, aes_test_xts_ct32[u], len );
2125 aes_tests = aes_test_xts_pt32[u];
2126 }
2127 else
2128 {
2129 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2130 if( ret != 0)
2131 goto exit;
2132 memcpy( buf, aes_test_xts_pt32[u], len );
2133 aes_tests = aes_test_xts_ct32[u];
2134 }
2135
2136
2137 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2138 buf, buf );
2139 if( ret != 0 )
2140 goto exit;
2141
2142 if( memcmp( buf, aes_tests, len ) != 0 )
2143 {
2144 ret = 1;
2145 goto exit;
2146 }
2147
2148 if( verbose != 0 )
2149 mbedtls_printf( "passed\n" );
2150 }
2151
2152 if( verbose != 0 )
2153 mbedtls_printf( "\n" );
2154
2155 mbedtls_aes_xts_free( &ctx_xts );
2156 }
2157#endif /* MBEDTLS_CIPHER_MODE_XTS */
2158
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2159 ret = 0;
2160
2161exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2162 if( ret != 0 && verbose != 0 )
2163 mbedtls_printf( "failed\n" );
2164
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2165 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2166
2167 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2168}
2169
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2170#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2171
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2172#endif /* MBEDTLS_AES_C */