TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / d6028a1894ed9675769b13ae619a0ea6d937882b / . / library / aes.c
blob: b2e346ec119579fc4e3d0536615dcff5ab76a9fc [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
225/*
226 * Reverse S-box
227 */
228static const unsigned char RSb[256] =
229{
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262};
263
264/*
265 * Reverse tables
266 */
267#define RT \
268\
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
333
334#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]335static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336#undef V
337
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]338#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]339
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]341static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342#undef V
343
344#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346#undef V
347
348#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350#undef V
351
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]352#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]353
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef RT
355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360{
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
364};
365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368/*
369 * Forward S-box & tables
370 */
371static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]372static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]373#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]374static uint32_t FT1[256];
375static uint32_t FT2[256];
376static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378
379/*
380 * Reverse S-box & tables
381 */
382static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]383static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]384#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]385static uint32_t RT1[256];
386static uint32_t RT2[256];
387static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]388#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Round constants
392 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]393static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394
395/*
396 * Tables generation code
397 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame^]398#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
399#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
400#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[x]+log[y]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401
402static int aes_init_done = 0;
403
404static void aes_gen_tables( void )
405{
406 int i, x, y, z;
407 int pow[256];
408 int log[256];
409
410 /*
411 * compute pow and log tables over GF(2^8)
412 */
413 for( i = 0, x = 1; i < 256; i++ )
414 {
415 pow[i] = x;
416 log[x] = i;
417 x = ( x ^ XTIME( x ) ) & 0xFF;
418 }
419
420 /*
421 * calculate the round constants
422 */
423 for( i = 0, x = 1; i < 10; i++ )
424 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]425 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426 x = XTIME( x ) & 0xFF;
427 }
428
429 /*
430 * generate the forward and reverse S-boxes
431 */
432 FSb[0x00] = 0x63;
433 RSb[0x63] = 0x00;
434
435 for( i = 1; i < 256; i++ )
436 {
437 x = pow[255 - log[i]];
438
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 x ^= y ^ 0x63;
444
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
447 }
448
449 /*
450 * generate the forward and reverse tables
451 */
452 for( i = 0; i < 256; i++ )
453 {
454 x = FSb[i];
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
457
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]463#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]467#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469 x = RSb[i];
470
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]476#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]480#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 }
482}
483
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484#undef ROTL8
485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
490#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
493
494#define AES_RT0(idx) RT0[idx]
495#define AES_RT1(idx) ROTL8( RT0[idx] )
496#define AES_RT2(idx) ROTL16( RT0[idx] )
497#define AES_RT3(idx) ROTL24( RT0[idx] )
498
499#define AES_FT0(idx) FT0[idx]
500#define AES_FT1(idx) ROTL8( FT0[idx] )
501#define AES_FT2(idx) ROTL16( FT0[idx] )
502#define AES_FT3(idx) ROTL24( FT0[idx] )
503
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]504#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) RT1[idx]
508#define AES_RT2(idx) RT2[idx]
509#define AES_RT3(idx) RT3[idx]
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) FT1[idx]
513#define AES_FT2(idx) FT2[idx]
514#define AES_FT3(idx) FT3[idx]
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]518void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]519{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]520 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523}
524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526{
527 if( ctx == NULL )
528 return;
529
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531}
532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533#if defined(MBEDTLS_CIPHER_MODE_XTS)
534void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
535{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]536 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
540}
541
542void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
543{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]544 if( ctx == NULL )
545 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]547 mbedtls_aes_free( &ctx->crypt );
548 mbedtls_aes_free( &ctx->tweak );
549}
550#endif /* MBEDTLS_CIPHER_MODE_XTS */
551
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552/*
553 * AES key schedule (encryption)
554 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]555#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]557 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]559 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]560 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]562 AES_VALIDATE_RET( ctx != NULL );
563 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]565 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 {
567 case 128: ctx->nr = 10; break;
568 case 192: ctx->nr = 12; break;
569 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 }
572
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573#if !defined(MBEDTLS_AES_ROM_TABLES)
574 if( aes_init_done == 0 )
575 {
576 aes_gen_tables();
577 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]578 }
579#endif
580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]583 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584
585 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]587 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]589 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]591#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]592 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]593 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]594#endif
595
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]596 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]598 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599 }
600
601 switch( ctx->nr )
602 {
603 case 10:
604
605 for( i = 0; i < 10; i++, RK += 4 )
606 {
607 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]608 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
609 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
611 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612
613 RK[5] = RK[1] ^ RK[4];
614 RK[6] = RK[2] ^ RK[5];
615 RK[7] = RK[3] ^ RK[6];
616 }
617 break;
618
619 case 12:
620
621 for( i = 0; i < 8; i++, RK += 6 )
622 {
623 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]624 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
625 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
627 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]628
629 RK[7] = RK[1] ^ RK[6];
630 RK[8] = RK[2] ^ RK[7];
631 RK[9] = RK[3] ^ RK[8];
632 RK[10] = RK[4] ^ RK[9];
633 RK[11] = RK[5] ^ RK[10];
634 }
635 break;
636
637 case 14:
638
639 for( i = 0; i < 7; i++, RK += 8 )
640 {
641 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]642 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
643 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
645 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646
647 RK[9] = RK[1] ^ RK[8];
648 RK[10] = RK[2] ^ RK[9];
649 RK[11] = RK[3] ^ RK[10];
650
651 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]652 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
653 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]656
657 RK[13] = RK[5] ^ RK[12];
658 RK[14] = RK[6] ^ RK[13];
659 RK[15] = RK[7] ^ RK[14];
660 }
661 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]663
664 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667
668/*
669 * AES key schedule (decryption)
670 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]671#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]672int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]673 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]675 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]676 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 uint32_t *RK;
678 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]679
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]680 AES_VALIDATE_RET( ctx != NULL );
681 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]683 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688
689 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]691 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]693 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]695 /* Also checks keybits */
696 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]697 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]698
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]699 ctx->nr = cty.nr;
700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]702 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]703 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]704 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]705 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]706 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]707 }
708#endif
709
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 SK = cty.rk + cty.nr * 4;
711
712 *RK++ = *SK++;
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716
717 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
718 {
719 for( j = 0; j < 4; j++, SK++ )
720 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]721 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
722 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
723 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
724 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]725 }
726 }
727
728 *RK++ = *SK++;
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]733exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]734 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]735
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]736 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]737}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]738
739#if defined(MBEDTLS_CIPHER_MODE_XTS)
740static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
741 unsigned int keybits,
742 const unsigned char **key1,
743 unsigned int *key1bits,
744 const unsigned char **key2,
745 unsigned int *key2bits )
746{
747 const unsigned int half_keybits = keybits / 2;
748 const unsigned int half_keybytes = half_keybits / 8;
749
750 switch( keybits )
751 {
752 case 256: break;
753 case 512: break;
754 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
755 }
756
757 *key1bits = half_keybits;
758 *key2bits = half_keybits;
759 *key1 = &key[0];
760 *key2 = &key[half_keybytes];
761
762 return 0;
763}
764
765int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
766 const unsigned char *key,
767 unsigned int keybits)
768{
769 int ret;
770 const unsigned char *key1, *key2;
771 unsigned int key1bits, key2bits;
772
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]773 AES_VALIDATE_RET( ctx != NULL );
774 AES_VALIDATE_RET( key != NULL );
775
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
777 &key2, &key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set the tweak key. Always set tweak key for the encryption mode. */
782 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
783 if( ret != 0 )
784 return( ret );
785
786 /* Set crypt key for encryption. */
787 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
788}
789
790int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
791 const unsigned char *key,
792 unsigned int keybits)
793{
794 int ret;
795 const unsigned char *key1, *key2;
796 unsigned int key1bits, key2bits;
797
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]798 AES_VALIDATE_RET( ctx != NULL );
799 AES_VALIDATE_RET( key != NULL );
800
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
802 &key2, &key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set the tweak key. Always set tweak key for encryption. */
807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
808 if( ret != 0 )
809 return( ret );
810
811 /* Set crypt key for decryption. */
812 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
813}
814#endif /* MBEDTLS_CIPHER_MODE_XTS */
815
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]816#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]817
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame^]818#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
819 do \
820 { \
821 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
822 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
823 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
824 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
825 \
826 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
827 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
828 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
829 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
830 \
831 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
832 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
833 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
834 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
835 \
836 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
837 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
838 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
839 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
840 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]841
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame^]842#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
843 do \
844 { \
845 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
846 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
847 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
848 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
849 \
850 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
851 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
852 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
853 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
854 \
855 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
856 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
857 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
858 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
859 \
860 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
861 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
862 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
863 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
864 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]865
866/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]867 * AES-ECB block encryption
868 */
869#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]870int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
871 const unsigned char input[16],
872 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]873{
874 int i;
875 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
876
877 RK = ctx->rk;
878
879 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
880 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
881 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
882 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
883
884 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
885 {
886 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
887 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
888 }
889
890 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
891
892 X0 = *RK++ ^ \
893 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
894 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
895 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
896 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
897
898 X1 = *RK++ ^ \
899 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
900 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
901 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
902 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
903
904 X2 = *RK++ ^ \
905 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
906 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
907 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
908 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
909
910 X3 = *RK++ ^ \
911 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
912 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
913 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
914 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
915
916 PUT_UINT32_LE( X0, output, 0 );
917 PUT_UINT32_LE( X1, output, 4 );
918 PUT_UINT32_LE( X2, output, 8 );
919 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]920
921 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]922}
923#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
924
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]925#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]926void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
927 const unsigned char input[16],
928 unsigned char output[16] )
929{
930 mbedtls_internal_aes_encrypt( ctx, input, output );
931}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]932#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]933
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]934/*
935 * AES-ECB block decryption
936 */
937#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]938int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
939 const unsigned char input[16],
940 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]941{
942 int i;
943 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
944
945 RK = ctx->rk;
946
947 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
948 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
949 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
950 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
951
952 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
953 {
954 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
955 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
956 }
957
958 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
959
960 X0 = *RK++ ^ \
961 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
962 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
963 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
964 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
965
966 X1 = *RK++ ^ \
967 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
968 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
969 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
970 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
971
972 X2 = *RK++ ^ \
973 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
974 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
975 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
976 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
977
978 X3 = *RK++ ^ \
979 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
980 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
981 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
982 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
983
984 PUT_UINT32_LE( X0, output, 0 );
985 PUT_UINT32_LE( X1, output, 4 );
986 PUT_UINT32_LE( X2, output, 8 );
987 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]988
989 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]990}
991#endif /* !MBEDTLS_AES_DECRYPT_ALT */
992
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]993#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]994void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
995 const unsigned char input[16],
996 unsigned char output[16] )
997{
998 mbedtls_internal_aes_decrypt( ctx, input, output );
999}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1000#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1001
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1002/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1003 * AES-ECB block encryption/decryption
1004 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1005int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1006 int mode,
1007 const unsigned char input[16],
1008 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1009{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1010 AES_VALIDATE_RET( ctx != NULL );
1011 AES_VALIDATE_RET( input != NULL );
1012 AES_VALIDATE_RET( output != NULL );
1013 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1014 mode == MBEDTLS_AES_DECRYPT );
1015
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1016#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1017 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1018 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1019#endif
1020
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1021#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1022 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1023 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1024 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1025 return( 0 );
1026
1027 // If padlock data misaligned, we just fall back to
1028 // unaccelerated mode
1029 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030 }
1031#endif
1032
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1033 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1034 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1035 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1036 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1037}
1038
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1040/*
1041 * AES-CBC buffer encryption/decryption
1042 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1045 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1046 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1047 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1048 unsigned char *output )
1049{
1050 int i;
1051 unsigned char temp[16];
1052
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1053 AES_VALIDATE_RET( ctx != NULL );
1054 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1055 mode == MBEDTLS_AES_DECRYPT );
1056 AES_VALIDATE_RET( iv != NULL );
1057 AES_VALIDATE_RET( input != NULL );
1058 AES_VALIDATE_RET( output != NULL );
1059
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1060 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1061 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1062
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1063#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1064 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1065 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1067 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1068
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1069 // If padlock data misaligned, we just fall back to
1070 // unaccelerated mode
1071 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072 }
1073#endif
1074
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1075 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076 {
1077 while( length > 0 )
1078 {
1079 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1080 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081
1082 for( i = 0; i < 16; i++ )
1083 output[i] = (unsigned char)( output[i] ^ iv[i] );
1084
1085 memcpy( iv, temp, 16 );
1086
1087 input += 16;
1088 output += 16;
1089 length -= 16;
1090 }
1091 }
1092 else
1093 {
1094 while( length > 0 )
1095 {
1096 for( i = 0; i < 16; i++ )
1097 output[i] = (unsigned char)( input[i] ^ iv[i] );
1098
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1099 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100 memcpy( iv, output, 16 );
1101
1102 input += 16;
1103 output += 16;
1104 length -= 16;
1105 }
1106 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1107
1108 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1110#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1112#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1113
1114/* Endianess with 64 bits values */
1115#ifndef GET_UINT64_LE
1116#define GET_UINT64_LE(n,b,i) \
1117{ \
1118 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1119 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1120 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1121 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1122 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1123 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1124 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1125 | ( (uint64_t) (b)[(i) ] ); \
1126}
1127#endif
1128
1129#ifndef PUT_UINT64_LE
1130#define PUT_UINT64_LE(n,b,i) \
1131{ \
1132 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1133 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1134 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1135 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1136 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1137 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1138 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1139 (b)[(i) ] = (unsigned char) ( (n) ); \
1140}
1141#endif
1142
1143typedef unsigned char mbedtls_be128[16];
1144
1145/*
1146 * GF(2^128) multiplication function
1147 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1148 * This function multiplies a field element by x in the polynomial field
1149 * representation. It uses 64-bit word operations to gain speed but compensates
1150 * for machine endianess and hence works correctly on both big and little
1151 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1152 */
1153static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1154 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1155{
1156 uint64_t a, b, ra, rb;
1157
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1158 GET_UINT64_LE( a, x, 0 );
1159 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1160
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1161 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1162 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1163
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1164 PUT_UINT64_LE( ra, r, 0 );
1165 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1166}
1167
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1168/*
1169 * AES-XTS buffer encryption/decryption
1170 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1171int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1172 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1173 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1174 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1175 const unsigned char *input,
1176 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1177{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1178 int ret;
1179 size_t blocks = length / 16;
1180 size_t leftover = length % 16;
1181 unsigned char tweak[16];
1182 unsigned char prev_tweak[16];
1183 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1184
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1185 AES_VALIDATE_RET( ctx != NULL );
1186 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1187 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1188 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1189 AES_VALIDATE_RET( input != NULL );
1190 AES_VALIDATE_RET( output != NULL );
1191
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1192 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1193 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1194 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1195
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1196 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1197 if( length > ( 1 << 20 ) * 16 )
1198 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1199
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1200 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1201 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1202 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1203 if( ret != 0 )
1204 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1205
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1206 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1207 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1208 size_t i;
1209
1210 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1211 {
1212 /* We are on the last block in a decrypt operation that has
1213 * leftover bytes, so we need to use the next tweak for this block,
1214 * and this tweak for the lefover bytes. Save the current tweak for
1215 * the leftovers and then update the current tweak for use on this,
1216 * the last full block. */
1217 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1218 mbedtls_gf128mul_x_ble( tweak, tweak );
1219 }
1220
1221 for( i = 0; i < 16; i++ )
1222 tmp[i] = input[i] ^ tweak[i];
1223
1224 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1225 if( ret != 0 )
1226 return( ret );
1227
1228 for( i = 0; i < 16; i++ )
1229 output[i] = tmp[i] ^ tweak[i];
1230
1231 /* Update the tweak for the next block. */
1232 mbedtls_gf128mul_x_ble( tweak, tweak );
1233
1234 output += 16;
1235 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1236 }
1237
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1238 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1239 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1240 /* If we are on the leftover bytes in a decrypt operation, we need to
1241 * use the previous tweak for these bytes (as saved in prev_tweak). */
1242 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1243
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1244 /* We are now on the final part of the data unit, which doesn't divide
1245 * evenly by 16. It's time for ciphertext stealing. */
1246 size_t i;
1247 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1248
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1249 /* Copy ciphertext bytes from the previous block to our output for each
1250 * byte of cyphertext we won't steal. At the same time, copy the
1251 * remainder of the input for this final round (since the loop bounds
1252 * are the same). */
1253 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1254 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1255 output[i] = prev_output[i];
1256 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1257 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1258
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1259 /* Copy ciphertext bytes from the previous block for input in this
1260 * round. */
1261 for( ; i < 16; i++ )
1262 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1263
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1264 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1265 if( ret != 0 )
1266 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1267
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1268 /* Write the result back to the previous block, overriding the previous
1269 * output we copied. */
1270 for( i = 0; i < 16; i++ )
1271 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1272 }
1273
1274 return( 0 );
1275}
1276#endif /* MBEDTLS_CIPHER_MODE_XTS */
1277
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1278#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1279/*
1280 * AES-CFB128 buffer encryption/decryption
1281 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1282int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1283 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1284 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1285 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1287 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1288 unsigned char *output )
1289{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1290 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1291 size_t n;
1292
1293 AES_VALIDATE_RET( ctx != NULL );
1294 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1295 mode == MBEDTLS_AES_DECRYPT );
1296 AES_VALIDATE_RET( iv_off != NULL );
1297 AES_VALIDATE_RET( iv != NULL );
1298 AES_VALIDATE_RET( input != NULL );
1299 AES_VALIDATE_RET( output != NULL );
1300
1301 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1303 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1304 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1305
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1306 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307 {
1308 while( length-- )
1309 {
1310 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312
1313 c = *input++;
1314 *output++ = (unsigned char)( c ^ iv[n] );
1315 iv[n] = (unsigned char) c;
1316
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1317 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318 }
1319 }
1320 else
1321 {
1322 while( length-- )
1323 {
1324 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1325 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326
1327 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1328
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1329 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330 }
1331 }
1332
1333 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1334
1335 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1337
1338/*
1339 * AES-CFB8 buffer encryption/decryption
1340 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1341int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1342 int mode,
1343 size_t length,
1344 unsigned char iv[16],
1345 const unsigned char *input,
1346 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1347{
1348 unsigned char c;
1349 unsigned char ov[17];
1350
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1351 AES_VALIDATE_RET( ctx != NULL );
1352 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1353 mode == MBEDTLS_AES_DECRYPT );
1354 AES_VALIDATE_RET( iv != NULL );
1355 AES_VALIDATE_RET( input != NULL );
1356 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1357 while( length-- )
1358 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1359 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1360 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1361
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1362 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1363 ov[16] = *input;
1364
1365 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1367 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1368 ov[16] = c;
1369
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1370 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1371 }
1372
1373 return( 0 );
1374}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1375#endif /* MBEDTLS_CIPHER_MODE_CFB */
1376
1377#if defined(MBEDTLS_CIPHER_MODE_OFB)
1378/*
1379 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1380 */
1381int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1382 size_t length,
1383 size_t *iv_off,
1384 unsigned char iv[16],
1385 const unsigned char *input,
1386 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1387{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1388 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1389 size_t n;
1390
1391 AES_VALIDATE_RET( ctx != NULL );
1392 AES_VALIDATE_RET( iv_off != NULL );
1393 AES_VALIDATE_RET( iv != NULL );
1394 AES_VALIDATE_RET( input != NULL );
1395 AES_VALIDATE_RET( output != NULL );
1396
1397 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1398
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1399 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1400 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1401
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1402 while( length-- )
1403 {
1404 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1405 {
1406 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1407 if( ret != 0 )
1408 goto exit;
1409 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1410 *output++ = *input++ ^ iv[n];
1411
1412 n = ( n + 1 ) & 0x0F;
1413 }
1414
1415 *iv_off = n;
1416
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1417exit:
1418 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1419}
1420#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1421
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1422#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1423/*
1424 * AES-CTR buffer encryption/decryption
1425 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1426int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1427 size_t length,
1428 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1429 unsigned char nonce_counter[16],
1430 unsigned char stream_block[16],
1431 const unsigned char *input,
1432 unsigned char *output )
1433{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1434 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1435 size_t n;
1436
1437 AES_VALIDATE_RET( ctx != NULL );
1438 AES_VALIDATE_RET( nc_off != NULL );
1439 AES_VALIDATE_RET( nonce_counter != NULL );
1440 AES_VALIDATE_RET( stream_block != NULL );
1441 AES_VALIDATE_RET( input != NULL );
1442 AES_VALIDATE_RET( output != NULL );
1443
1444 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1445
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1446 if ( n > 0x0F )
1447 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1448
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1449 while( length-- )
1450 {
1451 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1452 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1453
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1454 for( i = 16; i > 0; i-- )
1455 if( ++nonce_counter[i - 1] != 0 )
1456 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1457 }
1458 c = *input++;
1459 *output++ = (unsigned char)( c ^ stream_block[n] );
1460
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1461 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1462 }
1463
1464 *nc_off = n;
1465
1466 return( 0 );
1467}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1468#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1470#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1471
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1472#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1473/*
1474 * AES test vectors from:
1475 *
1476 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1477 */
1478static const unsigned char aes_test_ecb_dec[3][16] =
1479{
1480 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1481 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1482 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1483 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1484 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1485 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1486};
1487
1488static const unsigned char aes_test_ecb_enc[3][16] =
1489{
1490 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1491 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1492 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1493 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1494 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1495 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1496};
1497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1498#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1499static const unsigned char aes_test_cbc_dec[3][16] =
1500{
1501 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1502 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1503 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1504 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1505 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1506 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1507};
1508
1509static const unsigned char aes_test_cbc_enc[3][16] =
1510{
1511 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1512 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1513 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1514 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1515 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1516 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1517};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1518#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1520#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1521/*
1522 * AES-CFB128 test vectors from:
1523 *
1524 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1525 */
1526static const unsigned char aes_test_cfb128_key[3][32] =
1527{
1528 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1529 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1530 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1531 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1532 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1533 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1534 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1535 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1536 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1537};
1538
1539static const unsigned char aes_test_cfb128_iv[16] =
1540{
1541 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1542 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1543};
1544
1545static const unsigned char aes_test_cfb128_pt[64] =
1546{
1547 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1548 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1549 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1550 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1551 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1552 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1553 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1554 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1555};
1556
1557static const unsigned char aes_test_cfb128_ct[3][64] =
1558{
1559 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1560 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1561 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1562 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1563 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1564 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1565 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1566 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1567 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1568 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1569 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1570 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1571 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1572 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1573 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1574 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1575 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1576 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1577 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1578 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1579 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1580 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1581 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1582 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1583};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1584#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1585
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1586#if defined(MBEDTLS_CIPHER_MODE_OFB)
1587/*
1588 * AES-OFB test vectors from:
1589 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1590 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1591 */
1592static const unsigned char aes_test_ofb_key[3][32] =
1593{
1594 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1595 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1596 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1597 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1598 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1599 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1600 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1601 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1602 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1603};
1604
1605static const unsigned char aes_test_ofb_iv[16] =
1606{
1607 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1608 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1609};
1610
1611static const unsigned char aes_test_ofb_pt[64] =
1612{
1613 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1614 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1615 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1616 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1617 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1618 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1619 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1620 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1621};
1622
1623static const unsigned char aes_test_ofb_ct[3][64] =
1624{
1625 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1626 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1627 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1628 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1629 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1630 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1631 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1632 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1633 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1634 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1635 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1636 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1637 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1638 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1639 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1640 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1641 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1642 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1643 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1644 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1645 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1646 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1647 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1648 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1649};
1650#endif /* MBEDTLS_CIPHER_MODE_OFB */
1651
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1652#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1653/*
1654 * AES-CTR test vectors from:
1655 *
1656 * http://www.faqs.org/rfcs/rfc3686.html
1657 */
1658
1659static const unsigned char aes_test_ctr_key[3][16] =
1660{
1661 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1662 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1663 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1664 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1665 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1666 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1667};
1668
1669static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1670{
1671 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1672 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1673 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1674 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1675 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1676 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1677};
1678
1679static const unsigned char aes_test_ctr_pt[3][48] =
1680{
1681 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1682 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1683
1684 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1685 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1686 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1687 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1688
1689 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1690 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1691 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1692 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1693 0x20, 0x21, 0x22, 0x23 }
1694};
1695
1696static const unsigned char aes_test_ctr_ct[3][48] =
1697{
1698 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1699 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1700 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1701 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1702 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1703 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1704 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1705 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1706 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1707 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1708 0x25, 0xB2, 0x07, 0x2F }
1709};
1710
1711static const int aes_test_ctr_len[3] =
1712 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1713#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1714
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1715#if defined(MBEDTLS_CIPHER_MODE_XTS)
1716/*
1717 * AES-XTS test vectors from:
1718 *
1719 * IEEE P1619/D16 Annex B
1720 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1721 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1722 */
1723static const unsigned char aes_test_xts_key[][32] =
1724{
1725 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1726 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1727 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1729 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1730 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1731 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1732 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1733 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1734 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1735 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1736 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1737};
1738
1739static const unsigned char aes_test_xts_pt32[][32] =
1740{
1741 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1745 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1746 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1747 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1748 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1749 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1750 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1751 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1752 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1753};
1754
1755static const unsigned char aes_test_xts_ct32[][32] =
1756{
1757 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1758 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1759 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1760 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1761 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1762 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1763 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1764 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1765 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1766 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1767 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1768 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1769};
1770
1771static const unsigned char aes_test_xts_data_unit[][16] =
1772{
1773 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1775 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1777 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1779};
1780
1781#endif /* MBEDTLS_CIPHER_MODE_XTS */
1782
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1783/*
1784 * Checkup routine
1785 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1786int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1788 int ret = 0, i, j, u, mode;
1789 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790 unsigned char key[32];
1791 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1792 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1793#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1794 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1795#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1796#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1797 unsigned char prv[16];
1798#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1799#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1800 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1801 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1802#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1803#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1804 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1805#endif
1806#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1807 unsigned char nonce_counter[16];
1808 unsigned char stream_block[16];
1809#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1810 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811
1812 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1813 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1814
1815 /*
1816 * ECB mode
1817 */
1818 for( i = 0; i < 6; i++ )
1819 {
1820 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1821 keybits = 128 + u * 64;
1822 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823
1824 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1825 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1826 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1827
1828 memset( buf, 0, 16 );
1829
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1830 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1831 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1832 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1833 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1834 }
1835 else
1836 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1837 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1838 aes_tests = aes_test_ecb_enc[u];
1839 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1840
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1841 /*
1842 * AES-192 is an optional feature that may be unavailable when
1843 * there is an alternative underlying implementation i.e. when
1844 * MBEDTLS_AES_ALT is defined.
1845 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1846 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1847 {
1848 mbedtls_printf( "skipped\n" );
1849 continue;
1850 }
1851 else if( ret != 0 )
1852 {
1853 goto exit;
1854 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1856 for( j = 0; j < 10000; j++ )
1857 {
1858 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1859 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1860 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1861 }
1862
1863 if( memcmp( buf, aes_tests, 16 ) != 0 )
1864 {
1865 ret = 1;
1866 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1867 }
1868
1869 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1870 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1871 }
1872
1873 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1874 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1875
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1876#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1877 /*
1878 * CBC mode
1879 */
1880 for( i = 0; i < 6; i++ )
1881 {
1882 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1883 keybits = 128 + u * 64;
1884 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885
1886 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1887 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1888 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889
1890 memset( iv , 0, 16 );
1891 memset( prv, 0, 16 );
1892 memset( buf, 0, 16 );
1893
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1894 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1895 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1896 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1897 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898 }
1899 else
1900 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1901 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1902 aes_tests = aes_test_cbc_enc[u];
1903 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1905 /*
1906 * AES-192 is an optional feature that may be unavailable when
1907 * there is an alternative underlying implementation i.e. when
1908 * MBEDTLS_AES_ALT is defined.
1909 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1910 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1911 {
1912 mbedtls_printf( "skipped\n" );
1913 continue;
1914 }
1915 else if( ret != 0 )
1916 {
1917 goto exit;
1918 }
1919
1920 for( j = 0; j < 10000; j++ )
1921 {
1922 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923 {
1924 unsigned char tmp[16];
1925
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1926 memcpy( tmp, prv, 16 );
1927 memcpy( prv, buf, 16 );
1928 memcpy( buf, tmp, 16 );
1929 }
1930
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1931 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1932 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1933 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1934
1935 }
1936
1937 if( memcmp( buf, aes_tests, 16 ) != 0 )
1938 {
1939 ret = 1;
1940 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1941 }
1942
1943 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1944 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1945 }
1946
1947 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1948 mbedtls_printf( "\n" );
1949#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1950
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1951#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1952 /*
1953 * CFB128 mode
1954 */
1955 for( i = 0; i < 6; i++ )
1956 {
1957 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1958 keybits = 128 + u * 64;
1959 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1960
1961 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1962 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1963 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1964
1965 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1966 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967
1968 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1969 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1970 /*
1971 * AES-192 is an optional feature that may be unavailable when
1972 * there is an alternative underlying implementation i.e. when
1973 * MBEDTLS_AES_ALT is defined.
1974 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1975 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1976 {
1977 mbedtls_printf( "skipped\n" );
1978 continue;
1979 }
1980 else if( ret != 0 )
1981 {
1982 goto exit;
1983 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1984
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1985 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1986 {
1987 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1988 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1989 }
1990 else
1991 {
1992 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1993 aes_tests = aes_test_cfb128_ct[u];
1994 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1995
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1996 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1997 if( ret != 0 )
1998 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1999
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2000 if( memcmp( buf, aes_tests, 64 ) != 0 )
2001 {
2002 ret = 1;
2003 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2004 }
2005
2006 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2007 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2008 }
2009
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2010 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2011 mbedtls_printf( "\n" );
2012#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2013
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2014#if defined(MBEDTLS_CIPHER_MODE_OFB)
2015 /*
2016 * OFB mode
2017 */
2018 for( i = 0; i < 6; i++ )
2019 {
2020 u = i >> 1;
2021 keybits = 128 + u * 64;
2022 mode = i & 1;
2023
2024 if( verbose != 0 )
2025 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2026 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2027
2028 memcpy( iv, aes_test_ofb_iv, 16 );
2029 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2030
2031 offset = 0;
2032 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2033 /*
2034 * AES-192 is an optional feature that may be unavailable when
2035 * there is an alternative underlying implementation i.e. when
2036 * MBEDTLS_AES_ALT is defined.
2037 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2038 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2039 {
2040 mbedtls_printf( "skipped\n" );
2041 continue;
2042 }
2043 else if( ret != 0 )
2044 {
2045 goto exit;
2046 }
2047
2048 if( mode == MBEDTLS_AES_DECRYPT )
2049 {
2050 memcpy( buf, aes_test_ofb_ct[u], 64 );
2051 aes_tests = aes_test_ofb_pt;
2052 }
2053 else
2054 {
2055 memcpy( buf, aes_test_ofb_pt, 64 );
2056 aes_tests = aes_test_ofb_ct[u];
2057 }
2058
2059 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2060 if( ret != 0 )
2061 goto exit;
2062
2063 if( memcmp( buf, aes_tests, 64 ) != 0 )
2064 {
2065 ret = 1;
2066 goto exit;
2067 }
2068
2069 if( verbose != 0 )
2070 mbedtls_printf( "passed\n" );
2071 }
2072
2073 if( verbose != 0 )
2074 mbedtls_printf( "\n" );
2075#endif /* MBEDTLS_CIPHER_MODE_OFB */
2076
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2077#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2078 /*
2079 * CTR mode
2080 */
2081 for( i = 0; i < 6; i++ )
2082 {
2083 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2084 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2085
2086 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2087 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2088 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2089
2090 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2091 memcpy( key, aes_test_ctr_key[u], 16 );
2092
2093 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2094 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2095 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2096
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2097 len = aes_test_ctr_len[u];
2098
2099 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2100 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2101 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2102 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2103 }
2104 else
2105 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2106 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2107 aes_tests = aes_test_ctr_ct[u];
2108 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2109
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2110 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2111 stream_block, buf, buf );
2112 if( ret != 0 )
2113 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2114
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2115 if( memcmp( buf, aes_tests, len ) != 0 )
2116 {
2117 ret = 1;
2118 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2119 }
2120
2121 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2122 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2123 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2124
2125 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2126 mbedtls_printf( "\n" );
2127#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2128
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2129#if defined(MBEDTLS_CIPHER_MODE_XTS)
2130 {
2131 static const int num_tests =
2132 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2133 mbedtls_aes_xts_context ctx_xts;
2134
2135 /*
2136 * XTS mode
2137 */
2138 mbedtls_aes_xts_init( &ctx_xts );
2139
2140 for( i = 0; i < num_tests << 1; i++ )
2141 {
2142 const unsigned char *data_unit;
2143 u = i >> 1;
2144 mode = i & 1;
2145
2146 if( verbose != 0 )
2147 mbedtls_printf( " AES-XTS-128 (%s): ",
2148 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2149
2150 memset( key, 0, sizeof( key ) );
2151 memcpy( key, aes_test_xts_key[u], 32 );
2152 data_unit = aes_test_xts_data_unit[u];
2153
2154 len = sizeof( *aes_test_xts_ct32 );
2155
2156 if( mode == MBEDTLS_AES_DECRYPT )
2157 {
2158 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2159 if( ret != 0)
2160 goto exit;
2161 memcpy( buf, aes_test_xts_ct32[u], len );
2162 aes_tests = aes_test_xts_pt32[u];
2163 }
2164 else
2165 {
2166 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2167 if( ret != 0)
2168 goto exit;
2169 memcpy( buf, aes_test_xts_pt32[u], len );
2170 aes_tests = aes_test_xts_ct32[u];
2171 }
2172
2173
2174 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2175 buf, buf );
2176 if( ret != 0 )
2177 goto exit;
2178
2179 if( memcmp( buf, aes_tests, len ) != 0 )
2180 {
2181 ret = 1;
2182 goto exit;
2183 }
2184
2185 if( verbose != 0 )
2186 mbedtls_printf( "passed\n" );
2187 }
2188
2189 if( verbose != 0 )
2190 mbedtls_printf( "\n" );
2191
2192 mbedtls_aes_xts_free( &ctx_xts );
2193 }
2194#endif /* MBEDTLS_CIPHER_MODE_XTS */
2195
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2196 ret = 0;
2197
2198exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2199 if( ret != 0 && verbose != 0 )
2200 mbedtls_printf( "failed\n" );
2201
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2202 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2203
2204 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205}
2206
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2207#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2208
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2209#endif /* MBEDTLS_AES_C */