TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / db09ef6d22f3043536910833c43faf425a7e0401 / . / library / aes.c
blob: 80e8134baf50ee5333ee440f74cbe3d7c04adfc4 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame^]28#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]31
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]32#include <string.h>
33
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]34#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]35#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]36#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]37#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]38#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]39#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]40#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]43#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#if defined(MBEDTLS_SELF_TEST)
46#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]47#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]48#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]49#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50#define mbedtls_printf printf
51#endif /* MBEDTLS_PLATFORM_C */
52#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]55
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]56/* Parameter validation macros based on platform_util.h */
57#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]58 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59#define AES_VALIDATE( cond ) \
60 MBEDTLS_INTERNAL_VALIDATE( cond )
61
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62/*
63 * 32-bit integer manipulation macros (little endian)
64 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]65#ifndef GET_UINT32_LE
66#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68 (n) = ( (uint32_t) (b)[(i) ] ) \
69 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
70 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
71 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72}
73#endif
74
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]75#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]76#define PUT_UINT32_LE(n,b,i) \
77{ \
78 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
79 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
80 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
81 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]82}
83#endif
84
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]85#if defined(MBEDTLS_PADLOCK_C) && \
86 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]87static int aes_padlock_ace = -1;
88#endif
89
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]90#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]91/*
92 * Forward S-box
93 */
94static const unsigned char FSb[256] =
95{
96 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
97 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
98 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
99 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
100 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
101 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
102 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
103 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
104 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
105 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
106 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
107 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
108 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
109 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
110 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
111 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
112 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
113 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
114 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
115 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
116 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
117 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
118 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
119 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
120 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
121 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
122 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
123 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
124 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
125 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
126 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
127 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
128};
129
130/*
131 * Forward tables
132 */
133#define FT \
134\
135 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
136 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
137 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
138 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
139 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
140 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
141 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
142 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
143 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
144 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
145 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
146 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
147 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
148 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
149 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
150 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
151 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
152 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
153 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
154 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
155 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
156 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
157 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
158 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
159 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
160 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
161 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
162 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
163 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
164 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
165 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
166 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
167 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
168 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
169 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
170 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
171 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
172 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
173 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
174 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
175 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
176 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
177 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
178 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
179 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
180 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
181 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
182 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
183 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
184 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
185 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
186 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
187 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
188 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
189 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
190 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
191 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
192 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
193 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
194 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
195 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
196 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
197 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
198 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
199
200#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]201static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]202#undef V
203
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]204#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]205
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]207static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208#undef V
209
210#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
214#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]215static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef V
217
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]218#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]219
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef FT
221
222/*
223 * Reverse S-box
224 */
225static const unsigned char RSb[256] =
226{
227 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
228 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
229 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
230 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
231 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
232 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
233 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
234 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
235 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
236 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
237 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
238 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
239 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
240 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
241 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
242 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
243 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
244 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
245 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
246 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
247 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
248 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
249 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
250 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
251 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
252 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
253 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
254 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
255 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
256 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
257 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
258 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
259};
260
261/*
262 * Reverse tables
263 */
264#define RT \
265\
266 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
267 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
268 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
269 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
270 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
271 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
272 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
273 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
274 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
275 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
276 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
277 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
278 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
279 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
280 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
281 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
282 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
283 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
284 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
285 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
286 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
287 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
288 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
289 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
290 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
291 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
292 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
293 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
294 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
295 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
296 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
297 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
298 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
299 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
300 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
301 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
302 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
303 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
304 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
305 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
306 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
307 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
308 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
309 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
310 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
311 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
312 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
313 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
314 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
315 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
316 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
317 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
318 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
319 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
320 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
321 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
322 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
323 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
324 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
325 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
326 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
327 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
328 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
329 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
330
331#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333#undef V
334
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]335#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]336
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
341#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
345#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]346static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef V
348
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]349#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]350
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]351#undef RT
352
353/*
354 * Round constants
355 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]356static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]357{
358 0x00000001, 0x00000002, 0x00000004, 0x00000008,
359 0x00000010, 0x00000020, 0x00000040, 0x00000080,
360 0x0000001B, 0x00000036
361};
362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]363#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364
365/*
366 * Forward S-box & tables
367 */
368static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]369static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]370#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]371static uint32_t FT1[256];
372static uint32_t FT2[256];
373static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]374#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375
376/*
377 * Reverse S-box & tables
378 */
379static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]380static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]381#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]382static uint32_t RT1[256];
383static uint32_t RT2[256];
384static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]385#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387/*
388 * Round constants
389 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]390static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]391
392/*
393 * Tables generation code
394 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]395#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
396#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]397#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]398
399static int aes_init_done = 0;
400
401static void aes_gen_tables( void )
402{
403 int i, x, y, z;
404 int pow[256];
405 int log[256];
406
407 /*
408 * compute pow and log tables over GF(2^8)
409 */
410 for( i = 0, x = 1; i < 256; i++ )
411 {
412 pow[i] = x;
413 log[x] = i;
414 x = ( x ^ XTIME( x ) ) & 0xFF;
415 }
416
417 /*
418 * calculate the round constants
419 */
420 for( i = 0, x = 1; i < 10; i++ )
421 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]422 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423 x = XTIME( x ) & 0xFF;
424 }
425
426 /*
427 * generate the forward and reverse S-boxes
428 */
429 FSb[0x00] = 0x63;
430 RSb[0x63] = 0x00;
431
432 for( i = 1; i < 256; i++ )
433 {
434 x = pow[255 - log[i]];
435
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]436 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
438 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
439 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 x ^= y ^ 0x63;
441
442 FSb[i] = (unsigned char) x;
443 RSb[x] = (unsigned char) i;
444 }
445
446 /*
447 * generate the forward and reverse tables
448 */
449 for( i = 0; i < 256; i++ )
450 {
451 x = FSb[i];
452 y = XTIME( x ) & 0xFF;
453 z = ( y ^ x ) & 0xFF;
454
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]455 FT0[i] = ( (uint32_t) y ) ^
456 ( (uint32_t) x << 8 ) ^
457 ( (uint32_t) x << 16 ) ^
458 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]460#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461 FT1[i] = ROTL8( FT0[i] );
462 FT2[i] = ROTL8( FT1[i] );
463 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]464#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465
466 x = RSb[i];
467
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]468 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
469 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
470 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
471 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]473#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 RT1[i] = ROTL8( RT0[i] );
475 RT2[i] = ROTL8( RT1[i] );
476 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]477#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478 }
479}
480
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]481#undef ROTL8
482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]483#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]484
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]485#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]486
487#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
488#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
489#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
490
491#define AES_RT0(idx) RT0[idx]
492#define AES_RT1(idx) ROTL8( RT0[idx] )
493#define AES_RT2(idx) ROTL16( RT0[idx] )
494#define AES_RT3(idx) ROTL24( RT0[idx] )
495
496#define AES_FT0(idx) FT0[idx]
497#define AES_FT1(idx) ROTL8( FT0[idx] )
498#define AES_FT2(idx) ROTL16( FT0[idx] )
499#define AES_FT3(idx) ROTL24( FT0[idx] )
500
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]501#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]502
503#define AES_RT0(idx) RT0[idx]
504#define AES_RT1(idx) RT1[idx]
505#define AES_RT2(idx) RT2[idx]
506#define AES_RT3(idx) RT3[idx]
507
508#define AES_FT0(idx) FT0[idx]
509#define AES_FT1(idx) FT1[idx]
510#define AES_FT2(idx) FT2[idx]
511#define AES_FT3(idx) FT3[idx]
512
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]513#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]515void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]516{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]517 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]519 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]520}
521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523{
524 if( ctx == NULL )
525 return;
526
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]527 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]528}
529
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]530#if defined(MBEDTLS_CIPHER_MODE_XTS)
531void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
532{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]533 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]534
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]535 mbedtls_aes_init( &ctx->crypt );
536 mbedtls_aes_init( &ctx->tweak );
537}
538
539void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
540{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]541 if( ctx == NULL )
542 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]543
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]544 mbedtls_aes_free( &ctx->crypt );
545 mbedtls_aes_free( &ctx->tweak );
546}
547#endif /* MBEDTLS_CIPHER_MODE_XTS */
548
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549/*
550 * AES key schedule (encryption)
551 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]552#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]553int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]554 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]555{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]556 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]557 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]559 AES_VALIDATE_RET( ctx != NULL );
560 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]562 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563 {
564 case 128: ctx->nr = 10; break;
565 case 192: ctx->nr = 12; break;
566 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]567 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568 }
569
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]570#if !defined(MBEDTLS_AES_ROM_TABLES)
571 if( aes_init_done == 0 )
572 {
573 aes_gen_tables();
574 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]575 }
576#endif
577
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]578#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]579 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]580 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]581
582 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]583 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]586 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]588#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]589 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]590 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]591#endif
592
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]593 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]595 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 }
597
598 switch( ctx->nr )
599 {
600 case 10:
601
602 for( i = 0; i < 10; i++, RK += 4 )
603 {
604 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]605 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
606 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
607 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
608 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]609
610 RK[5] = RK[1] ^ RK[4];
611 RK[6] = RK[2] ^ RK[5];
612 RK[7] = RK[3] ^ RK[6];
613 }
614 break;
615
616 case 12:
617
618 for( i = 0; i < 8; i++, RK += 6 )
619 {
620 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]621 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
622 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
623 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
624 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]625
626 RK[7] = RK[1] ^ RK[6];
627 RK[8] = RK[2] ^ RK[7];
628 RK[9] = RK[3] ^ RK[8];
629 RK[10] = RK[4] ^ RK[9];
630 RK[11] = RK[5] ^ RK[10];
631 }
632 break;
633
634 case 14:
635
636 for( i = 0; i < 7; i++, RK += 8 )
637 {
638 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]639 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
640 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
641 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
642 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]643
644 RK[9] = RK[1] ^ RK[8];
645 RK[10] = RK[2] ^ RK[9];
646 RK[11] = RK[3] ^ RK[10];
647
648 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]649 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
650 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
651 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
652 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654 RK[13] = RK[5] ^ RK[12];
655 RK[14] = RK[6] ^ RK[13];
656 RK[15] = RK[7] ^ RK[14];
657 }
658 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]660
661 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]663#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664
665/*
666 * AES key schedule (decryption)
667 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]668#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]669int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]670 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]672 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]674 uint32_t *RK;
675 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]676
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]677 AES_VALIDATE_RET( ctx != NULL );
678 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]683 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]684 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]685
686 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]687 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]690 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]692 /* Also checks keybits */
693 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]694 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]695
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]696 ctx->nr = cty.nr;
697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]698#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]699 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]700 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]702 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]703 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]704 }
705#endif
706
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]707 SK = cty.rk + cty.nr * 4;
708
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711 *RK++ = *SK++;
712 *RK++ = *SK++;
713
714 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
715 {
716 for( j = 0; j < 4; j++, SK++ )
717 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]718 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
719 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
720 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
721 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]722 }
723 }
724
725 *RK++ = *SK++;
726 *RK++ = *SK++;
727 *RK++ = *SK++;
728 *RK++ = *SK++;
729
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]730exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]731 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]732
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]733 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]735
736#if defined(MBEDTLS_CIPHER_MODE_XTS)
737static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
738 unsigned int keybits,
739 const unsigned char **key1,
740 unsigned int *key1bits,
741 const unsigned char **key2,
742 unsigned int *key2bits )
743{
744 const unsigned int half_keybits = keybits / 2;
745 const unsigned int half_keybytes = half_keybits / 8;
746
747 switch( keybits )
748 {
749 case 256: break;
750 case 512: break;
751 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
752 }
753
754 *key1bits = half_keybits;
755 *key2bits = half_keybits;
756 *key1 = &key[0];
757 *key2 = &key[half_keybytes];
758
759 return 0;
760}
761
762int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
763 const unsigned char *key,
764 unsigned int keybits)
765{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]766 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]767 const unsigned char *key1, *key2;
768 unsigned int key1bits, key2bits;
769
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]770 AES_VALIDATE_RET( ctx != NULL );
771 AES_VALIDATE_RET( key != NULL );
772
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]773 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
774 &key2, &key2bits );
775 if( ret != 0 )
776 return( ret );
777
778 /* Set the tweak key. Always set tweak key for the encryption mode. */
779 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
780 if( ret != 0 )
781 return( ret );
782
783 /* Set crypt key for encryption. */
784 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
785}
786
787int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
788 const unsigned char *key,
789 unsigned int keybits)
790{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]791 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]792 const unsigned char *key1, *key2;
793 unsigned int key1bits, key2bits;
794
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]795 AES_VALIDATE_RET( ctx != NULL );
796 AES_VALIDATE_RET( key != NULL );
797
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]798 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
799 &key2, &key2bits );
800 if( ret != 0 )
801 return( ret );
802
803 /* Set the tweak key. Always set tweak key for encryption. */
804 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
805 if( ret != 0 )
806 return( ret );
807
808 /* Set crypt key for decryption. */
809 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
810}
811#endif /* MBEDTLS_CIPHER_MODE_XTS */
812
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]813#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]815#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
816 do \
817 { \
818 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
819 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
820 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
821 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
822 \
823 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
824 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
825 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
826 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
827 \
828 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
829 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
830 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
831 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
832 \
833 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
834 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
835 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
836 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
837 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]839#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
840 do \
841 { \
842 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
843 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
844 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
845 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
846 \
847 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
848 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
849 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
850 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
851 \
852 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
853 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
854 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
855 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
856 \
857 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
858 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
859 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
860 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
861 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862
863/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]864 * AES-ECB block encryption
865 */
866#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]867int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
868 const unsigned char input[16],
869 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]870{
871 int i;
872 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
873
874 RK = ctx->rk;
875
876 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
877 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
878 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
879 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
880
881 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
882 {
883 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
884 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
885 }
886
887 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
888
889 X0 = *RK++ ^ \
890 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
891 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
892 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
893 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
894
895 X1 = *RK++ ^ \
896 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
897 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
898 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
899 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
900
901 X2 = *RK++ ^ \
902 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
903 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
904 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
905 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
906
907 X3 = *RK++ ^ \
908 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
909 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
910 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
911 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
912
913 PUT_UINT32_LE( X0, output, 0 );
914 PUT_UINT32_LE( X1, output, 4 );
915 PUT_UINT32_LE( X2, output, 8 );
916 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]917
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]918 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
919 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
920 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
921 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
922
923 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
924 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
925 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
926 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
927
928 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
929
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]930 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]931}
932#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
933
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]934#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]935void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
936 const unsigned char input[16],
937 unsigned char output[16] )
938{
939 mbedtls_internal_aes_encrypt( ctx, input, output );
940}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]941#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]942
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]943/*
944 * AES-ECB block decryption
945 */
946#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]947int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
948 const unsigned char input[16],
949 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]950{
951 int i;
952 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
953
954 RK = ctx->rk;
955
956 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
957 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
958 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
959 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
960
961 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
962 {
963 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
964 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
965 }
966
967 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
968
969 X0 = *RK++ ^ \
970 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
971 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
972 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
973 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
974
975 X1 = *RK++ ^ \
976 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
977 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
978 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
979 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
980
981 X2 = *RK++ ^ \
982 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
983 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
984 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
985 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
986
987 X3 = *RK++ ^ \
988 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
989 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
990 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
991 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
992
993 PUT_UINT32_LE( X0, output, 0 );
994 PUT_UINT32_LE( X1, output, 4 );
995 PUT_UINT32_LE( X2, output, 8 );
996 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]997
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]998 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
999 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1000 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1001 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1002
1003 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1004 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1005 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1006 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1007
1008 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1009
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1010 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1011}
1012#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1013
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1014#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1015void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1016 const unsigned char input[16],
1017 unsigned char output[16] )
1018{
1019 mbedtls_internal_aes_decrypt( ctx, input, output );
1020}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1021#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1022
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1023/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024 * AES-ECB block encryption/decryption
1025 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1026int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1027 int mode,
1028 const unsigned char input[16],
1029 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1031 AES_VALIDATE_RET( ctx != NULL );
1032 AES_VALIDATE_RET( input != NULL );
1033 AES_VALIDATE_RET( output != NULL );
1034 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1035 mode == MBEDTLS_AES_DECRYPT );
1036
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1038 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1040#endif
1041
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1042#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1043 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1045 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1046 return( 0 );
1047
1048 // If padlock data misaligned, we just fall back to
1049 // unaccelerated mode
1050 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1051 }
1052#endif
1053
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1054 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1055 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1056 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1057 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1058}
1059
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1060#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1061/*
1062 * AES-CBC buffer encryption/decryption
1063 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1064int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1065 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1066 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1067 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1068 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069 unsigned char *output )
1070{
1071 int i;
1072 unsigned char temp[16];
1073
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1074 AES_VALIDATE_RET( ctx != NULL );
1075 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1076 mode == MBEDTLS_AES_DECRYPT );
1077 AES_VALIDATE_RET( iv != NULL );
1078 AES_VALIDATE_RET( input != NULL );
1079 AES_VALIDATE_RET( output != NULL );
1080
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1081 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1082 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1083
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1084#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1085 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1086 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1088 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1089
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1090 // If padlock data misaligned, we just fall back to
1091 // unaccelerated mode
1092 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1093 }
1094#endif
1095
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1097 {
1098 while( length > 0 )
1099 {
1100 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1101 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1102
1103 for( i = 0; i < 16; i++ )
1104 output[i] = (unsigned char)( output[i] ^ iv[i] );
1105
1106 memcpy( iv, temp, 16 );
1107
1108 input += 16;
1109 output += 16;
1110 length -= 16;
1111 }
1112 }
1113 else
1114 {
1115 while( length > 0 )
1116 {
1117 for( i = 0; i < 16; i++ )
1118 output[i] = (unsigned char)( input[i] ^ iv[i] );
1119
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1120 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1121 memcpy( iv, output, 16 );
1122
1123 input += 16;
1124 output += 16;
1125 length -= 16;
1126 }
1127 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1128
1129 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1130}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1131#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1132
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1133#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1134
1135/* Endianess with 64 bits values */
1136#ifndef GET_UINT64_LE
1137#define GET_UINT64_LE(n,b,i) \
1138{ \
1139 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1140 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1141 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1142 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1143 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1144 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1145 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1146 | ( (uint64_t) (b)[(i) ] ); \
1147}
1148#endif
1149
1150#ifndef PUT_UINT64_LE
1151#define PUT_UINT64_LE(n,b,i) \
1152{ \
1153 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1154 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1155 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1156 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1157 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1158 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1159 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1160 (b)[(i) ] = (unsigned char) ( (n) ); \
1161}
1162#endif
1163
1164typedef unsigned char mbedtls_be128[16];
1165
1166/*
1167 * GF(2^128) multiplication function
1168 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1169 * This function multiplies a field element by x in the polynomial field
1170 * representation. It uses 64-bit word operations to gain speed but compensates
1171 * for machine endianess and hence works correctly on both big and little
1172 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1173 */
1174static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1175 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1176{
1177 uint64_t a, b, ra, rb;
1178
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1179 GET_UINT64_LE( a, x, 0 );
1180 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1181
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1182 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1183 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1184
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1185 PUT_UINT64_LE( ra, r, 0 );
1186 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1187}
1188
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1189/*
1190 * AES-XTS buffer encryption/decryption
1191 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1192int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1193 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1194 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1195 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1196 const unsigned char *input,
1197 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1198{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1199 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1200 size_t blocks = length / 16;
1201 size_t leftover = length % 16;
1202 unsigned char tweak[16];
1203 unsigned char prev_tweak[16];
1204 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1205
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1206 AES_VALIDATE_RET( ctx != NULL );
1207 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1208 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1209 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1210 AES_VALIDATE_RET( input != NULL );
1211 AES_VALIDATE_RET( output != NULL );
1212
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1213 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1214 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1215 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1216
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1217 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1218 if( length > ( 1 << 20 ) * 16 )
1219 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1220
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1221 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1222 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1223 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1224 if( ret != 0 )
1225 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1226
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1227 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1228 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1229 size_t i;
1230
1231 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1232 {
1233 /* We are on the last block in a decrypt operation that has
1234 * leftover bytes, so we need to use the next tweak for this block,
1235 * and this tweak for the lefover bytes. Save the current tweak for
1236 * the leftovers and then update the current tweak for use on this,
1237 * the last full block. */
1238 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1239 mbedtls_gf128mul_x_ble( tweak, tweak );
1240 }
1241
1242 for( i = 0; i < 16; i++ )
1243 tmp[i] = input[i] ^ tweak[i];
1244
1245 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1246 if( ret != 0 )
1247 return( ret );
1248
1249 for( i = 0; i < 16; i++ )
1250 output[i] = tmp[i] ^ tweak[i];
1251
1252 /* Update the tweak for the next block. */
1253 mbedtls_gf128mul_x_ble( tweak, tweak );
1254
1255 output += 16;
1256 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1257 }
1258
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1259 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1260 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1261 /* If we are on the leftover bytes in a decrypt operation, we need to
1262 * use the previous tweak for these bytes (as saved in prev_tweak). */
1263 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1264
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1265 /* We are now on the final part of the data unit, which doesn't divide
1266 * evenly by 16. It's time for ciphertext stealing. */
1267 size_t i;
1268 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1269
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1270 /* Copy ciphertext bytes from the previous block to our output for each
1271 * byte of cyphertext we won't steal. At the same time, copy the
1272 * remainder of the input for this final round (since the loop bounds
1273 * are the same). */
1274 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1275 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1276 output[i] = prev_output[i];
1277 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1278 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1279
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1280 /* Copy ciphertext bytes from the previous block for input in this
1281 * round. */
1282 for( ; i < 16; i++ )
1283 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1284
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1285 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1286 if( ret != 0 )
1287 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1288
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1289 /* Write the result back to the previous block, overriding the previous
1290 * output we copied. */
1291 for( i = 0; i < 16; i++ )
1292 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1293 }
1294
1295 return( 0 );
1296}
1297#endif /* MBEDTLS_CIPHER_MODE_XTS */
1298
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1299#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1300/*
1301 * AES-CFB128 buffer encryption/decryption
1302 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1303int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1305 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1306 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1308 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1309 unsigned char *output )
1310{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1311 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1312 size_t n;
1313
1314 AES_VALIDATE_RET( ctx != NULL );
1315 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1316 mode == MBEDTLS_AES_DECRYPT );
1317 AES_VALIDATE_RET( iv_off != NULL );
1318 AES_VALIDATE_RET( iv != NULL );
1319 AES_VALIDATE_RET( input != NULL );
1320 AES_VALIDATE_RET( output != NULL );
1321
1322 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1324 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1325 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1328 {
1329 while( length-- )
1330 {
1331 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1332 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333
1334 c = *input++;
1335 *output++ = (unsigned char)( c ^ iv[n] );
1336 iv[n] = (unsigned char) c;
1337
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1338 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1339 }
1340 }
1341 else
1342 {
1343 while( length-- )
1344 {
1345 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1347
1348 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1349
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1350 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1351 }
1352 }
1353
1354 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1355
1356 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1357}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1358
1359/*
1360 * AES-CFB8 buffer encryption/decryption
1361 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1362int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1363 int mode,
1364 size_t length,
1365 unsigned char iv[16],
1366 const unsigned char *input,
1367 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1368{
1369 unsigned char c;
1370 unsigned char ov[17];
1371
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1372 AES_VALIDATE_RET( ctx != NULL );
1373 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1374 mode == MBEDTLS_AES_DECRYPT );
1375 AES_VALIDATE_RET( iv != NULL );
1376 AES_VALIDATE_RET( input != NULL );
1377 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1378 while( length-- )
1379 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1380 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1382
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1383 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1384 ov[16] = *input;
1385
1386 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1387
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1388 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1389 ov[16] = c;
1390
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1391 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1392 }
1393
1394 return( 0 );
1395}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1396#endif /* MBEDTLS_CIPHER_MODE_CFB */
1397
1398#if defined(MBEDTLS_CIPHER_MODE_OFB)
1399/*
1400 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1401 */
1402int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1403 size_t length,
1404 size_t *iv_off,
1405 unsigned char iv[16],
1406 const unsigned char *input,
1407 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1408{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1409 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1410 size_t n;
1411
1412 AES_VALIDATE_RET( ctx != NULL );
1413 AES_VALIDATE_RET( iv_off != NULL );
1414 AES_VALIDATE_RET( iv != NULL );
1415 AES_VALIDATE_RET( input != NULL );
1416 AES_VALIDATE_RET( output != NULL );
1417
1418 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1419
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1420 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1421 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1422
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1423 while( length-- )
1424 {
1425 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1426 {
1427 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1428 if( ret != 0 )
1429 goto exit;
1430 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1431 *output++ = *input++ ^ iv[n];
1432
1433 n = ( n + 1 ) & 0x0F;
1434 }
1435
1436 *iv_off = n;
1437
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1438exit:
1439 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1440}
1441#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1442
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1443#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1444/*
1445 * AES-CTR buffer encryption/decryption
1446 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1447int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1448 size_t length,
1449 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1450 unsigned char nonce_counter[16],
1451 unsigned char stream_block[16],
1452 const unsigned char *input,
1453 unsigned char *output )
1454{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1455 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1456 size_t n;
1457
1458 AES_VALIDATE_RET( ctx != NULL );
1459 AES_VALIDATE_RET( nc_off != NULL );
1460 AES_VALIDATE_RET( nonce_counter != NULL );
1461 AES_VALIDATE_RET( stream_block != NULL );
1462 AES_VALIDATE_RET( input != NULL );
1463 AES_VALIDATE_RET( output != NULL );
1464
1465 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1466
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1467 if ( n > 0x0F )
1468 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1469
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1470 while( length-- )
1471 {
1472 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1474
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1475 for( i = 16; i > 0; i-- )
1476 if( ++nonce_counter[i - 1] != 0 )
1477 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1478 }
1479 c = *input++;
1480 *output++ = (unsigned char)( c ^ stream_block[n] );
1481
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1482 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1483 }
1484
1485 *nc_off = n;
1486
1487 return( 0 );
1488}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1489#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1490
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1492
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1493#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1494/*
1495 * AES test vectors from:
1496 *
1497 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1498 */
1499static const unsigned char aes_test_ecb_dec[3][16] =
1500{
1501 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1502 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1503 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1504 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1505 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1506 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1507};
1508
1509static const unsigned char aes_test_ecb_enc[3][16] =
1510{
1511 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1512 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1513 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1514 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1515 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1516 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1517};
1518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1519#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1520static const unsigned char aes_test_cbc_dec[3][16] =
1521{
1522 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1523 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1524 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1525 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1526 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1527 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1528};
1529
1530static const unsigned char aes_test_cbc_enc[3][16] =
1531{
1532 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1533 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1534 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1535 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1536 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1537 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1538};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1539#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1540
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1541#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1542/*
1543 * AES-CFB128 test vectors from:
1544 *
1545 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1546 */
1547static const unsigned char aes_test_cfb128_key[3][32] =
1548{
1549 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1550 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1551 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1552 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1553 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1554 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1555 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1556 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1557 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1558};
1559
1560static const unsigned char aes_test_cfb128_iv[16] =
1561{
1562 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1563 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1564};
1565
1566static const unsigned char aes_test_cfb128_pt[64] =
1567{
1568 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1569 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1570 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1571 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1572 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1573 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1574 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1575 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1576};
1577
1578static const unsigned char aes_test_cfb128_ct[3][64] =
1579{
1580 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1581 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1582 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1583 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1584 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1585 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1586 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1587 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1588 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1589 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1590 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1591 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1592 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1593 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1594 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1595 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1596 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1597 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1598 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1599 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1600 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1601 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1602 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1603 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1604};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1605#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1606
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1607#if defined(MBEDTLS_CIPHER_MODE_OFB)
1608/*
1609 * AES-OFB test vectors from:
1610 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1611 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1612 */
1613static const unsigned char aes_test_ofb_key[3][32] =
1614{
1615 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1616 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1617 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1618 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1619 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1620 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1621 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1622 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1623 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1624};
1625
1626static const unsigned char aes_test_ofb_iv[16] =
1627{
1628 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1629 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1630};
1631
1632static const unsigned char aes_test_ofb_pt[64] =
1633{
1634 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1635 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1636 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1637 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1638 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1639 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1640 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1641 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1642};
1643
1644static const unsigned char aes_test_ofb_ct[3][64] =
1645{
1646 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1647 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1648 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1649 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1650 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1651 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1652 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1653 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1654 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1655 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1656 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1657 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1658 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1659 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1660 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1661 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1662 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1663 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1664 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1665 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1666 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1667 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1668 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1669 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1670};
1671#endif /* MBEDTLS_CIPHER_MODE_OFB */
1672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1673#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1674/*
1675 * AES-CTR test vectors from:
1676 *
1677 * http://www.faqs.org/rfcs/rfc3686.html
1678 */
1679
1680static const unsigned char aes_test_ctr_key[3][16] =
1681{
1682 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1683 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1684 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1685 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1686 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1687 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1688};
1689
1690static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1691{
1692 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1694 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1695 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1696 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1697 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1698};
1699
1700static const unsigned char aes_test_ctr_pt[3][48] =
1701{
1702 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1703 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1704
1705 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1706 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1707 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1708 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1709
1710 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1711 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1712 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1713 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1714 0x20, 0x21, 0x22, 0x23 }
1715};
1716
1717static const unsigned char aes_test_ctr_ct[3][48] =
1718{
1719 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1720 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1721 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1722 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1723 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1724 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1725 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1726 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1727 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1728 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1729 0x25, 0xB2, 0x07, 0x2F }
1730};
1731
1732static const int aes_test_ctr_len[3] =
1733 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1734#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1735
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1736#if defined(MBEDTLS_CIPHER_MODE_XTS)
1737/*
1738 * AES-XTS test vectors from:
1739 *
1740 * IEEE P1619/D16 Annex B
1741 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1742 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1743 */
1744static const unsigned char aes_test_xts_key[][32] =
1745{
1746 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1749 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1750 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1751 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1752 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1753 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1754 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1755 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1756 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1757 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1758};
1759
1760static const unsigned char aes_test_xts_pt32[][32] =
1761{
1762 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1763 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1766 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1767 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1768 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1769 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1770 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1771 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1772 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1773 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1774};
1775
1776static const unsigned char aes_test_xts_ct32[][32] =
1777{
1778 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1779 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1780 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1781 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1782 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1783 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1784 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1785 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1786 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1787 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1788 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1789 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1790};
1791
1792static const unsigned char aes_test_xts_data_unit[][16] =
1793{
1794 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1796 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1797 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1798 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1799 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1800};
1801
1802#endif /* MBEDTLS_CIPHER_MODE_XTS */
1803
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804/*
1805 * Checkup routine
1806 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1807int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1808{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1809 int ret = 0, i, j, u, mode;
1810 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811 unsigned char key[32];
1812 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1813 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1814#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1815 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1816#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1817#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1818 unsigned char prv[16];
1819#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1820#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1821 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1822 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1823#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1824#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1825 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1826#endif
1827#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1828 unsigned char nonce_counter[16];
1829 unsigned char stream_block[16];
1830#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832
1833 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1834 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1835
1836 /*
1837 * ECB mode
1838 */
1839 for( i = 0; i < 6; i++ )
1840 {
1841 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1842 keybits = 128 + u * 64;
1843 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1844
1845 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1846 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1847 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1848
1849 memset( buf, 0, 16 );
1850
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1851 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1853 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1854 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855 }
1856 else
1857 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1858 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1859 aes_tests = aes_test_ecb_enc[u];
1860 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1861
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1862 /*
1863 * AES-192 is an optional feature that may be unavailable when
1864 * there is an alternative underlying implementation i.e. when
1865 * MBEDTLS_AES_ALT is defined.
1866 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1867 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1868 {
1869 mbedtls_printf( "skipped\n" );
1870 continue;
1871 }
1872 else if( ret != 0 )
1873 {
1874 goto exit;
1875 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1877 for( j = 0; j < 10000; j++ )
1878 {
1879 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1880 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1881 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1882 }
1883
1884 if( memcmp( buf, aes_tests, 16 ) != 0 )
1885 {
1886 ret = 1;
1887 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1888 }
1889
1890 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1891 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1892 }
1893
1894 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1895 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1897#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898 /*
1899 * CBC mode
1900 */
1901 for( i = 0; i < 6; i++ )
1902 {
1903 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1904 keybits = 128 + u * 64;
1905 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1906
1907 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1908 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1909 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1910
1911 memset( iv , 0, 16 );
1912 memset( prv, 0, 16 );
1913 memset( buf, 0, 16 );
1914
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1915 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1916 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1917 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1918 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1919 }
1920 else
1921 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1922 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1923 aes_tests = aes_test_cbc_enc[u];
1924 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1925
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1926 /*
1927 * AES-192 is an optional feature that may be unavailable when
1928 * there is an alternative underlying implementation i.e. when
1929 * MBEDTLS_AES_ALT is defined.
1930 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1931 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1932 {
1933 mbedtls_printf( "skipped\n" );
1934 continue;
1935 }
1936 else if( ret != 0 )
1937 {
1938 goto exit;
1939 }
1940
1941 for( j = 0; j < 10000; j++ )
1942 {
1943 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1944 {
1945 unsigned char tmp[16];
1946
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1947 memcpy( tmp, prv, 16 );
1948 memcpy( prv, buf, 16 );
1949 memcpy( buf, tmp, 16 );
1950 }
1951
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1952 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1953 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1954 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1955
1956 }
1957
1958 if( memcmp( buf, aes_tests, 16 ) != 0 )
1959 {
1960 ret = 1;
1961 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1962 }
1963
1964 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1965 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1966 }
1967
1968 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969 mbedtls_printf( "\n" );
1970#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1972#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1973 /*
1974 * CFB128 mode
1975 */
1976 for( i = 0; i < 6; i++ )
1977 {
1978 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1979 keybits = 128 + u * 64;
1980 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1981
1982 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1983 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1984 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1985
1986 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1987 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1988
1989 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1990 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1991 /*
1992 * AES-192 is an optional feature that may be unavailable when
1993 * there is an alternative underlying implementation i.e. when
1994 * MBEDTLS_AES_ALT is defined.
1995 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1996 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1997 {
1998 mbedtls_printf( "skipped\n" );
1999 continue;
2000 }
2001 else if( ret != 0 )
2002 {
2003 goto exit;
2004 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2005
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2006 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2007 {
2008 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2009 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010 }
2011 else
2012 {
2013 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2014 aes_tests = aes_test_cfb128_ct[u];
2015 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2017 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2018 if( ret != 0 )
2019 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2020
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2021 if( memcmp( buf, aes_tests, 64 ) != 0 )
2022 {
2023 ret = 1;
2024 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025 }
2026
2027 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2028 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029 }
2030
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2031 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2032 mbedtls_printf( "\n" );
2033#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2034
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2035#if defined(MBEDTLS_CIPHER_MODE_OFB)
2036 /*
2037 * OFB mode
2038 */
2039 for( i = 0; i < 6; i++ )
2040 {
2041 u = i >> 1;
2042 keybits = 128 + u * 64;
2043 mode = i & 1;
2044
2045 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]2046 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2047 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2048
2049 memcpy( iv, aes_test_ofb_iv, 16 );
2050 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2051
2052 offset = 0;
2053 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2054 /*
2055 * AES-192 is an optional feature that may be unavailable when
2056 * there is an alternative underlying implementation i.e. when
2057 * MBEDTLS_AES_ALT is defined.
2058 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2059 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2060 {
2061 mbedtls_printf( "skipped\n" );
2062 continue;
2063 }
2064 else if( ret != 0 )
2065 {
2066 goto exit;
2067 }
2068
2069 if( mode == MBEDTLS_AES_DECRYPT )
2070 {
2071 memcpy( buf, aes_test_ofb_ct[u], 64 );
2072 aes_tests = aes_test_ofb_pt;
2073 }
2074 else
2075 {
2076 memcpy( buf, aes_test_ofb_pt, 64 );
2077 aes_tests = aes_test_ofb_ct[u];
2078 }
2079
2080 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2081 if( ret != 0 )
2082 goto exit;
2083
2084 if( memcmp( buf, aes_tests, 64 ) != 0 )
2085 {
2086 ret = 1;
2087 goto exit;
2088 }
2089
2090 if( verbose != 0 )
2091 mbedtls_printf( "passed\n" );
2092 }
2093
2094 if( verbose != 0 )
2095 mbedtls_printf( "\n" );
2096#endif /* MBEDTLS_CIPHER_MODE_OFB */
2097
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2098#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2099 /*
2100 * CTR mode
2101 */
2102 for( i = 0; i < 6; i++ )
2103 {
2104 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2105 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2106
2107 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2108 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2109 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2110
2111 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2112 memcpy( key, aes_test_ctr_key[u], 16 );
2113
2114 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2115 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2116 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2117
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2118 len = aes_test_ctr_len[u];
2119
2120 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2121 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2122 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2123 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2124 }
2125 else
2126 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2127 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2128 aes_tests = aes_test_ctr_ct[u];
2129 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2130
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2131 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2132 stream_block, buf, buf );
2133 if( ret != 0 )
2134 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2135
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2136 if( memcmp( buf, aes_tests, len ) != 0 )
2137 {
2138 ret = 1;
2139 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2140 }
2141
2142 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2143 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2144 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2145
2146 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2147 mbedtls_printf( "\n" );
2148#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2149
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2150#if defined(MBEDTLS_CIPHER_MODE_XTS)
2151 {
2152 static const int num_tests =
2153 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2154 mbedtls_aes_xts_context ctx_xts;
2155
2156 /*
2157 * XTS mode
2158 */
2159 mbedtls_aes_xts_init( &ctx_xts );
2160
2161 for( i = 0; i < num_tests << 1; i++ )
2162 {
2163 const unsigned char *data_unit;
2164 u = i >> 1;
2165 mode = i & 1;
2166
2167 if( verbose != 0 )
2168 mbedtls_printf( " AES-XTS-128 (%s): ",
2169 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2170
2171 memset( key, 0, sizeof( key ) );
2172 memcpy( key, aes_test_xts_key[u], 32 );
2173 data_unit = aes_test_xts_data_unit[u];
2174
2175 len = sizeof( *aes_test_xts_ct32 );
2176
2177 if( mode == MBEDTLS_AES_DECRYPT )
2178 {
2179 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2180 if( ret != 0)
2181 goto exit;
2182 memcpy( buf, aes_test_xts_ct32[u], len );
2183 aes_tests = aes_test_xts_pt32[u];
2184 }
2185 else
2186 {
2187 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2188 if( ret != 0)
2189 goto exit;
2190 memcpy( buf, aes_test_xts_pt32[u], len );
2191 aes_tests = aes_test_xts_ct32[u];
2192 }
2193
2194
2195 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2196 buf, buf );
2197 if( ret != 0 )
2198 goto exit;
2199
2200 if( memcmp( buf, aes_tests, len ) != 0 )
2201 {
2202 ret = 1;
2203 goto exit;
2204 }
2205
2206 if( verbose != 0 )
2207 mbedtls_printf( "passed\n" );
2208 }
2209
2210 if( verbose != 0 )
2211 mbedtls_printf( "\n" );
2212
2213 mbedtls_aes_xts_free( &ctx_xts );
2214 }
2215#endif /* MBEDTLS_CIPHER_MODE_XTS */
2216
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2217 ret = 0;
2218
2219exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2220 if( ret != 0 && verbose != 0 )
2221 mbedtls_printf( "failed\n" );
2222
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2223 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2224
2225 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2226}
2227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2228#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2229
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2230#endif /* MBEDTLS_AES_C */