TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e128636646ae23f9017cfee6ef997a59bb559c2e / . / library / aes.c
blob: c07f78b380422604bd190c0558fcd3d36c017847 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Markku-Juhani O. Saarinen63f21392017-11-20 14:59:12 +0000[diff] [blame]42#if defined(MBEDTLS_ARMV8CE_AES_C)
43#include "mbedtls/armv8ce_aes.h"
44#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#if defined(MBEDTLS_SELF_TEST)
46#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]47#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]48#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]49#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]50#define mbedtls_printf printf
51#endif /* MBEDTLS_PLATFORM_C */
52#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]55
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]56/* Parameter validation macros based on platform_util.h */
57#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]58 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59#define AES_VALIDATE( cond ) \
60 MBEDTLS_INTERNAL_VALIDATE( cond )
61
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62/*
63 * 32-bit integer manipulation macros (little endian)
64 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]65#ifndef GET_UINT32_LE
66#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68 (n) = ( (uint32_t) (b)[(i) ] ) \
69 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
70 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
71 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72}
73#endif
74
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]75#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]76#define PUT_UINT32_LE(n,b,i) \
77{ \
78 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
79 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
80 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
81 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]82}
83#endif
84
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]85#if defined(MBEDTLS_PADLOCK_C) && \
86 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]87static int aes_padlock_ace = -1;
88#endif
89
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]90#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]91/*
92 * Forward S-box
93 */
94static const unsigned char FSb[256] =
95{
96 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
97 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
98 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
99 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
100 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
101 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
102 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
103 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
104 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
105 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
106 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
107 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
108 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
109 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
110 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
111 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
112 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
113 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
114 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
115 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
116 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
117 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
118 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
119 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
120 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
121 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
122 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
123 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
124 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
125 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
126 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
127 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
128};
129
130/*
131 * Forward tables
132 */
133#define FT \
134\
135 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
136 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
137 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
138 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
139 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
140 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
141 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
142 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
143 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
144 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
145 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
146 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
147 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
148 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
149 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
150 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
151 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
152 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
153 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
154 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
155 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
156 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
157 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
158 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
159 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
160 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
161 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
162 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
163 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
164 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
165 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
166 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
167 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
168 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
169 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
170 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
171 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
172 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
173 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
174 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
175 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
176 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
177 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
178 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
179 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
180 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
181 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
182 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
183 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
184 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
185 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
186 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
187 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
188 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
189 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
190 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
191 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
192 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
193 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
194 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
195 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
196 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
197 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
198 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
199
200#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]201static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]202#undef V
203
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]204#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]205
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]207static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208#undef V
209
210#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
214#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]215static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef V
217
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]218#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]219
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef FT
221
222/*
223 * Reverse S-box
224 */
225static const unsigned char RSb[256] =
226{
227 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
228 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
229 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
230 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
231 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
232 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
233 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
234 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
235 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
236 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
237 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
238 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
239 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
240 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
241 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
242 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
243 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
244 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
245 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
246 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
247 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
248 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
249 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
250 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
251 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
252 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
253 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
254 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
255 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
256 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
257 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
258 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
259};
260
261/*
262 * Reverse tables
263 */
264#define RT \
265\
266 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
267 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
268 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
269 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
270 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
271 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
272 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
273 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
274 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
275 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
276 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
277 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
278 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
279 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
280 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
281 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
282 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
283 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
284 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
285 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
286 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
287 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
288 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
289 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
290 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
291 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
292 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
293 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
294 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
295 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
296 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
297 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
298 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
299 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
300 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
301 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
302 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
303 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
304 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
305 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
306 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
307 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
308 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
309 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
310 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
311 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
312 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
313 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
314 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
315 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
316 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
317 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
318 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
319 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
320 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
321 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
322 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
323 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
324 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
325 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
326 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
327 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
328 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
329 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
330
331#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333#undef V
334
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]335#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]336
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
341#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
345#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]346static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef V
348
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]349#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]350
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]351#undef RT
352
353/*
354 * Round constants
355 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]356static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]357{
358 0x00000001, 0x00000002, 0x00000004, 0x00000008,
359 0x00000010, 0x00000020, 0x00000040, 0x00000080,
360 0x0000001B, 0x00000036
361};
362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]363#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364
365/*
366 * Forward S-box & tables
367 */
368static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]369static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]370#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]371static uint32_t FT1[256];
372static uint32_t FT2[256];
373static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]374#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375
376/*
377 * Reverse S-box & tables
378 */
379static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]380static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]381#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]382static uint32_t RT1[256];
383static uint32_t RT2[256];
384static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]385#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387/*
388 * Round constants
389 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]390static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]391
392/*
393 * Tables generation code
394 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]395#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
396#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]397#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]398
399static int aes_init_done = 0;
400
401static void aes_gen_tables( void )
402{
403 int i, x, y, z;
404 int pow[256];
405 int log[256];
406
407 /*
408 * compute pow and log tables over GF(2^8)
409 */
410 for( i = 0, x = 1; i < 256; i++ )
411 {
412 pow[i] = x;
413 log[x] = i;
414 x = ( x ^ XTIME( x ) ) & 0xFF;
415 }
416
417 /*
418 * calculate the round constants
419 */
420 for( i = 0, x = 1; i < 10; i++ )
421 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]422 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423 x = XTIME( x ) & 0xFF;
424 }
425
426 /*
427 * generate the forward and reverse S-boxes
428 */
429 FSb[0x00] = 0x63;
430 RSb[0x63] = 0x00;
431
432 for( i = 1; i < 256; i++ )
433 {
434 x = pow[255 - log[i]];
435
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]436 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
438 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
439 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 x ^= y ^ 0x63;
441
442 FSb[i] = (unsigned char) x;
443 RSb[x] = (unsigned char) i;
444 }
445
446 /*
447 * generate the forward and reverse tables
448 */
449 for( i = 0; i < 256; i++ )
450 {
451 x = FSb[i];
452 y = XTIME( x ) & 0xFF;
453 z = ( y ^ x ) & 0xFF;
454
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]455 FT0[i] = ( (uint32_t) y ) ^
456 ( (uint32_t) x << 8 ) ^
457 ( (uint32_t) x << 16 ) ^
458 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]460#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461 FT1[i] = ROTL8( FT0[i] );
462 FT2[i] = ROTL8( FT1[i] );
463 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]464#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465
466 x = RSb[i];
467
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]468 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
469 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
470 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
471 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]473#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 RT1[i] = ROTL8( RT0[i] );
475 RT2[i] = ROTL8( RT1[i] );
476 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]477#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478 }
479}
480
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]481#undef ROTL8
482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]483#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]484
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]485#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]486
487#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
488#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
489#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
490
491#define AES_RT0(idx) RT0[idx]
492#define AES_RT1(idx) ROTL8( RT0[idx] )
493#define AES_RT2(idx) ROTL16( RT0[idx] )
494#define AES_RT3(idx) ROTL24( RT0[idx] )
495
496#define AES_FT0(idx) FT0[idx]
497#define AES_FT1(idx) ROTL8( FT0[idx] )
498#define AES_FT2(idx) ROTL16( FT0[idx] )
499#define AES_FT3(idx) ROTL24( FT0[idx] )
500
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]501#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]502
503#define AES_RT0(idx) RT0[idx]
504#define AES_RT1(idx) RT1[idx]
505#define AES_RT2(idx) RT2[idx]
506#define AES_RT3(idx) RT3[idx]
507
508#define AES_FT0(idx) FT0[idx]
509#define AES_FT1(idx) FT1[idx]
510#define AES_FT2(idx) FT2[idx]
511#define AES_FT3(idx) FT3[idx]
512
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]513#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]515void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]516{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]517 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]519 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]520}
521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523{
524 if( ctx == NULL )
525 return;
526
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]527 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]528}
529
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]530#if defined(MBEDTLS_CIPHER_MODE_XTS)
531void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
532{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]533 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]534
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]535 mbedtls_aes_init( &ctx->crypt );
536 mbedtls_aes_init( &ctx->tweak );
537}
538
539void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
540{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]541 if( ctx == NULL )
542 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]543
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]544 mbedtls_aes_free( &ctx->crypt );
545 mbedtls_aes_free( &ctx->tweak );
546}
547#endif /* MBEDTLS_CIPHER_MODE_XTS */
548
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549/*
550 * AES key schedule (encryption)
551 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]552#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]553int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]554 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]555{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]556 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]557 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]559 AES_VALIDATE_RET( ctx != NULL );
560 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]562 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563 {
564 case 128: ctx->nr = 10; break;
565 case 192: ctx->nr = 12; break;
566 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]567 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568 }
569
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]570#if !defined(MBEDTLS_AES_ROM_TABLES)
571 if( aes_init_done == 0 )
572 {
573 aes_gen_tables();
574 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]575 }
576#endif
577
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]578#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]579 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]580 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]581
582 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]583 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]586 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]588#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]589 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]590 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]591#endif
592
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]593 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]595 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 }
597
598 switch( ctx->nr )
599 {
600 case 10:
601
602 for( i = 0; i < 10; i++, RK += 4 )
603 {
604 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]605 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
606 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
607 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
608 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]609
610 RK[5] = RK[1] ^ RK[4];
611 RK[6] = RK[2] ^ RK[5];
612 RK[7] = RK[3] ^ RK[6];
613 }
614 break;
615
616 case 12:
617
618 for( i = 0; i < 8; i++, RK += 6 )
619 {
620 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]621 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
622 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
623 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
624 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]625
626 RK[7] = RK[1] ^ RK[6];
627 RK[8] = RK[2] ^ RK[7];
628 RK[9] = RK[3] ^ RK[8];
629 RK[10] = RK[4] ^ RK[9];
630 RK[11] = RK[5] ^ RK[10];
631 }
632 break;
633
634 case 14:
635
636 for( i = 0; i < 7; i++, RK += 8 )
637 {
638 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]639 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
640 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
641 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
642 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]643
644 RK[9] = RK[1] ^ RK[8];
645 RK[10] = RK[2] ^ RK[9];
646 RK[11] = RK[3] ^ RK[10];
647
648 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]649 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
650 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
651 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
652 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654 RK[13] = RK[5] ^ RK[12];
655 RK[14] = RK[6] ^ RK[13];
656 RK[15] = RK[7] ^ RK[14];
657 }
658 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]659 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]660
661 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]663#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664
665/*
666 * AES key schedule (decryption)
667 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]668#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]669int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]670 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]672 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]674 uint32_t *RK;
675 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]676
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]677 AES_VALIDATE_RET( ctx != NULL );
678 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]683 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]684 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]685
686 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]687 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]690 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]692 /* Also checks keybits */
693 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]694 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]695
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]696 ctx->nr = cty.nr;
697
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]698#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]699 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]700 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]702 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]703 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]704 }
705#endif
706
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]707 SK = cty.rk + cty.nr * 4;
708
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711 *RK++ = *SK++;
712 *RK++ = *SK++;
713
714 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
715 {
716 for( j = 0; j < 4; j++, SK++ )
717 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]718 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
719 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
720 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
721 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]722 }
723 }
724
725 *RK++ = *SK++;
726 *RK++ = *SK++;
727 *RK++ = *SK++;
728 *RK++ = *SK++;
729
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]730exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]731 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]732
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]733 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]735
736#if defined(MBEDTLS_CIPHER_MODE_XTS)
737static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
738 unsigned int keybits,
739 const unsigned char **key1,
740 unsigned int *key1bits,
741 const unsigned char **key2,
742 unsigned int *key2bits )
743{
744 const unsigned int half_keybits = keybits / 2;
745 const unsigned int half_keybytes = half_keybits / 8;
746
747 switch( keybits )
748 {
749 case 256: break;
750 case 512: break;
751 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
752 }
753
754 *key1bits = half_keybits;
755 *key2bits = half_keybits;
756 *key1 = &key[0];
757 *key2 = &key[half_keybytes];
758
759 return 0;
760}
761
762int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
763 const unsigned char *key,
764 unsigned int keybits)
765{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]766 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]767 const unsigned char *key1, *key2;
768 unsigned int key1bits, key2bits;
769
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]770 AES_VALIDATE_RET( ctx != NULL );
771 AES_VALIDATE_RET( key != NULL );
772
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]773 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
774 &key2, &key2bits );
775 if( ret != 0 )
776 return( ret );
777
778 /* Set the tweak key. Always set tweak key for the encryption mode. */
779 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
780 if( ret != 0 )
781 return( ret );
782
783 /* Set crypt key for encryption. */
784 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
785}
786
787int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
788 const unsigned char *key,
789 unsigned int keybits)
790{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]791 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]792 const unsigned char *key1, *key2;
793 unsigned int key1bits, key2bits;
794
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]795 AES_VALIDATE_RET( ctx != NULL );
796 AES_VALIDATE_RET( key != NULL );
797
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]798 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
799 &key2, &key2bits );
800 if( ret != 0 )
801 return( ret );
802
803 /* Set the tweak key. Always set tweak key for encryption. */
804 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
805 if( ret != 0 )
806 return( ret );
807
808 /* Set crypt key for decryption. */
809 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
810}
811#endif /* MBEDTLS_CIPHER_MODE_XTS */
812
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]813#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]815#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
816 do \
817 { \
818 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
819 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
820 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
821 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
822 \
823 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
824 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
825 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
826 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
827 \
828 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
829 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
830 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
831 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
832 \
833 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
834 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
835 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
836 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
837 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]839#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
840 do \
841 { \
842 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
843 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
844 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
845 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
846 \
847 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
848 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
849 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
850 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
851 \
852 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
853 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
854 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
855 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
856 \
857 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
858 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
859 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
860 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
861 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862
863/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]864 * AES-ECB block encryption
865 */
866#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]867int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
868 const unsigned char input[16],
869 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]870{
871 int i;
872 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
873
874 RK = ctx->rk;
875
876 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
877 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
878 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
879 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
880
881 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
882 {
883 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
884 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
885 }
886
887 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
888
889 X0 = *RK++ ^ \
890 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
891 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
892 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
893 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
894
895 X1 = *RK++ ^ \
896 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
897 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
898 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
899 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
900
901 X2 = *RK++ ^ \
902 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
903 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
904 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
905 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
906
907 X3 = *RK++ ^ \
908 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
909 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
910 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
911 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
912
913 PUT_UINT32_LE( X0, output, 0 );
914 PUT_UINT32_LE( X1, output, 4 );
915 PUT_UINT32_LE( X2, output, 8 );
916 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]917
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]918 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
919 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
920 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
921 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
922
923 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
924 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
925 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
926 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
927
928 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
929
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]930 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]931}
932#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
933
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]934#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]935void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
936 const unsigned char input[16],
937 unsigned char output[16] )
938{
939 mbedtls_internal_aes_encrypt( ctx, input, output );
940}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]941#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]942
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]943/*
944 * AES-ECB block decryption
945 */
946#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]947int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
948 const unsigned char input[16],
949 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]950{
951 int i;
952 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
953
954 RK = ctx->rk;
955
956 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
957 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
958 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
959 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
960
961 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
962 {
963 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
964 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
965 }
966
967 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
968
969 X0 = *RK++ ^ \
970 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
971 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
972 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
973 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
974
975 X1 = *RK++ ^ \
976 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
977 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
978 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
979 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
980
981 X2 = *RK++ ^ \
982 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
983 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
984 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
985 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
986
987 X3 = *RK++ ^ \
988 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
989 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
990 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
991 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
992
993 PUT_UINT32_LE( X0, output, 0 );
994 PUT_UINT32_LE( X1, output, 4 );
995 PUT_UINT32_LE( X2, output, 8 );
996 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]997
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]998 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
999 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1000 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1001 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1002
1003 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1004 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1005 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1006 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1007
1008 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1009
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1010 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1011}
1012#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1013
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1014#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1015void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1016 const unsigned char input[16],
1017 unsigned char output[16] )
1018{
1019 mbedtls_internal_aes_decrypt( ctx, input, output );
1020}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1021#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1022
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1023/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024 * AES-ECB block encryption/decryption
1025 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1026int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1027 int mode,
1028 const unsigned char input[16],
1029 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1031 AES_VALIDATE_RET( ctx != NULL );
1032 AES_VALIDATE_RET( input != NULL );
1033 AES_VALIDATE_RET( output != NULL );
1034 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1035 mode == MBEDTLS_AES_DECRYPT );
1036
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1038 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1040#endif
1041
Markku-Juhani O. Saarinen63f21392017-11-20 14:59:12 +0000[diff] [blame]1042#if defined(MBEDTLS_ARMV8CE_AES_C)
1043 // We don't do runtime checking for ARMv8 Crypto Extensions
1044 return mbedtls_armv8ce_aes_crypt_ecb( ctx, mode, input, output );
1045#endif
1046
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1047#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1048 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1050 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1051 return( 0 );
1052
1053 // If padlock data misaligned, we just fall back to
1054 // unaccelerated mode
1055 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1056 }
1057#endif
1058
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1059 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1060 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1061 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1062 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063}
1064
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1065#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066/*
1067 * AES-CBC buffer encryption/decryption
1068 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1069int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1070 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1071 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1073 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074 unsigned char *output )
1075{
1076 int i;
1077 unsigned char temp[16];
1078
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1079 AES_VALIDATE_RET( ctx != NULL );
1080 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1081 mode == MBEDTLS_AES_DECRYPT );
1082 AES_VALIDATE_RET( iv != NULL );
1083 AES_VALIDATE_RET( input != NULL );
1084 AES_VALIDATE_RET( output != NULL );
1085
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1086 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1088
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1089#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1090 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1091 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1092 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1093 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1094
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1095 // If padlock data misaligned, we just fall back to
1096 // unaccelerated mode
1097 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1098 }
1099#endif
1100
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1101 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1102 {
1103 while( length > 0 )
1104 {
1105 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1106 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107
1108 for( i = 0; i < 16; i++ )
1109 output[i] = (unsigned char)( output[i] ^ iv[i] );
1110
1111 memcpy( iv, temp, 16 );
1112
1113 input += 16;
1114 output += 16;
1115 length -= 16;
1116 }
1117 }
1118 else
1119 {
1120 while( length > 0 )
1121 {
1122 for( i = 0; i < 16; i++ )
1123 output[i] = (unsigned char)( input[i] ^ iv[i] );
1124
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1125 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1126 memcpy( iv, output, 16 );
1127
1128 input += 16;
1129 output += 16;
1130 length -= 16;
1131 }
1132 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1133
1134 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1135}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1136#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1137
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1138#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1139
1140/* Endianess with 64 bits values */
1141#ifndef GET_UINT64_LE
1142#define GET_UINT64_LE(n,b,i) \
1143{ \
1144 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1145 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1146 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1147 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1148 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1149 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1150 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1151 | ( (uint64_t) (b)[(i) ] ); \
1152}
1153#endif
1154
1155#ifndef PUT_UINT64_LE
1156#define PUT_UINT64_LE(n,b,i) \
1157{ \
1158 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1159 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1160 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1161 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1162 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1163 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1164 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1165 (b)[(i) ] = (unsigned char) ( (n) ); \
1166}
1167#endif
1168
1169typedef unsigned char mbedtls_be128[16];
1170
1171/*
1172 * GF(2^128) multiplication function
1173 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1174 * This function multiplies a field element by x in the polynomial field
1175 * representation. It uses 64-bit word operations to gain speed but compensates
1176 * for machine endianess and hence works correctly on both big and little
1177 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1178 */
1179static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1180 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1181{
1182 uint64_t a, b, ra, rb;
1183
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1184 GET_UINT64_LE( a, x, 0 );
1185 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1186
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1187 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1188 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1189
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1190 PUT_UINT64_LE( ra, r, 0 );
1191 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1192}
1193
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1194/*
1195 * AES-XTS buffer encryption/decryption
1196 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1197int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1198 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1199 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1200 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1201 const unsigned char *input,
1202 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1203{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1204 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1205 size_t blocks = length / 16;
1206 size_t leftover = length % 16;
1207 unsigned char tweak[16];
1208 unsigned char prev_tweak[16];
1209 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1210
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1211 AES_VALIDATE_RET( ctx != NULL );
1212 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1213 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1214 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1215 AES_VALIDATE_RET( input != NULL );
1216 AES_VALIDATE_RET( output != NULL );
1217
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1218 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1219 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1220 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1221
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1222 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1223 if( length > ( 1 << 20 ) * 16 )
1224 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1225
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1226 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1227 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1228 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1229 if( ret != 0 )
1230 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1231
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1232 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1233 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1234 size_t i;
1235
1236 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1237 {
1238 /* We are on the last block in a decrypt operation that has
1239 * leftover bytes, so we need to use the next tweak for this block,
1240 * and this tweak for the lefover bytes. Save the current tweak for
1241 * the leftovers and then update the current tweak for use on this,
1242 * the last full block. */
1243 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1244 mbedtls_gf128mul_x_ble( tweak, tweak );
1245 }
1246
1247 for( i = 0; i < 16; i++ )
1248 tmp[i] = input[i] ^ tweak[i];
1249
1250 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1251 if( ret != 0 )
1252 return( ret );
1253
1254 for( i = 0; i < 16; i++ )
1255 output[i] = tmp[i] ^ tweak[i];
1256
1257 /* Update the tweak for the next block. */
1258 mbedtls_gf128mul_x_ble( tweak, tweak );
1259
1260 output += 16;
1261 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1262 }
1263
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1264 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1265 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1266 /* If we are on the leftover bytes in a decrypt operation, we need to
1267 * use the previous tweak for these bytes (as saved in prev_tweak). */
1268 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1269
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1270 /* We are now on the final part of the data unit, which doesn't divide
1271 * evenly by 16. It's time for ciphertext stealing. */
1272 size_t i;
1273 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1274
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1275 /* Copy ciphertext bytes from the previous block to our output for each
1276 * byte of cyphertext we won't steal. At the same time, copy the
1277 * remainder of the input for this final round (since the loop bounds
1278 * are the same). */
1279 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1280 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1281 output[i] = prev_output[i];
1282 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1283 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1284
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1285 /* Copy ciphertext bytes from the previous block for input in this
1286 * round. */
1287 for( ; i < 16; i++ )
1288 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1289
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1290 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1291 if( ret != 0 )
1292 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1293
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1294 /* Write the result back to the previous block, overriding the previous
1295 * output we copied. */
1296 for( i = 0; i < 16; i++ )
1297 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1298 }
1299
1300 return( 0 );
1301}
1302#endif /* MBEDTLS_CIPHER_MODE_XTS */
1303
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1304#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1305/*
1306 * AES-CFB128 buffer encryption/decryption
1307 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1308int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1309 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1310 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1311 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1313 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314 unsigned char *output )
1315{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1316 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1317 size_t n;
1318
1319 AES_VALIDATE_RET( ctx != NULL );
1320 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1321 mode == MBEDTLS_AES_DECRYPT );
1322 AES_VALIDATE_RET( iv_off != NULL );
1323 AES_VALIDATE_RET( iv != NULL );
1324 AES_VALIDATE_RET( input != NULL );
1325 AES_VALIDATE_RET( output != NULL );
1326
1327 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1328
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1329 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1330 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1332 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333 {
1334 while( length-- )
1335 {
1336 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1337 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1338
1339 c = *input++;
1340 *output++ = (unsigned char)( c ^ iv[n] );
1341 iv[n] = (unsigned char) c;
1342
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1343 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1344 }
1345 }
1346 else
1347 {
1348 while( length-- )
1349 {
1350 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1351 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1352
1353 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1354
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1355 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1356 }
1357 }
1358
1359 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1360
1361 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1362}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1363
1364/*
1365 * AES-CFB8 buffer encryption/decryption
1366 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1367int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1368 int mode,
1369 size_t length,
1370 unsigned char iv[16],
1371 const unsigned char *input,
1372 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1373{
1374 unsigned char c;
1375 unsigned char ov[17];
1376
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1377 AES_VALIDATE_RET( ctx != NULL );
1378 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1379 mode == MBEDTLS_AES_DECRYPT );
1380 AES_VALIDATE_RET( iv != NULL );
1381 AES_VALIDATE_RET( input != NULL );
1382 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1383 while( length-- )
1384 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1385 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1386 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1387
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1388 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1389 ov[16] = *input;
1390
1391 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1393 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1394 ov[16] = c;
1395
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1396 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1397 }
1398
1399 return( 0 );
1400}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1401#endif /* MBEDTLS_CIPHER_MODE_CFB */
1402
1403#if defined(MBEDTLS_CIPHER_MODE_OFB)
1404/*
1405 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1406 */
1407int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1408 size_t length,
1409 size_t *iv_off,
1410 unsigned char iv[16],
1411 const unsigned char *input,
1412 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1413{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1414 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1415 size_t n;
1416
1417 AES_VALIDATE_RET( ctx != NULL );
1418 AES_VALIDATE_RET( iv_off != NULL );
1419 AES_VALIDATE_RET( iv != NULL );
1420 AES_VALIDATE_RET( input != NULL );
1421 AES_VALIDATE_RET( output != NULL );
1422
1423 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1424
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1425 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1426 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1427
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1428 while( length-- )
1429 {
1430 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1431 {
1432 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1433 if( ret != 0 )
1434 goto exit;
1435 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1436 *output++ = *input++ ^ iv[n];
1437
1438 n = ( n + 1 ) & 0x0F;
1439 }
1440
1441 *iv_off = n;
1442
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1443exit:
1444 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1445}
1446#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1447
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1448#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1449/*
1450 * AES-CTR buffer encryption/decryption
1451 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1452int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1453 size_t length,
1454 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1455 unsigned char nonce_counter[16],
1456 unsigned char stream_block[16],
1457 const unsigned char *input,
1458 unsigned char *output )
1459{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1460 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1461 size_t n;
1462
1463 AES_VALIDATE_RET( ctx != NULL );
1464 AES_VALIDATE_RET( nc_off != NULL );
1465 AES_VALIDATE_RET( nonce_counter != NULL );
1466 AES_VALIDATE_RET( stream_block != NULL );
1467 AES_VALIDATE_RET( input != NULL );
1468 AES_VALIDATE_RET( output != NULL );
1469
1470 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1471
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1472 if ( n > 0x0F )
1473 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1474
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1475 while( length-- )
1476 {
1477 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1478 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1479
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1480 for( i = 16; i > 0; i-- )
1481 if( ++nonce_counter[i - 1] != 0 )
1482 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1483 }
1484 c = *input++;
1485 *output++ = (unsigned char)( c ^ stream_block[n] );
1486
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1487 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1488 }
1489
1490 *nc_off = n;
1491
1492 return( 0 );
1493}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1494#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1495
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1496#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1498#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1499/*
1500 * AES test vectors from:
1501 *
1502 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1503 */
1504static const unsigned char aes_test_ecb_dec[3][16] =
1505{
1506 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1507 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1508 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1509 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1510 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1511 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1512};
1513
1514static const unsigned char aes_test_ecb_enc[3][16] =
1515{
1516 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1517 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1518 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1519 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1520 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1521 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1522};
1523
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1524#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1525static const unsigned char aes_test_cbc_dec[3][16] =
1526{
1527 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1528 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1529 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1530 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1531 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1532 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1533};
1534
1535static const unsigned char aes_test_cbc_enc[3][16] =
1536{
1537 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1538 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1539 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1540 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1541 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1542 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1543};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1544#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1545
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1546#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1547/*
1548 * AES-CFB128 test vectors from:
1549 *
1550 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1551 */
1552static const unsigned char aes_test_cfb128_key[3][32] =
1553{
1554 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1555 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1556 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1557 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1558 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1559 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1560 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1561 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1562 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1563};
1564
1565static const unsigned char aes_test_cfb128_iv[16] =
1566{
1567 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1568 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1569};
1570
1571static const unsigned char aes_test_cfb128_pt[64] =
1572{
1573 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1574 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1575 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1576 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1577 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1578 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1579 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1580 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1581};
1582
1583static const unsigned char aes_test_cfb128_ct[3][64] =
1584{
1585 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1586 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1587 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1588 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1589 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1590 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1591 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1592 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1593 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1594 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1595 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1596 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1597 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1598 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1599 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1600 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1601 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1602 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1603 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1604 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1605 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1606 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1607 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1608 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1609};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1610#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1611
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1612#if defined(MBEDTLS_CIPHER_MODE_OFB)
1613/*
1614 * AES-OFB test vectors from:
1615 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1616 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1617 */
1618static const unsigned char aes_test_ofb_key[3][32] =
1619{
1620 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1621 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1622 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1623 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1624 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1625 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1626 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1627 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1628 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1629};
1630
1631static const unsigned char aes_test_ofb_iv[16] =
1632{
1633 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1634 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1635};
1636
1637static const unsigned char aes_test_ofb_pt[64] =
1638{
1639 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1640 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1641 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1642 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1643 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1644 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1645 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1646 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1647};
1648
1649static const unsigned char aes_test_ofb_ct[3][64] =
1650{
1651 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1652 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1653 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1654 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1655 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1656 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1657 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1658 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1659 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1660 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1661 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1662 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1663 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1664 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1665 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1666 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1667 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1668 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1669 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1670 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1671 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1672 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1673 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1674 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1675};
1676#endif /* MBEDTLS_CIPHER_MODE_OFB */
1677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1678#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1679/*
1680 * AES-CTR test vectors from:
1681 *
1682 * http://www.faqs.org/rfcs/rfc3686.html
1683 */
1684
1685static const unsigned char aes_test_ctr_key[3][16] =
1686{
1687 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1688 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1689 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1690 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1691 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1692 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1693};
1694
1695static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1696{
1697 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1699 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1700 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1701 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1702 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1703};
1704
1705static const unsigned char aes_test_ctr_pt[3][48] =
1706{
1707 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1708 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1709
1710 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1711 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1712 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1713 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1714
1715 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1716 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1717 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1718 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1719 0x20, 0x21, 0x22, 0x23 }
1720};
1721
1722static const unsigned char aes_test_ctr_ct[3][48] =
1723{
1724 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1725 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1726 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1727 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1728 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1729 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1730 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1731 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1732 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1733 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1734 0x25, 0xB2, 0x07, 0x2F }
1735};
1736
1737static const int aes_test_ctr_len[3] =
1738 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1739#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1740
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1741#if defined(MBEDTLS_CIPHER_MODE_XTS)
1742/*
1743 * AES-XTS test vectors from:
1744 *
1745 * IEEE P1619/D16 Annex B
1746 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1747 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1748 */
1749static const unsigned char aes_test_xts_key[][32] =
1750{
1751 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1753 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1754 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1755 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1756 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1757 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1758 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1759 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1760 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1761 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1762 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1763};
1764
1765static const unsigned char aes_test_xts_pt32[][32] =
1766{
1767 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1769 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1770 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1771 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1772 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1773 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1774 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1775 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1776 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1777 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1778 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1779};
1780
1781static const unsigned char aes_test_xts_ct32[][32] =
1782{
1783 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1784 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1785 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1786 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1787 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1788 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1789 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1790 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1791 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1792 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1793 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1794 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1795};
1796
1797static const unsigned char aes_test_xts_data_unit[][16] =
1798{
1799 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1800 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1801 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1803 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1804 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1805};
1806
1807#endif /* MBEDTLS_CIPHER_MODE_XTS */
1808
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809/*
1810 * Checkup routine
1811 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1812int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1813{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1814 int ret = 0, i, j, u, mode;
1815 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1816 unsigned char key[32];
1817 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1818 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1819#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1821#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1822#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1823 unsigned char prv[16];
1824#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1825#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1826 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1827 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1828#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1829#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1830 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1831#endif
1832#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1833 unsigned char nonce_counter[16];
1834 unsigned char stream_block[16];
1835#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1836 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1837
1838 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1839 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1840
1841 /*
1842 * ECB mode
1843 */
1844 for( i = 0; i < 6; i++ )
1845 {
1846 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1847 keybits = 128 + u * 64;
1848 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849
1850 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1851 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1852 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853
1854 memset( buf, 0, 16 );
1855
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1856 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1858 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1859 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860 }
1861 else
1862 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1863 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1864 aes_tests = aes_test_ecb_enc[u];
1865 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1866
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1867 /*
1868 * AES-192 is an optional feature that may be unavailable when
1869 * there is an alternative underlying implementation i.e. when
1870 * MBEDTLS_AES_ALT is defined.
1871 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1872 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1873 {
1874 mbedtls_printf( "skipped\n" );
1875 continue;
1876 }
1877 else if( ret != 0 )
1878 {
1879 goto exit;
1880 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1882 for( j = 0; j < 10000; j++ )
1883 {
1884 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1885 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1886 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1887 }
1888
1889 if( memcmp( buf, aes_tests, 16 ) != 0 )
1890 {
1891 ret = 1;
1892 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1893 }
1894
1895 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1896 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1897 }
1898
1899 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1900 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1902#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903 /*
1904 * CBC mode
1905 */
1906 for( i = 0; i < 6; i++ )
1907 {
1908 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1909 keybits = 128 + u * 64;
1910 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1911
1912 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1913 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1914 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915
1916 memset( iv , 0, 16 );
1917 memset( prv, 0, 16 );
1918 memset( buf, 0, 16 );
1919
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1920 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1921 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1922 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1923 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1924 }
1925 else
1926 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1927 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1928 aes_tests = aes_test_cbc_enc[u];
1929 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1931 /*
1932 * AES-192 is an optional feature that may be unavailable when
1933 * there is an alternative underlying implementation i.e. when
1934 * MBEDTLS_AES_ALT is defined.
1935 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1936 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1937 {
1938 mbedtls_printf( "skipped\n" );
1939 continue;
1940 }
1941 else if( ret != 0 )
1942 {
1943 goto exit;
1944 }
1945
1946 for( j = 0; j < 10000; j++ )
1947 {
1948 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1949 {
1950 unsigned char tmp[16];
1951
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1952 memcpy( tmp, prv, 16 );
1953 memcpy( prv, buf, 16 );
1954 memcpy( buf, tmp, 16 );
1955 }
1956
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1957 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1958 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1959 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1960
1961 }
1962
1963 if( memcmp( buf, aes_tests, 16 ) != 0 )
1964 {
1965 ret = 1;
1966 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967 }
1968
1969 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1970 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971 }
1972
1973 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1974 mbedtls_printf( "\n" );
1975#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1976
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1977#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1978 /*
1979 * CFB128 mode
1980 */
1981 for( i = 0; i < 6; i++ )
1982 {
1983 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1984 keybits = 128 + u * 64;
1985 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1986
1987 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1988 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1989 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1990
1991 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1992 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1993
1994 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1995 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1996 /*
1997 * AES-192 is an optional feature that may be unavailable when
1998 * there is an alternative underlying implementation i.e. when
1999 * MBEDTLS_AES_ALT is defined.
2000 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2001 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2002 {
2003 mbedtls_printf( "skipped\n" );
2004 continue;
2005 }
2006 else if( ret != 0 )
2007 {
2008 goto exit;
2009 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2011 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2012 {
2013 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2014 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2015 }
2016 else
2017 {
2018 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2019 aes_tests = aes_test_cfb128_ct[u];
2020 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2022 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2023 if( ret != 0 )
2024 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2026 if( memcmp( buf, aes_tests, 64 ) != 0 )
2027 {
2028 ret = 1;
2029 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2030 }
2031
2032 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2033 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2034 }
2035
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2036 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2037 mbedtls_printf( "\n" );
2038#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2039
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2040#if defined(MBEDTLS_CIPHER_MODE_OFB)
2041 /*
2042 * OFB mode
2043 */
2044 for( i = 0; i < 6; i++ )
2045 {
2046 u = i >> 1;
2047 keybits = 128 + u * 64;
2048 mode = i & 1;
2049
2050 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]2051 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2052 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2053
2054 memcpy( iv, aes_test_ofb_iv, 16 );
2055 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2056
2057 offset = 0;
2058 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2059 /*
2060 * AES-192 is an optional feature that may be unavailable when
2061 * there is an alternative underlying implementation i.e. when
2062 * MBEDTLS_AES_ALT is defined.
2063 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2064 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2065 {
2066 mbedtls_printf( "skipped\n" );
2067 continue;
2068 }
2069 else if( ret != 0 )
2070 {
2071 goto exit;
2072 }
2073
2074 if( mode == MBEDTLS_AES_DECRYPT )
2075 {
2076 memcpy( buf, aes_test_ofb_ct[u], 64 );
2077 aes_tests = aes_test_ofb_pt;
2078 }
2079 else
2080 {
2081 memcpy( buf, aes_test_ofb_pt, 64 );
2082 aes_tests = aes_test_ofb_ct[u];
2083 }
2084
2085 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2086 if( ret != 0 )
2087 goto exit;
2088
2089 if( memcmp( buf, aes_tests, 64 ) != 0 )
2090 {
2091 ret = 1;
2092 goto exit;
2093 }
2094
2095 if( verbose != 0 )
2096 mbedtls_printf( "passed\n" );
2097 }
2098
2099 if( verbose != 0 )
2100 mbedtls_printf( "\n" );
2101#endif /* MBEDTLS_CIPHER_MODE_OFB */
2102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2103#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2104 /*
2105 * CTR mode
2106 */
2107 for( i = 0; i < 6; i++ )
2108 {
2109 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2110 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2111
2112 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2113 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2114 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2115
2116 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2117 memcpy( key, aes_test_ctr_key[u], 16 );
2118
2119 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2120 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2121 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2122
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2123 len = aes_test_ctr_len[u];
2124
2125 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2126 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2127 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2128 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2129 }
2130 else
2131 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2132 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2133 aes_tests = aes_test_ctr_ct[u];
2134 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2135
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2136 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2137 stream_block, buf, buf );
2138 if( ret != 0 )
2139 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2140
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2141 if( memcmp( buf, aes_tests, len ) != 0 )
2142 {
2143 ret = 1;
2144 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2145 }
2146
2147 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2148 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2149 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2150
2151 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2152 mbedtls_printf( "\n" );
2153#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2154
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2155#if defined(MBEDTLS_CIPHER_MODE_XTS)
2156 {
2157 static const int num_tests =
2158 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2159 mbedtls_aes_xts_context ctx_xts;
2160
2161 /*
2162 * XTS mode
2163 */
2164 mbedtls_aes_xts_init( &ctx_xts );
2165
2166 for( i = 0; i < num_tests << 1; i++ )
2167 {
2168 const unsigned char *data_unit;
2169 u = i >> 1;
2170 mode = i & 1;
2171
2172 if( verbose != 0 )
2173 mbedtls_printf( " AES-XTS-128 (%s): ",
2174 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2175
2176 memset( key, 0, sizeof( key ) );
2177 memcpy( key, aes_test_xts_key[u], 32 );
2178 data_unit = aes_test_xts_data_unit[u];
2179
2180 len = sizeof( *aes_test_xts_ct32 );
2181
2182 if( mode == MBEDTLS_AES_DECRYPT )
2183 {
2184 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2185 if( ret != 0)
2186 goto exit;
2187 memcpy( buf, aes_test_xts_ct32[u], len );
2188 aes_tests = aes_test_xts_pt32[u];
2189 }
2190 else
2191 {
2192 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2193 if( ret != 0)
2194 goto exit;
2195 memcpy( buf, aes_test_xts_pt32[u], len );
2196 aes_tests = aes_test_xts_ct32[u];
2197 }
2198
2199
2200 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2201 buf, buf );
2202 if( ret != 0 )
2203 goto exit;
2204
2205 if( memcmp( buf, aes_tests, len ) != 0 )
2206 {
2207 ret = 1;
2208 goto exit;
2209 }
2210
2211 if( verbose != 0 )
2212 mbedtls_printf( "passed\n" );
2213 }
2214
2215 if( verbose != 0 )
2216 mbedtls_printf( "\n" );
2217
2218 mbedtls_aes_xts_free( &ctx_xts );
2219 }
2220#endif /* MBEDTLS_CIPHER_MODE_XTS */
2221
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2222 ret = 0;
2223
2224exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2225 if( ret != 0 && verbose != 0 )
2226 mbedtls_printf( "failed\n" );
2227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2228 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2229
2230 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2231}
2232
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2233#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2234
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2235#endif /* MBEDTLS_AES_C */