TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f744bd72eec35005e5d3a4bf1192014d15bef84f / . / library / aes.c
blob: 9ec28690b25347eedffa166529fa8b83d7ee8904 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame^]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame^]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]46 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47 */
48/*
49 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
50 *
51 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
52 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
53 */
54
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]55#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]56#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]59#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]61#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]63#include <string.h>
64
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]65#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]66#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]67#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]68#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]69#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]70#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]71#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]72#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]73#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]74
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]75#if defined(MBEDTLS_SELF_TEST)
76#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]77#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]78#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]79#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]80#define mbedtls_printf printf
81#endif /* MBEDTLS_PLATFORM_C */
82#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]83
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]84#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]85
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]86/* Parameter validation macros based on platform_util.h */
87#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]88 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]89#define AES_VALIDATE( cond ) \
90 MBEDTLS_INTERNAL_VALIDATE( cond )
91
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]92/*
93 * 32-bit integer manipulation macros (little endian)
94 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]95#ifndef GET_UINT32_LE
96#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]97{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]98 (n) = ( (uint32_t) (b)[(i) ] ) \
99 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
100 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
101 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]102}
103#endif
104
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]105#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]106#define PUT_UINT32_LE(n,b,i) \
107{ \
108 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
109 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
110 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
111 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]112}
113#endif
114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]115#if defined(MBEDTLS_PADLOCK_C) && \
116 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]117static int aes_padlock_ace = -1;
118#endif
119
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]120#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]121/*
122 * Forward S-box
123 */
124static const unsigned char FSb[256] =
125{
126 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
127 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
128 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
129 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
130 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
131 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
132 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
133 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
134 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
135 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
136 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
137 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
138 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
139 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
140 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
141 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
142 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
143 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
144 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
145 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
146 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
147 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
148 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
149 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
150 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
151 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
152 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
153 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
154 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
155 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
156 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
157 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
158};
159
160/*
161 * Forward tables
162 */
163#define FT \
164\
165 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
166 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
167 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
168 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
169 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
170 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
171 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
172 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
173 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
174 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
175 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
176 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
177 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
178 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
179 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
180 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
181 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
182 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
183 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
184 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
185 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
186 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
187 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
188 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
189 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
190 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
191 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
192 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
193 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
194 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
195 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
196 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
197 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
198 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
199 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
200 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
201 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
202 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
203 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
204 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
205 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
206 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
207 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
208 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
209 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
210 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
211 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
212 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
213 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
214 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
215 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
216 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
217 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
218 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
219 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
220 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
221 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
222 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
223 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
224 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
225 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
226 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
227 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
228 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
229
230#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]231static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]232#undef V
233
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]234#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]235
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]237static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238#undef V
239
240#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]241static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]242#undef V
243
244#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]245static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]246#undef V
247
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]248#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]249
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]250#undef FT
251
252/*
253 * Reverse S-box
254 */
255static const unsigned char RSb[256] =
256{
257 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
258 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
259 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
260 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
261 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
262 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
263 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
264 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
265 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
266 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
267 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
268 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
269 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
270 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
271 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
272 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
273 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
274 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
275 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
276 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
277 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
278 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
279 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
280 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
281 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
282 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
283 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
284 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
285 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
286 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
287 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
288 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
289};
290
291/*
292 * Reverse tables
293 */
294#define RT \
295\
296 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
297 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
298 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
299 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
300 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
301 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
302 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
303 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
304 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
305 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
306 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
307 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
308 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
309 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
310 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
311 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
312 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
313 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
314 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
315 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
316 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
317 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
318 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
319 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
320 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
321 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
322 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
323 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
324 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
325 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
326 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
327 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
328 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
329 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
330 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
331 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
332 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
333 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
334 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
335 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
336 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
337 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
338 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
339 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
340 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
341 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
342 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
343 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
344 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
345 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
346 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
347 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
348 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
349 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
350 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
351 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
352 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
353 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
354 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
355 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
356 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
357 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
358 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
359 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
360
361#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]362static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363#undef V
364
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]365#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]366
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]368static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]369#undef V
370
371#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]372static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373#undef V
374
375#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]376static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]377#undef V
378
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]379#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]380
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]381#undef RT
382
383/*
384 * Round constants
385 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]386static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387{
388 0x00000001, 0x00000002, 0x00000004, 0x00000008,
389 0x00000010, 0x00000020, 0x00000040, 0x00000080,
390 0x0000001B, 0x00000036
391};
392
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]393#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394
395/*
396 * Forward S-box & tables
397 */
398static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]399static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]400#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]401static uint32_t FT1[256];
402static uint32_t FT2[256];
403static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]404#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]405
406/*
407 * Reverse S-box & tables
408 */
409static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]410static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]411#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]412static uint32_t RT1[256];
413static uint32_t RT2[256];
414static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]415#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]416
417/*
418 * Round constants
419 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]420static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421
422/*
423 * Tables generation code
424 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]425#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
426#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]427#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428
429static int aes_init_done = 0;
430
431static void aes_gen_tables( void )
432{
433 int i, x, y, z;
434 int pow[256];
435 int log[256];
436
437 /*
438 * compute pow and log tables over GF(2^8)
439 */
440 for( i = 0, x = 1; i < 256; i++ )
441 {
442 pow[i] = x;
443 log[x] = i;
444 x = ( x ^ XTIME( x ) ) & 0xFF;
445 }
446
447 /*
448 * calculate the round constants
449 */
450 for( i = 0, x = 1; i < 10; i++ )
451 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]452 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453 x = XTIME( x ) & 0xFF;
454 }
455
456 /*
457 * generate the forward and reverse S-boxes
458 */
459 FSb[0x00] = 0x63;
460 RSb[0x63] = 0x00;
461
462 for( i = 1; i < 256; i++ )
463 {
464 x = pow[255 - log[i]];
465
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]466 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
468 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
469 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 x ^= y ^ 0x63;
471
472 FSb[i] = (unsigned char) x;
473 RSb[x] = (unsigned char) i;
474 }
475
476 /*
477 * generate the forward and reverse tables
478 */
479 for( i = 0; i < 256; i++ )
480 {
481 x = FSb[i];
482 y = XTIME( x ) & 0xFF;
483 z = ( y ^ x ) & 0xFF;
484
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]485 FT0[i] = ( (uint32_t) y ) ^
486 ( (uint32_t) x << 8 ) ^
487 ( (uint32_t) x << 16 ) ^
488 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]490#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491 FT1[i] = ROTL8( FT0[i] );
492 FT2[i] = ROTL8( FT1[i] );
493 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]494#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]495
496 x = RSb[i];
497
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]498 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
499 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
500 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
501 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]503#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]504 RT1[i] = ROTL8( RT0[i] );
505 RT2[i] = ROTL8( RT1[i] );
506 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]507#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 }
509}
510
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]511#undef ROTL8
512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]515#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]516
517#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
518#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
519#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
520
521#define AES_RT0(idx) RT0[idx]
522#define AES_RT1(idx) ROTL8( RT0[idx] )
523#define AES_RT2(idx) ROTL16( RT0[idx] )
524#define AES_RT3(idx) ROTL24( RT0[idx] )
525
526#define AES_FT0(idx) FT0[idx]
527#define AES_FT1(idx) ROTL8( FT0[idx] )
528#define AES_FT2(idx) ROTL16( FT0[idx] )
529#define AES_FT3(idx) ROTL24( FT0[idx] )
530
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]531#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]532
533#define AES_RT0(idx) RT0[idx]
534#define AES_RT1(idx) RT1[idx]
535#define AES_RT2(idx) RT2[idx]
536#define AES_RT3(idx) RT3[idx]
537
538#define AES_FT0(idx) FT0[idx]
539#define AES_FT1(idx) FT1[idx]
540#define AES_FT2(idx) FT2[idx]
541#define AES_FT3(idx) FT3[idx]
542
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]543#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]544
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]545void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]546{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]547 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]548
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]549 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]550}
551
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]552void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]553{
554 if( ctx == NULL )
555 return;
556
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]557 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]558}
559
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]560#if defined(MBEDTLS_CIPHER_MODE_XTS)
561void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
562{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]563 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]564
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]565 mbedtls_aes_init( &ctx->crypt );
566 mbedtls_aes_init( &ctx->tweak );
567}
568
569void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
570{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]571 if( ctx == NULL )
572 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]574 mbedtls_aes_free( &ctx->crypt );
575 mbedtls_aes_free( &ctx->tweak );
576}
577#endif /* MBEDTLS_CIPHER_MODE_XTS */
578
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]579/*
580 * AES key schedule (encryption)
581 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]582#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]583int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]584 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]586 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]587 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]589 AES_VALIDATE_RET( ctx != NULL );
590 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]592 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]593 {
594 case 128: ctx->nr = 10; break;
595 case 192: ctx->nr = 12; break;
596 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]597 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598 }
599
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]600#if !defined(MBEDTLS_AES_ROM_TABLES)
601 if( aes_init_done == 0 )
602 {
603 aes_gen_tables();
604 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]605 }
606#endif
607
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]608#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]609 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]610 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]611
612 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]613 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]614 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]616 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]617
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]618#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]619 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]620 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]621#endif
622
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]623 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]625 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]626 }
627
628 switch( ctx->nr )
629 {
630 case 10:
631
632 for( i = 0; i < 10; i++, RK += 4 )
633 {
634 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]635 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
636 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
637 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
638 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]639
640 RK[5] = RK[1] ^ RK[4];
641 RK[6] = RK[2] ^ RK[5];
642 RK[7] = RK[3] ^ RK[6];
643 }
644 break;
645
646 case 12:
647
648 for( i = 0; i < 8; i++, RK += 6 )
649 {
650 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]651 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
652 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
653 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
654 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655
656 RK[7] = RK[1] ^ RK[6];
657 RK[8] = RK[2] ^ RK[7];
658 RK[9] = RK[3] ^ RK[8];
659 RK[10] = RK[4] ^ RK[9];
660 RK[11] = RK[5] ^ RK[10];
661 }
662 break;
663
664 case 14:
665
666 for( i = 0; i < 7; i++, RK += 8 )
667 {
668 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]669 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
670 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
671 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
672 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673
674 RK[9] = RK[1] ^ RK[8];
675 RK[10] = RK[2] ^ RK[9];
676 RK[11] = RK[3] ^ RK[10];
677
678 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]679 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
680 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
681 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
682 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]683
684 RK[13] = RK[5] ^ RK[12];
685 RK[14] = RK[6] ^ RK[13];
686 RK[15] = RK[7] ^ RK[14];
687 }
688 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]690
691 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]693#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
695/*
696 * AES key schedule (decryption)
697 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]698#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]700 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]702 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]703 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]704 uint32_t *RK;
705 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]706
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]707 AES_VALIDATE_RET( ctx != NULL );
708 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]709
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]712#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]713 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]714 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]715
716 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]717 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]718 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]720 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]721
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]722 /* Also checks keybits */
723 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]724 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]725
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]726 ctx->nr = cty.nr;
727
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]728#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]729 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]730 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]731 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]732 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]733 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]734 }
735#endif
736
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]737 SK = cty.rk + cty.nr * 4;
738
739 *RK++ = *SK++;
740 *RK++ = *SK++;
741 *RK++ = *SK++;
742 *RK++ = *SK++;
743
744 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
745 {
746 for( j = 0; j < 4; j++, SK++ )
747 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]748 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
749 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
750 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
751 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]752 }
753 }
754
755 *RK++ = *SK++;
756 *RK++ = *SK++;
757 *RK++ = *SK++;
758 *RK++ = *SK++;
759
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]760exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]761 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]762
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]763 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]764}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]765
766#if defined(MBEDTLS_CIPHER_MODE_XTS)
767static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
768 unsigned int keybits,
769 const unsigned char **key1,
770 unsigned int *key1bits,
771 const unsigned char **key2,
772 unsigned int *key2bits )
773{
774 const unsigned int half_keybits = keybits / 2;
775 const unsigned int half_keybytes = half_keybits / 8;
776
777 switch( keybits )
778 {
779 case 256: break;
780 case 512: break;
781 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
782 }
783
784 *key1bits = half_keybits;
785 *key2bits = half_keybits;
786 *key1 = &key[0];
787 *key2 = &key[half_keybytes];
788
789 return 0;
790}
791
792int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
793 const unsigned char *key,
794 unsigned int keybits)
795{
796 int ret;
797 const unsigned char *key1, *key2;
798 unsigned int key1bits, key2bits;
799
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]800 AES_VALIDATE_RET( ctx != NULL );
801 AES_VALIDATE_RET( key != NULL );
802
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]803 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
804 &key2, &key2bits );
805 if( ret != 0 )
806 return( ret );
807
808 /* Set the tweak key. Always set tweak key for the encryption mode. */
809 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
810 if( ret != 0 )
811 return( ret );
812
813 /* Set crypt key for encryption. */
814 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
815}
816
817int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
818 const unsigned char *key,
819 unsigned int keybits)
820{
821 int ret;
822 const unsigned char *key1, *key2;
823 unsigned int key1bits, key2bits;
824
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]825 AES_VALIDATE_RET( ctx != NULL );
826 AES_VALIDATE_RET( key != NULL );
827
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]828 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
829 &key2, &key2bits );
830 if( ret != 0 )
831 return( ret );
832
833 /* Set the tweak key. Always set tweak key for encryption. */
834 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
835 if( ret != 0 )
836 return( ret );
837
838 /* Set crypt key for decryption. */
839 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
840}
841#endif /* MBEDTLS_CIPHER_MODE_XTS */
842
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]843#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]844
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]845#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
846 do \
847 { \
848 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
849 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
850 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
851 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
852 \
853 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
854 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
855 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
856 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
857 \
858 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
859 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
860 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
861 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
862 \
863 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
864 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
865 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
866 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
867 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]868
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]869#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
870 do \
871 { \
872 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
873 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
874 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
875 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
876 \
877 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
878 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
879 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
880 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
881 \
882 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
883 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
884 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
885 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
886 \
887 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
888 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
889 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
890 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
891 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]892
893/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]894 * AES-ECB block encryption
895 */
896#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]897int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
898 const unsigned char input[16],
899 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]900{
901 int i;
902 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
903
904 RK = ctx->rk;
905
906 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
907 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
908 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
909 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
910
911 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
912 {
913 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
914 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
915 }
916
917 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
918
919 X0 = *RK++ ^ \
920 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
921 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
922 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
923 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
924
925 X1 = *RK++ ^ \
926 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
927 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
928 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
929 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
930
931 X2 = *RK++ ^ \
932 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
933 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
934 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
935 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
936
937 X3 = *RK++ ^ \
938 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
939 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
940 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
941 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
942
943 PUT_UINT32_LE( X0, output, 0 );
944 PUT_UINT32_LE( X1, output, 4 );
945 PUT_UINT32_LE( X2, output, 8 );
946 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]947
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]948 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
949 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
950 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
951 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
952
953 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
954 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
955 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
956 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
957
958 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
959
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]960 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]961}
962#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
963
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]964#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]965void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
966 const unsigned char input[16],
967 unsigned char output[16] )
968{
969 mbedtls_internal_aes_encrypt( ctx, input, output );
970}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]971#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]972
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]973/*
974 * AES-ECB block decryption
975 */
976#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]977int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
978 const unsigned char input[16],
979 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]980{
981 int i;
982 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
983
984 RK = ctx->rk;
985
986 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
987 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
988 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
989 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
990
991 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
992 {
993 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
994 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
995 }
996
997 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
998
999 X0 = *RK++ ^ \
1000 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
1001 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
1002 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
1003 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
1004
1005 X1 = *RK++ ^ \
1006 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
1007 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
1008 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
1009 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
1010
1011 X2 = *RK++ ^ \
1012 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
1013 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
1014 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
1015 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
1016
1017 X3 = *RK++ ^ \
1018 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
1019 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
1020 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
1021 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
1022
1023 PUT_UINT32_LE( X0, output, 0 );
1024 PUT_UINT32_LE( X1, output, 4 );
1025 PUT_UINT32_LE( X2, output, 8 );
1026 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1027
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]1028 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
1029 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1030 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1031 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1032
1033 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1034 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1035 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1036 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1037
1038 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1039
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1040 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1041}
1042#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1043
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1044#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1045void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1046 const unsigned char input[16],
1047 unsigned char output[16] )
1048{
1049 mbedtls_internal_aes_decrypt( ctx, input, output );
1050}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1051#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1052
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1053/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1054 * AES-ECB block encryption/decryption
1055 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1056int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1057 int mode,
1058 const unsigned char input[16],
1059 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1060{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1061 AES_VALIDATE_RET( ctx != NULL );
1062 AES_VALIDATE_RET( input != NULL );
1063 AES_VALIDATE_RET( output != NULL );
1064 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1065 mode == MBEDTLS_AES_DECRYPT );
1066
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1068 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1069 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1070#endif
1071
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1072#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1073 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1075 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1076 return( 0 );
1077
1078 // If padlock data misaligned, we just fall back to
1079 // unaccelerated mode
1080 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081 }
1082#endif
1083
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1084 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1085 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1086 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1087 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1088}
1089
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1090#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1091/*
1092 * AES-CBC buffer encryption/decryption
1093 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1094int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1096 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1097 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1098 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1099 unsigned char *output )
1100{
1101 int i;
1102 unsigned char temp[16];
1103
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1104 AES_VALIDATE_RET( ctx != NULL );
1105 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1106 mode == MBEDTLS_AES_DECRYPT );
1107 AES_VALIDATE_RET( iv != NULL );
1108 AES_VALIDATE_RET( input != NULL );
1109 AES_VALIDATE_RET( output != NULL );
1110
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1111 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1112 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1114#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1115 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1116 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1117 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1118 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1119
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1120 // If padlock data misaligned, we just fall back to
1121 // unaccelerated mode
1122 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1123 }
1124#endif
1125
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1126 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1127 {
1128 while( length > 0 )
1129 {
1130 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1131 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1132
1133 for( i = 0; i < 16; i++ )
1134 output[i] = (unsigned char)( output[i] ^ iv[i] );
1135
1136 memcpy( iv, temp, 16 );
1137
1138 input += 16;
1139 output += 16;
1140 length -= 16;
1141 }
1142 }
1143 else
1144 {
1145 while( length > 0 )
1146 {
1147 for( i = 0; i < 16; i++ )
1148 output[i] = (unsigned char)( input[i] ^ iv[i] );
1149
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1150 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1151 memcpy( iv, output, 16 );
1152
1153 input += 16;
1154 output += 16;
1155 length -= 16;
1156 }
1157 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1158
1159 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1160}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1161#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1162
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1163#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1164
1165/* Endianess with 64 bits values */
1166#ifndef GET_UINT64_LE
1167#define GET_UINT64_LE(n,b,i) \
1168{ \
1169 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1170 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1171 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1172 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1173 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1174 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1175 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1176 | ( (uint64_t) (b)[(i) ] ); \
1177}
1178#endif
1179
1180#ifndef PUT_UINT64_LE
1181#define PUT_UINT64_LE(n,b,i) \
1182{ \
1183 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1184 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1185 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1186 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1187 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1188 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1189 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1190 (b)[(i) ] = (unsigned char) ( (n) ); \
1191}
1192#endif
1193
1194typedef unsigned char mbedtls_be128[16];
1195
1196/*
1197 * GF(2^128) multiplication function
1198 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1199 * This function multiplies a field element by x in the polynomial field
1200 * representation. It uses 64-bit word operations to gain speed but compensates
1201 * for machine endianess and hence works correctly on both big and little
1202 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1203 */
1204static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1205 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1206{
1207 uint64_t a, b, ra, rb;
1208
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1209 GET_UINT64_LE( a, x, 0 );
1210 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1211
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1212 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1213 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1214
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1215 PUT_UINT64_LE( ra, r, 0 );
1216 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1217}
1218
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1219/*
1220 * AES-XTS buffer encryption/decryption
1221 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1222int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1223 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1224 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1225 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1226 const unsigned char *input,
1227 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1228{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1229 int ret;
1230 size_t blocks = length / 16;
1231 size_t leftover = length % 16;
1232 unsigned char tweak[16];
1233 unsigned char prev_tweak[16];
1234 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1235
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1236 AES_VALIDATE_RET( ctx != NULL );
1237 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1238 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1239 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1240 AES_VALIDATE_RET( input != NULL );
1241 AES_VALIDATE_RET( output != NULL );
1242
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1243 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1244 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1245 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1246
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1247 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1248 if( length > ( 1 << 20 ) * 16 )
1249 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1250
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1251 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1252 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1253 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1254 if( ret != 0 )
1255 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1256
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1257 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1258 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1259 size_t i;
1260
1261 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1262 {
1263 /* We are on the last block in a decrypt operation that has
1264 * leftover bytes, so we need to use the next tweak for this block,
1265 * and this tweak for the lefover bytes. Save the current tweak for
1266 * the leftovers and then update the current tweak for use on this,
1267 * the last full block. */
1268 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1269 mbedtls_gf128mul_x_ble( tweak, tweak );
1270 }
1271
1272 for( i = 0; i < 16; i++ )
1273 tmp[i] = input[i] ^ tweak[i];
1274
1275 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1276 if( ret != 0 )
1277 return( ret );
1278
1279 for( i = 0; i < 16; i++ )
1280 output[i] = tmp[i] ^ tweak[i];
1281
1282 /* Update the tweak for the next block. */
1283 mbedtls_gf128mul_x_ble( tweak, tweak );
1284
1285 output += 16;
1286 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1287 }
1288
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1289 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1290 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1291 /* If we are on the leftover bytes in a decrypt operation, we need to
1292 * use the previous tweak for these bytes (as saved in prev_tweak). */
1293 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1294
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1295 /* We are now on the final part of the data unit, which doesn't divide
1296 * evenly by 16. It's time for ciphertext stealing. */
1297 size_t i;
1298 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1299
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1300 /* Copy ciphertext bytes from the previous block to our output for each
1301 * byte of cyphertext we won't steal. At the same time, copy the
1302 * remainder of the input for this final round (since the loop bounds
1303 * are the same). */
1304 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1305 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1306 output[i] = prev_output[i];
1307 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1308 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1309
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1310 /* Copy ciphertext bytes from the previous block for input in this
1311 * round. */
1312 for( ; i < 16; i++ )
1313 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1314
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1315 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1316 if( ret != 0 )
1317 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1318
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1319 /* Write the result back to the previous block, overriding the previous
1320 * output we copied. */
1321 for( i = 0; i < 16; i++ )
1322 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1323 }
1324
1325 return( 0 );
1326}
1327#endif /* MBEDTLS_CIPHER_MODE_XTS */
1328
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1329#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330/*
1331 * AES-CFB128 buffer encryption/decryption
1332 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1333int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1334 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1335 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1336 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1338 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1339 unsigned char *output )
1340{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1341 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1342 size_t n;
1343
1344 AES_VALIDATE_RET( ctx != NULL );
1345 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1346 mode == MBEDTLS_AES_DECRYPT );
1347 AES_VALIDATE_RET( iv_off != NULL );
1348 AES_VALIDATE_RET( iv != NULL );
1349 AES_VALIDATE_RET( input != NULL );
1350 AES_VALIDATE_RET( output != NULL );
1351
1352 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1353
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1354 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1355 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1356
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1357 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1358 {
1359 while( length-- )
1360 {
1361 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1362 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1363
1364 c = *input++;
1365 *output++ = (unsigned char)( c ^ iv[n] );
1366 iv[n] = (unsigned char) c;
1367
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1368 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1369 }
1370 }
1371 else
1372 {
1373 while( length-- )
1374 {
1375 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1376 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1377
1378 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1379
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1380 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1381 }
1382 }
1383
1384 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1385
1386 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1387}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1388
1389/*
1390 * AES-CFB8 buffer encryption/decryption
1391 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1392int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1393 int mode,
1394 size_t length,
1395 unsigned char iv[16],
1396 const unsigned char *input,
1397 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1398{
1399 unsigned char c;
1400 unsigned char ov[17];
1401
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1402 AES_VALIDATE_RET( ctx != NULL );
1403 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1404 mode == MBEDTLS_AES_DECRYPT );
1405 AES_VALIDATE_RET( iv != NULL );
1406 AES_VALIDATE_RET( input != NULL );
1407 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1408 while( length-- )
1409 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1410 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1411 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1412
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1413 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1414 ov[16] = *input;
1415
1416 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1417
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1418 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1419 ov[16] = c;
1420
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1421 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1422 }
1423
1424 return( 0 );
1425}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1426#endif /* MBEDTLS_CIPHER_MODE_CFB */
1427
1428#if defined(MBEDTLS_CIPHER_MODE_OFB)
1429/*
1430 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1431 */
1432int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1433 size_t length,
1434 size_t *iv_off,
1435 unsigned char iv[16],
1436 const unsigned char *input,
1437 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1438{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1439 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1440 size_t n;
1441
1442 AES_VALIDATE_RET( ctx != NULL );
1443 AES_VALIDATE_RET( iv_off != NULL );
1444 AES_VALIDATE_RET( iv != NULL );
1445 AES_VALIDATE_RET( input != NULL );
1446 AES_VALIDATE_RET( output != NULL );
1447
1448 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1449
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1450 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1451 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1452
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1453 while( length-- )
1454 {
1455 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1456 {
1457 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1458 if( ret != 0 )
1459 goto exit;
1460 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1461 *output++ = *input++ ^ iv[n];
1462
1463 n = ( n + 1 ) & 0x0F;
1464 }
1465
1466 *iv_off = n;
1467
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1468exit:
1469 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1470}
1471#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1472
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1474/*
1475 * AES-CTR buffer encryption/decryption
1476 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1477int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1478 size_t length,
1479 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1480 unsigned char nonce_counter[16],
1481 unsigned char stream_block[16],
1482 const unsigned char *input,
1483 unsigned char *output )
1484{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1485 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1486 size_t n;
1487
1488 AES_VALIDATE_RET( ctx != NULL );
1489 AES_VALIDATE_RET( nc_off != NULL );
1490 AES_VALIDATE_RET( nonce_counter != NULL );
1491 AES_VALIDATE_RET( stream_block != NULL );
1492 AES_VALIDATE_RET( input != NULL );
1493 AES_VALIDATE_RET( output != NULL );
1494
1495 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1496
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1497 if ( n > 0x0F )
1498 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1499
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1500 while( length-- )
1501 {
1502 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1503 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1504
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1505 for( i = 16; i > 0; i-- )
1506 if( ++nonce_counter[i - 1] != 0 )
1507 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1508 }
1509 c = *input++;
1510 *output++ = (unsigned char)( c ^ stream_block[n] );
1511
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1512 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1513 }
1514
1515 *nc_off = n;
1516
1517 return( 0 );
1518}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1519#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1521#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1523#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1524/*
1525 * AES test vectors from:
1526 *
1527 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1528 */
1529static const unsigned char aes_test_ecb_dec[3][16] =
1530{
1531 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1532 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1533 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1534 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1535 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1536 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1537};
1538
1539static const unsigned char aes_test_ecb_enc[3][16] =
1540{
1541 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1542 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1543 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1544 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1545 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1546 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1547};
1548
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1549#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1550static const unsigned char aes_test_cbc_dec[3][16] =
1551{
1552 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1553 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1554 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1555 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1556 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1557 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1558};
1559
1560static const unsigned char aes_test_cbc_enc[3][16] =
1561{
1562 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1563 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1564 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1565 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1566 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1567 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1568};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1569#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1570
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1571#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1572/*
1573 * AES-CFB128 test vectors from:
1574 *
1575 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1576 */
1577static const unsigned char aes_test_cfb128_key[3][32] =
1578{
1579 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1580 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1581 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1582 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1583 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1584 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1585 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1586 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1587 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1588};
1589
1590static const unsigned char aes_test_cfb128_iv[16] =
1591{
1592 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1593 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1594};
1595
1596static const unsigned char aes_test_cfb128_pt[64] =
1597{
1598 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1599 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1600 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1601 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1602 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1603 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1604 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1605 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1606};
1607
1608static const unsigned char aes_test_cfb128_ct[3][64] =
1609{
1610 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1611 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1612 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1613 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1614 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1615 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1616 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1617 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1618 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1619 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1620 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1621 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1622 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1623 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1624 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1625 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1626 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1627 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1628 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1629 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1630 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1631 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1632 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1633 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1634};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1635#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1636
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1637#if defined(MBEDTLS_CIPHER_MODE_OFB)
1638/*
1639 * AES-OFB test vectors from:
1640 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1641 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1642 */
1643static const unsigned char aes_test_ofb_key[3][32] =
1644{
1645 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1646 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1647 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1648 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1649 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1650 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1651 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1652 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1653 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1654};
1655
1656static const unsigned char aes_test_ofb_iv[16] =
1657{
1658 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1659 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1660};
1661
1662static const unsigned char aes_test_ofb_pt[64] =
1663{
1664 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1665 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1666 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1667 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1668 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1669 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1670 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1671 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1672};
1673
1674static const unsigned char aes_test_ofb_ct[3][64] =
1675{
1676 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1677 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1678 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1679 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1680 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1681 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1682 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1683 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1684 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1685 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1686 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1687 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1688 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1689 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1690 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1691 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1692 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1693 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1694 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1695 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1696 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1697 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1698 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1699 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1700};
1701#endif /* MBEDTLS_CIPHER_MODE_OFB */
1702
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1703#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1704/*
1705 * AES-CTR test vectors from:
1706 *
1707 * http://www.faqs.org/rfcs/rfc3686.html
1708 */
1709
1710static const unsigned char aes_test_ctr_key[3][16] =
1711{
1712 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1713 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1714 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1715 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1716 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1717 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1718};
1719
1720static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1721{
1722 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1723 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1724 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1725 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1726 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1727 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1728};
1729
1730static const unsigned char aes_test_ctr_pt[3][48] =
1731{
1732 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1733 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1734
1735 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1736 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1737 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1738 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1739
1740 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1741 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1742 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1743 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1744 0x20, 0x21, 0x22, 0x23 }
1745};
1746
1747static const unsigned char aes_test_ctr_ct[3][48] =
1748{
1749 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1750 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1751 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1752 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1753 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1754 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1755 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1756 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1757 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1758 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1759 0x25, 0xB2, 0x07, 0x2F }
1760};
1761
1762static const int aes_test_ctr_len[3] =
1763 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1764#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1765
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1766#if defined(MBEDTLS_CIPHER_MODE_XTS)
1767/*
1768 * AES-XTS test vectors from:
1769 *
1770 * IEEE P1619/D16 Annex B
1771 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1772 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1773 */
1774static const unsigned char aes_test_xts_key[][32] =
1775{
1776 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1780 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1781 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1782 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1783 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1784 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1785 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1786 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1787 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1788};
1789
1790static const unsigned char aes_test_xts_pt32[][32] =
1791{
1792 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1796 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1797 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1798 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1799 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1800 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1801 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1802 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1803 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1804};
1805
1806static const unsigned char aes_test_xts_ct32[][32] =
1807{
1808 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1809 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1810 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1811 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1812 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1813 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1814 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1815 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1816 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1817 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1818 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1819 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1820};
1821
1822static const unsigned char aes_test_xts_data_unit[][16] =
1823{
1824 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1826 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1827 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1828 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1829 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1830};
1831
1832#endif /* MBEDTLS_CIPHER_MODE_XTS */
1833
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1834/*
1835 * Checkup routine
1836 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1837int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1838{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1839 int ret = 0, i, j, u, mode;
1840 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1841 unsigned char key[32];
1842 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1843 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1844#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1846#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1847#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1848 unsigned char prv[16];
1849#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1850#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1851 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1852 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1853#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1854#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1855 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1856#endif
1857#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1858 unsigned char nonce_counter[16];
1859 unsigned char stream_block[16];
1860#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1861 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862
1863 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1864 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865
1866 /*
1867 * ECB mode
1868 */
1869 for( i = 0; i < 6; i++ )
1870 {
1871 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1872 keybits = 128 + u * 64;
1873 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1874
1875 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1876 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1877 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878
1879 memset( buf, 0, 16 );
1880
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1881 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1883 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1884 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885 }
1886 else
1887 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1888 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1889 aes_tests = aes_test_ecb_enc[u];
1890 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1891
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1892 /*
1893 * AES-192 is an optional feature that may be unavailable when
1894 * there is an alternative underlying implementation i.e. when
1895 * MBEDTLS_AES_ALT is defined.
1896 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1897 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1898 {
1899 mbedtls_printf( "skipped\n" );
1900 continue;
1901 }
1902 else if( ret != 0 )
1903 {
1904 goto exit;
1905 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1906
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1907 for( j = 0; j < 10000; j++ )
1908 {
1909 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1910 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1911 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1912 }
1913
1914 if( memcmp( buf, aes_tests, 16 ) != 0 )
1915 {
1916 ret = 1;
1917 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918 }
1919
1920 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1921 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922 }
1923
1924 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1925 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1926
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1927#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928 /*
1929 * CBC mode
1930 */
1931 for( i = 0; i < 6; i++ )
1932 {
1933 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1934 keybits = 128 + u * 64;
1935 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1936
1937 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1938 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1939 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1940
1941 memset( iv , 0, 16 );
1942 memset( prv, 0, 16 );
1943 memset( buf, 0, 16 );
1944
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1945 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1946 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1947 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1948 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1949 }
1950 else
1951 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1952 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1953 aes_tests = aes_test_cbc_enc[u];
1954 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1955
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1956 /*
1957 * AES-192 is an optional feature that may be unavailable when
1958 * there is an alternative underlying implementation i.e. when
1959 * MBEDTLS_AES_ALT is defined.
1960 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1961 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1962 {
1963 mbedtls_printf( "skipped\n" );
1964 continue;
1965 }
1966 else if( ret != 0 )
1967 {
1968 goto exit;
1969 }
1970
1971 for( j = 0; j < 10000; j++ )
1972 {
1973 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1974 {
1975 unsigned char tmp[16];
1976
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1977 memcpy( tmp, prv, 16 );
1978 memcpy( prv, buf, 16 );
1979 memcpy( buf, tmp, 16 );
1980 }
1981
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1982 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1983 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1984 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1985
1986 }
1987
1988 if( memcmp( buf, aes_tests, 16 ) != 0 )
1989 {
1990 ret = 1;
1991 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1992 }
1993
1994 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1995 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1996 }
1997
1998 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1999 mbedtls_printf( "\n" );
2000#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2002#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2003 /*
2004 * CFB128 mode
2005 */
2006 for( i = 0; i < 6; i++ )
2007 {
2008 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2009 keybits = 128 + u * 64;
2010 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2011
2012 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2013 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2014 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2015
2016 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2017 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2018
2019 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2020 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2021 /*
2022 * AES-192 is an optional feature that may be unavailable when
2023 * there is an alternative underlying implementation i.e. when
2024 * MBEDTLS_AES_ALT is defined.
2025 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2026 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2027 {
2028 mbedtls_printf( "skipped\n" );
2029 continue;
2030 }
2031 else if( ret != 0 )
2032 {
2033 goto exit;
2034 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2035
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2036 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2037 {
2038 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2039 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2040 }
2041 else
2042 {
2043 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2044 aes_tests = aes_test_cfb128_ct[u];
2045 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2046
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2047 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2048 if( ret != 0 )
2049 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2050
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2051 if( memcmp( buf, aes_tests, 64 ) != 0 )
2052 {
2053 ret = 1;
2054 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2055 }
2056
2057 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2058 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2059 }
2060
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2061 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2062 mbedtls_printf( "\n" );
2063#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2064
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2065#if defined(MBEDTLS_CIPHER_MODE_OFB)
2066 /*
2067 * OFB mode
2068 */
2069 for( i = 0; i < 6; i++ )
2070 {
2071 u = i >> 1;
2072 keybits = 128 + u * 64;
2073 mode = i & 1;
2074
2075 if( verbose != 0 )
2076 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2077 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2078
2079 memcpy( iv, aes_test_ofb_iv, 16 );
2080 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2081
2082 offset = 0;
2083 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2084 /*
2085 * AES-192 is an optional feature that may be unavailable when
2086 * there is an alternative underlying implementation i.e. when
2087 * MBEDTLS_AES_ALT is defined.
2088 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2089 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2090 {
2091 mbedtls_printf( "skipped\n" );
2092 continue;
2093 }
2094 else if( ret != 0 )
2095 {
2096 goto exit;
2097 }
2098
2099 if( mode == MBEDTLS_AES_DECRYPT )
2100 {
2101 memcpy( buf, aes_test_ofb_ct[u], 64 );
2102 aes_tests = aes_test_ofb_pt;
2103 }
2104 else
2105 {
2106 memcpy( buf, aes_test_ofb_pt, 64 );
2107 aes_tests = aes_test_ofb_ct[u];
2108 }
2109
2110 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2111 if( ret != 0 )
2112 goto exit;
2113
2114 if( memcmp( buf, aes_tests, 64 ) != 0 )
2115 {
2116 ret = 1;
2117 goto exit;
2118 }
2119
2120 if( verbose != 0 )
2121 mbedtls_printf( "passed\n" );
2122 }
2123
2124 if( verbose != 0 )
2125 mbedtls_printf( "\n" );
2126#endif /* MBEDTLS_CIPHER_MODE_OFB */
2127
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2128#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2129 /*
2130 * CTR mode
2131 */
2132 for( i = 0; i < 6; i++ )
2133 {
2134 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2135 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2136
2137 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2138 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2139 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2140
2141 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2142 memcpy( key, aes_test_ctr_key[u], 16 );
2143
2144 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2145 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2146 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2147
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2148 len = aes_test_ctr_len[u];
2149
2150 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2151 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2152 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2153 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2154 }
2155 else
2156 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2157 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2158 aes_tests = aes_test_ctr_ct[u];
2159 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2160
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2161 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2162 stream_block, buf, buf );
2163 if( ret != 0 )
2164 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2165
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2166 if( memcmp( buf, aes_tests, len ) != 0 )
2167 {
2168 ret = 1;
2169 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2170 }
2171
2172 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2173 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2174 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2175
2176 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2177 mbedtls_printf( "\n" );
2178#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2179
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2180#if defined(MBEDTLS_CIPHER_MODE_XTS)
2181 {
2182 static const int num_tests =
2183 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2184 mbedtls_aes_xts_context ctx_xts;
2185
2186 /*
2187 * XTS mode
2188 */
2189 mbedtls_aes_xts_init( &ctx_xts );
2190
2191 for( i = 0; i < num_tests << 1; i++ )
2192 {
2193 const unsigned char *data_unit;
2194 u = i >> 1;
2195 mode = i & 1;
2196
2197 if( verbose != 0 )
2198 mbedtls_printf( " AES-XTS-128 (%s): ",
2199 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2200
2201 memset( key, 0, sizeof( key ) );
2202 memcpy( key, aes_test_xts_key[u], 32 );
2203 data_unit = aes_test_xts_data_unit[u];
2204
2205 len = sizeof( *aes_test_xts_ct32 );
2206
2207 if( mode == MBEDTLS_AES_DECRYPT )
2208 {
2209 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2210 if( ret != 0)
2211 goto exit;
2212 memcpy( buf, aes_test_xts_ct32[u], len );
2213 aes_tests = aes_test_xts_pt32[u];
2214 }
2215 else
2216 {
2217 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2218 if( ret != 0)
2219 goto exit;
2220 memcpy( buf, aes_test_xts_pt32[u], len );
2221 aes_tests = aes_test_xts_ct32[u];
2222 }
2223
2224
2225 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2226 buf, buf );
2227 if( ret != 0 )
2228 goto exit;
2229
2230 if( memcmp( buf, aes_tests, len ) != 0 )
2231 {
2232 ret = 1;
2233 goto exit;
2234 }
2235
2236 if( verbose != 0 )
2237 mbedtls_printf( "passed\n" );
2238 }
2239
2240 if( verbose != 0 )
2241 mbedtls_printf( "\n" );
2242
2243 mbedtls_aes_xts_free( &ctx_xts );
2244 }
2245#endif /* MBEDTLS_CIPHER_MODE_XTS */
2246
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2247 ret = 0;
2248
2249exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2250 if( ret != 0 && verbose != 0 )
2251 mbedtls_printf( "failed\n" );
2252
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2253 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2254
2255 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2256}
2257
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2258#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2259
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2260#endif /* MBEDTLS_AES_C */