TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fa66c9eba2c2016762fe78c98635f9da14770a5c / . / library / aes.c
blob: 59c5165056be43f2b39fac65761b119d90bca020 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]39#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]41#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]42#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]44#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]45#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]47#if defined(MBEDTLS_SELF_TEST)
48#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]49#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]50#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#define mbedtls_printf printf
53#endif /* MBEDTLS_PLATFORM_C */
54#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]55
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]57
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58/*
59 * 32-bit integer manipulation macros (little endian)
60 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]61#ifndef GET_UINT32_LE
62#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]64 (n) = ( (uint32_t) (b)[(i) ] ) \
65 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
67 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68}
69#endif
70
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]72#define PUT_UINT32_LE(n,b,i) \
73{ \
74 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
75 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
76 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
77 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]78}
79#endif
80
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]81#if defined(MBEDTLS_PADLOCK_C) && \
82 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]83static int aes_padlock_ace = -1;
84#endif
85
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]86#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]87/*
88 * Forward S-box
89 */
90static const unsigned char FSb[256] =
91{
92 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
93 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
94 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
95 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
96 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
97 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
98 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
99 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
100 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
101 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
102 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
103 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
104 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
105 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
106 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
107 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
108 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
109 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
110 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
111 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
112 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
113 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
114 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
115 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
116 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
117 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
118 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
119 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
120 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
121 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
122 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
123 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
124};
125
126/*
127 * Forward tables
128 */
129#define FT \
130\
131 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
132 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
133 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
134 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
135 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
136 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
137 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
138 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
139 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
140 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
141 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
142 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
143 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
144 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
145 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
146 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
147 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
148 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
149 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
150 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
151 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
152 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
153 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
154 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
155 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
156 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
157 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
158 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
159 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
160 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
161 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
162 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
163 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
164 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
165 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
166 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
167 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
168 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
169 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
170 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
171 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
172 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
173 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
174 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
175 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
176 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
177 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
178 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
179 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
180 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
181 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
182 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
183 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
184 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
185 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
186 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
187 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
188 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
189 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
190 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
191 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
192 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
193 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
194 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
195
196#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]200#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]201
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]202#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]203static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#undef V
205
206#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]207static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208#undef V
209
210#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]214#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]215
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef FT
217
218/*
219 * Reverse S-box
220 */
221static const unsigned char RSb[256] =
222{
223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
255};
256
257/*
258 * Reverse tables
259 */
260#define RT \
261\
262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
326
327#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]328static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]329#undef V
330
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]331#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]332
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]334static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#undef V
336
337#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
341#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]345#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]346
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef RT
348
349/*
350 * Round constants
351 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]352static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353{
354 0x00000001, 0x00000002, 0x00000004, 0x00000008,
355 0x00000010, 0x00000020, 0x00000040, 0x00000080,
356 0x0000001B, 0x00000036
357};
358
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]359#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361/*
362 * Forward S-box & tables
363 */
364static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]365static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]366#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT1[256];
368static uint32_t FT2[256];
369static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372/*
373 * Reverse S-box & tables
374 */
375static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]376static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]377#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT1[256];
379static uint32_t RT2[256];
380static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]381#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383/*
384 * Round constants
385 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]386static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387
388/*
389 * Tables generation code
390 */
391#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
392#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
393#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
394
395static int aes_init_done = 0;
396
397static void aes_gen_tables( void )
398{
399 int i, x, y, z;
400 int pow[256];
401 int log[256];
402
403 /*
404 * compute pow and log tables over GF(2^8)
405 */
406 for( i = 0, x = 1; i < 256; i++ )
407 {
408 pow[i] = x;
409 log[x] = i;
410 x = ( x ^ XTIME( x ) ) & 0xFF;
411 }
412
413 /*
414 * calculate the round constants
415 */
416 for( i = 0, x = 1; i < 10; i++ )
417 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]418 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419 x = XTIME( x ) & 0xFF;
420 }
421
422 /*
423 * generate the forward and reverse S-boxes
424 */
425 FSb[0x00] = 0x63;
426 RSb[0x63] = 0x00;
427
428 for( i = 1; i < 256; i++ )
429 {
430 x = pow[255 - log[i]];
431
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]432 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
433 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
434 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 x ^= y ^ 0x63;
437
438 FSb[i] = (unsigned char) x;
439 RSb[x] = (unsigned char) i;
440 }
441
442 /*
443 * generate the forward and reverse tables
444 */
445 for( i = 0; i < 256; i++ )
446 {
447 x = FSb[i];
448 y = XTIME( x ) & 0xFF;
449 z = ( y ^ x ) & 0xFF;
450
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]451 FT0[i] = ( (uint32_t) y ) ^
452 ( (uint32_t) x << 8 ) ^
453 ( (uint32_t) x << 16 ) ^
454 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]456#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 FT1[i] = ROTL8( FT0[i] );
458 FT2[i] = ROTL8( FT1[i] );
459 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]460#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461
462 x = RSb[i];
463
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]464 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
465 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
466 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
467 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]469#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RT1[i] = ROTL8( RT0[i] );
471 RT2[i] = ROTL8( RT1[i] );
472 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]473#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475}
476
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]477#undef ROTL8
478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]481#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]482
483#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
484#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
485#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
486
487#define AES_RT0(idx) RT0[idx]
488#define AES_RT1(idx) ROTL8( RT0[idx] )
489#define AES_RT2(idx) ROTL16( RT0[idx] )
490#define AES_RT3(idx) ROTL24( RT0[idx] )
491
492#define AES_FT0(idx) FT0[idx]
493#define AES_FT1(idx) ROTL8( FT0[idx] )
494#define AES_FT2(idx) ROTL16( FT0[idx] )
495#define AES_FT3(idx) ROTL24( FT0[idx] )
496
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]497#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]498
499#define AES_RT0(idx) RT0[idx]
500#define AES_RT1(idx) RT1[idx]
501#define AES_RT2(idx) RT2[idx]
502#define AES_RT3(idx) RT3[idx]
503
504#define AES_FT0(idx) FT0[idx]
505#define AES_FT1(idx) FT1[idx]
506#define AES_FT2(idx) FT2[idx]
507#define AES_FT3(idx) FT3[idx]
508
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]509#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]512{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514}
515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]516void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]517{
518 if( ctx == NULL )
519 return;
520
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]521 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]522}
523
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]524#if defined(MBEDTLS_CIPHER_MODE_XTS)
525void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
526{
527 mbedtls_aes_init( &ctx->crypt );
528 mbedtls_aes_init( &ctx->tweak );
529}
530
531void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
532{
533 mbedtls_aes_free( &ctx->crypt );
534 mbedtls_aes_free( &ctx->tweak );
535}
536#endif /* MBEDTLS_CIPHER_MODE_XTS */
537
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538/*
539 * AES key schedule (encryption)
540 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]541#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]542int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]543 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]545 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]546 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]548#if !defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549 if( aes_init_done == 0 )
550 {
551 aes_gen_tables();
552 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]553
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554 }
555#endif
556
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]557 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558 {
559 case 128: ctx->nr = 10; break;
560 case 192: ctx->nr = 12; break;
561 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]562 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563 }
564
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]565#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]566 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]567 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]568
569 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]570 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]571 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]573 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]574
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]575#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]576 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]577 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]578#endif
579
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]580 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]582 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583 }
584
585 switch( ctx->nr )
586 {
587 case 10:
588
589 for( i = 0; i < 10; i++, RK += 4 )
590 {
591 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]592 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
593 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
594 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
595 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596
597 RK[5] = RK[1] ^ RK[4];
598 RK[6] = RK[2] ^ RK[5];
599 RK[7] = RK[3] ^ RK[6];
600 }
601 break;
602
603 case 12:
604
605 for( i = 0; i < 8; i++, RK += 6 )
606 {
607 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]608 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
609 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
610 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
611 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612
613 RK[7] = RK[1] ^ RK[6];
614 RK[8] = RK[2] ^ RK[7];
615 RK[9] = RK[3] ^ RK[8];
616 RK[10] = RK[4] ^ RK[9];
617 RK[11] = RK[5] ^ RK[10];
618 }
619 break;
620
621 case 14:
622
623 for( i = 0; i < 7; i++, RK += 8 )
624 {
625 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]626 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
627 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
628 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
629 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]630
631 RK[9] = RK[1] ^ RK[8];
632 RK[10] = RK[2] ^ RK[9];
633 RK[11] = RK[3] ^ RK[10];
634
635 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]636 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
637 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
638 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
639 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640
641 RK[13] = RK[5] ^ RK[12];
642 RK[14] = RK[6] ^ RK[13];
643 RK[15] = RK[7] ^ RK[14];
644 }
645 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]647
648 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]649}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]650#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
652/*
653 * AES key schedule (decryption)
654 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]655#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]657 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]659 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]660 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]661 uint32_t *RK;
662 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]663
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]664 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]666#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]667 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]668 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]669
670 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]672 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]674 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]676 /* Also checks keybits */
677 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]678 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]679
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]680 ctx->nr = cty.nr;
681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]683 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]684 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]686 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]687 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]688 }
689#endif
690
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691 SK = cty.rk + cty.nr * 4;
692
693 *RK++ = *SK++;
694 *RK++ = *SK++;
695 *RK++ = *SK++;
696 *RK++ = *SK++;
697
698 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
699 {
700 for( j = 0; j < 4; j++, SK++ )
701 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]702 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
703 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
704 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
705 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]706 }
707 }
708
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711 *RK++ = *SK++;
712 *RK++ = *SK++;
713
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]714exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]715 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]716
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]717 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]718}
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]719
720#if defined(MBEDTLS_CIPHER_MODE_XTS)
721static int mbedtls_aes_xts_setkey( mbedtls_aes_xts_context *ctx,
722 const unsigned char *key,
723 unsigned int keybits,
724 int (*setkey1)( mbedtls_aes_context *ctx,
725 const unsigned char *key,
726 unsigned int keybits ) )
727{
728 const unsigned int key1bits = keybits / 2;
729 const unsigned int key2bits = keybits / 2;
730 const unsigned int key1bytes = key1bits / 8;
731 const unsigned char *key1 = &key[0];
732 const unsigned char *key2 = &key[key1bytes];
733 int ret;
734
735 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
736
737 if( ret )
738 return( ret );
739
740 return( setkey1( &ctx->crypt, key1, key1bits ) );
741}
742
743int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
744 const unsigned char *key,
745 unsigned int keybits)
746{
747 return mbedtls_aes_xts_setkey( ctx, key, keybits, mbedtls_aes_setkey_enc );
748}
749
750int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
751 const unsigned char *key,
752 unsigned int keybits)
753{
754 return mbedtls_aes_xts_setkey( ctx, key, keybits, mbedtls_aes_setkey_dec );
755}
756#endif /* MBEDTLS_CIPHER_MODE_XTS */
757
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]758#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]759
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]760#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
761{ \
762 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
763 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
764 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
765 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
766 \
767 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
768 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
769 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
770 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
771 \
772 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
773 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
774 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
775 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
776 \
777 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
778 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
779 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
780 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]781}
782
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]783#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
784{ \
785 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
786 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
787 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
788 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
789 \
790 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
791 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
792 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
793 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
794 \
795 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
796 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
797 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
798 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
799 \
800 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
801 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
802 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
803 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804}
805
806/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]807 * AES-ECB block encryption
808 */
809#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]810int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
811 const unsigned char input[16],
812 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]813{
814 int i;
815 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
816
817 RK = ctx->rk;
818
819 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
820 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
821 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
822 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
823
824 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
825 {
826 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
827 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
828 }
829
830 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
831
832 X0 = *RK++ ^ \
833 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
834 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
835 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
836 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
837
838 X1 = *RK++ ^ \
839 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
840 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
841 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
842 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
843
844 X2 = *RK++ ^ \
845 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
846 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
847 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
848 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
849
850 X3 = *RK++ ^ \
851 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
852 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
853 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
854 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
855
856 PUT_UINT32_LE( X0, output, 0 );
857 PUT_UINT32_LE( X1, output, 4 );
858 PUT_UINT32_LE( X2, output, 8 );
859 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]860
861 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]862}
863#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
864
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]865#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]866void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
867 const unsigned char input[16],
868 unsigned char output[16] )
869{
870 mbedtls_internal_aes_encrypt( ctx, input, output );
871}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]872#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]873
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]874/*
875 * AES-ECB block decryption
876 */
877#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]878int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
879 const unsigned char input[16],
880 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]881{
882 int i;
883 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
884
885 RK = ctx->rk;
886
887 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
888 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
889 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
890 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
891
892 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
893 {
894 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
895 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
896 }
897
898 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
899
900 X0 = *RK++ ^ \
901 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
902 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
903 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
904 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
905
906 X1 = *RK++ ^ \
907 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
908 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
909 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
910 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
911
912 X2 = *RK++ ^ \
913 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
914 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
915 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
916 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
917
918 X3 = *RK++ ^ \
919 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
920 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
921 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
922 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
923
924 PUT_UINT32_LE( X0, output, 0 );
925 PUT_UINT32_LE( X1, output, 4 );
926 PUT_UINT32_LE( X2, output, 8 );
927 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]928
929 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]930}
931#endif /* !MBEDTLS_AES_DECRYPT_ALT */
932
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]933#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]934void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
935 const unsigned char input[16],
936 unsigned char output[16] )
937{
938 mbedtls_internal_aes_decrypt( ctx, input, output );
939}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]940#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]941
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]942/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]943 * AES-ECB block encryption/decryption
944 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]945int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]946 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]947 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]948 unsigned char output[16] )
949{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]950#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]951 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]952 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]953#endif
954
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]955#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]956 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]957 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]958 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]959 return( 0 );
960
961 // If padlock data misaligned, we just fall back to
962 // unaccelerated mode
963 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]964 }
965#endif
966
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]967 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]968 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]969 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]970 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]971}
972
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]973#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]974/*
975 * AES-CBC buffer encryption/decryption
976 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]977int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]978 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]979 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]981 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 unsigned char *output )
983{
984 int i;
985 unsigned char temp[16];
986
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]987 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]988 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]989
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]990#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]991 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]993 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]994 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]995
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]996 // If padlock data misaligned, we just fall back to
997 // unaccelerated mode
998 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999 }
1000#endif
1001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1003 {
1004 while( length > 0 )
1005 {
1006 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1007 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1008
1009 for( i = 0; i < 16; i++ )
1010 output[i] = (unsigned char)( output[i] ^ iv[i] );
1011
1012 memcpy( iv, temp, 16 );
1013
1014 input += 16;
1015 output += 16;
1016 length -= 16;
1017 }
1018 }
1019 else
1020 {
1021 while( length > 0 )
1022 {
1023 for( i = 0; i < 16; i++ )
1024 output[i] = (unsigned char)( input[i] ^ iv[i] );
1025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1026 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1027 memcpy( iv, output, 16 );
1028
1029 input += 16;
1030 output += 16;
1031 length -= 16;
1032 }
1033 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1034
1035 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1036}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1040/*
1041 * AES-CFB128 buffer encryption/decryption
1042 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1045 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1046 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1047 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1048 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 unsigned char *output )
1050{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1051 int c;
1052 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1053
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1054 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1055 {
1056 while( length-- )
1057 {
1058 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1059 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1060
1061 c = *input++;
1062 *output++ = (unsigned char)( c ^ iv[n] );
1063 iv[n] = (unsigned char) c;
1064
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1065 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066 }
1067 }
1068 else
1069 {
1070 while( length-- )
1071 {
1072 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1073 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074
1075 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1076
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1077 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1078 }
1079 }
1080
1081 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1082
1083 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1084}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1085
1086/*
1087 * AES-CFB8 buffer encryption/decryption
1088 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1089int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1090 int mode,
1091 size_t length,
1092 unsigned char iv[16],
1093 const unsigned char *input,
1094 unsigned char *output )
1095{
1096 unsigned char c;
1097 unsigned char ov[17];
1098
1099 while( length-- )
1100 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1101 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1102 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1103
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1104 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1105 ov[16] = *input;
1106
1107 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1109 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1110 ov[16] = c;
1111
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1112 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1113 }
1114
1115 return( 0 );
1116}
Simon Butcherfb9f6612018-04-22 22:57:27 +0100[diff] [blame]1117#endif /* MBEDTLS_CIPHER_MODE_CFB */
1118
1119#if defined(MBEDTLS_CIPHER_MODE_OFB)
1120/*
1121 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1122 */
1123int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
1124 size_t length,
1125 size_t *iv_off,
1126 unsigned char iv[16],
1127 const unsigned char *input,
1128 unsigned char *output )
1129{
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1130 int ret = 0;
Simon Butcherfb9f6612018-04-22 22:57:27 +0100[diff] [blame]1131 size_t n = *iv_off;
1132
1133 while( length-- )
1134 {
1135 if( n == 0 )
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1136 {
1137 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1138 if( ret != 0 )
1139 goto exit;
1140 }
Simon Butcherfb9f6612018-04-22 22:57:27 +0100[diff] [blame]1141 *output++ = *input++ ^ iv[n];
1142
1143 n = ( n + 1 ) & 0x0F;
1144 }
1145
1146 *iv_off = n;
1147
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1148exit:
1149 return( ret );
Simon Butcherfb9f6612018-04-22 22:57:27 +0100[diff] [blame]1150}
1151#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1152
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1153#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1154/*
1155 * AES-CTR buffer encryption/decryption
1156 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1157int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1158 size_t length,
1159 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1160 unsigned char nonce_counter[16],
1161 unsigned char stream_block[16],
1162 const unsigned char *input,
1163 unsigned char *output )
1164{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1165 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1166 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1167
1168 while( length-- )
1169 {
1170 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1171 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1172
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1173 for( i = 16; i > 0; i-- )
1174 if( ++nonce_counter[i - 1] != 0 )
1175 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1176 }
1177 c = *input++;
1178 *output++ = (unsigned char)( c ^ stream_block[n] );
1179
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1180 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1181 }
1182
1183 *nc_off = n;
1184
1185 return( 0 );
1186}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1187#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1188
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]1189#if defined(MBEDTLS_CIPHER_MODE_XTS)
1190/*
1191 * AES-XTS buffer encryption/decryption
1192 */
1193
1194/* Multiplication by x in the Galois field of GF(2^n) (aka 2, or left shift) */
1195static void multiply_by_x_gf128( const unsigned char *in, unsigned char *out )
1196{
1197 size_t i;
1198 const unsigned char overflow = in[15] >> 0x07;
1199
1200 /* XXX speed up multiplication by going 32-bit at a time instead of 8-bit
1201 * */
1202 /* Don't we already have functions that can multiply n-bit numbers
1203 * efficiently? bignum... mpi... Maybe AES NI can do this multiplication
1204 * (galois field 128 multiplication by x, or some sort of lfsr))?*/
1205 /* Feedback polynomial: x**128 + x**7 + x**3 + x + 1 (0b10000111)*/
1206 i = 16;
1207 while( --i ) {
1208 const unsigned char carry = in[i - 1] >> 0x07;
1209 out[i] = (in[i] << 1) | carry;
1210 }
1211 out[0] = (in[0] << 1) ^ (overflow ? 0x87 : 0x00);
1212}
1213
1214int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1215 int mode,
1216 size_t length,
1217 const unsigned char data_unit[16],
1218 const unsigned char *input,
1219 unsigned char *output )
1220{
1221 size_t blocks = length / 16;
1222 size_t leftover = length % 16;
1223 unsigned char tweak[16];
1224 unsigned char tweak_tmp[16];
1225 unsigned char tmp[16];
1226
1227 /* Sectors must be at least 16 bytes. */
1228 if( length < 16)
1229 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1230
1231 /* NIST SP 80-38E disallows data units larger than 2**20 blocks. */
1232 if( (blocks > 0x100000) || (blocks == 0x100000 && leftover > 0))
1233 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1234
1235 /* Compute the tweak. */
1236 memcpy( tweak, data_unit, sizeof(tweak) );
1237 mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, tweak, tweak );
1238
1239 while( blocks-- ) {
1240 size_t i;
1241
1242 /* XXX Code review: Sucks to have conditionals inside this loop.
1243 * Suggestions as to whether its worth extracting this outside the toop
1244 * are welcome. */
1245 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1246 {
1247 /* We are on the last block in a decrypt operation that has
1248 * leftover bytes, so we need to use the next tweak for this block,
1249 * and this tweak for the lefover bytes. Save the current tweak for
1250 * the leftovers and then update the current tweak for use on this,
1251 * the last full block. */
1252 memcpy( tweak_tmp, tweak, sizeof(tweak));
1253 multiply_by_x_gf128( tweak, tweak );
1254 }
1255
1256 /* XXX Code review: Don't we have any functions to more efficiently xor
1257 * big nums together than byte-by-byte? */
1258 for( i = 0; i < 16; i++ )
1259 tmp[i] = input[i] ^ tweak[i];
1260
1261 mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1262
1263 for( i = 0; i < 16; i++ )
1264 output[i] = tmp[i] ^ tweak[i];
1265
1266 /* Update the tweak for the next block */
1267 multiply_by_x_gf128( tweak, tweak );
1268
1269 output += 16;
1270 input += 16;
1271 }
1272
1273 if( leftover )
1274 {
1275 /* If we are on the leftover bytes in a decrypt operation, we need to
1276 * use the previous tweak for these bytes (as saved in tweak_tmp). */
1277 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? tweak_tmp : tweak;
1278
1279 /* We are now on the final part of the data unit, which doesn't divide
1280 * evenly by 16. It's time for ciphertext stealing. */
1281 size_t i;
1282 unsigned char *prev_output = output - 16;
1283
1284 /* Copy ciphertext bytes from previous block to our output for each
1285 * byte of cyphertext we won't steal. At the same time, the remainder
1286 * of input for this final round (since the loop bounds are the same).
1287 * */
1288 /* XXX if we use faster xor functions later here, we'll likely have to
1289 * break apart the loop. we might not be able to use faster xor, since
1290 * the leftovers could be any number of bytes (not multiples of
1291 * 16) (our faster xor would need to support aligned and unaligned
1292 * sizes) */
1293 for( i = 0; i < leftover; i++ )
1294 {
1295 output[i] = prev_output[i];
1296 tmp[i] = input[i] ^ t[i];
1297 }
1298
1299 /* Copy ciphertext bytes from the previous block for input in this round. */
1300 for( ; i < 16; i++)
1301 tmp[i] = prev_output[i] ^ t[i];
1302
1303 mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1304
1305 /* Write the result back to the previous block, overriding the previous
1306 * output we copied. */
1307 for( i = 0; i < 16; i++ )
1308 prev_output[i] = tmp[i] ^ t[i];
1309 }
1310
1311 return( 0 );
1312}
1313#endif /* MBEDTLS_CIPHER_MODE_XTS */
1314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1315#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1316
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1317#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318/*
1319 * AES test vectors from:
1320 *
1321 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1322 */
1323static const unsigned char aes_test_ecb_dec[3][16] =
1324{
1325 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1326 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1327 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1328 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1329 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1330 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1331};
1332
1333static const unsigned char aes_test_ecb_enc[3][16] =
1334{
1335 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1336 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1337 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1338 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1339 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1340 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1341};
1342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1343#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1344static const unsigned char aes_test_cbc_dec[3][16] =
1345{
1346 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1347 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1348 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1349 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1350 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1351 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1352};
1353
1354static const unsigned char aes_test_cbc_enc[3][16] =
1355{
1356 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1357 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1358 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1359 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1360 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1361 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1362};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1363#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1365#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1366/*
1367 * AES-CFB128 test vectors from:
1368 *
1369 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1370 */
1371static const unsigned char aes_test_cfb128_key[3][32] =
1372{
1373 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1374 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1375 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1376 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1377 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1378 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1379 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1380 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1381 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1382};
1383
1384static const unsigned char aes_test_cfb128_iv[16] =
1385{
1386 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1387 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1388};
1389
1390static const unsigned char aes_test_cfb128_pt[64] =
1391{
1392 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1393 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1394 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1395 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1396 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1397 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1398 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1399 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1400};
1401
1402static const unsigned char aes_test_cfb128_ct[3][64] =
1403{
1404 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1405 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1406 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1407 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1408 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1409 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1410 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1411 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1412 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1413 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1414 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1415 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1416 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1417 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1418 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1419 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1420 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1421 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1422 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1423 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1424 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1425 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1426 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1427 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1428};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1429#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1430
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1431#if defined(MBEDTLS_CIPHER_MODE_OFB)
1432/*
1433 * AES-OFB test vectors from:
1434 *
1435 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1436 */
1437static const unsigned char aes_test_ofb_key[3][32] =
1438{
1439 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1440 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1441 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1442 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1443 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1444 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1445 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1446 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1447 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1448};
1449
1450static const unsigned char aes_test_ofb_iv[16] =
1451{
1452 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1453 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1454};
1455
1456static const unsigned char aes_test_ofb_pt[64] =
1457{
1458 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1459 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1460 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1461 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1462 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1463 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1464 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1465 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1466};
1467
1468static const unsigned char aes_test_ofb_ct[3][64] =
1469{
1470 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1471 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1472 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1473 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1474 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1475 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1476 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1477 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1478 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1479 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1480 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1481 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1482 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1483 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1484 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1485 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1486 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1487 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1488 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1489 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1490 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1491 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1492 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1493 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1494};
1495#endif /* MBEDTLS_CIPHER_MODE_OFB */
1496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1497#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1498/*
1499 * AES-CTR test vectors from:
1500 *
1501 * http://www.faqs.org/rfcs/rfc3686.html
1502 */
1503
1504static const unsigned char aes_test_ctr_key[3][16] =
1505{
1506 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1507 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1508 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1509 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1510 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1511 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1512};
1513
1514static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1515{
1516 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1517 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1518 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1519 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1520 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1521 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1522};
1523
1524static const unsigned char aes_test_ctr_pt[3][48] =
1525{
1526 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1527 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1528
1529 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1530 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1531 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1532 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1533
1534 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1535 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1536 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1537 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1538 0x20, 0x21, 0x22, 0x23 }
1539};
1540
1541static const unsigned char aes_test_ctr_ct[3][48] =
1542{
1543 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1544 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1545 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1546 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1547 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1548 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1549 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1550 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1551 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1552 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1553 0x25, 0xB2, 0x07, 0x2F }
1554};
1555
1556static const int aes_test_ctr_len[3] =
1557 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1558#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1559
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]1560#if defined(MBEDTLS_CIPHER_MODE_XTS)
1561/*
1562 * AES-XTS test vectors from:
1563 *
1564 * IEEE P1619/D16 Annex B
1565 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1566 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1567 */
1568static const unsigned char aes_test_xts_key[][32] =
1569{
1570 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1574 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1575 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1576 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1577 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1578 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1579 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1580 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1581 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1582};
1583
1584static const unsigned char aes_test_xts_pt32[][32] =
1585{
1586 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1587 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1588 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1589 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1590 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1591 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1592 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1593 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1594 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1595 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1596 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1597 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1598};
1599
1600static const unsigned char aes_test_xts_ct32[][32] =
1601{
1602 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1603 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1604 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1605 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1606 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1607 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1608 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1609 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1610 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1611 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1612 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1613 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1614};
1615
1616static const unsigned char aes_test_xts_data_unit[][16] =
1617{
1618 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1619 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1620 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1621 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1622 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1623 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1624};
1625
1626#endif /* MBEDTLS_CIPHER_MODE_XTS */
1627
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1628/*
1629 * Checkup routine
1630 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1631int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1632{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1633 int ret = 0, i, j, u, mode;
1634 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1635 unsigned char key[32];
1636 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1637 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1638#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1639 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1640#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1641#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1642 unsigned char prv[16];
1643#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1644#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1645 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1646#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1647#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1648 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1649 unsigned char nonce_counter[16];
1650 unsigned char stream_block[16];
1651#endif
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]1652#if defined(MBEDTLS_CIPHER_MODE_XTS)
1653 mbedtls_aes_xts_context ctx_xts;
1654#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1655 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1656
1657 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1658 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1659
1660 /*
1661 * ECB mode
1662 */
1663 for( i = 0; i < 6; i++ )
1664 {
1665 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1666 keybits = 128 + u * 64;
1667 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1668
1669 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1670 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1671 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1672
1673 memset( buf, 0, 16 );
1674
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1675 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1676 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1677 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1678 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1679 }
1680 else
1681 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1682 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1683 aes_tests = aes_test_ecb_enc[u];
1684 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1685
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1686 /*
1687 * AES-192 is an optional feature that may be unavailable when
1688 * there is an alternative underlying implementation i.e. when
1689 * MBEDTLS_AES_ALT is defined.
1690 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1691 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1692 {
1693 mbedtls_printf( "skipped\n" );
1694 continue;
1695 }
1696 else if( ret != 0 )
1697 {
1698 goto exit;
1699 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1700
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1701 for( j = 0; j < 10000; j++ )
1702 {
1703 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1704 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1705 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1706 }
1707
1708 if( memcmp( buf, aes_tests, 16 ) != 0 )
1709 {
1710 ret = 1;
1711 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1712 }
1713
1714 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1715 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1716 }
1717
1718 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1719 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1720
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1721#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1722 /*
1723 * CBC mode
1724 */
1725 for( i = 0; i < 6; i++ )
1726 {
1727 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1728 keybits = 128 + u * 64;
1729 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1730
1731 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1732 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1733 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1734
1735 memset( iv , 0, 16 );
1736 memset( prv, 0, 16 );
1737 memset( buf, 0, 16 );
1738
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1739 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1740 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1741 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1742 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1743 }
1744 else
1745 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1746 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1747 aes_tests = aes_test_cbc_enc[u];
1748 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1749
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1750 /*
1751 * AES-192 is an optional feature that may be unavailable when
1752 * there is an alternative underlying implementation i.e. when
1753 * MBEDTLS_AES_ALT is defined.
1754 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1755 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1756 {
1757 mbedtls_printf( "skipped\n" );
1758 continue;
1759 }
1760 else if( ret != 0 )
1761 {
1762 goto exit;
1763 }
1764
1765 for( j = 0; j < 10000; j++ )
1766 {
1767 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1768 {
1769 unsigned char tmp[16];
1770
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1771 memcpy( tmp, prv, 16 );
1772 memcpy( prv, buf, 16 );
1773 memcpy( buf, tmp, 16 );
1774 }
1775
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1776 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1777 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1778 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1779
1780 }
1781
1782 if( memcmp( buf, aes_tests, 16 ) != 0 )
1783 {
1784 ret = 1;
1785 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1786 }
1787
1788 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1789 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790 }
1791
1792 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1793 mbedtls_printf( "\n" );
1794#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1795
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1796#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1797 /*
1798 * CFB128 mode
1799 */
1800 for( i = 0; i < 6; i++ )
1801 {
1802 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1803 keybits = 128 + u * 64;
1804 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1805
1806 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1807 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1808 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809
1810 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1811 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1812
1813 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1814 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1815 /*
1816 * AES-192 is an optional feature that may be unavailable when
1817 * there is an alternative underlying implementation i.e. when
1818 * MBEDTLS_AES_ALT is defined.
1819 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1820 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1821 {
1822 mbedtls_printf( "skipped\n" );
1823 continue;
1824 }
1825 else if( ret != 0 )
1826 {
1827 goto exit;
1828 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1829
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1830 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1831 {
1832 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1833 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1834 }
1835 else
1836 {
1837 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1838 aes_tests = aes_test_cfb128_ct[u];
1839 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1840
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1841 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1842 if( ret != 0 )
1843 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1844
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1845 if( memcmp( buf, aes_tests, 64 ) != 0 )
1846 {
1847 ret = 1;
1848 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849 }
1850
1851 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1852 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853 }
1854
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1855 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1856 mbedtls_printf( "\n" );
1857#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1858
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1859#if defined(MBEDTLS_CIPHER_MODE_OFB)
1860 /*
1861 * OFB mode
1862 */
1863 for( i = 0; i < 6; i++ )
1864 {
1865 u = i >> 1;
1866 keybits = 128 + u * 64;
1867 mode = i & 1;
1868
1869 if( verbose != 0 )
1870 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
1871 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1872
1873 memcpy( iv, aes_test_ofb_iv, 16 );
1874 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1875
1876 offset = 0;
1877 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1878 /*
1879 * AES-192 is an optional feature that may be unavailable when
1880 * there is an alternative underlying implementation i.e. when
1881 * MBEDTLS_AES_ALT is defined.
1882 */
1883 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1884 {
1885 mbedtls_printf( "skipped\n" );
1886 continue;
1887 }
1888 else if( ret != 0 )
1889 {
1890 goto exit;
1891 }
1892
1893 if( mode == MBEDTLS_AES_DECRYPT )
1894 {
1895 memcpy( buf, aes_test_ofb_ct[u], 64 );
1896 aes_tests = aes_test_ofb_pt;
1897 }
1898 else
1899 {
1900 memcpy( buf, aes_test_ofb_pt, 64 );
1901 aes_tests = aes_test_ofb_ct[u];
1902 }
1903
1904 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1905 if( ret != 0 )
1906 goto exit;
1907
1908 if( memcmp( buf, aes_tests, 64 ) != 0 )
1909 {
1910 ret = 1;
1911 goto exit;
1912 }
1913
1914 if( verbose != 0 )
1915 mbedtls_printf( "passed\n" );
1916 }
1917
1918 if( verbose != 0 )
1919 mbedtls_printf( "\n" );
1920#endif /* MBEDTLS_CIPHER_MODE_OFB */
1921
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1922#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1923 /*
1924 * CTR mode
1925 */
1926 for( i = 0; i < 6; i++ )
1927 {
1928 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1929 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1930
1931 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1932 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1933 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1934
1935 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1936 memcpy( key, aes_test_ctr_key[u], 16 );
1937
1938 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1939 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1940 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1941
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1942 len = aes_test_ctr_len[u];
1943
1944 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1945 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1946 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1947 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1948 }
1949 else
1950 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1951 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1952 aes_tests = aes_test_ctr_ct[u];
1953 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1954
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1955 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1956 stream_block, buf, buf );
1957 if( ret != 0 )
1958 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1959
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1960 if( memcmp( buf, aes_tests, len ) != 0 )
1961 {
1962 ret = 1;
1963 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1964 }
1965
1966 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1967 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1968 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1969
1970 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1971 mbedtls_printf( "\n" );
1972#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1973
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]1974#if defined(MBEDTLS_CIPHER_MODE_XTS)
1975 {
1976 static const int num_tests =
1977 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
1978
1979 /*
1980 * XTS mode
1981 */
1982 mbedtls_aes_xts_init( &ctx_xts );
1983
1984 for( i = 0; i < num_tests << 1; i++ )
1985 {
1986 const unsigned char *data_unit;
1987 u = i >> 1;
1988 mode = i & 1;
1989
1990 if( verbose != 0 )
1991 mbedtls_printf( " AES-XTS-128 (%s): ",
1992 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1993
1994 memset( key, 0, sizeof( key ) );
1995 memcpy( key, aes_test_xts_key[u], 32 );
1996 data_unit = aes_test_xts_data_unit[u];
1997
1998 len = sizeof( *aes_test_xts_ct32 );
1999
2000 if( mode == MBEDTLS_AES_DECRYPT )
2001 {
2002 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2003 if( ret )
2004 goto exit;
2005 memcpy( buf, aes_test_xts_ct32[u], len );
2006 aes_tests = aes_test_xts_pt32[u];
2007 }
2008 else
2009 {
2010 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2011 if( ret )
2012 goto exit;
2013 memcpy( buf, aes_test_xts_pt32[u], len );
2014 aes_tests = aes_test_xts_ct32[u];
2015 }
2016
2017
2018 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2019 buf, buf );
2020 if( ret != 0 )
2021 goto exit;
2022
2023 if( memcmp( buf, aes_tests, len ) != 0 )
2024 {
2025 ret = 1;
2026 goto exit;
2027 }
2028
2029 if( verbose != 0 )
2030 mbedtls_printf( "passed\n" );
2031 }
2032
2033 if( verbose != 0 )
2034 mbedtls_printf( "\n" );
2035
2036 mbedtls_aes_xts_free( &ctx_xts );
2037 }
2038#endif /* MBEDTLS_CIPHER_MODE_XTS */
2039
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2040 ret = 0;
2041
2042exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2043 if( ret != 0 && verbose != 0 )
2044 mbedtls_printf( "failed\n" );
2045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2046 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2047
2048 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2049}
2050
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2051#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2052
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2053#endif /* MBEDTLS_AES_C */