TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/armv8_crypto_extensions / . / library / aes.c
blob: 9097c77c24802b3373a945ab0f14b68336f296c1 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Hanno Beckere1777192020-08-14 10:29:59 +0100[diff] [blame]36
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]37#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]39#endif
Hanno Beckere1777192020-08-14 10:29:59 +0100[diff] [blame]40
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]43#endif
Hanno Beckere1777192020-08-14 10:29:59 +0100[diff] [blame]44
Markku-Juhani O. Saarinen63f21392017-11-20 14:59:12 +0000[diff] [blame]45#if defined(MBEDTLS_ARMV8CE_AES_C)
46#include "mbedtls/armv8ce_aes.h"
47#endif
Hanno Beckere1777192020-08-14 10:29:59 +0100[diff] [blame]48
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]49#if defined(MBEDTLS_SELF_TEST)
50#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]51#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]52#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]53#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#define mbedtls_printf printf
55#endif /* MBEDTLS_PLATFORM_C */
56#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]57
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]59
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]60/* Parameter validation macros based on platform_util.h */
61#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]62 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]63#define AES_VALIDATE( cond ) \
64 MBEDTLS_INTERNAL_VALIDATE( cond )
65
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66/*
67 * 32-bit integer manipulation macros (little endian)
68 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]69#ifndef GET_UINT32_LE
70#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]71{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]72 (n) = ( (uint32_t) (b)[(i) ] ) \
73 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
74 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
75 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]76}
77#endif
78
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]79#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]80#define PUT_UINT32_LE(n,b,i) \
81{ \
82 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
83 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
84 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
85 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]86}
87#endif
88
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]89#if defined(MBEDTLS_PADLOCK_C) && \
90 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]91static int aes_padlock_ace = -1;
92#endif
93
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]94#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95/*
96 * Forward S-box
97 */
98static const unsigned char FSb[256] =
99{
100 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
101 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
102 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
103 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
104 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
105 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
106 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
107 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
108 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
109 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
110 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
111 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
112 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
113 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
114 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
115 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
116 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
117 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
118 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
119 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
120 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
121 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
122 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
123 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
124 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
125 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
126 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
127 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
128 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
129 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
130 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
131 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
132};
133
134/*
135 * Forward tables
136 */
137#define FT \
138\
139 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
140 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
141 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
142 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
143 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
144 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
145 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
146 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
147 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
148 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
149 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
150 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
151 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
152 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
153 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
154 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
155 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
156 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
157 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
158 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
159 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
160 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
161 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
162 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
163 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
164 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
165 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
166 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
167 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
168 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
169 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
170 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
171 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
172 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
173 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
174 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
175 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
176 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
177 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
178 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
179 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
180 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
181 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
182 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
183 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
184 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
185 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
186 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
187 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
188 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
189 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
190 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
191 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
192 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
193 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
194 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
195 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
196 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
197 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
198 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
199 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
200 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
201 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
202 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
203
204#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]208#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]209
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
214#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]215static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef V
217
218#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef V
221
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]222#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224#undef FT
225
226/*
227 * Reverse S-box
228 */
229static const unsigned char RSb[256] =
230{
231 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
232 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
233 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
234 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
235 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
236 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
237 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
238 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
239 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
240 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
241 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
242 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
243 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
244 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
245 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
246 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
247 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
248 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
249 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
250 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
251 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
252 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
253 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
254 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
256 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
257 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
258 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
259 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
260 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
261 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
262 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
263};
264
265/*
266 * Reverse tables
267 */
268#define RT \
269\
270 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
271 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
272 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
273 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
274 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
275 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
276 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
277 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
278 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
279 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
280 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
281 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
282 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
283 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
284 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
285 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
286 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
287 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
288 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
289 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
290 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
291 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
292 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
293 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
294 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
295 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
296 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
297 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
298 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
299 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
300 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
301 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
302 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
303 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
304 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
305 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
306 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
307 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
308 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
309 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
310 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
311 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
312 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
313 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
314 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
315 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
316 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
317 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
318 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
319 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
320 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
321 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
322 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
323 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
324 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
325 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
326 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
327 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
328 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
329 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
330 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
331 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
332 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
333 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
334
335#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]339#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]340
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
345#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]346static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef V
348
349#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]350static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]351#undef V
352
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]353#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]354
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355#undef RT
356
357/*
358 * Round constants
359 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361{
362 0x00000001, 0x00000002, 0x00000004, 0x00000008,
363 0x00000010, 0x00000020, 0x00000040, 0x00000080,
364 0x0000001B, 0x00000036
365};
366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]367#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368
369/*
370 * Forward S-box & tables
371 */
372static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]373static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]374#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]375static uint32_t FT1[256];
376static uint32_t FT2[256];
377static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]378#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379
380/*
381 * Reverse S-box & tables
382 */
383static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]385#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]386static uint32_t RT1[256];
387static uint32_t RT2[256];
388static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]389#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390
391/*
392 * Round constants
393 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]394static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395
396/*
397 * Tables generation code
398 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]399#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
400#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]401#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402
403static int aes_init_done = 0;
404
405static void aes_gen_tables( void )
406{
407 int i, x, y, z;
408 int pow[256];
409 int log[256];
410
411 /*
412 * compute pow and log tables over GF(2^8)
413 */
414 for( i = 0, x = 1; i < 256; i++ )
415 {
416 pow[i] = x;
417 log[x] = i;
418 x = ( x ^ XTIME( x ) ) & 0xFF;
419 }
420
421 /*
422 * calculate the round constants
423 */
424 for( i = 0, x = 1; i < 10; i++ )
425 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]426 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]427 x = XTIME( x ) & 0xFF;
428 }
429
430 /*
431 * generate the forward and reverse S-boxes
432 */
433 FSb[0x00] = 0x63;
434 RSb[0x63] = 0x00;
435
436 for( i = 1; i < 256; i++ )
437 {
438 x = pow[255 - log[i]];
439
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]440 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
443 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]444 x ^= y ^ 0x63;
445
446 FSb[i] = (unsigned char) x;
447 RSb[x] = (unsigned char) i;
448 }
449
450 /*
451 * generate the forward and reverse tables
452 */
453 for( i = 0; i < 256; i++ )
454 {
455 x = FSb[i];
456 y = XTIME( x ) & 0xFF;
457 z = ( y ^ x ) & 0xFF;
458
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]459 FT0[i] = ( (uint32_t) y ) ^
460 ( (uint32_t) x << 8 ) ^
461 ( (uint32_t) x << 16 ) ^
462 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]464#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 FT1[i] = ROTL8( FT0[i] );
466 FT2[i] = ROTL8( FT1[i] );
467 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]468#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469
470 x = RSb[i];
471
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]472 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
473 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
474 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
475 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]477#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478 RT1[i] = ROTL8( RT0[i] );
479 RT2[i] = ROTL8( RT1[i] );
480 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]481#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482 }
483}
484
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]485#undef ROTL8
486
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]487#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]488
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]489#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]490
491#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
492#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
493#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
494
495#define AES_RT0(idx) RT0[idx]
496#define AES_RT1(idx) ROTL8( RT0[idx] )
497#define AES_RT2(idx) ROTL16( RT0[idx] )
498#define AES_RT3(idx) ROTL24( RT0[idx] )
499
500#define AES_FT0(idx) FT0[idx]
501#define AES_FT1(idx) ROTL8( FT0[idx] )
502#define AES_FT2(idx) ROTL16( FT0[idx] )
503#define AES_FT3(idx) ROTL24( FT0[idx] )
504
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]505#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]506
507#define AES_RT0(idx) RT0[idx]
508#define AES_RT1(idx) RT1[idx]
509#define AES_RT2(idx) RT2[idx]
510#define AES_RT3(idx) RT3[idx]
511
512#define AES_FT0(idx) FT0[idx]
513#define AES_FT1(idx) FT1[idx]
514#define AES_FT2(idx) FT2[idx]
515#define AES_FT3(idx) FT3[idx]
516
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]517#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]519void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]520{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]521 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]523 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]524}
525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]526void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]527{
528 if( ctx == NULL )
529 return;
530
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]531 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]532}
533
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]534#if defined(MBEDTLS_CIPHER_MODE_XTS)
535void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
536{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]537 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]538
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]539 mbedtls_aes_init( &ctx->crypt );
540 mbedtls_aes_init( &ctx->tweak );
541}
542
543void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
544{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]545 if( ctx == NULL )
546 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]547
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]548 mbedtls_aes_free( &ctx->crypt );
549 mbedtls_aes_free( &ctx->tweak );
550}
551#endif /* MBEDTLS_CIPHER_MODE_XTS */
552
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553/*
554 * AES key schedule (encryption)
555 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]556#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]557int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]558 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]560 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]561 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]563 AES_VALIDATE_RET( ctx != NULL );
564 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]566 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567 {
568 case 128: ctx->nr = 10; break;
569 case 192: ctx->nr = 12; break;
570 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]571 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572 }
573
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]574#if !defined(MBEDTLS_AES_ROM_TABLES)
575 if( aes_init_done == 0 )
576 {
577 aes_gen_tables();
578 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]579 }
580#endif
581
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]582#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]583 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]584 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585
586 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]587 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]588 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]590 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]592#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]593 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]594 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]595#endif
596
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]597 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]599 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600 }
601
602 switch( ctx->nr )
603 {
604 case 10:
605
606 for( i = 0; i < 10; i++, RK += 4 )
607 {
608 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]609 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
611 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
612 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613
614 RK[5] = RK[1] ^ RK[4];
615 RK[6] = RK[2] ^ RK[5];
616 RK[7] = RK[3] ^ RK[6];
617 }
618 break;
619
620 case 12:
621
622 for( i = 0; i < 8; i++, RK += 6 )
623 {
624 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]625 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
627 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
628 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629
630 RK[7] = RK[1] ^ RK[6];
631 RK[8] = RK[2] ^ RK[7];
632 RK[9] = RK[3] ^ RK[8];
633 RK[10] = RK[4] ^ RK[9];
634 RK[11] = RK[5] ^ RK[10];
635 }
636 break;
637
638 case 14:
639
640 for( i = 0; i < 7; i++, RK += 8 )
641 {
642 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]643 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
645 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
646 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]647
648 RK[9] = RK[1] ^ RK[8];
649 RK[10] = RK[2] ^ RK[9];
650 RK[11] = RK[3] ^ RK[10];
651
652 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]653 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
656 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657
658 RK[13] = RK[5] ^ RK[12];
659 RK[14] = RK[6] ^ RK[13];
660 RK[15] = RK[7] ^ RK[14];
661 }
662 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]664
665 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]667#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668
669/*
670 * AES key schedule (decryption)
671 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]672#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]674 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]676 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]677 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]678 uint32_t *RK;
679 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]680
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]681 AES_VALIDATE_RET( ctx != NULL );
682 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]684 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]687 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]688 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]689
690 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]692 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]694 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]696 /* Also checks keybits */
697 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]698 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]699
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]700 ctx->nr = cty.nr;
701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]703 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]704 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]705 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]706 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]707 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]708 }
709#endif
710
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711 SK = cty.rk + cty.nr * 4;
712
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716 *RK++ = *SK++;
717
718 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
719 {
720 for( j = 0; j < 4; j++, SK++ )
721 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]722 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
723 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
724 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
725 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726 }
727 }
728
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732 *RK++ = *SK++;
733
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]734exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]735 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]736
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]737 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]738}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]739
740#if defined(MBEDTLS_CIPHER_MODE_XTS)
741static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
742 unsigned int keybits,
743 const unsigned char **key1,
744 unsigned int *key1bits,
745 const unsigned char **key2,
746 unsigned int *key2bits )
747{
748 const unsigned int half_keybits = keybits / 2;
749 const unsigned int half_keybytes = half_keybits / 8;
750
751 switch( keybits )
752 {
753 case 256: break;
754 case 512: break;
755 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
756 }
757
758 *key1bits = half_keybits;
759 *key2bits = half_keybits;
760 *key1 = &key[0];
761 *key2 = &key[half_keybytes];
762
763 return 0;
764}
765
766int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
767 const unsigned char *key,
768 unsigned int keybits)
769{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]770 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]771 const unsigned char *key1, *key2;
772 unsigned int key1bits, key2bits;
773
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]774 AES_VALIDATE_RET( ctx != NULL );
775 AES_VALIDATE_RET( key != NULL );
776
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]777 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
778 &key2, &key2bits );
779 if( ret != 0 )
780 return( ret );
781
782 /* Set the tweak key. Always set tweak key for the encryption mode. */
783 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
784 if( ret != 0 )
785 return( ret );
786
787 /* Set crypt key for encryption. */
788 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
789}
790
791int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
792 const unsigned char *key,
793 unsigned int keybits)
794{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]795 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]796 const unsigned char *key1, *key2;
797 unsigned int key1bits, key2bits;
798
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]799 AES_VALIDATE_RET( ctx != NULL );
800 AES_VALIDATE_RET( key != NULL );
801
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
803 &key2, &key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set the tweak key. Always set tweak key for encryption. */
808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
809 if( ret != 0 )
810 return( ret );
811
812 /* Set crypt key for decryption. */
813 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
814}
815#endif /* MBEDTLS_CIPHER_MODE_XTS */
816
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]817#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]819#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
820 do \
821 { \
822 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
823 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
824 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
825 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
826 \
827 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
828 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
829 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
830 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
831 \
832 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
833 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
834 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
835 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
836 \
837 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
838 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
839 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
840 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
841 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]843#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
844 do \
845 { \
846 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
847 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
848 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
849 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
850 \
851 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
852 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
853 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
854 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
855 \
856 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
857 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
858 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
859 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
860 \
861 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
862 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
863 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
864 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
865 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866
867/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]868 * AES-ECB block encryption
869 */
870#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]871int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
872 const unsigned char input[16],
873 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]874{
875 int i;
876 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
877
878 RK = ctx->rk;
879
880 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
881 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
882 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
883 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
884
885 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
886 {
887 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
888 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
889 }
890
891 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
892
893 X0 = *RK++ ^ \
894 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
895 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
896 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
897 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
898
899 X1 = *RK++ ^ \
900 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
901 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
902 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
903 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
904
905 X2 = *RK++ ^ \
906 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
907 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
908 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
909 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
910
911 X3 = *RK++ ^ \
912 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
913 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
914 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
915 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
916
917 PUT_UINT32_LE( X0, output, 0 );
918 PUT_UINT32_LE( X1, output, 4 );
919 PUT_UINT32_LE( X2, output, 8 );
920 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]921
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]922 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
923 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
924 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
925 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
926
927 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
928 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
929 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
930 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
931
932 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
933
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]934 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]935}
936#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
937
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]938#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]939void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
940 const unsigned char input[16],
941 unsigned char output[16] )
942{
943 mbedtls_internal_aes_encrypt( ctx, input, output );
944}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]945#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]946
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]947/*
948 * AES-ECB block decryption
949 */
950#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]951int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
952 const unsigned char input[16],
953 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]954{
955 int i;
956 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
957
958 RK = ctx->rk;
959
960 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
961 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
962 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
963 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
964
965 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
966 {
967 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
968 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
969 }
970
971 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
972
973 X0 = *RK++ ^ \
974 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
975 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
976 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
977 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
978
979 X1 = *RK++ ^ \
980 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
981 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
982 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
983 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
984
985 X2 = *RK++ ^ \
986 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
987 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
988 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
989 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
990
991 X3 = *RK++ ^ \
992 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
993 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
994 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
995 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
996
997 PUT_UINT32_LE( X0, output, 0 );
998 PUT_UINT32_LE( X1, output, 4 );
999 PUT_UINT32_LE( X2, output, 8 );
1000 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1001
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]1002 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
1003 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1004 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1005 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1006
1007 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1008 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1009 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1010 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1011
1012 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1013
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1014 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1015}
1016#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1017
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1018#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1019void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1020 const unsigned char input[16],
1021 unsigned char output[16] )
1022{
1023 mbedtls_internal_aes_decrypt( ctx, input, output );
1024}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1025#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1026
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1027/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1028 * AES-ECB block encryption/decryption
1029 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1030int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1031 int mode,
1032 const unsigned char input[16],
1033 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1034{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1035 AES_VALIDATE_RET( ctx != NULL );
1036 AES_VALIDATE_RET( input != NULL );
1037 AES_VALIDATE_RET( output != NULL );
1038 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1039 mode == MBEDTLS_AES_DECRYPT );
1040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1042 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1044#endif
1045
Markku-Juhani O. Saarinen63f21392017-11-20 14:59:12 +0000[diff] [blame]1046#if defined(MBEDTLS_ARMV8CE_AES_C)
1047 // We don't do runtime checking for ARMv8 Crypto Extensions
1048 return mbedtls_armv8ce_aes_crypt_ecb( ctx, mode, input, output );
1049#endif
1050
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1051#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1052 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1053 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1054 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1055 return( 0 );
1056
1057 // If padlock data misaligned, we just fall back to
1058 // unaccelerated mode
1059 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1060 }
1061#endif
1062
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1063 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1064 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1065 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1066 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1067}
1068
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1069#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1070/*
1071 * AES-CBC buffer encryption/decryption
1072 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1073int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1075 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1077 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1078 unsigned char *output )
1079{
1080 int i;
1081 unsigned char temp[16];
1082
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1083 AES_VALIDATE_RET( ctx != NULL );
1084 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1085 mode == MBEDTLS_AES_DECRYPT );
1086 AES_VALIDATE_RET( iv != NULL );
1087 AES_VALIDATE_RET( input != NULL );
1088 AES_VALIDATE_RET( output != NULL );
1089
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1090 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1091 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1092
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1093#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1094 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1097 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1098
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1099 // If padlock data misaligned, we just fall back to
1100 // unaccelerated mode
1101 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1102 }
1103#endif
1104
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1105 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1106 {
1107 while( length > 0 )
1108 {
1109 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1110 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111
1112 for( i = 0; i < 16; i++ )
1113 output[i] = (unsigned char)( output[i] ^ iv[i] );
1114
1115 memcpy( iv, temp, 16 );
1116
1117 input += 16;
1118 output += 16;
1119 length -= 16;
1120 }
1121 }
1122 else
1123 {
1124 while( length > 0 )
1125 {
1126 for( i = 0; i < 16; i++ )
1127 output[i] = (unsigned char)( input[i] ^ iv[i] );
1128
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1129 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1130 memcpy( iv, output, 16 );
1131
1132 input += 16;
1133 output += 16;
1134 length -= 16;
1135 }
1136 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1137
1138 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1139}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1140#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1141
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1142#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1143
1144/* Endianess with 64 bits values */
1145#ifndef GET_UINT64_LE
1146#define GET_UINT64_LE(n,b,i) \
1147{ \
1148 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1149 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1150 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1151 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1152 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1153 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1154 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1155 | ( (uint64_t) (b)[(i) ] ); \
1156}
1157#endif
1158
1159#ifndef PUT_UINT64_LE
1160#define PUT_UINT64_LE(n,b,i) \
1161{ \
1162 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1163 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1164 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1165 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1166 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1167 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1168 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1169 (b)[(i) ] = (unsigned char) ( (n) ); \
1170}
1171#endif
1172
1173typedef unsigned char mbedtls_be128[16];
1174
1175/*
1176 * GF(2^128) multiplication function
1177 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1178 * This function multiplies a field element by x in the polynomial field
1179 * representation. It uses 64-bit word operations to gain speed but compensates
1180 * for machine endianess and hence works correctly on both big and little
1181 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1182 */
1183static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1184 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1185{
1186 uint64_t a, b, ra, rb;
1187
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1188 GET_UINT64_LE( a, x, 0 );
1189 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1190
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1191 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1192 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1193
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1194 PUT_UINT64_LE( ra, r, 0 );
1195 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1196}
1197
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1198/*
1199 * AES-XTS buffer encryption/decryption
1200 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1201int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1202 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1203 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1204 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1205 const unsigned char *input,
1206 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1207{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1208 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1209 size_t blocks = length / 16;
1210 size_t leftover = length % 16;
1211 unsigned char tweak[16];
1212 unsigned char prev_tweak[16];
1213 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1214
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1215 AES_VALIDATE_RET( ctx != NULL );
1216 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1217 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1218 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1219 AES_VALIDATE_RET( input != NULL );
1220 AES_VALIDATE_RET( output != NULL );
1221
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1222 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1223 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1224 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1225
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1226 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1227 if( length > ( 1 << 20 ) * 16 )
1228 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1229
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1230 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1231 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1232 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1233 if( ret != 0 )
1234 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1235
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1236 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1237 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1238 size_t i;
1239
1240 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1241 {
1242 /* We are on the last block in a decrypt operation that has
1243 * leftover bytes, so we need to use the next tweak for this block,
1244 * and this tweak for the lefover bytes. Save the current tweak for
1245 * the leftovers and then update the current tweak for use on this,
1246 * the last full block. */
1247 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1248 mbedtls_gf128mul_x_ble( tweak, tweak );
1249 }
1250
1251 for( i = 0; i < 16; i++ )
1252 tmp[i] = input[i] ^ tweak[i];
1253
1254 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1255 if( ret != 0 )
1256 return( ret );
1257
1258 for( i = 0; i < 16; i++ )
1259 output[i] = tmp[i] ^ tweak[i];
1260
1261 /* Update the tweak for the next block. */
1262 mbedtls_gf128mul_x_ble( tweak, tweak );
1263
1264 output += 16;
1265 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1266 }
1267
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1268 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1269 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1270 /* If we are on the leftover bytes in a decrypt operation, we need to
1271 * use the previous tweak for these bytes (as saved in prev_tweak). */
1272 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1273
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1274 /* We are now on the final part of the data unit, which doesn't divide
1275 * evenly by 16. It's time for ciphertext stealing. */
1276 size_t i;
1277 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1278
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1279 /* Copy ciphertext bytes from the previous block to our output for each
1280 * byte of cyphertext we won't steal. At the same time, copy the
1281 * remainder of the input for this final round (since the loop bounds
1282 * are the same). */
1283 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1284 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1285 output[i] = prev_output[i];
1286 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1287 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1288
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1289 /* Copy ciphertext bytes from the previous block for input in this
1290 * round. */
1291 for( ; i < 16; i++ )
1292 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1293
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1294 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1295 if( ret != 0 )
1296 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1297
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1298 /* Write the result back to the previous block, overriding the previous
1299 * output we copied. */
1300 for( i = 0; i < 16; i++ )
1301 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1302 }
1303
1304 return( 0 );
1305}
1306#endif /* MBEDTLS_CIPHER_MODE_XTS */
1307
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1308#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1309/*
1310 * AES-CFB128 buffer encryption/decryption
1311 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1312int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1314 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1315 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1316 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1317 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318 unsigned char *output )
1319{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1320 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1321 size_t n;
1322
1323 AES_VALIDATE_RET( ctx != NULL );
1324 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1325 mode == MBEDTLS_AES_DECRYPT );
1326 AES_VALIDATE_RET( iv_off != NULL );
1327 AES_VALIDATE_RET( iv != NULL );
1328 AES_VALIDATE_RET( input != NULL );
1329 AES_VALIDATE_RET( output != NULL );
1330
1331 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1333 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1334 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1335
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1336 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337 {
1338 while( length-- )
1339 {
1340 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1341 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342
1343 c = *input++;
1344 *output++ = (unsigned char)( c ^ iv[n] );
1345 iv[n] = (unsigned char) c;
1346
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1347 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1348 }
1349 }
1350 else
1351 {
1352 while( length-- )
1353 {
1354 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1355 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1356
1357 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1358
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1359 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1360 }
1361 }
1362
1363 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1364
1365 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1366}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1367
1368/*
1369 * AES-CFB8 buffer encryption/decryption
1370 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1371int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1372 int mode,
1373 size_t length,
1374 unsigned char iv[16],
1375 const unsigned char *input,
1376 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1377{
1378 unsigned char c;
1379 unsigned char ov[17];
1380
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1381 AES_VALIDATE_RET( ctx != NULL );
1382 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1383 mode == MBEDTLS_AES_DECRYPT );
1384 AES_VALIDATE_RET( iv != NULL );
1385 AES_VALIDATE_RET( input != NULL );
1386 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1387 while( length-- )
1388 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1389 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1390 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1391
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1392 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1393 ov[16] = *input;
1394
1395 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1397 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1398 ov[16] = c;
1399
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1400 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1401 }
1402
1403 return( 0 );
1404}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1405#endif /* MBEDTLS_CIPHER_MODE_CFB */
1406
1407#if defined(MBEDTLS_CIPHER_MODE_OFB)
1408/*
1409 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1410 */
1411int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1412 size_t length,
1413 size_t *iv_off,
1414 unsigned char iv[16],
1415 const unsigned char *input,
1416 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1417{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1418 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1419 size_t n;
1420
1421 AES_VALIDATE_RET( ctx != NULL );
1422 AES_VALIDATE_RET( iv_off != NULL );
1423 AES_VALIDATE_RET( iv != NULL );
1424 AES_VALIDATE_RET( input != NULL );
1425 AES_VALIDATE_RET( output != NULL );
1426
1427 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1428
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1429 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1430 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1431
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1432 while( length-- )
1433 {
1434 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1435 {
1436 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1437 if( ret != 0 )
1438 goto exit;
1439 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1440 *output++ = *input++ ^ iv[n];
1441
1442 n = ( n + 1 ) & 0x0F;
1443 }
1444
1445 *iv_off = n;
1446
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1447exit:
1448 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1449}
1450#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1451
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1452#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1453/*
1454 * AES-CTR buffer encryption/decryption
1455 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1456int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1457 size_t length,
1458 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1459 unsigned char nonce_counter[16],
1460 unsigned char stream_block[16],
1461 const unsigned char *input,
1462 unsigned char *output )
1463{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1464 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1465 size_t n;
1466
1467 AES_VALIDATE_RET( ctx != NULL );
1468 AES_VALIDATE_RET( nc_off != NULL );
1469 AES_VALIDATE_RET( nonce_counter != NULL );
1470 AES_VALIDATE_RET( stream_block != NULL );
1471 AES_VALIDATE_RET( input != NULL );
1472 AES_VALIDATE_RET( output != NULL );
1473
1474 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1475
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1476 if ( n > 0x0F )
1477 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1478
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1479 while( length-- )
1480 {
1481 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1482 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1483
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1484 for( i = 16; i > 0; i-- )
1485 if( ++nonce_counter[i - 1] != 0 )
1486 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1487 }
1488 c = *input++;
1489 *output++ = (unsigned char)( c ^ stream_block[n] );
1490
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1491 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1492 }
1493
1494 *nc_off = n;
1495
1496 return( 0 );
1497}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1498#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1499
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1500#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1501
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1502#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1503/*
1504 * AES test vectors from:
1505 *
1506 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1507 */
1508static const unsigned char aes_test_ecb_dec[3][16] =
1509{
1510 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1511 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1512 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1513 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1514 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1515 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1516};
1517
1518static const unsigned char aes_test_ecb_enc[3][16] =
1519{
1520 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1521 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1522 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1523 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1524 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1525 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1526};
1527
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1528#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1529static const unsigned char aes_test_cbc_dec[3][16] =
1530{
1531 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1532 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1533 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1534 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1535 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1536 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1537};
1538
1539static const unsigned char aes_test_cbc_enc[3][16] =
1540{
1541 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1542 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1543 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1544 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1545 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1546 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1547};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1548#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1550#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1551/*
1552 * AES-CFB128 test vectors from:
1553 *
1554 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1555 */
1556static const unsigned char aes_test_cfb128_key[3][32] =
1557{
1558 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1559 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1560 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1561 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1562 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1563 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1564 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1565 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1566 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1567};
1568
1569static const unsigned char aes_test_cfb128_iv[16] =
1570{
1571 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1572 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1573};
1574
1575static const unsigned char aes_test_cfb128_pt[64] =
1576{
1577 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1578 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1579 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1580 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1581 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1582 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1583 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1584 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1585};
1586
1587static const unsigned char aes_test_cfb128_ct[3][64] =
1588{
1589 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1590 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1591 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1592 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1593 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1594 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1595 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1596 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1597 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1598 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1599 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1600 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1601 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1602 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1603 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1604 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1605 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1606 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1607 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1608 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1609 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1610 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1611 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1612 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1613};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1614#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1615
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1616#if defined(MBEDTLS_CIPHER_MODE_OFB)
1617/*
1618 * AES-OFB test vectors from:
1619 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1620 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1621 */
1622static const unsigned char aes_test_ofb_key[3][32] =
1623{
1624 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1625 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1626 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1627 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1628 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1629 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1630 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1631 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1632 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1633};
1634
1635static const unsigned char aes_test_ofb_iv[16] =
1636{
1637 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1638 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1639};
1640
1641static const unsigned char aes_test_ofb_pt[64] =
1642{
1643 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1644 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1645 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1646 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1647 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1648 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1649 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1650 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1651};
1652
1653static const unsigned char aes_test_ofb_ct[3][64] =
1654{
1655 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1656 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1657 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1658 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1659 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1660 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1661 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1662 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1663 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1664 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1665 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1666 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1667 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1668 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1669 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1670 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1671 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1672 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1673 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1674 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1675 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1676 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1677 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1678 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1679};
1680#endif /* MBEDTLS_CIPHER_MODE_OFB */
1681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1682#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1683/*
1684 * AES-CTR test vectors from:
1685 *
1686 * http://www.faqs.org/rfcs/rfc3686.html
1687 */
1688
1689static const unsigned char aes_test_ctr_key[3][16] =
1690{
1691 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1692 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1693 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1694 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1695 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1696 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1697};
1698
1699static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1700{
1701 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1703 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1704 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1705 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1706 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1707};
1708
1709static const unsigned char aes_test_ctr_pt[3][48] =
1710{
1711 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1712 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1713
1714 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1715 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1716 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1717 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1718
1719 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1720 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1721 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1722 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1723 0x20, 0x21, 0x22, 0x23 }
1724};
1725
1726static const unsigned char aes_test_ctr_ct[3][48] =
1727{
1728 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1729 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1730 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1731 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1732 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1733 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1734 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1735 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1736 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1737 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1738 0x25, 0xB2, 0x07, 0x2F }
1739};
1740
1741static const int aes_test_ctr_len[3] =
1742 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1743#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1745#if defined(MBEDTLS_CIPHER_MODE_XTS)
1746/*
1747 * AES-XTS test vectors from:
1748 *
1749 * IEEE P1619/D16 Annex B
1750 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1751 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1752 */
1753static const unsigned char aes_test_xts_key[][32] =
1754{
1755 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1757 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1758 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1759 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1760 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1761 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1762 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1763 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1764 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1765 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1766 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1767};
1768
1769static const unsigned char aes_test_xts_pt32[][32] =
1770{
1771 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1773 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1775 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1776 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1777 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1778 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1779 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1780 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1781 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1782 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1783};
1784
1785static const unsigned char aes_test_xts_ct32[][32] =
1786{
1787 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1788 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1789 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1790 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1791 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1792 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1793 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1794 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1795 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1796 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1797 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1798 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1799};
1800
1801static const unsigned char aes_test_xts_data_unit[][16] =
1802{
1803 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1804 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1805 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1807 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1809};
1810
1811#endif /* MBEDTLS_CIPHER_MODE_XTS */
1812
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1813/*
1814 * Checkup routine
1815 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1816int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1818 int ret = 0, i, j, u, mode;
1819 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820 unsigned char key[32];
1821 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1822 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1823#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1824 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1825#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1826#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1827 unsigned char prv[16];
1828#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1829#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1830 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1831 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1832#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1833#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1834 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1835#endif
1836#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1837 unsigned char nonce_counter[16];
1838 unsigned char stream_block[16];
1839#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1840 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1841
1842 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1843 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1844
1845 /*
1846 * ECB mode
1847 */
1848 for( i = 0; i < 6; i++ )
1849 {
1850 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1851 keybits = 128 + u * 64;
1852 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853
1854 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1855 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1856 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857
1858 memset( buf, 0, 16 );
1859
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1860 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1861 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1862 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1863 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864 }
1865 else
1866 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1867 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1868 aes_tests = aes_test_ecb_enc[u];
1869 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1870
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1871 /*
1872 * AES-192 is an optional feature that may be unavailable when
1873 * there is an alternative underlying implementation i.e. when
1874 * MBEDTLS_AES_ALT is defined.
1875 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1876 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1877 {
1878 mbedtls_printf( "skipped\n" );
1879 continue;
1880 }
1881 else if( ret != 0 )
1882 {
1883 goto exit;
1884 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1886 for( j = 0; j < 10000; j++ )
1887 {
1888 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1889 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1890 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1891 }
1892
1893 if( memcmp( buf, aes_tests, 16 ) != 0 )
1894 {
1895 ret = 1;
1896 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1897 }
1898
1899 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1900 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901 }
1902
1903 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1904 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1905
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1906#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1907 /*
1908 * CBC mode
1909 */
1910 for( i = 0; i < 6; i++ )
1911 {
1912 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1913 keybits = 128 + u * 64;
1914 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915
1916 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1917 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1918 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1919
1920 memset( iv , 0, 16 );
1921 memset( prv, 0, 16 );
1922 memset( buf, 0, 16 );
1923
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1924 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1925 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1926 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1927 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928 }
1929 else
1930 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1931 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1932 aes_tests = aes_test_cbc_enc[u];
1933 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1934
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1935 /*
1936 * AES-192 is an optional feature that may be unavailable when
1937 * there is an alternative underlying implementation i.e. when
1938 * MBEDTLS_AES_ALT is defined.
1939 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1940 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1941 {
1942 mbedtls_printf( "skipped\n" );
1943 continue;
1944 }
1945 else if( ret != 0 )
1946 {
1947 goto exit;
1948 }
1949
1950 for( j = 0; j < 10000; j++ )
1951 {
1952 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953 {
1954 unsigned char tmp[16];
1955
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1956 memcpy( tmp, prv, 16 );
1957 memcpy( prv, buf, 16 );
1958 memcpy( buf, tmp, 16 );
1959 }
1960
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1961 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1962 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1963 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1964
1965 }
1966
1967 if( memcmp( buf, aes_tests, 16 ) != 0 )
1968 {
1969 ret = 1;
1970 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971 }
1972
1973 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1974 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975 }
1976
1977 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1978 mbedtls_printf( "\n" );
1979#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1980
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1981#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1982 /*
1983 * CFB128 mode
1984 */
1985 for( i = 0; i < 6; i++ )
1986 {
1987 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1988 keybits = 128 + u * 64;
1989 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1990
1991 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1992 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1993 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1994
1995 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1996 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1997
1998 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1999 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2000 /*
2001 * AES-192 is an optional feature that may be unavailable when
2002 * there is an alternative underlying implementation i.e. when
2003 * MBEDTLS_AES_ALT is defined.
2004 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2005 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2006 {
2007 mbedtls_printf( "skipped\n" );
2008 continue;
2009 }
2010 else if( ret != 0 )
2011 {
2012 goto exit;
2013 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2014
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2015 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016 {
2017 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2018 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019 }
2020 else
2021 {
2022 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2023 aes_tests = aes_test_cfb128_ct[u];
2024 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2026 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2027 if( ret != 0 )
2028 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2030 if( memcmp( buf, aes_tests, 64 ) != 0 )
2031 {
2032 ret = 1;
2033 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2034 }
2035
2036 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2037 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2038 }
2039
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2040 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2041 mbedtls_printf( "\n" );
2042#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2043
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2044#if defined(MBEDTLS_CIPHER_MODE_OFB)
2045 /*
2046 * OFB mode
2047 */
2048 for( i = 0; i < 6; i++ )
2049 {
2050 u = i >> 1;
2051 keybits = 128 + u * 64;
2052 mode = i & 1;
2053
2054 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]2055 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2056 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2057
2058 memcpy( iv, aes_test_ofb_iv, 16 );
2059 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2060
2061 offset = 0;
2062 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2063 /*
2064 * AES-192 is an optional feature that may be unavailable when
2065 * there is an alternative underlying implementation i.e. when
2066 * MBEDTLS_AES_ALT is defined.
2067 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2068 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2069 {
2070 mbedtls_printf( "skipped\n" );
2071 continue;
2072 }
2073 else if( ret != 0 )
2074 {
2075 goto exit;
2076 }
2077
2078 if( mode == MBEDTLS_AES_DECRYPT )
2079 {
2080 memcpy( buf, aes_test_ofb_ct[u], 64 );
2081 aes_tests = aes_test_ofb_pt;
2082 }
2083 else
2084 {
2085 memcpy( buf, aes_test_ofb_pt, 64 );
2086 aes_tests = aes_test_ofb_ct[u];
2087 }
2088
2089 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2090 if( ret != 0 )
2091 goto exit;
2092
2093 if( memcmp( buf, aes_tests, 64 ) != 0 )
2094 {
2095 ret = 1;
2096 goto exit;
2097 }
2098
2099 if( verbose != 0 )
2100 mbedtls_printf( "passed\n" );
2101 }
2102
2103 if( verbose != 0 )
2104 mbedtls_printf( "\n" );
2105#endif /* MBEDTLS_CIPHER_MODE_OFB */
2106
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2107#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2108 /*
2109 * CTR mode
2110 */
2111 for( i = 0; i < 6; i++ )
2112 {
2113 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2114 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2115
2116 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2117 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2118 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2119
2120 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2121 memcpy( key, aes_test_ctr_key[u], 16 );
2122
2123 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2124 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2125 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2126
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2127 len = aes_test_ctr_len[u];
2128
2129 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2130 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2131 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2132 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2133 }
2134 else
2135 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2136 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2137 aes_tests = aes_test_ctr_ct[u];
2138 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2139
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2140 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2141 stream_block, buf, buf );
2142 if( ret != 0 )
2143 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2144
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2145 if( memcmp( buf, aes_tests, len ) != 0 )
2146 {
2147 ret = 1;
2148 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2149 }
2150
2151 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2152 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2153 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2154
2155 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2156 mbedtls_printf( "\n" );
2157#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2158
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2159#if defined(MBEDTLS_CIPHER_MODE_XTS)
2160 {
2161 static const int num_tests =
2162 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2163 mbedtls_aes_xts_context ctx_xts;
2164
2165 /*
2166 * XTS mode
2167 */
2168 mbedtls_aes_xts_init( &ctx_xts );
2169
2170 for( i = 0; i < num_tests << 1; i++ )
2171 {
2172 const unsigned char *data_unit;
2173 u = i >> 1;
2174 mode = i & 1;
2175
2176 if( verbose != 0 )
2177 mbedtls_printf( " AES-XTS-128 (%s): ",
2178 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2179
2180 memset( key, 0, sizeof( key ) );
2181 memcpy( key, aes_test_xts_key[u], 32 );
2182 data_unit = aes_test_xts_data_unit[u];
2183
2184 len = sizeof( *aes_test_xts_ct32 );
2185
2186 if( mode == MBEDTLS_AES_DECRYPT )
2187 {
2188 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2189 if( ret != 0)
2190 goto exit;
2191 memcpy( buf, aes_test_xts_ct32[u], len );
2192 aes_tests = aes_test_xts_pt32[u];
2193 }
2194 else
2195 {
2196 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2197 if( ret != 0)
2198 goto exit;
2199 memcpy( buf, aes_test_xts_pt32[u], len );
2200 aes_tests = aes_test_xts_ct32[u];
2201 }
2202
2203
2204 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2205 buf, buf );
2206 if( ret != 0 )
2207 goto exit;
2208
2209 if( memcmp( buf, aes_tests, len ) != 0 )
2210 {
2211 ret = 1;
2212 goto exit;
2213 }
2214
2215 if( verbose != 0 )
2216 mbedtls_printf( "passed\n" );
2217 }
2218
2219 if( verbose != 0 )
2220 mbedtls_printf( "\n" );
2221
2222 mbedtls_aes_xts_free( &ctx_xts );
2223 }
2224#endif /* MBEDTLS_CIPHER_MODE_XTS */
2225
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2226 ret = 0;
2227
2228exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2229 if( ret != 0 && verbose != 0 )
2230 mbedtls_printf( "failed\n" );
2231
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2232 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2233
2234 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2235}
2236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2237#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2238
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2239#endif /* MBEDTLS_AES_C */