TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/mbedtls-2.16 / . / library / aes.c
blob: af19a3849f103b6fd82f5f8e992cb2c5626b8778 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkútia2947ac2020-08-19 16:37:36 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45 */
46/*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]54#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]55#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]61#include <string.h>
62
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]63#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]64#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]65#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]66#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]67#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]68#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]69#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]70#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]71#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]73#if defined(MBEDTLS_SELF_TEST)
74#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]75#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]76#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]77#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]78#define mbedtls_printf printf
79#endif /* MBEDTLS_PLATFORM_C */
80#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]81
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]83
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]84/* Parameter validation macros based on platform_util.h */
85#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]86 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]87#define AES_VALIDATE( cond ) \
88 MBEDTLS_INTERNAL_VALIDATE( cond )
89
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90/*
91 * 32-bit integer manipulation macros (little endian)
92 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]93#ifndef GET_UINT32_LE
94#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]96 (n) = ( (uint32_t) (b)[(i) ] ) \
97 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
98 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
99 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]100}
101#endif
102
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]103#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]104#define PUT_UINT32_LE(n,b,i) \
105{ \
106 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
107 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
108 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
109 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]110}
111#endif
112
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]113#if defined(MBEDTLS_PADLOCK_C) && \
114 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]115static int aes_padlock_ace = -1;
116#endif
117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]118#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]119/*
120 * Forward S-box
121 */
122static const unsigned char FSb[256] =
123{
124 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
125 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
126 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
127 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
128 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
129 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
130 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
131 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
132 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
133 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
134 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
135 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
136 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
137 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
138 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
139 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
140 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
141 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
142 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
143 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
144 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
145 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
146 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
147 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
148 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
149 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
150 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
151 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
152 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
153 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
154 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
155 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
156};
157
158/*
159 * Forward tables
160 */
161#define FT \
162\
163 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
164 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
165 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
166 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
167 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
168 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
169 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
170 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
171 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
172 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
173 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
174 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
175 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
176 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
177 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
178 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
179 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
180 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
181 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
182 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
183 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
184 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
185 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
186 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
187 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
188 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
189 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
190 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
191 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
192 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
193 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
194 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
195 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
196 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
197 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
198 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
199 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
200 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
201 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
202 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
203 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
204 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
205 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
206 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
207 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
208 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
209 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
210 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
211 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
212 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
213 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
214 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
215 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
216 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
217 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
218 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
219 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
220 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
221 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
222 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
223 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
224 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
225 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
226 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
227
228#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]232#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]233
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]235static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236#undef V
237
238#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]239static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]240#undef V
241
242#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]243static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244#undef V
245
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]246#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]247
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]248#undef FT
249
250/*
251 * Reverse S-box
252 */
253static const unsigned char RSb[256] =
254{
255 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
256 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
257 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
258 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
259 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
260 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
261 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
262 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
263 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
264 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
265 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
266 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
267 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
268 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
269 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
270 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
271 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
272 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
273 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
274 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
275 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
276 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
277 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
278 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
279 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
280 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
281 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
282 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
283 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
284 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
285 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
286 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
287};
288
289/*
290 * Reverse tables
291 */
292#define RT \
293\
294 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
295 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
296 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
297 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
298 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
299 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
300 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
301 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
302 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
303 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
304 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
305 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
306 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
307 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
308 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
309 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
310 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
311 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
312 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
313 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
314 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
315 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
316 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
317 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
318 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
319 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
320 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
321 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
322 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
323 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
324 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
325 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
326 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
327 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
328 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
329 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
330 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
331 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
332 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
333 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
334 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
335 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
336 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
337 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
338 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
339 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
340 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
341 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
342 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
343 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
344 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
345 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
346 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
347 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
348 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
349 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
350 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
351 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
352 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
353 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
354 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
355 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
356 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
357 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
358
359#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361#undef V
362
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]363#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]364
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]366static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367#undef V
368
369#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]370static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371#undef V
372
373#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]374static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375#undef V
376
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]378
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379#undef RT
380
381/*
382 * Round constants
383 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]385{
386 0x00000001, 0x00000002, 0x00000004, 0x00000008,
387 0x00000010, 0x00000020, 0x00000040, 0x00000080,
388 0x0000001B, 0x00000036
389};
390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]391#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392
393/*
394 * Forward S-box & tables
395 */
396static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]397static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]398#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]399static uint32_t FT1[256];
400static uint32_t FT2[256];
401static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]402#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]403
404/*
405 * Reverse S-box & tables
406 */
407static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]408static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]409#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]410static uint32_t RT1[256];
411static uint32_t RT2[256];
412static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]413#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]414
415/*
416 * Round constants
417 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]418static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419
420/*
421 * Tables generation code
422 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]423#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
424#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]425#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426
427static int aes_init_done = 0;
428
429static void aes_gen_tables( void )
430{
431 int i, x, y, z;
432 int pow[256];
433 int log[256];
434
435 /*
436 * compute pow and log tables over GF(2^8)
437 */
438 for( i = 0, x = 1; i < 256; i++ )
439 {
440 pow[i] = x;
441 log[x] = i;
442 x = ( x ^ XTIME( x ) ) & 0xFF;
443 }
444
445 /*
446 * calculate the round constants
447 */
448 for( i = 0, x = 1; i < 10; i++ )
449 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]450 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451 x = XTIME( x ) & 0xFF;
452 }
453
454 /*
455 * generate the forward and reverse S-boxes
456 */
457 FSb[0x00] = 0x63;
458 RSb[0x63] = 0x00;
459
460 for( i = 1; i < 256; i++ )
461 {
462 x = pow[255 - log[i]];
463
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]464 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
466 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468 x ^= y ^ 0x63;
469
470 FSb[i] = (unsigned char) x;
471 RSb[x] = (unsigned char) i;
472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
494 x = RSb[i];
495
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]496 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
497 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
498 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
499 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]500
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]501#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502 RT1[i] = ROTL8( RT0[i] );
503 RT2[i] = ROTL8( RT1[i] );
504 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]505#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]506 }
507}
508
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]509#undef ROTL8
510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]512
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]513#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]514
515#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
516#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
517#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
518
519#define AES_RT0(idx) RT0[idx]
520#define AES_RT1(idx) ROTL8( RT0[idx] )
521#define AES_RT2(idx) ROTL16( RT0[idx] )
522#define AES_RT3(idx) ROTL24( RT0[idx] )
523
524#define AES_FT0(idx) FT0[idx]
525#define AES_FT1(idx) ROTL8( FT0[idx] )
526#define AES_FT2(idx) ROTL16( FT0[idx] )
527#define AES_FT3(idx) ROTL24( FT0[idx] )
528
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]529#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]530
531#define AES_RT0(idx) RT0[idx]
532#define AES_RT1(idx) RT1[idx]
533#define AES_RT2(idx) RT2[idx]
534#define AES_RT3(idx) RT3[idx]
535
536#define AES_FT0(idx) FT0[idx]
537#define AES_FT1(idx) FT1[idx]
538#define AES_FT2(idx) FT2[idx]
539#define AES_FT3(idx) FT3[idx]
540
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]541#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]543void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]544{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]545 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]547 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]548}
549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]550void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]551{
552 if( ctx == NULL )
553 return;
554
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]555 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]556}
557
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]558#if defined(MBEDTLS_CIPHER_MODE_XTS)
559void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
560{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]561 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]562
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]563 mbedtls_aes_init( &ctx->crypt );
564 mbedtls_aes_init( &ctx->tweak );
565}
566
567void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
568{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]569 if( ctx == NULL )
570 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]571
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]572 mbedtls_aes_free( &ctx->crypt );
573 mbedtls_aes_free( &ctx->tweak );
574}
575#endif /* MBEDTLS_CIPHER_MODE_XTS */
576
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577/*
578 * AES key schedule (encryption)
579 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]580#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]582 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]584 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]585 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]587 AES_VALIDATE_RET( ctx != NULL );
588 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]590 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591 {
592 case 128: ctx->nr = 10; break;
593 case 192: ctx->nr = 12; break;
594 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]595 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 }
597
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]598#if !defined(MBEDTLS_AES_ROM_TABLES)
599 if( aes_init_done == 0 )
600 {
601 aes_gen_tables();
602 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]603 }
604#endif
605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]606#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]607 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]608 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]609
610 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]611 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]612 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]614 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]616#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]617 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]618 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]619#endif
620
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]621 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]622 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]623 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624 }
625
626 switch( ctx->nr )
627 {
628 case 10:
629
630 for( i = 0; i < 10; i++, RK += 4 )
631 {
632 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]633 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
634 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
635 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
636 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637
638 RK[5] = RK[1] ^ RK[4];
639 RK[6] = RK[2] ^ RK[5];
640 RK[7] = RK[3] ^ RK[6];
641 }
642 break;
643
644 case 12:
645
646 for( i = 0; i < 8; i++, RK += 6 )
647 {
648 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]649 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
650 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
651 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
652 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654 RK[7] = RK[1] ^ RK[6];
655 RK[8] = RK[2] ^ RK[7];
656 RK[9] = RK[3] ^ RK[8];
657 RK[10] = RK[4] ^ RK[9];
658 RK[11] = RK[5] ^ RK[10];
659 }
660 break;
661
662 case 14:
663
664 for( i = 0; i < 7; i++, RK += 8 )
665 {
666 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]667 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
668 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
669 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
670 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671
672 RK[9] = RK[1] ^ RK[8];
673 RK[10] = RK[2] ^ RK[9];
674 RK[11] = RK[3] ^ RK[10];
675
676 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
678 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
679 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
680 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
682 RK[13] = RK[5] ^ RK[12];
683 RK[14] = RK[6] ^ RK[13];
684 RK[15] = RK[7] ^ RK[14];
685 }
686 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]688
689 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]691#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692
693/*
694 * AES key schedule (decryption)
695 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]696#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]697int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]698 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]700 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]702 uint32_t *RK;
703 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]704
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]705 AES_VALIDATE_RET( ctx != NULL );
706 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]708 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]709
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]711 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]712 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]713
714 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]715 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]716 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]718 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]720 /* Also checks keybits */
721 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]722 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]723
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]724 ctx->nr = cty.nr;
725
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]726#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]727 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]728 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]730 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]732 }
733#endif
734
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735 SK = cty.rk + cty.nr * 4;
736
737 *RK++ = *SK++;
738 *RK++ = *SK++;
739 *RK++ = *SK++;
740 *RK++ = *SK++;
741
742 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
743 {
744 for( j = 0; j < 4; j++, SK++ )
745 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]746 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
747 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
748 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
749 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750 }
751 }
752
753 *RK++ = *SK++;
754 *RK++ = *SK++;
755 *RK++ = *SK++;
756 *RK++ = *SK++;
757
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]758exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]759 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]760
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]761 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762}
gabor-mezei-arm13b8a262020-10-26 11:35:23 +0100[diff] [blame]763#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]764
765#if defined(MBEDTLS_CIPHER_MODE_XTS)
766static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
767 unsigned int keybits,
768 const unsigned char **key1,
769 unsigned int *key1bits,
770 const unsigned char **key2,
771 unsigned int *key2bits )
772{
773 const unsigned int half_keybits = keybits / 2;
774 const unsigned int half_keybytes = half_keybits / 8;
775
776 switch( keybits )
777 {
778 case 256: break;
779 case 512: break;
780 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
781 }
782
783 *key1bits = half_keybits;
784 *key2bits = half_keybits;
785 *key1 = &key[0];
786 *key2 = &key[half_keybytes];
787
788 return 0;
789}
790
791int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
792 const unsigned char *key,
793 unsigned int keybits)
794{
795 int ret;
796 const unsigned char *key1, *key2;
797 unsigned int key1bits, key2bits;
798
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]799 AES_VALIDATE_RET( ctx != NULL );
800 AES_VALIDATE_RET( key != NULL );
801
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
803 &key2, &key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set the tweak key. Always set tweak key for the encryption mode. */
808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
809 if( ret != 0 )
810 return( ret );
811
812 /* Set crypt key for encryption. */
813 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
814}
815
816int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
817 const unsigned char *key,
818 unsigned int keybits)
819{
820 int ret;
821 const unsigned char *key1, *key2;
822 unsigned int key1bits, key2bits;
823
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]824 AES_VALIDATE_RET( ctx != NULL );
825 AES_VALIDATE_RET( key != NULL );
826
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]827 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
828 &key2, &key2bits );
829 if( ret != 0 )
830 return( ret );
831
832 /* Set the tweak key. Always set tweak key for encryption. */
833 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
834 if( ret != 0 )
835 return( ret );
836
837 /* Set crypt key for decryption. */
838 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
839}
840#endif /* MBEDTLS_CIPHER_MODE_XTS */
841
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]842#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
843 do \
844 { \
845 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
846 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
847 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
848 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
849 \
850 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
851 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
852 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
853 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
854 \
855 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
856 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
857 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
858 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
859 \
860 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
861 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
862 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
863 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
864 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]865
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]866#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
867 do \
868 { \
869 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
870 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
871 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
872 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
873 \
874 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
875 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
876 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
877 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
878 \
879 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
880 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
881 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
882 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
883 \
884 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
885 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
886 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
887 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
888 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]889
890/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]891 * AES-ECB block encryption
892 */
893#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]894int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
895 const unsigned char input[16],
896 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]897{
898 int i;
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]899 uint32_t *RK = ctx->rk;
900 struct
901 {
902 uint32_t X[4];
903 uint32_t Y[4];
904 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]905
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]906 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
907 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
908 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
909 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]910
911 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
912 {
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]913 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
914 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]915 }
916
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]917 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]918
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]919 t.X[0] = *RK++ ^ \
920 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
921 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
922 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
923 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]924
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]925 t.X[1] = *RK++ ^ \
926 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
927 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
928 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
929 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]930
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]931 t.X[2] = *RK++ ^ \
932 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
933 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
934 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
935 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]936
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]937 t.X[3] = *RK++ ^ \
938 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
939 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
940 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
941 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]942
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]943 PUT_UINT32_LE( t.X[0], output, 0 );
944 PUT_UINT32_LE( t.X[1], output, 4 );
945 PUT_UINT32_LE( t.X[2], output, 8 );
946 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]947
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]948 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]949
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]950 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]951}
952#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
953
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]954#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]955void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
956 const unsigned char input[16],
957 unsigned char output[16] )
958{
959 mbedtls_internal_aes_encrypt( ctx, input, output );
960}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]961#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]962
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]963/*
964 * AES-ECB block decryption
965 */
966#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]967int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
968 const unsigned char input[16],
969 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]970{
971 int i;
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]972 uint32_t *RK = ctx->rk;
973 struct
974 {
975 uint32_t X[4];
976 uint32_t Y[4];
977 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]978
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]979 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
980 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
981 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
982 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]983
984 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
985 {
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]986 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
987 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]988 }
989
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]990 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]991
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]992 t.X[0] = *RK++ ^ \
993 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
994 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
995 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
996 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]997
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]998 t.X[1] = *RK++ ^ \
999 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
1000 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
1001 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
1002 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1003
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]1004 t.X[2] = *RK++ ^ \
1005 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
1006 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
1007 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
1008 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1009
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]1010 t.X[3] = *RK++ ^ \
1011 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
1012 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
1013 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
1014 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1015
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]1016 PUT_UINT32_LE( t.X[0], output, 0 );
1017 PUT_UINT32_LE( t.X[1], output, 4 );
1018 PUT_UINT32_LE( t.X[2], output, 8 );
1019 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1020
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]1021 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]1022
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1023 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1024}
1025#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1026
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1027#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1028void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1029 const unsigned char input[16],
1030 unsigned char output[16] )
1031{
1032 mbedtls_internal_aes_decrypt( ctx, input, output );
1033}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1034#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1035
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1036/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1037 * AES-ECB block encryption/decryption
1038 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1040 int mode,
1041 const unsigned char input[16],
1042 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1043{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1044 AES_VALIDATE_RET( ctx != NULL );
1045 AES_VALIDATE_RET( input != NULL );
1046 AES_VALIDATE_RET( output != NULL );
1047 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1048 mode == MBEDTLS_AES_DECRYPT );
1049
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1050#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1051 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1053#endif
1054
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1055#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1056 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1057 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1058 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1059 return( 0 );
1060
1061 // If padlock data misaligned, we just fall back to
1062 // unaccelerated mode
1063 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1064 }
1065#endif
1066
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1067 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1068 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1069 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1070 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1071}
1072
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1073#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074/*
1075 * AES-CBC buffer encryption/decryption
1076 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1077int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1078 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1079 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1080 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1081 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082 unsigned char *output )
1083{
1084 int i;
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1085 int ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1086 unsigned char temp[16];
1087
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1088 AES_VALIDATE_RET( ctx != NULL );
1089 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1090 mode == MBEDTLS_AES_DECRYPT );
1091 AES_VALIDATE_RET( iv != NULL );
1092 AES_VALIDATE_RET( input != NULL );
1093 AES_VALIDATE_RET( output != NULL );
1094
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1095 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1097
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1098#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1099 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1101 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1102 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1103
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1104 // If padlock data misaligned, we just fall back to
1105 // unaccelerated mode
1106 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107 }
1108#endif
1109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1110 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111 {
1112 while( length > 0 )
1113 {
1114 memcpy( temp, input, 16 );
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1115 ret = mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1116 if( ret != 0 )
1117 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1118
1119 for( i = 0; i < 16; i++ )
1120 output[i] = (unsigned char)( output[i] ^ iv[i] );
1121
1122 memcpy( iv, temp, 16 );
1123
1124 input += 16;
1125 output += 16;
1126 length -= 16;
1127 }
1128 }
1129 else
1130 {
1131 while( length > 0 )
1132 {
1133 for( i = 0; i < 16; i++ )
1134 output[i] = (unsigned char)( input[i] ^ iv[i] );
1135
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1136 ret = mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1137 if( ret != 0 )
1138 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1139 memcpy( iv, output, 16 );
1140
1141 input += 16;
1142 output += 16;
1143 length -= 16;
1144 }
1145 }
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1146 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1147
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1148exit:
1149 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1150}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1151#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1152
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1153#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1154
1155/* Endianess with 64 bits values */
1156#ifndef GET_UINT64_LE
1157#define GET_UINT64_LE(n,b,i) \
1158{ \
1159 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1160 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1161 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1162 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1163 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1164 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1165 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1166 | ( (uint64_t) (b)[(i) ] ); \
1167}
1168#endif
1169
1170#ifndef PUT_UINT64_LE
1171#define PUT_UINT64_LE(n,b,i) \
1172{ \
1173 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1174 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1175 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1176 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1177 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1178 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1179 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1180 (b)[(i) ] = (unsigned char) ( (n) ); \
1181}
1182#endif
1183
1184typedef unsigned char mbedtls_be128[16];
1185
1186/*
1187 * GF(2^128) multiplication function
1188 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1189 * This function multiplies a field element by x in the polynomial field
1190 * representation. It uses 64-bit word operations to gain speed but compensates
1191 * for machine endianess and hence works correctly on both big and little
1192 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1193 */
1194static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1195 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1196{
1197 uint64_t a, b, ra, rb;
1198
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1199 GET_UINT64_LE( a, x, 0 );
1200 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1201
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1202 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1203 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1204
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1205 PUT_UINT64_LE( ra, r, 0 );
1206 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1207}
1208
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1209/*
1210 * AES-XTS buffer encryption/decryption
1211 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1212int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1213 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1214 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1215 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1216 const unsigned char *input,
1217 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1218{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1219 int ret;
1220 size_t blocks = length / 16;
1221 size_t leftover = length % 16;
1222 unsigned char tweak[16];
1223 unsigned char prev_tweak[16];
1224 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1225
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1226 AES_VALIDATE_RET( ctx != NULL );
1227 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1228 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1229 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1230 AES_VALIDATE_RET( input != NULL );
1231 AES_VALIDATE_RET( output != NULL );
1232
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1233 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1234 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1235 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1236
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1237 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1238 if( length > ( 1 << 20 ) * 16 )
1239 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1240
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1241 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1242 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1243 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1244 if( ret != 0 )
1245 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1246
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1247 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1248 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1249 size_t i;
1250
1251 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1252 {
1253 /* We are on the last block in a decrypt operation that has
1254 * leftover bytes, so we need to use the next tweak for this block,
1255 * and this tweak for the lefover bytes. Save the current tweak for
1256 * the leftovers and then update the current tweak for use on this,
1257 * the last full block. */
1258 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1259 mbedtls_gf128mul_x_ble( tweak, tweak );
1260 }
1261
1262 for( i = 0; i < 16; i++ )
1263 tmp[i] = input[i] ^ tweak[i];
1264
1265 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1266 if( ret != 0 )
1267 return( ret );
1268
1269 for( i = 0; i < 16; i++ )
1270 output[i] = tmp[i] ^ tweak[i];
1271
1272 /* Update the tweak for the next block. */
1273 mbedtls_gf128mul_x_ble( tweak, tweak );
1274
1275 output += 16;
1276 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1277 }
1278
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1279 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1280 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1281 /* If we are on the leftover bytes in a decrypt operation, we need to
1282 * use the previous tweak for these bytes (as saved in prev_tweak). */
1283 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1284
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1285 /* We are now on the final part of the data unit, which doesn't divide
1286 * evenly by 16. It's time for ciphertext stealing. */
1287 size_t i;
1288 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1289
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1290 /* Copy ciphertext bytes from the previous block to our output for each
1291 * byte of cyphertext we won't steal. At the same time, copy the
1292 * remainder of the input for this final round (since the loop bounds
1293 * are the same). */
1294 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1295 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1296 output[i] = prev_output[i];
1297 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1298 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1299
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1300 /* Copy ciphertext bytes from the previous block for input in this
1301 * round. */
1302 for( ; i < 16; i++ )
1303 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1304
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1305 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1306 if( ret != 0 )
1307 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1308
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1309 /* Write the result back to the previous block, overriding the previous
1310 * output we copied. */
1311 for( i = 0; i < 16; i++ )
1312 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1313 }
1314
1315 return( 0 );
1316}
1317#endif /* MBEDTLS_CIPHER_MODE_XTS */
1318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1319#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1320/*
1321 * AES-CFB128 buffer encryption/decryption
1322 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1323int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1324 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1325 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1326 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1327 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1328 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1329 unsigned char *output )
1330{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1331 int c;
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1332 int ret;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1333 size_t n;
1334
1335 AES_VALIDATE_RET( ctx != NULL );
1336 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1337 mode == MBEDTLS_AES_DECRYPT );
1338 AES_VALIDATE_RET( iv_off != NULL );
1339 AES_VALIDATE_RET( iv != NULL );
1340 AES_VALIDATE_RET( input != NULL );
1341 AES_VALIDATE_RET( output != NULL );
1342
1343 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1344
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1345 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1346 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1348 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1349 {
1350 while( length-- )
1351 {
1352 if( n == 0 )
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1353 {
1354 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1355 if( ret != 0 )
1356 goto exit;
1357 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1358
1359 c = *input++;
1360 *output++ = (unsigned char)( c ^ iv[n] );
1361 iv[n] = (unsigned char) c;
1362
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1363 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1364 }
1365 }
1366 else
1367 {
1368 while( length-- )
1369 {
1370 if( n == 0 )
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1371 {
1372 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1373 if( ret != 0 )
1374 goto exit;
1375 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1376
1377 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1378
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1379 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1380 }
1381 }
1382
1383 *iv_off = n;
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1384 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1385
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1386exit:
1387 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1388}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1389
1390/*
1391 * AES-CFB8 buffer encryption/decryption
1392 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1393int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1394 int mode,
1395 size_t length,
1396 unsigned char iv[16],
1397 const unsigned char *input,
1398 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1399{
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1400 int ret;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1401 unsigned char c;
1402 unsigned char ov[17];
1403
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1404 AES_VALIDATE_RET( ctx != NULL );
1405 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1406 mode == MBEDTLS_AES_DECRYPT );
1407 AES_VALIDATE_RET( iv != NULL );
1408 AES_VALIDATE_RET( input != NULL );
1409 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1410 while( length-- )
1411 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1412 memcpy( ov, iv, 16 );
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1413 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1414 if( ret != 0 )
1415 goto exit;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1416
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1417 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1418 ov[16] = *input;
1419
1420 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1421
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1422 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1423 ov[16] = c;
1424
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1425 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1426 }
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1427 ret = 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1428
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1429exit:
1430 return( ret );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1431}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1432#endif /* MBEDTLS_CIPHER_MODE_CFB */
1433
1434#if defined(MBEDTLS_CIPHER_MODE_OFB)
1435/*
1436 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1437 */
1438int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1439 size_t length,
1440 size_t *iv_off,
1441 unsigned char iv[16],
1442 const unsigned char *input,
1443 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1444{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1445 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1446 size_t n;
1447
1448 AES_VALIDATE_RET( ctx != NULL );
1449 AES_VALIDATE_RET( iv_off != NULL );
1450 AES_VALIDATE_RET( iv != NULL );
1451 AES_VALIDATE_RET( input != NULL );
1452 AES_VALIDATE_RET( output != NULL );
1453
1454 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1455
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1456 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1457 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1458
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1459 while( length-- )
1460 {
1461 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1462 {
1463 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1464 if( ret != 0 )
1465 goto exit;
1466 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1467 *output++ = *input++ ^ iv[n];
1468
1469 n = ( n + 1 ) & 0x0F;
1470 }
1471
1472 *iv_off = n;
1473
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1474exit:
1475 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1476}
1477#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1479#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1480/*
1481 * AES-CTR buffer encryption/decryption
1482 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1483int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1484 size_t length,
1485 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1486 unsigned char nonce_counter[16],
1487 unsigned char stream_block[16],
1488 const unsigned char *input,
1489 unsigned char *output )
1490{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1491 int c, i;
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1492 int ret;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1493 size_t n;
1494
1495 AES_VALIDATE_RET( ctx != NULL );
1496 AES_VALIDATE_RET( nc_off != NULL );
1497 AES_VALIDATE_RET( nonce_counter != NULL );
1498 AES_VALIDATE_RET( stream_block != NULL );
1499 AES_VALIDATE_RET( input != NULL );
1500 AES_VALIDATE_RET( output != NULL );
1501
1502 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1503
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1504 if ( n > 0x0F )
1505 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1506
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1507 while( length-- )
1508 {
1509 if( n == 0 ) {
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1510 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1511 if( ret != 0 )
1512 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1513
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1514 for( i = 16; i > 0; i-- )
1515 if( ++nonce_counter[i - 1] != 0 )
1516 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1517 }
1518 c = *input++;
1519 *output++ = (unsigned char)( c ^ stream_block[n] );
1520
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1521 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1522 }
1523
1524 *nc_off = n;
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1525 ret = 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1526
Gilles Peskine621333f2021-07-07 21:08:28 +0200[diff] [blame]1527exit:
1528 return( ret );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1529}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1530#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1531
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1532#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1533
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1535/*
1536 * AES test vectors from:
1537 *
1538 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1539 */
1540static const unsigned char aes_test_ecb_dec[3][16] =
1541{
1542 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1543 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1544 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1545 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1546 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1547 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1548};
1549
1550static const unsigned char aes_test_ecb_enc[3][16] =
1551{
1552 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1553 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1554 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1555 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1556 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1557 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1558};
1559
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1560#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1561static const unsigned char aes_test_cbc_dec[3][16] =
1562{
1563 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1564 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1565 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1566 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1567 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1568 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1569};
1570
1571static const unsigned char aes_test_cbc_enc[3][16] =
1572{
1573 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1574 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1575 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1576 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1577 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1578 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1579};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1580#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1581
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1582#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1583/*
1584 * AES-CFB128 test vectors from:
1585 *
1586 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1587 */
1588static const unsigned char aes_test_cfb128_key[3][32] =
1589{
1590 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1591 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1592 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1593 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1594 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1595 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1596 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1597 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1598 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1599};
1600
1601static const unsigned char aes_test_cfb128_iv[16] =
1602{
1603 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1604 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1605};
1606
1607static const unsigned char aes_test_cfb128_pt[64] =
1608{
1609 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1610 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1611 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1612 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1613 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1614 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1615 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1616 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1617};
1618
1619static const unsigned char aes_test_cfb128_ct[3][64] =
1620{
1621 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1622 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1623 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1624 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1625 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1626 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1627 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1628 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1629 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1630 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1631 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1632 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1633 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1634 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1635 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1636 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1637 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1638 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1639 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1640 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1641 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1642 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1643 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1644 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1645};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1646#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1647
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1648#if defined(MBEDTLS_CIPHER_MODE_OFB)
1649/*
1650 * AES-OFB test vectors from:
1651 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1652 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1653 */
1654static const unsigned char aes_test_ofb_key[3][32] =
1655{
1656 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1657 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1658 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1659 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1660 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1661 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1662 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1663 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1664 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1665};
1666
1667static const unsigned char aes_test_ofb_iv[16] =
1668{
1669 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1670 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1671};
1672
1673static const unsigned char aes_test_ofb_pt[64] =
1674{
1675 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1676 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1677 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1678 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1679 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1680 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1681 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1682 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1683};
1684
1685static const unsigned char aes_test_ofb_ct[3][64] =
1686{
1687 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1688 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1689 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1690 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1691 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1692 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1693 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1694 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1695 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1696 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1697 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1698 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1699 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1700 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1701 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1702 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1703 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1704 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1705 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1706 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1707 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1708 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1709 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1710 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1711};
1712#endif /* MBEDTLS_CIPHER_MODE_OFB */
1713
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1714#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1715/*
1716 * AES-CTR test vectors from:
1717 *
1718 * http://www.faqs.org/rfcs/rfc3686.html
1719 */
1720
1721static const unsigned char aes_test_ctr_key[3][16] =
1722{
1723 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1724 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1725 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1726 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1727 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1728 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1729};
1730
1731static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1732{
1733 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1734 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1735 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1736 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1737 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1738 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1739};
1740
1741static const unsigned char aes_test_ctr_pt[3][48] =
1742{
1743 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1744 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1745
1746 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1747 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1748 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1749 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1750
1751 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1752 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1753 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1754 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1755 0x20, 0x21, 0x22, 0x23 }
1756};
1757
1758static const unsigned char aes_test_ctr_ct[3][48] =
1759{
1760 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1761 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1762 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1763 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1764 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1765 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1766 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1767 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1768 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1769 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1770 0x25, 0xB2, 0x07, 0x2F }
1771};
1772
1773static const int aes_test_ctr_len[3] =
1774 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1775#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1776
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1777#if defined(MBEDTLS_CIPHER_MODE_XTS)
1778/*
1779 * AES-XTS test vectors from:
1780 *
1781 * IEEE P1619/D16 Annex B
1782 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1783 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1784 */
1785static const unsigned char aes_test_xts_key[][32] =
1786{
1787 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1788 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1789 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1790 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1791 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1792 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1793 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1794 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1795 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1796 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1797 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1798 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1799};
1800
1801static const unsigned char aes_test_xts_pt32[][32] =
1802{
1803 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1804 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1805 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1807 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1808 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1809 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1810 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1811 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1812 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1813 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1814 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1815};
1816
1817static const unsigned char aes_test_xts_ct32[][32] =
1818{
1819 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1820 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1821 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1822 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1823 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1824 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1825 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1826 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1827 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1828 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1829 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1830 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1831};
1832
1833static const unsigned char aes_test_xts_data_unit[][16] =
1834{
1835 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1836 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1837 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1838 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1839 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1840 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1841};
1842
1843#endif /* MBEDTLS_CIPHER_MODE_XTS */
1844
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845/*
1846 * Checkup routine
1847 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1848int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1850 int ret = 0, i, j, u, mode;
1851 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852 unsigned char key[32];
1853 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1854 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1855#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1856 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1857#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1859 unsigned char prv[16];
1860#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1861#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1862 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1863 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1864#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1865#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1866 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1867#endif
1868#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1869 unsigned char nonce_counter[16];
1870 unsigned char stream_block[16];
1871#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1872 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1873
1874 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1875 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1876
1877 /*
1878 * ECB mode
1879 */
1880 for( i = 0; i < 6; i++ )
1881 {
1882 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1883 keybits = 128 + u * 64;
1884 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885
1886 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1887 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1888 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889
1890 memset( buf, 0, 16 );
1891
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1892 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1893 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1894 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1895 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896 }
1897 else
1898 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1899 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1900 aes_tests = aes_test_ecb_enc[u];
1901 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1902
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1903 /*
1904 * AES-192 is an optional feature that may be unavailable when
1905 * there is an alternative underlying implementation i.e. when
1906 * MBEDTLS_AES_ALT is defined.
1907 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1908 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1909 {
1910 mbedtls_printf( "skipped\n" );
1911 continue;
1912 }
1913 else if( ret != 0 )
1914 {
1915 goto exit;
1916 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1917
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1918 for( j = 0; j < 10000; j++ )
1919 {
1920 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1921 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1922 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1923 }
1924
1925 if( memcmp( buf, aes_tests, 16 ) != 0 )
1926 {
1927 ret = 1;
1928 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1929 }
1930
1931 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1932 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1933 }
1934
1935 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1936 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1937
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1938#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1939 /*
1940 * CBC mode
1941 */
1942 for( i = 0; i < 6; i++ )
1943 {
1944 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1945 keybits = 128 + u * 64;
1946 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1947
1948 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1949 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1950 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951
1952 memset( iv , 0, 16 );
1953 memset( prv, 0, 16 );
1954 memset( buf, 0, 16 );
1955
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1956 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1957 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1958 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1959 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1960 }
1961 else
1962 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1963 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1964 aes_tests = aes_test_cbc_enc[u];
1965 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1966
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1967 /*
1968 * AES-192 is an optional feature that may be unavailable when
1969 * there is an alternative underlying implementation i.e. when
1970 * MBEDTLS_AES_ALT is defined.
1971 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1972 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1973 {
1974 mbedtls_printf( "skipped\n" );
1975 continue;
1976 }
1977 else if( ret != 0 )
1978 {
1979 goto exit;
1980 }
1981
1982 for( j = 0; j < 10000; j++ )
1983 {
1984 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1985 {
1986 unsigned char tmp[16];
1987
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1988 memcpy( tmp, prv, 16 );
1989 memcpy( prv, buf, 16 );
1990 memcpy( buf, tmp, 16 );
1991 }
1992
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1993 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1994 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1995 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1996
1997 }
1998
1999 if( memcmp( buf, aes_tests, 16 ) != 0 )
2000 {
2001 ret = 1;
2002 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2003 }
2004
2005 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2006 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2007 }
2008
2009 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2010 mbedtls_printf( "\n" );
2011#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2012
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2013#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2014 /*
2015 * CFB128 mode
2016 */
2017 for( i = 0; i < 6; i++ )
2018 {
2019 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2020 keybits = 128 + u * 64;
2021 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2022
2023 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2024 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2025 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2026
2027 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2028 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029
2030 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2031 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2032 /*
2033 * AES-192 is an optional feature that may be unavailable when
2034 * there is an alternative underlying implementation i.e. when
2035 * MBEDTLS_AES_ALT is defined.
2036 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2037 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2038 {
2039 mbedtls_printf( "skipped\n" );
2040 continue;
2041 }
2042 else if( ret != 0 )
2043 {
2044 goto exit;
2045 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2046
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2047 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2048 {
2049 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2050 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2051 }
2052 else
2053 {
2054 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2055 aes_tests = aes_test_cfb128_ct[u];
2056 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2057
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2058 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2059 if( ret != 0 )
2060 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2061
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2062 if( memcmp( buf, aes_tests, 64 ) != 0 )
2063 {
2064 ret = 1;
2065 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2066 }
2067
2068 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2069 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2070 }
2071
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2072 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2073 mbedtls_printf( "\n" );
2074#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2075
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2076#if defined(MBEDTLS_CIPHER_MODE_OFB)
2077 /*
2078 * OFB mode
2079 */
2080 for( i = 0; i < 6; i++ )
2081 {
2082 u = i >> 1;
2083 keybits = 128 + u * 64;
2084 mode = i & 1;
2085
2086 if( verbose != 0 )
2087 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2088 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2089
2090 memcpy( iv, aes_test_ofb_iv, 16 );
2091 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2092
2093 offset = 0;
2094 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2095 /*
2096 * AES-192 is an optional feature that may be unavailable when
2097 * there is an alternative underlying implementation i.e. when
2098 * MBEDTLS_AES_ALT is defined.
2099 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2100 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2101 {
2102 mbedtls_printf( "skipped\n" );
2103 continue;
2104 }
2105 else if( ret != 0 )
2106 {
2107 goto exit;
2108 }
2109
2110 if( mode == MBEDTLS_AES_DECRYPT )
2111 {
2112 memcpy( buf, aes_test_ofb_ct[u], 64 );
2113 aes_tests = aes_test_ofb_pt;
2114 }
2115 else
2116 {
2117 memcpy( buf, aes_test_ofb_pt, 64 );
2118 aes_tests = aes_test_ofb_ct[u];
2119 }
2120
2121 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2122 if( ret != 0 )
2123 goto exit;
2124
2125 if( memcmp( buf, aes_tests, 64 ) != 0 )
2126 {
2127 ret = 1;
2128 goto exit;
2129 }
2130
2131 if( verbose != 0 )
2132 mbedtls_printf( "passed\n" );
2133 }
2134
2135 if( verbose != 0 )
2136 mbedtls_printf( "\n" );
2137#endif /* MBEDTLS_CIPHER_MODE_OFB */
2138
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2139#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2140 /*
2141 * CTR mode
2142 */
2143 for( i = 0; i < 6; i++ )
2144 {
2145 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2146 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2147
2148 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2149 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2150 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2151
2152 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2153 memcpy( key, aes_test_ctr_key[u], 16 );
2154
2155 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2156 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2157 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2158
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2159 len = aes_test_ctr_len[u];
2160
2161 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2162 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2163 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2164 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2165 }
2166 else
2167 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2168 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2169 aes_tests = aes_test_ctr_ct[u];
2170 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2171
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2172 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2173 stream_block, buf, buf );
2174 if( ret != 0 )
2175 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2176
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2177 if( memcmp( buf, aes_tests, len ) != 0 )
2178 {
2179 ret = 1;
2180 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2181 }
2182
2183 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2184 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2185 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2186
2187 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2188 mbedtls_printf( "\n" );
2189#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2190
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2191#if defined(MBEDTLS_CIPHER_MODE_XTS)
2192 {
2193 static const int num_tests =
2194 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2195 mbedtls_aes_xts_context ctx_xts;
2196
2197 /*
2198 * XTS mode
2199 */
2200 mbedtls_aes_xts_init( &ctx_xts );
2201
2202 for( i = 0; i < num_tests << 1; i++ )
2203 {
2204 const unsigned char *data_unit;
2205 u = i >> 1;
2206 mode = i & 1;
2207
2208 if( verbose != 0 )
2209 mbedtls_printf( " AES-XTS-128 (%s): ",
2210 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2211
2212 memset( key, 0, sizeof( key ) );
2213 memcpy( key, aes_test_xts_key[u], 32 );
2214 data_unit = aes_test_xts_data_unit[u];
2215
2216 len = sizeof( *aes_test_xts_ct32 );
2217
2218 if( mode == MBEDTLS_AES_DECRYPT )
2219 {
2220 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2221 if( ret != 0)
2222 goto exit;
2223 memcpy( buf, aes_test_xts_ct32[u], len );
2224 aes_tests = aes_test_xts_pt32[u];
2225 }
2226 else
2227 {
2228 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2229 if( ret != 0)
2230 goto exit;
2231 memcpy( buf, aes_test_xts_pt32[u], len );
2232 aes_tests = aes_test_xts_ct32[u];
2233 }
2234
2235
2236 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2237 buf, buf );
2238 if( ret != 0 )
2239 goto exit;
2240
2241 if( memcmp( buf, aes_tests, len ) != 0 )
2242 {
2243 ret = 1;
2244 goto exit;
2245 }
2246
2247 if( verbose != 0 )
2248 mbedtls_printf( "passed\n" );
2249 }
2250
2251 if( verbose != 0 )
2252 mbedtls_printf( "\n" );
2253
2254 mbedtls_aes_xts_free( &ctx_xts );
2255 }
2256#endif /* MBEDTLS_CIPHER_MODE_XTS */
2257
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2258 ret = 0;
2259
2260exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2261 if( ret != 0 && verbose != 0 )
2262 mbedtls_printf( "failed\n" );
2263
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2264 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2265
2266 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2267}
2268
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2269#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2271#endif /* MBEDTLS_AES_C */