TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 0fa65aabf0a6a30f7fa06e847d52d81fe8531625 / . / library / aes.c
blob: 97d9e254376cf3acbc8e0cc6f6e141e56687e2d7 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]225#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226/*
227 * Reverse S-box
228 */
229static const unsigned char RSb[256] =
230{
231 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
232 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
233 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
234 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
235 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
236 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
237 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
238 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
239 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
240 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
241 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
242 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
243 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
244 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
245 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
246 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
247 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
248 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
249 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
250 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
251 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
252 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
253 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
254 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
256 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
257 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
258 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
259 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
260 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
261 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
262 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
263};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]264#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]265
266/*
267 * Reverse tables
268 */
269#define RT \
270\
271 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
272 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
273 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
274 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
275 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
276 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
277 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
278 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
279 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
280 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
281 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
282 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
283 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
284 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
285 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
286 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
287 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
288 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
289 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
290 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
291 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
292 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
293 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
294 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
295 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
296 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
297 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
298 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
299 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
300 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
301 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
302 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
303 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
304 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
305 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
306 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
307 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
308 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
309 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
310 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
311 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
312 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
313 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
314 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
315 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
316 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
317 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
318 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
319 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
320 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
321 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
322 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
323 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
324 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
325 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
326 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
327 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
328 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
329 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
330 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
331 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
332 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
333 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
334 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
335
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]336#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]341#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]342
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345#undef V
346
347#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]348static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349#undef V
350
351#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]352static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353#undef V
354
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]355#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame^]356#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#undef RT
359
360/*
361 * Round constants
362 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364{
365 0x00000001, 0x00000002, 0x00000004, 0x00000008,
366 0x00000010, 0x00000020, 0x00000040, 0x00000080,
367 0x0000001B, 0x00000036
368};
369
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]370#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372/*
373 * Forward S-box & tables
374 */
375static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]376static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]377#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]378static uint32_t FT1[256];
379static uint32_t FT2[256];
380static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]381#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383/*
384 * Reverse S-box & tables
385 */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame^]386#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]389#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]390static uint32_t RT1[256];
391static uint32_t RT2[256];
392static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]393#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame^]394#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395
396/*
397 * Round constants
398 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]399static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]400
401/*
402 * Tables generation code
403 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]404#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
405#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]406#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]407
408static int aes_init_done = 0;
409
410static void aes_gen_tables( void )
411{
412 int i, x, y, z;
413 int pow[256];
414 int log[256];
415
416 /*
417 * compute pow and log tables over GF(2^8)
418 */
419 for( i = 0, x = 1; i < 256; i++ )
420 {
421 pow[i] = x;
422 log[x] = i;
423 x = ( x ^ XTIME( x ) ) & 0xFF;
424 }
425
426 /*
427 * calculate the round constants
428 */
429 for( i = 0, x = 1; i < 10; i++ )
430 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]431 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]432 x = XTIME( x ) & 0xFF;
433 }
434
435 /*
436 * generate the forward and reverse S-boxes
437 */
438 FSb[0x00] = 0x63;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame^]439#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 RSb[0x63] = 0x00;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame^]441#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442
443 for( i = 1; i < 256; i++ )
444 {
445 x = pow[255 - log[i]];
446
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]447 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
448 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
449 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
450 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451 x ^= y ^ 0x63;
452
453 FSb[i] = (unsigned char) x;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame^]454#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 RSb[x] = (unsigned char) i;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame^]456#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 }
458
459 /*
460 * generate the forward and reverse tables
461 */
462 for( i = 0; i < 256; i++ )
463 {
464 x = FSb[i];
465 y = XTIME( x ) & 0xFF;
466 z = ( y ^ x ) & 0xFF;
467
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]468 FT0[i] = ( (uint32_t) y ) ^
469 ( (uint32_t) x << 8 ) ^
470 ( (uint32_t) x << 16 ) ^
471 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]473#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 FT1[i] = ROTL8( FT0[i] );
475 FT2[i] = ROTL8( FT1[i] );
476 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]477#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame^]479#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480 x = RSb[i];
481
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]482 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
483 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
484 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
485 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]486
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]487#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]488 RT1[i] = ROTL8( RT0[i] );
489 RT2[i] = ROTL8( RT1[i] );
490 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]491#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame^]492#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493 }
494}
495
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]496#undef ROTL8
497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]498#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]499
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]500#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]501
502#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
503#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
504#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) ROTL8( RT0[idx] )
508#define AES_RT2(idx) ROTL16( RT0[idx] )
509#define AES_RT3(idx) ROTL24( RT0[idx] )
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) ROTL8( FT0[idx] )
513#define AES_FT2(idx) ROTL16( FT0[idx] )
514#define AES_FT3(idx) ROTL24( FT0[idx] )
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
518#define AES_RT0(idx) RT0[idx]
519#define AES_RT1(idx) RT1[idx]
520#define AES_RT2(idx) RT2[idx]
521#define AES_RT3(idx) RT3[idx]
522
523#define AES_FT0(idx) FT0[idx]
524#define AES_FT1(idx) FT1[idx]
525#define AES_FT2(idx) FT2[idx]
526#define AES_FT3(idx) FT3[idx]
527
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]528#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]529
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]530void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]532 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]533
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]534 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]535}
536
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]537void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]538{
539 if( ctx == NULL )
540 return;
541
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]542 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]543}
544
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]545#if defined(MBEDTLS_CIPHER_MODE_XTS)
546void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
547{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]548 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]549
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]550 mbedtls_aes_init( &ctx->crypt );
551 mbedtls_aes_init( &ctx->tweak );
552}
553
554void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
555{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]556 if( ctx == NULL )
557 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]558
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]559 mbedtls_aes_free( &ctx->crypt );
560 mbedtls_aes_free( &ctx->tweak );
561}
562#endif /* MBEDTLS_CIPHER_MODE_XTS */
563
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564/*
565 * AES key schedule (encryption)
566 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]567#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]568int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]569 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]571 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]572 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]574 AES_VALIDATE_RET( ctx != NULL );
575 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]577 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]578 {
579 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]580#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581 case 192: ctx->nr = 12; break;
582 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]583#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]584 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585 }
586
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]587#if !defined(MBEDTLS_AES_ROM_TABLES)
588 if( aes_init_done == 0 )
589 {
590 aes_gen_tables();
591 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]592 }
593#endif
594
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]595#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]596 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]597 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]598
599 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]600 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]601 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]602#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]603 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]604
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]605#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]606 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]607 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]608#endif
609
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]610 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]611 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]612 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613 }
614
615 switch( ctx->nr )
616 {
617 case 10:
618
619 for( i = 0; i < 10; i++, RK += 4 )
620 {
621 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]622 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
623 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
624 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
625 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]626
627 RK[5] = RK[1] ^ RK[4];
628 RK[6] = RK[2] ^ RK[5];
629 RK[7] = RK[3] ^ RK[6];
630 }
631 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]632#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633 case 12:
634
635 for( i = 0; i < 8; i++, RK += 6 )
636 {
637 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]638 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
639 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
640 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
641 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642
643 RK[7] = RK[1] ^ RK[6];
644 RK[8] = RK[2] ^ RK[7];
645 RK[9] = RK[3] ^ RK[8];
646 RK[10] = RK[4] ^ RK[9];
647 RK[11] = RK[5] ^ RK[10];
648 }
649 break;
650
651 case 14:
652
653 for( i = 0; i < 7; i++, RK += 8 )
654 {
655 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]656 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
657 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
658 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
659 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660
661 RK[9] = RK[1] ^ RK[8];
662 RK[10] = RK[2] ^ RK[9];
663 RK[11] = RK[3] ^ RK[10];
664
665 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]666 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
667 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
668 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
669 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]670
671 RK[13] = RK[5] ^ RK[12];
672 RK[14] = RK[6] ^ RK[13];
673 RK[15] = RK[7] ^ RK[14];
674 }
675 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]676#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]677 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]678
679 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]681#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]682
683/*
684 * AES key schedule (decryption)
685 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]686#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]687int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]688 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]690#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
691 (void) ctx;
692 (void) key;
693 (void) keybits;
694
695 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
696#else /* */
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]697 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]698 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]699 uint32_t *RK;
700 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]701
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]702 AES_VALIDATE_RET( ctx != NULL );
703 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]704
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]705 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]706
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]707#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]708 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]709 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]710
711 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]712 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]713 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]714#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]715 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]717 /* Also checks keybits */
718 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]719 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]720
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]721 ctx->nr = cty.nr;
722
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]723#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]724 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]725 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]726 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]727 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]728 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]729 }
730#endif
731
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732 SK = cty.rk + cty.nr * 4;
733
734 *RK++ = *SK++;
735 *RK++ = *SK++;
736 *RK++ = *SK++;
737 *RK++ = *SK++;
738
739 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
740 {
741 for( j = 0; j < 4; j++, SK++ )
742 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]743 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
744 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
745 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
746 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]747 }
748 }
749
750 *RK++ = *SK++;
751 *RK++ = *SK++;
752 *RK++ = *SK++;
753 *RK++ = *SK++;
754
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]755exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]756 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]757
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]758 return( ret );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]759#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]761
762#if defined(MBEDTLS_CIPHER_MODE_XTS)
763static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
764 unsigned int keybits,
765 const unsigned char **key1,
766 unsigned int *key1bits,
767 const unsigned char **key2,
768 unsigned int *key2bits )
769{
770 const unsigned int half_keybits = keybits / 2;
771 const unsigned int half_keybytes = half_keybits / 8;
772
773 switch( keybits )
774 {
775 case 256: break;
776 case 512: break;
777 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
778 }
779
780 *key1bits = half_keybits;
781 *key2bits = half_keybits;
782 *key1 = &key[0];
783 *key2 = &key[half_keybytes];
784
785 return 0;
786}
787
788int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
789 const unsigned char *key,
790 unsigned int keybits)
791{
792 int ret;
793 const unsigned char *key1, *key2;
794 unsigned int key1bits, key2bits;
795
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]796 AES_VALIDATE_RET( ctx != NULL );
797 AES_VALIDATE_RET( key != NULL );
798
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]799 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
800 &key2, &key2bits );
801 if( ret != 0 )
802 return( ret );
803
804 /* Set the tweak key. Always set tweak key for the encryption mode. */
805 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
806 if( ret != 0 )
807 return( ret );
808
809 /* Set crypt key for encryption. */
810 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
811}
812
813int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
814 const unsigned char *key,
815 unsigned int keybits)
816{
817 int ret;
818 const unsigned char *key1, *key2;
819 unsigned int key1bits, key2bits;
820
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]821 AES_VALIDATE_RET( ctx != NULL );
822 AES_VALIDATE_RET( key != NULL );
823
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]824 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
825 &key2, &key2bits );
826 if( ret != 0 )
827 return( ret );
828
829 /* Set the tweak key. Always set tweak key for encryption. */
830 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
831 if( ret != 0 )
832 return( ret );
833
834 /* Set crypt key for decryption. */
835 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
836}
837#endif /* MBEDTLS_CIPHER_MODE_XTS */
838
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]839#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]840
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]841#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
842 do \
843 { \
844 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
845 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
846 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
847 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
848 \
849 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
850 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
851 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
852 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
853 \
854 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
855 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
856 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
857 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
858 \
859 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
860 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
861 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
862 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
863 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]864
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]865#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
866 do \
867 { \
868 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
869 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
870 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
871 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
872 \
873 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
874 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
875 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
876 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
877 \
878 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
879 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
880 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
881 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
882 \
883 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
884 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
885 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
886 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
887 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]888
889/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]890 * AES-ECB block encryption
891 */
892#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]893int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
894 const unsigned char input[16],
895 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]896{
897 int i;
898 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
899
900 RK = ctx->rk;
901
902 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
903 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
904 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
905 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
906
907 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
908 {
909 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
910 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
911 }
912
913 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
914
915 X0 = *RK++ ^ \
916 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
917 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
918 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
919 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
920
921 X1 = *RK++ ^ \
922 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
923 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
924 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
925 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
926
927 X2 = *RK++ ^ \
928 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
929 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
930 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
931 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
932
933 X3 = *RK++ ^ \
934 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
935 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
936 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
937 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
938
939 PUT_UINT32_LE( X0, output, 0 );
940 PUT_UINT32_LE( X1, output, 4 );
941 PUT_UINT32_LE( X2, output, 8 );
942 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]943
944 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]945}
946#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
947
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]948#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]949void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
950 const unsigned char input[16],
951 unsigned char output[16] )
952{
953 mbedtls_internal_aes_encrypt( ctx, input, output );
954}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]955#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]956
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]957/*
958 * AES-ECB block decryption
959 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]960
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]961#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]962#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]963int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
964 const unsigned char input[16],
965 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]966{
967 int i;
968 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
969
970 RK = ctx->rk;
971
972 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
973 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
974 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
975 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
976
977 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
978 {
979 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
980 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
981 }
982
983 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
984
985 X0 = *RK++ ^ \
986 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
987 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
988 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
989 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
990
991 X1 = *RK++ ^ \
992 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
993 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
994 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
995 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
996
997 X2 = *RK++ ^ \
998 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
999 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
1000 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
1001 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
1002
1003 X3 = *RK++ ^ \
1004 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
1005 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
1006 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
1007 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
1008
1009 PUT_UINT32_LE( X0, output, 0 );
1010 PUT_UINT32_LE( X1, output, 4 );
1011 PUT_UINT32_LE( X2, output, 8 );
1012 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1013
1014 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1015}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1016#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1017#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1018
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1019#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1020void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1021 const unsigned char input[16],
1022 unsigned char output[16] )
1023{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1024#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1025 (void) ctx;
1026 (void) input;
1027 (void) output;
1028#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1029 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1030#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1031}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1032#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1033
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1034/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1035 * AES-ECB block encryption/decryption
1036 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1038 int mode,
1039 const unsigned char input[16],
1040 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1041{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1042 AES_VALIDATE_RET( ctx != NULL );
1043 AES_VALIDATE_RET( input != NULL );
1044 AES_VALIDATE_RET( output != NULL );
1045 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1046 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1047 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1048
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1049#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1050 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1051 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1052#endif
1053
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1054#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1055 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1056 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1057 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1058 return( 0 );
1059
1060 // If padlock data misaligned, we just fall back to
1061 // unaccelerated mode
1062 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063 }
1064#endif
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1065#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1066 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1067#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1068
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1069 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1070 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1071 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1072 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1073#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074}
1075
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1076#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1077/*
1078 * AES-CBC buffer encryption/decryption
1079 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1080int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1082 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1083 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1084 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1085 unsigned char *output )
1086{
1087 int i;
1088 unsigned char temp[16];
1089
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1090 AES_VALIDATE_RET( ctx != NULL );
1091 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1092 mode == MBEDTLS_AES_DECRYPT );
1093 AES_VALIDATE_RET( iv != NULL );
1094 AES_VALIDATE_RET( input != NULL );
1095 AES_VALIDATE_RET( output != NULL );
1096
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1097 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1098 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1099
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1100#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1101 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1102 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1103 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1104 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1105
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1106 // If padlock data misaligned, we just fall back to
1107 // unaccelerated mode
1108 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109 }
1110#endif
1111
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1112 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1113 {
1114 while( length > 0 )
1115 {
1116 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1117 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1118
1119 for( i = 0; i < 16; i++ )
1120 output[i] = (unsigned char)( output[i] ^ iv[i] );
1121
1122 memcpy( iv, temp, 16 );
1123
1124 input += 16;
1125 output += 16;
1126 length -= 16;
1127 }
1128 }
1129 else
1130 {
1131 while( length > 0 )
1132 {
1133 for( i = 0; i < 16; i++ )
1134 output[i] = (unsigned char)( input[i] ^ iv[i] );
1135
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1136 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1137 memcpy( iv, output, 16 );
1138
1139 input += 16;
1140 output += 16;
1141 length -= 16;
1142 }
1143 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1144
1145 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1146}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1147#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1148
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1149#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1150
1151/* Endianess with 64 bits values */
1152#ifndef GET_UINT64_LE
1153#define GET_UINT64_LE(n,b,i) \
1154{ \
1155 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1156 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1157 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1158 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1159 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1160 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1161 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1162 | ( (uint64_t) (b)[(i) ] ); \
1163}
1164#endif
1165
1166#ifndef PUT_UINT64_LE
1167#define PUT_UINT64_LE(n,b,i) \
1168{ \
1169 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1170 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1171 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1172 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1173 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1174 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1175 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1176 (b)[(i) ] = (unsigned char) ( (n) ); \
1177}
1178#endif
1179
1180typedef unsigned char mbedtls_be128[16];
1181
1182/*
1183 * GF(2^128) multiplication function
1184 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1185 * This function multiplies a field element by x in the polynomial field
1186 * representation. It uses 64-bit word operations to gain speed but compensates
1187 * for machine endianess and hence works correctly on both big and little
1188 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1189 */
1190static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1191 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1192{
1193 uint64_t a, b, ra, rb;
1194
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1195 GET_UINT64_LE( a, x, 0 );
1196 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1197
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1198 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1199 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1200
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1201 PUT_UINT64_LE( ra, r, 0 );
1202 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1203}
1204
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1205/*
1206 * AES-XTS buffer encryption/decryption
1207 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1208int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1209 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1210 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1211 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1212 const unsigned char *input,
1213 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1214{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1215 int ret;
1216 size_t blocks = length / 16;
1217 size_t leftover = length % 16;
1218 unsigned char tweak[16];
1219 unsigned char prev_tweak[16];
1220 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1221
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1222 AES_VALIDATE_RET( ctx != NULL );
1223 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1224 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1225 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1226 AES_VALIDATE_RET( input != NULL );
1227 AES_VALIDATE_RET( output != NULL );
1228
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1229 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1230 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1231 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1232
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1233 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1234 if( length > ( 1 << 20 ) * 16 )
1235 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1236
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1237 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1238 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1239 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1240 if( ret != 0 )
1241 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1242
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1243 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1244 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1245 size_t i;
1246
1247 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1248 {
1249 /* We are on the last block in a decrypt operation that has
1250 * leftover bytes, so we need to use the next tweak for this block,
1251 * and this tweak for the lefover bytes. Save the current tweak for
1252 * the leftovers and then update the current tweak for use on this,
1253 * the last full block. */
1254 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1255 mbedtls_gf128mul_x_ble( tweak, tweak );
1256 }
1257
1258 for( i = 0; i < 16; i++ )
1259 tmp[i] = input[i] ^ tweak[i];
1260
1261 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1262 if( ret != 0 )
1263 return( ret );
1264
1265 for( i = 0; i < 16; i++ )
1266 output[i] = tmp[i] ^ tweak[i];
1267
1268 /* Update the tweak for the next block. */
1269 mbedtls_gf128mul_x_ble( tweak, tweak );
1270
1271 output += 16;
1272 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1273 }
1274
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1275 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1276 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1277 /* If we are on the leftover bytes in a decrypt operation, we need to
1278 * use the previous tweak for these bytes (as saved in prev_tweak). */
1279 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1280
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1281 /* We are now on the final part of the data unit, which doesn't divide
1282 * evenly by 16. It's time for ciphertext stealing. */
1283 size_t i;
1284 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1285
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1286 /* Copy ciphertext bytes from the previous block to our output for each
1287 * byte of cyphertext we won't steal. At the same time, copy the
1288 * remainder of the input for this final round (since the loop bounds
1289 * are the same). */
1290 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1291 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1292 output[i] = prev_output[i];
1293 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1294 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1295
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1296 /* Copy ciphertext bytes from the previous block for input in this
1297 * round. */
1298 for( ; i < 16; i++ )
1299 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1300
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1301 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1302 if( ret != 0 )
1303 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1304
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1305 /* Write the result back to the previous block, overriding the previous
1306 * output we copied. */
1307 for( i = 0; i < 16; i++ )
1308 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1309 }
1310
1311 return( 0 );
1312}
1313#endif /* MBEDTLS_CIPHER_MODE_XTS */
1314
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1315#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1316/*
1317 * AES-CFB128 buffer encryption/decryption
1318 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1319int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1320 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1321 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1322 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1324 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325 unsigned char *output )
1326{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1327 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1328 size_t n;
1329
1330 AES_VALIDATE_RET( ctx != NULL );
1331 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1332 mode == MBEDTLS_AES_DECRYPT );
1333 AES_VALIDATE_RET( iv_off != NULL );
1334 AES_VALIDATE_RET( iv != NULL );
1335 AES_VALIDATE_RET( input != NULL );
1336 AES_VALIDATE_RET( output != NULL );
1337
1338 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1339
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1340 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1341 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1342
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1343 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1344 {
1345 while( length-- )
1346 {
1347 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1348 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1349
1350 c = *input++;
1351 *output++ = (unsigned char)( c ^ iv[n] );
1352 iv[n] = (unsigned char) c;
1353
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1354 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355 }
1356 }
1357 else
1358 {
1359 while( length-- )
1360 {
1361 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1362 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1363
1364 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1365
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1366 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1367 }
1368 }
1369
1370 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1371
1372 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1373}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1374
1375/*
1376 * AES-CFB8 buffer encryption/decryption
1377 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1378int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1379 int mode,
1380 size_t length,
1381 unsigned char iv[16],
1382 const unsigned char *input,
1383 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1384{
1385 unsigned char c;
1386 unsigned char ov[17];
1387
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1388 AES_VALIDATE_RET( ctx != NULL );
1389 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1390 mode == MBEDTLS_AES_DECRYPT );
1391 AES_VALIDATE_RET( iv != NULL );
1392 AES_VALIDATE_RET( input != NULL );
1393 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1394 while( length-- )
1395 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1396 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1397 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1398
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1399 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1400 ov[16] = *input;
1401
1402 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1403
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1404 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1405 ov[16] = c;
1406
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1407 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1408 }
1409
1410 return( 0 );
1411}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1412#endif /* MBEDTLS_CIPHER_MODE_CFB */
1413
1414#if defined(MBEDTLS_CIPHER_MODE_OFB)
1415/*
1416 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1417 */
1418int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1419 size_t length,
1420 size_t *iv_off,
1421 unsigned char iv[16],
1422 const unsigned char *input,
1423 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1424{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1425 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1426 size_t n;
1427
1428 AES_VALIDATE_RET( ctx != NULL );
1429 AES_VALIDATE_RET( iv_off != NULL );
1430 AES_VALIDATE_RET( iv != NULL );
1431 AES_VALIDATE_RET( input != NULL );
1432 AES_VALIDATE_RET( output != NULL );
1433
1434 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1435
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1436 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1437 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1438
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1439 while( length-- )
1440 {
1441 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1442 {
1443 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1444 if( ret != 0 )
1445 goto exit;
1446 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1447 *output++ = *input++ ^ iv[n];
1448
1449 n = ( n + 1 ) & 0x0F;
1450 }
1451
1452 *iv_off = n;
1453
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1454exit:
1455 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1456}
1457#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1458
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1459#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1460/*
1461 * AES-CTR buffer encryption/decryption
1462 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1463int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1464 size_t length,
1465 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1466 unsigned char nonce_counter[16],
1467 unsigned char stream_block[16],
1468 const unsigned char *input,
1469 unsigned char *output )
1470{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1471 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1472 size_t n;
1473
1474 AES_VALIDATE_RET( ctx != NULL );
1475 AES_VALIDATE_RET( nc_off != NULL );
1476 AES_VALIDATE_RET( nonce_counter != NULL );
1477 AES_VALIDATE_RET( stream_block != NULL );
1478 AES_VALIDATE_RET( input != NULL );
1479 AES_VALIDATE_RET( output != NULL );
1480
1481 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1482
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1483 if ( n > 0x0F )
1484 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1485
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1486 while( length-- )
1487 {
1488 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1489 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1490
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1491 for( i = 16; i > 0; i-- )
1492 if( ++nonce_counter[i - 1] != 0 )
1493 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1494 }
1495 c = *input++;
1496 *output++ = (unsigned char)( c ^ stream_block[n] );
1497
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1498 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1499 }
1500
1501 *nc_off = n;
1502
1503 return( 0 );
1504}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1505#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1507#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1508
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1509#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510/*
1511 * AES test vectors from:
1512 *
1513 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1514 */
1515static const unsigned char aes_test_ecb_dec[3][16] =
1516{
1517 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1518 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1519 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1520 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1521 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1522 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1523};
1524
1525static const unsigned char aes_test_ecb_enc[3][16] =
1526{
1527 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1528 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1529 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1530 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1531 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1532 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1533};
1534
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1535#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1536static const unsigned char aes_test_cbc_dec[3][16] =
1537{
1538 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1539 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1540 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1541 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1542 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1543 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1544};
1545
1546static const unsigned char aes_test_cbc_enc[3][16] =
1547{
1548 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1549 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1550 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1551 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1552 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1553 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1554};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1555#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1556
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1557#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1558/*
1559 * AES-CFB128 test vectors from:
1560 *
1561 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1562 */
1563static const unsigned char aes_test_cfb128_key[3][32] =
1564{
1565 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1566 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1567 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1568 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1569 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1570 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1571 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1572 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1573 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1574};
1575
1576static const unsigned char aes_test_cfb128_iv[16] =
1577{
1578 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1579 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1580};
1581
1582static const unsigned char aes_test_cfb128_pt[64] =
1583{
1584 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1585 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1586 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1587 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1588 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1589 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1590 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1591 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1592};
1593
1594static const unsigned char aes_test_cfb128_ct[3][64] =
1595{
1596 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1597 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1598 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1599 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1600 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1601 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1602 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1603 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1604 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1605 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1606 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1607 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1608 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1609 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1610 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1611 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1612 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1613 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1614 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1615 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1616 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1617 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1618 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1619 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1620};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1621#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1622
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1623#if defined(MBEDTLS_CIPHER_MODE_OFB)
1624/*
1625 * AES-OFB test vectors from:
1626 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1627 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1628 */
1629static const unsigned char aes_test_ofb_key[3][32] =
1630{
1631 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1632 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1633 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1634 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1635 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1636 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1637 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1638 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1639 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1640};
1641
1642static const unsigned char aes_test_ofb_iv[16] =
1643{
1644 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1645 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1646};
1647
1648static const unsigned char aes_test_ofb_pt[64] =
1649{
1650 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1651 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1652 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1653 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1654 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1655 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1656 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1657 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1658};
1659
1660static const unsigned char aes_test_ofb_ct[3][64] =
1661{
1662 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1663 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1664 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1665 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1666 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1667 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1668 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1669 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1670 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1671 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1672 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1673 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1674 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1675 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1676 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1677 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1678 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1679 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1680 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1681 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1682 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1683 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1684 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1685 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1686};
1687#endif /* MBEDTLS_CIPHER_MODE_OFB */
1688
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1689#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1690/*
1691 * AES-CTR test vectors from:
1692 *
1693 * http://www.faqs.org/rfcs/rfc3686.html
1694 */
1695
1696static const unsigned char aes_test_ctr_key[3][16] =
1697{
1698 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1699 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1700 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1701 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1702 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1703 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1704};
1705
1706static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1707{
1708 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1709 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1710 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1711 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1712 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1713 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1714};
1715
1716static const unsigned char aes_test_ctr_pt[3][48] =
1717{
1718 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1719 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1720
1721 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1722 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1723 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1724 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1725
1726 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1727 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1728 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1729 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1730 0x20, 0x21, 0x22, 0x23 }
1731};
1732
1733static const unsigned char aes_test_ctr_ct[3][48] =
1734{
1735 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1736 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1737 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1738 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1739 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1740 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1741 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1742 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1743 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1744 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1745 0x25, 0xB2, 0x07, 0x2F }
1746};
1747
1748static const int aes_test_ctr_len[3] =
1749 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1750#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1751
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1752#if defined(MBEDTLS_CIPHER_MODE_XTS)
1753/*
1754 * AES-XTS test vectors from:
1755 *
1756 * IEEE P1619/D16 Annex B
1757 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1758 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1759 */
1760static const unsigned char aes_test_xts_key[][32] =
1761{
1762 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1763 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1766 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1767 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1768 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1769 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1770 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1771 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1772 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1773 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1774};
1775
1776static const unsigned char aes_test_xts_pt32[][32] =
1777{
1778 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1780 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1781 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1782 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1783 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1784 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1785 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1786 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1787 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1788 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1789 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1790};
1791
1792static const unsigned char aes_test_xts_ct32[][32] =
1793{
1794 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1795 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1796 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1797 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1798 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1799 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1800 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1801 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1802 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1803 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1804 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1805 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1806};
1807
1808static const unsigned char aes_test_xts_data_unit[][16] =
1809{
1810 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1811 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1812 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1813 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1814 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1816};
1817
1818#endif /* MBEDTLS_CIPHER_MODE_XTS */
1819
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820/*
1821 * Checkup routine
1822 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1823int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1824{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1825 int ret = 0, i, j, u, mode;
1826 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1827 unsigned char key[32];
1828 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1829 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1830#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1831 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1832#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1833#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1834 unsigned char prv[16];
1835#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1836#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1837 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1838 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1839#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1840#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1841 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1842#endif
1843#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1844 unsigned char nonce_counter[16];
1845 unsigned char stream_block[16];
1846#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1847 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1848
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]1849 mbedtls_platform_memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1850 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1851
1852 /*
1853 * ECB mode
1854 */
1855 for( i = 0; i < 6; i++ )
1856 {
1857 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1858 keybits = 128 + u * 64;
1859 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860
1861 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1862 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1863 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]1865#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1866 if( keybits > 128 )
1867 {
1868 mbedtls_printf( "skipped\n" );
1869 continue;
1870 }
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]1871#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
1872
1873#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1874 if( mode == MBEDTLS_AES_DECRYPT )
1875 {
1876 mbedtls_printf( "skipped\n" );
1877 continue;
1878 }
1879#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]1880
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]1881 mbedtls_platform_memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1883 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1884 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1885 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1886 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1887 }
1888 else
1889 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1890 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1891 aes_tests = aes_test_ecb_enc[u];
1892 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1893
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1894 /*
1895 * AES-192 is an optional feature that may be unavailable when
1896 * there is an alternative underlying implementation i.e. when
1897 * MBEDTLS_AES_ALT is defined.
1898 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1899 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1900 {
1901 mbedtls_printf( "skipped\n" );
1902 continue;
1903 }
1904 else if( ret != 0 )
1905 {
1906 goto exit;
1907 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1908
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1909 for( j = 0; j < 10000; j++ )
1910 {
1911 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1912 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1913 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1914 }
1915
1916 if( memcmp( buf, aes_tests, 16 ) != 0 )
1917 {
1918 ret = 1;
1919 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1920 }
1921
1922 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1923 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1924 }
1925
1926 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1927 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1929#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930 /*
1931 * CBC mode
1932 */
1933 for( i = 0; i < 6; i++ )
1934 {
1935 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1936 keybits = 128 + u * 64;
1937 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1938
1939 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1940 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1941 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1942
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]1943#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1944 if( keybits > 128 )
1945 {
1946 mbedtls_printf( "skipped\n" );
1947 continue;
1948 }
1949#endif
1950
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]1951#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1952 if( mode == MBEDTLS_AES_DECRYPT )
1953 {
1954 mbedtls_printf( "skipped\n" );
1955 continue;
1956 }
1957#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
1958
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]1959 mbedtls_platform_memset( iv , 0, 16 );
1960 mbedtls_platform_memset( prv, 0, 16 );
1961 mbedtls_platform_memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1962
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1963 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1964 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1965 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1966 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1967 }
1968 else
1969 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1970 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1971 aes_tests = aes_test_cbc_enc[u];
1972 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1973
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1974 /*
1975 * AES-192 is an optional feature that may be unavailable when
1976 * there is an alternative underlying implementation i.e. when
1977 * MBEDTLS_AES_ALT is defined.
1978 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1979 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1980 {
1981 mbedtls_printf( "skipped\n" );
1982 continue;
1983 }
1984 else if( ret != 0 )
1985 {
1986 goto exit;
1987 }
1988
1989 for( j = 0; j < 10000; j++ )
1990 {
1991 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1992 {
1993 unsigned char tmp[16];
1994
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1995 memcpy( tmp, prv, 16 );
1996 memcpy( prv, buf, 16 );
1997 memcpy( buf, tmp, 16 );
1998 }
1999
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2000 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
2001 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2002 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2003
2004 }
2005
2006 if( memcmp( buf, aes_tests, 16 ) != 0 )
2007 {
2008 ret = 1;
2009 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010 }
2011
2012 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2013 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2014 }
2015
2016 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2017 mbedtls_printf( "\n" );
2018#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2020#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021 /*
2022 * CFB128 mode
2023 */
2024 for( i = 0; i < 6; i++ )
2025 {
2026 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2027 keybits = 128 + u * 64;
2028 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029
2030 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2031 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2032 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2033
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2034#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2035 if( keybits > 128 )
2036 {
2037 mbedtls_printf( "skipped\n" );
2038 continue;
2039 }
2040#endif
2041
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2042#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2043 if( mode == MBEDTLS_AES_DECRYPT )
2044 {
2045 mbedtls_printf( "skipped\n" );
2046 continue;
2047 }
2048#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2049
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2050 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2051 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2052
2053 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2054 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2055 /*
2056 * AES-192 is an optional feature that may be unavailable when
2057 * there is an alternative underlying implementation i.e. when
2058 * MBEDTLS_AES_ALT is defined.
2059 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2060 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2061 {
2062 mbedtls_printf( "skipped\n" );
2063 continue;
2064 }
2065 else if( ret != 0 )
2066 {
2067 goto exit;
2068 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2069
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2070 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2071 {
2072 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2073 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2074 }
2075 else
2076 {
2077 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2078 aes_tests = aes_test_cfb128_ct[u];
2079 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2080
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2081 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2082 if( ret != 0 )
2083 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2084
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2085 if( memcmp( buf, aes_tests, 64 ) != 0 )
2086 {
2087 ret = 1;
2088 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2089 }
2090
2091 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2092 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2093 }
2094
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2095 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2096 mbedtls_printf( "\n" );
2097#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2098
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2099#if defined(MBEDTLS_CIPHER_MODE_OFB)
2100 /*
2101 * OFB mode
2102 */
2103 for( i = 0; i < 6; i++ )
2104 {
2105 u = i >> 1;
2106 keybits = 128 + u * 64;
2107 mode = i & 1;
2108
2109 if( verbose != 0 )
2110 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2111 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2112
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2113#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2114 if( keybits > 128 )
2115 {
2116 mbedtls_printf( "skipped\n" );
2117 continue;
2118 }
2119#endif
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2120
2121#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2122 if( mode == MBEDTLS_AES_DECRYPT )
2123 {
2124 mbedtls_printf( "skipped\n" );
2125 continue;
2126 }
2127#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2128
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2129 memcpy( iv, aes_test_ofb_iv, 16 );
2130 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2131
2132 offset = 0;
2133 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2134 /*
2135 * AES-192 is an optional feature that may be unavailable when
2136 * there is an alternative underlying implementation i.e. when
2137 * MBEDTLS_AES_ALT is defined.
2138 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2139 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2140 {
2141 mbedtls_printf( "skipped\n" );
2142 continue;
2143 }
2144 else if( ret != 0 )
2145 {
2146 goto exit;
2147 }
2148
2149 if( mode == MBEDTLS_AES_DECRYPT )
2150 {
2151 memcpy( buf, aes_test_ofb_ct[u], 64 );
2152 aes_tests = aes_test_ofb_pt;
2153 }
2154 else
2155 {
2156 memcpy( buf, aes_test_ofb_pt, 64 );
2157 aes_tests = aes_test_ofb_ct[u];
2158 }
2159
2160 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2161 if( ret != 0 )
2162 goto exit;
2163
2164 if( memcmp( buf, aes_tests, 64 ) != 0 )
2165 {
2166 ret = 1;
2167 goto exit;
2168 }
2169
2170 if( verbose != 0 )
2171 mbedtls_printf( "passed\n" );
2172 }
2173
2174 if( verbose != 0 )
2175 mbedtls_printf( "\n" );
2176#endif /* MBEDTLS_CIPHER_MODE_OFB */
2177
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2178#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2179 /*
2180 * CTR mode
2181 */
2182 for( i = 0; i < 6; i++ )
2183 {
2184 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2185 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2186
2187 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2188 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2189 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2190
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2191#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2192 if( keybits > 128 )
2193 {
2194 mbedtls_printf( "skipped\n" );
2195 continue;
2196 }
2197#endif
2198
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2199#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2200 if( mode == MBEDTLS_AES_DECRYPT )
2201 {
2202 mbedtls_printf( "skipped\n" );
2203 continue;
2204 }
2205#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2206
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2207 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2208 memcpy( key, aes_test_ctr_key[u], 16 );
2209
2210 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2211 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2212 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2213
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2214 len = aes_test_ctr_len[u];
2215
2216 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2217 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2218 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2219 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2220 }
2221 else
2222 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2223 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2224 aes_tests = aes_test_ctr_ct[u];
2225 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2226
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2227 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2228 stream_block, buf, buf );
2229 if( ret != 0 )
2230 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2231
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2232 if( memcmp( buf, aes_tests, len ) != 0 )
2233 {
2234 ret = 1;
2235 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2236 }
2237
2238 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2239 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2240 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2241
2242 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2243 mbedtls_printf( "\n" );
2244#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2245
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2246#if defined(MBEDTLS_CIPHER_MODE_XTS)
2247 {
2248 static const int num_tests =
2249 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2250 mbedtls_aes_xts_context ctx_xts;
2251
2252 /*
2253 * XTS mode
2254 */
2255 mbedtls_aes_xts_init( &ctx_xts );
2256
2257 for( i = 0; i < num_tests << 1; i++ )
2258 {
2259 const unsigned char *data_unit;
2260 u = i >> 1;
2261 mode = i & 1;
2262
2263 if( verbose != 0 )
2264 mbedtls_printf( " AES-XTS-128 (%s): ",
2265 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2266
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2267#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2268 if( mode == MBEDTLS_AES_DECRYPT )
2269 {
2270 mbedtls_printf( "skipped\n" );
2271 continue;
2272 }
2273#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2274
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]2275 mbedtls_platform_memset( key, 0, sizeof( key ) );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2276 memcpy( key, aes_test_xts_key[u], 32 );
2277 data_unit = aes_test_xts_data_unit[u];
2278
2279 len = sizeof( *aes_test_xts_ct32 );
2280
2281 if( mode == MBEDTLS_AES_DECRYPT )
2282 {
2283 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2284 if( ret != 0)
2285 goto exit;
2286 memcpy( buf, aes_test_xts_ct32[u], len );
2287 aes_tests = aes_test_xts_pt32[u];
2288 }
2289 else
2290 {
2291 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2292 if( ret != 0)
2293 goto exit;
2294 memcpy( buf, aes_test_xts_pt32[u], len );
2295 aes_tests = aes_test_xts_ct32[u];
2296 }
2297
2298
2299 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2300 buf, buf );
2301 if( ret != 0 )
2302 goto exit;
2303
2304 if( memcmp( buf, aes_tests, len ) != 0 )
2305 {
2306 ret = 1;
2307 goto exit;
2308 }
2309
2310 if( verbose != 0 )
2311 mbedtls_printf( "passed\n" );
2312 }
2313
2314 if( verbose != 0 )
2315 mbedtls_printf( "\n" );
2316
2317 mbedtls_aes_xts_free( &ctx_xts );
2318 }
2319#endif /* MBEDTLS_CIPHER_MODE_XTS */
2320
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2321 ret = 0;
2322
2323exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2324 if( ret != 0 && verbose != 0 )
2325 mbedtls_printf( "failed\n" );
2326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2327 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2328
2329 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2330}
2331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2332#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2333
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2334#endif /* MBEDTLS_AES_C */