TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1480444e8e39c8749c21e7796aeda6e7ac6abd97 / . / library / aes.c
blob: 733aef8e6cf10d2349d9997e961de8badf620236 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]225#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226/*
227 * Reverse S-box
228 */
229static const unsigned char RSb[256] =
230{
231 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
232 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
233 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
234 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
235 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
236 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
237 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
238 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
239 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
240 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
241 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
242 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
243 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
244 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
245 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
246 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
247 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
248 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
249 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
250 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
251 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
252 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
253 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
254 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
256 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
257 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
258 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
259 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
260 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
261 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
262 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
263};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]264#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]265
266/*
267 * Reverse tables
268 */
269#define RT \
270\
271 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
272 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
273 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
274 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
275 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
276 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
277 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
278 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
279 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
280 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
281 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
282 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
283 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
284 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
285 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
286 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
287 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
288 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
289 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
290 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
291 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
292 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
293 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
294 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
295 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
296 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
297 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
298 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
299 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
300 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
301 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
302 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
303 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
304 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
305 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
306 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
307 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
308 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
309 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
310 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
311 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
312 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
313 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
314 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
315 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
316 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
317 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
318 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
319 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
320 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
321 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
322 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
323 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
324 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
325 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
326 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
327 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
328 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
329 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
330 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
331 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
332 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
333 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
334 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
335
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]336#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]340#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]342#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]343
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]344#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346#undef V
347
348#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350#undef V
351
352#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef V
355
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]356#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#undef RT
359
360/*
361 * Round constants
362 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364{
365 0x00000001, 0x00000002, 0x00000004, 0x00000008,
366 0x00000010, 0x00000020, 0x00000040, 0x00000080,
367 0x0000001B, 0x00000036
368};
369
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]370#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372/*
373 * Forward S-box & tables
374 */
375static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]376static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]377#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]378static uint32_t FT1[256];
379static uint32_t FT2[256];
380static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]381#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383/*
384 * Reverse S-box & tables
385 */
386static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]387static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]388#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]389static uint32_t RT1[256];
390static uint32_t RT2[256];
391static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]392#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]393
394/*
395 * Round constants
396 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]397static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]398
399/*
400 * Tables generation code
401 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]402#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
403#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]404#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]405
406static int aes_init_done = 0;
407
408static void aes_gen_tables( void )
409{
410 int i, x, y, z;
411 int pow[256];
412 int log[256];
413
414 /*
415 * compute pow and log tables over GF(2^8)
416 */
417 for( i = 0, x = 1; i < 256; i++ )
418 {
419 pow[i] = x;
420 log[x] = i;
421 x = ( x ^ XTIME( x ) ) & 0xFF;
422 }
423
424 /*
425 * calculate the round constants
426 */
427 for( i = 0, x = 1; i < 10; i++ )
428 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]429 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]430 x = XTIME( x ) & 0xFF;
431 }
432
433 /*
434 * generate the forward and reverse S-boxes
435 */
436 FSb[0x00] = 0x63;
437 RSb[0x63] = 0x00;
438
439 for( i = 1; i < 256; i++ )
440 {
441 x = pow[255 - log[i]];
442
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]443 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
444 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
445 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
446 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 x ^= y ^ 0x63;
448
449 FSb[i] = (unsigned char) x;
450 RSb[x] = (unsigned char) i;
451 }
452
453 /*
454 * generate the forward and reverse tables
455 */
456 for( i = 0; i < 256; i++ )
457 {
458 x = FSb[i];
459 y = XTIME( x ) & 0xFF;
460 z = ( y ^ x ) & 0xFF;
461
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]462 FT0[i] = ( (uint32_t) y ) ^
463 ( (uint32_t) x << 8 ) ^
464 ( (uint32_t) x << 16 ) ^
465 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]467#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468 FT1[i] = ROTL8( FT0[i] );
469 FT2[i] = ROTL8( FT1[i] );
470 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]471#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
473 x = RSb[i];
474
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]475 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
476 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
477 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
478 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]479
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]480#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 RT1[i] = ROTL8( RT0[i] );
482 RT2[i] = ROTL8( RT1[i] );
483 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]484#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]485 }
486}
487
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]488#undef ROTL8
489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]490#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]492#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]493
494#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
495#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
496#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
497
498#define AES_RT0(idx) RT0[idx]
499#define AES_RT1(idx) ROTL8( RT0[idx] )
500#define AES_RT2(idx) ROTL16( RT0[idx] )
501#define AES_RT3(idx) ROTL24( RT0[idx] )
502
503#define AES_FT0(idx) FT0[idx]
504#define AES_FT1(idx) ROTL8( FT0[idx] )
505#define AES_FT2(idx) ROTL16( FT0[idx] )
506#define AES_FT3(idx) ROTL24( FT0[idx] )
507
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]508#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]509
510#define AES_RT0(idx) RT0[idx]
511#define AES_RT1(idx) RT1[idx]
512#define AES_RT2(idx) RT2[idx]
513#define AES_RT3(idx) RT3[idx]
514
515#define AES_FT0(idx) FT0[idx]
516#define AES_FT1(idx) FT1[idx]
517#define AES_FT2(idx) FT2[idx]
518#define AES_FT3(idx) FT3[idx]
519
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]520#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]524 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]525
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]526 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]527}
528
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]529void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]530{
531 if( ctx == NULL )
532 return;
533
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]534 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]535}
536
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]537#if defined(MBEDTLS_CIPHER_MODE_XTS)
538void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
539{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]540 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]541
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]542 mbedtls_aes_init( &ctx->crypt );
543 mbedtls_aes_init( &ctx->tweak );
544}
545
546void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
547{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]548 if( ctx == NULL )
549 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]550
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]551 mbedtls_aes_free( &ctx->crypt );
552 mbedtls_aes_free( &ctx->tweak );
553}
554#endif /* MBEDTLS_CIPHER_MODE_XTS */
555
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556/*
557 * AES key schedule (encryption)
558 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]559#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]560int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]561 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]563 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]564 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]566 AES_VALIDATE_RET( ctx != NULL );
567 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]568
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]569 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570 {
571 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]572#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573 case 192: ctx->nr = 12; break;
574 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]575#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]576 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577 }
578
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]579#if !defined(MBEDTLS_AES_ROM_TABLES)
580 if( aes_init_done == 0 )
581 {
582 aes_gen_tables();
583 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]584 }
585#endif
586
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]587#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]588 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]589 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]590
591 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]592 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]593 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]595 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]597#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]598 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]599 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]600#endif
601
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]602 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]603 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]604 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]605 }
606
607 switch( ctx->nr )
608 {
609 case 10:
610
611 for( i = 0; i < 10; i++, RK += 4 )
612 {
613 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]614 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
615 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
616 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
617 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618
619 RK[5] = RK[1] ^ RK[4];
620 RK[6] = RK[2] ^ RK[5];
621 RK[7] = RK[3] ^ RK[6];
622 }
623 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]624#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]625 case 12:
626
627 for( i = 0; i < 8; i++, RK += 6 )
628 {
629 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]630 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
631 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
632 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
633 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]634
635 RK[7] = RK[1] ^ RK[6];
636 RK[8] = RK[2] ^ RK[7];
637 RK[9] = RK[3] ^ RK[8];
638 RK[10] = RK[4] ^ RK[9];
639 RK[11] = RK[5] ^ RK[10];
640 }
641 break;
642
643 case 14:
644
645 for( i = 0; i < 7; i++, RK += 8 )
646 {
647 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]648 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
649 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
650 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
651 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]652
653 RK[9] = RK[1] ^ RK[8];
654 RK[10] = RK[2] ^ RK[9];
655 RK[11] = RK[3] ^ RK[10];
656
657 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]658 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
659 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
660 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
661 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
663 RK[13] = RK[5] ^ RK[12];
664 RK[14] = RK[6] ^ RK[13];
665 RK[15] = RK[7] ^ RK[14];
666 }
667 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]668#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]670
671 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]673#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674
675/*
676 * AES key schedule (decryption)
677 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]678#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]679int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]680 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]682#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
683 (void) ctx;
684 (void) key;
685 (void) keybits;
686
687 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
688#else /* */
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]689 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]691 uint32_t *RK;
692 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]693
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]694 AES_VALIDATE_RET( ctx != NULL );
695 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]696
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]697 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]698
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]700 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]701 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]702
703 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]704 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]705 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]706#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]707 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]708
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]709 /* Also checks keybits */
710 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]711 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]712
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]713 ctx->nr = cty.nr;
714
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]715#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]716 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]717 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]718 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]719 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]720 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]721 }
722#endif
723
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]724 SK = cty.rk + cty.nr * 4;
725
726 *RK++ = *SK++;
727 *RK++ = *SK++;
728 *RK++ = *SK++;
729 *RK++ = *SK++;
730
731 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
732 {
733 for( j = 0; j < 4; j++, SK++ )
734 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]735 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
736 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
737 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
738 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]739 }
740 }
741
742 *RK++ = *SK++;
743 *RK++ = *SK++;
744 *RK++ = *SK++;
745 *RK++ = *SK++;
746
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]747exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]748 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]749
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]750 return( ret );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]751#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]752}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]753
754#if defined(MBEDTLS_CIPHER_MODE_XTS)
755static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
756 unsigned int keybits,
757 const unsigned char **key1,
758 unsigned int *key1bits,
759 const unsigned char **key2,
760 unsigned int *key2bits )
761{
762 const unsigned int half_keybits = keybits / 2;
763 const unsigned int half_keybytes = half_keybits / 8;
764
765 switch( keybits )
766 {
767 case 256: break;
768 case 512: break;
769 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
770 }
771
772 *key1bits = half_keybits;
773 *key2bits = half_keybits;
774 *key1 = &key[0];
775 *key2 = &key[half_keybytes];
776
777 return 0;
778}
779
780int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
781 const unsigned char *key,
782 unsigned int keybits)
783{
784 int ret;
785 const unsigned char *key1, *key2;
786 unsigned int key1bits, key2bits;
787
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]788 AES_VALIDATE_RET( ctx != NULL );
789 AES_VALIDATE_RET( key != NULL );
790
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]791 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
792 &key2, &key2bits );
793 if( ret != 0 )
794 return( ret );
795
796 /* Set the tweak key. Always set tweak key for the encryption mode. */
797 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
798 if( ret != 0 )
799 return( ret );
800
801 /* Set crypt key for encryption. */
802 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
803}
804
805int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
806 const unsigned char *key,
807 unsigned int keybits)
808{
809 int ret;
810 const unsigned char *key1, *key2;
811 unsigned int key1bits, key2bits;
812
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]813 AES_VALIDATE_RET( ctx != NULL );
814 AES_VALIDATE_RET( key != NULL );
815
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]816 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
817 &key2, &key2bits );
818 if( ret != 0 )
819 return( ret );
820
821 /* Set the tweak key. Always set tweak key for encryption. */
822 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
823 if( ret != 0 )
824 return( ret );
825
826 /* Set crypt key for decryption. */
827 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
828}
829#endif /* MBEDTLS_CIPHER_MODE_XTS */
830
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]831#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]832
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]833#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
834 do \
835 { \
836 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
837 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
838 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
839 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
840 \
841 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
842 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
843 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
844 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
845 \
846 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
847 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
848 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
849 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
850 \
851 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
852 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
853 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
854 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
855 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]856
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]857#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
858 do \
859 { \
860 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
861 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
862 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
863 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
864 \
865 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
866 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
867 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
868 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
869 \
870 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
871 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
872 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
873 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
874 \
875 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
876 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
877 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
878 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
879 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]880
881/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]882 * AES-ECB block encryption
883 */
884#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]885int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
886 const unsigned char input[16],
887 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]888{
889 int i;
890 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
891
892 RK = ctx->rk;
893
894 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
895 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
896 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
897 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
898
899 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
900 {
901 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
902 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
903 }
904
905 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
906
907 X0 = *RK++ ^ \
908 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
909 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
910 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
911 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
912
913 X1 = *RK++ ^ \
914 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
915 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
916 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
917 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
918
919 X2 = *RK++ ^ \
920 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
921 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
922 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
923 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
924
925 X3 = *RK++ ^ \
926 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
927 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
928 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
929 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
930
931 PUT_UINT32_LE( X0, output, 0 );
932 PUT_UINT32_LE( X1, output, 4 );
933 PUT_UINT32_LE( X2, output, 8 );
934 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]935
936 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]937}
938#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
939
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]940#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]941void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
942 const unsigned char input[16],
943 unsigned char output[16] )
944{
945 mbedtls_internal_aes_encrypt( ctx, input, output );
946}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]947#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]948
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]949/*
950 * AES-ECB block decryption
951 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]952
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]953#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]954#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]955int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
956 const unsigned char input[16],
957 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]958{
959 int i;
960 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
961
962 RK = ctx->rk;
963
964 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
965 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
966 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
967 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
968
969 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
970 {
971 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
972 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
973 }
974
975 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
976
977 X0 = *RK++ ^ \
978 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
979 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
980 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
981 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
982
983 X1 = *RK++ ^ \
984 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
985 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
986 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
987 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
988
989 X2 = *RK++ ^ \
990 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
991 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
992 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
993 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
994
995 X3 = *RK++ ^ \
996 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
997 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
998 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
999 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
1000
1001 PUT_UINT32_LE( X0, output, 0 );
1002 PUT_UINT32_LE( X1, output, 4 );
1003 PUT_UINT32_LE( X2, output, 8 );
1004 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1005
1006 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1007}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]1008#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1009#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1010
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1011#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1012void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1013 const unsigned char input[16],
1014 unsigned char output[16] )
1015{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]1016#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1017 (void) ctx;
1018 (void) input;
1019 (void) output;
1020#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1021 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]1022#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1023}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1024#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1025
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1026/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1027 * AES-ECB block encryption/decryption
1028 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1030 int mode,
1031 const unsigned char input[16],
1032 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1033{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1034 AES_VALIDATE_RET( ctx != NULL );
1035 AES_VALIDATE_RET( input != NULL );
1036 AES_VALIDATE_RET( output != NULL );
1037 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1038 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]1039 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1042 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1044#endif
1045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1046#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1047 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1048 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1049 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1050 return( 0 );
1051
1052 // If padlock data misaligned, we just fall back to
1053 // unaccelerated mode
1054 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1055 }
1056#endif
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]1057#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1058 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1059#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1060
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1061 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1062 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1063 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1064 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame^]1065#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066}
1067
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1068#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069/*
1070 * AES-CBC buffer encryption/decryption
1071 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1072int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1073 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1074 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1076 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1077 unsigned char *output )
1078{
1079 int i;
1080 unsigned char temp[16];
1081
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1082 AES_VALIDATE_RET( ctx != NULL );
1083 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1084 mode == MBEDTLS_AES_DECRYPT );
1085 AES_VALIDATE_RET( iv != NULL );
1086 AES_VALIDATE_RET( input != NULL );
1087 AES_VALIDATE_RET( output != NULL );
1088
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1089 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1090 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1091
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1092#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1093 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1094 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1095 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1096 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1097
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1098 // If padlock data misaligned, we just fall back to
1099 // unaccelerated mode
1100 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 }
1102#endif
1103
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1104 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1105 {
1106 while( length > 0 )
1107 {
1108 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1109 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1110
1111 for( i = 0; i < 16; i++ )
1112 output[i] = (unsigned char)( output[i] ^ iv[i] );
1113
1114 memcpy( iv, temp, 16 );
1115
1116 input += 16;
1117 output += 16;
1118 length -= 16;
1119 }
1120 }
1121 else
1122 {
1123 while( length > 0 )
1124 {
1125 for( i = 0; i < 16; i++ )
1126 output[i] = (unsigned char)( input[i] ^ iv[i] );
1127
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1128 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1129 memcpy( iv, output, 16 );
1130
1131 input += 16;
1132 output += 16;
1133 length -= 16;
1134 }
1135 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1136
1137 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1138}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1139#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1140
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1141#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1142
1143/* Endianess with 64 bits values */
1144#ifndef GET_UINT64_LE
1145#define GET_UINT64_LE(n,b,i) \
1146{ \
1147 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1148 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1149 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1150 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1151 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1152 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1153 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1154 | ( (uint64_t) (b)[(i) ] ); \
1155}
1156#endif
1157
1158#ifndef PUT_UINT64_LE
1159#define PUT_UINT64_LE(n,b,i) \
1160{ \
1161 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1162 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1163 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1164 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1165 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1166 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1167 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1168 (b)[(i) ] = (unsigned char) ( (n) ); \
1169}
1170#endif
1171
1172typedef unsigned char mbedtls_be128[16];
1173
1174/*
1175 * GF(2^128) multiplication function
1176 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1177 * This function multiplies a field element by x in the polynomial field
1178 * representation. It uses 64-bit word operations to gain speed but compensates
1179 * for machine endianess and hence works correctly on both big and little
1180 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1181 */
1182static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1183 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1184{
1185 uint64_t a, b, ra, rb;
1186
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1187 GET_UINT64_LE( a, x, 0 );
1188 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1189
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1190 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1191 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1192
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1193 PUT_UINT64_LE( ra, r, 0 );
1194 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1195}
1196
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1197/*
1198 * AES-XTS buffer encryption/decryption
1199 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1200int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1201 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1202 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1203 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1204 const unsigned char *input,
1205 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1206{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1207 int ret;
1208 size_t blocks = length / 16;
1209 size_t leftover = length % 16;
1210 unsigned char tweak[16];
1211 unsigned char prev_tweak[16];
1212 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1213
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1214 AES_VALIDATE_RET( ctx != NULL );
1215 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1216 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1217 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1218 AES_VALIDATE_RET( input != NULL );
1219 AES_VALIDATE_RET( output != NULL );
1220
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1221 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1222 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1223 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1224
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1225 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1226 if( length > ( 1 << 20 ) * 16 )
1227 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1228
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1229 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1230 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1231 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1232 if( ret != 0 )
1233 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1234
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1235 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1236 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1237 size_t i;
1238
1239 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1240 {
1241 /* We are on the last block in a decrypt operation that has
1242 * leftover bytes, so we need to use the next tweak for this block,
1243 * and this tweak for the lefover bytes. Save the current tweak for
1244 * the leftovers and then update the current tweak for use on this,
1245 * the last full block. */
1246 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1247 mbedtls_gf128mul_x_ble( tweak, tweak );
1248 }
1249
1250 for( i = 0; i < 16; i++ )
1251 tmp[i] = input[i] ^ tweak[i];
1252
1253 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1254 if( ret != 0 )
1255 return( ret );
1256
1257 for( i = 0; i < 16; i++ )
1258 output[i] = tmp[i] ^ tweak[i];
1259
1260 /* Update the tweak for the next block. */
1261 mbedtls_gf128mul_x_ble( tweak, tweak );
1262
1263 output += 16;
1264 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1265 }
1266
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1267 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1268 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1269 /* If we are on the leftover bytes in a decrypt operation, we need to
1270 * use the previous tweak for these bytes (as saved in prev_tweak). */
1271 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1272
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1273 /* We are now on the final part of the data unit, which doesn't divide
1274 * evenly by 16. It's time for ciphertext stealing. */
1275 size_t i;
1276 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1277
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1278 /* Copy ciphertext bytes from the previous block to our output for each
1279 * byte of cyphertext we won't steal. At the same time, copy the
1280 * remainder of the input for this final round (since the loop bounds
1281 * are the same). */
1282 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1283 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1284 output[i] = prev_output[i];
1285 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1286 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1287
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1288 /* Copy ciphertext bytes from the previous block for input in this
1289 * round. */
1290 for( ; i < 16; i++ )
1291 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1292
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1293 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1294 if( ret != 0 )
1295 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1296
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1297 /* Write the result back to the previous block, overriding the previous
1298 * output we copied. */
1299 for( i = 0; i < 16; i++ )
1300 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1301 }
1302
1303 return( 0 );
1304}
1305#endif /* MBEDTLS_CIPHER_MODE_XTS */
1306
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1307#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1308/*
1309 * AES-CFB128 buffer encryption/decryption
1310 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1313 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1314 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1315 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1316 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1317 unsigned char *output )
1318{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1319 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1320 size_t n;
1321
1322 AES_VALIDATE_RET( ctx != NULL );
1323 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1324 mode == MBEDTLS_AES_DECRYPT );
1325 AES_VALIDATE_RET( iv_off != NULL );
1326 AES_VALIDATE_RET( iv != NULL );
1327 AES_VALIDATE_RET( input != NULL );
1328 AES_VALIDATE_RET( output != NULL );
1329
1330 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1332 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1333 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1334
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1335 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336 {
1337 while( length-- )
1338 {
1339 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1340 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1341
1342 c = *input++;
1343 *output++ = (unsigned char)( c ^ iv[n] );
1344 iv[n] = (unsigned char) c;
1345
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1346 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1347 }
1348 }
1349 else
1350 {
1351 while( length-- )
1352 {
1353 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1354 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355
1356 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1357
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1358 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1359 }
1360 }
1361
1362 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1363
1364 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1365}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1366
1367/*
1368 * AES-CFB8 buffer encryption/decryption
1369 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1370int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1371 int mode,
1372 size_t length,
1373 unsigned char iv[16],
1374 const unsigned char *input,
1375 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1376{
1377 unsigned char c;
1378 unsigned char ov[17];
1379
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1380 AES_VALIDATE_RET( ctx != NULL );
1381 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1382 mode == MBEDTLS_AES_DECRYPT );
1383 AES_VALIDATE_RET( iv != NULL );
1384 AES_VALIDATE_RET( input != NULL );
1385 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1386 while( length-- )
1387 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1388 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1389 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1392 ov[16] = *input;
1393
1394 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1395
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1396 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1397 ov[16] = c;
1398
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1399 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1400 }
1401
1402 return( 0 );
1403}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1404#endif /* MBEDTLS_CIPHER_MODE_CFB */
1405
1406#if defined(MBEDTLS_CIPHER_MODE_OFB)
1407/*
1408 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1409 */
1410int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1411 size_t length,
1412 size_t *iv_off,
1413 unsigned char iv[16],
1414 const unsigned char *input,
1415 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1416{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1417 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1418 size_t n;
1419
1420 AES_VALIDATE_RET( ctx != NULL );
1421 AES_VALIDATE_RET( iv_off != NULL );
1422 AES_VALIDATE_RET( iv != NULL );
1423 AES_VALIDATE_RET( input != NULL );
1424 AES_VALIDATE_RET( output != NULL );
1425
1426 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1427
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1428 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1429 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1430
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1431 while( length-- )
1432 {
1433 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1434 {
1435 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1436 if( ret != 0 )
1437 goto exit;
1438 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1439 *output++ = *input++ ^ iv[n];
1440
1441 n = ( n + 1 ) & 0x0F;
1442 }
1443
1444 *iv_off = n;
1445
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1446exit:
1447 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1448}
1449#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1450
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1451#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1452/*
1453 * AES-CTR buffer encryption/decryption
1454 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1455int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1456 size_t length,
1457 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1458 unsigned char nonce_counter[16],
1459 unsigned char stream_block[16],
1460 const unsigned char *input,
1461 unsigned char *output )
1462{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1463 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1464 size_t n;
1465
1466 AES_VALIDATE_RET( ctx != NULL );
1467 AES_VALIDATE_RET( nc_off != NULL );
1468 AES_VALIDATE_RET( nonce_counter != NULL );
1469 AES_VALIDATE_RET( stream_block != NULL );
1470 AES_VALIDATE_RET( input != NULL );
1471 AES_VALIDATE_RET( output != NULL );
1472
1473 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1474
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1475 if ( n > 0x0F )
1476 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1477
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1478 while( length-- )
1479 {
1480 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1481 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1482
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1483 for( i = 16; i > 0; i-- )
1484 if( ++nonce_counter[i - 1] != 0 )
1485 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1486 }
1487 c = *input++;
1488 *output++ = (unsigned char)( c ^ stream_block[n] );
1489
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1490 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1491 }
1492
1493 *nc_off = n;
1494
1495 return( 0 );
1496}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1497#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1499#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1500
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1501#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1502/*
1503 * AES test vectors from:
1504 *
1505 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1506 */
1507static const unsigned char aes_test_ecb_dec[3][16] =
1508{
1509 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1510 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1511 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1512 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1513 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1514 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1515};
1516
1517static const unsigned char aes_test_ecb_enc[3][16] =
1518{
1519 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1520 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1521 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1522 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1523 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1524 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1525};
1526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1527#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1528static const unsigned char aes_test_cbc_dec[3][16] =
1529{
1530 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1531 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1532 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1533 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1534 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1535 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1536};
1537
1538static const unsigned char aes_test_cbc_enc[3][16] =
1539{
1540 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1541 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1542 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1543 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1544 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1545 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1546};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1547#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1548
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1549#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1550/*
1551 * AES-CFB128 test vectors from:
1552 *
1553 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1554 */
1555static const unsigned char aes_test_cfb128_key[3][32] =
1556{
1557 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1558 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1559 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1560 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1561 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1562 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1563 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1564 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1565 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1566};
1567
1568static const unsigned char aes_test_cfb128_iv[16] =
1569{
1570 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1571 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1572};
1573
1574static const unsigned char aes_test_cfb128_pt[64] =
1575{
1576 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1577 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1578 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1579 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1580 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1581 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1582 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1583 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1584};
1585
1586static const unsigned char aes_test_cfb128_ct[3][64] =
1587{
1588 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1589 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1590 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1591 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1592 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1593 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1594 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1595 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1596 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1597 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1598 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1599 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1600 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1601 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1602 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1603 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1604 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1605 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1606 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1607 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1608 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1609 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1610 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1611 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1612};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1613#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1614
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1615#if defined(MBEDTLS_CIPHER_MODE_OFB)
1616/*
1617 * AES-OFB test vectors from:
1618 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1619 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1620 */
1621static const unsigned char aes_test_ofb_key[3][32] =
1622{
1623 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1624 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1625 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1626 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1627 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1628 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1629 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1630 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1631 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1632};
1633
1634static const unsigned char aes_test_ofb_iv[16] =
1635{
1636 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1637 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1638};
1639
1640static const unsigned char aes_test_ofb_pt[64] =
1641{
1642 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1643 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1644 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1645 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1646 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1647 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1648 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1649 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1650};
1651
1652static const unsigned char aes_test_ofb_ct[3][64] =
1653{
1654 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1655 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1656 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1657 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1658 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1659 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1660 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1661 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1662 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1663 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1664 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1665 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1666 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1667 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1668 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1669 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1670 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1671 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1672 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1673 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1674 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1675 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1676 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1677 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1678};
1679#endif /* MBEDTLS_CIPHER_MODE_OFB */
1680
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1681#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1682/*
1683 * AES-CTR test vectors from:
1684 *
1685 * http://www.faqs.org/rfcs/rfc3686.html
1686 */
1687
1688static const unsigned char aes_test_ctr_key[3][16] =
1689{
1690 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1691 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1692 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1693 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1694 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1695 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1696};
1697
1698static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1699{
1700 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1702 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1703 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1704 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1705 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1706};
1707
1708static const unsigned char aes_test_ctr_pt[3][48] =
1709{
1710 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1711 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1712
1713 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1714 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1715 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1716 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1717
1718 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1719 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1720 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1721 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1722 0x20, 0x21, 0x22, 0x23 }
1723};
1724
1725static const unsigned char aes_test_ctr_ct[3][48] =
1726{
1727 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1728 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1729 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1730 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1731 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1732 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1733 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1734 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1735 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1736 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1737 0x25, 0xB2, 0x07, 0x2F }
1738};
1739
1740static const int aes_test_ctr_len[3] =
1741 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1742#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1743
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1744#if defined(MBEDTLS_CIPHER_MODE_XTS)
1745/*
1746 * AES-XTS test vectors from:
1747 *
1748 * IEEE P1619/D16 Annex B
1749 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1750 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1751 */
1752static const unsigned char aes_test_xts_key[][32] =
1753{
1754 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1757 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1758 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1759 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1760 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1761 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1762 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1763 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1764 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1765 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1766};
1767
1768static const unsigned char aes_test_xts_pt32[][32] =
1769{
1770 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1771 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1773 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1774 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1775 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1776 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1777 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1778 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1779 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1780 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1781 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1782};
1783
1784static const unsigned char aes_test_xts_ct32[][32] =
1785{
1786 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1787 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1788 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1789 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1790 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1791 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1792 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1793 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1794 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1795 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1796 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1797 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1798};
1799
1800static const unsigned char aes_test_xts_data_unit[][16] =
1801{
1802 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1803 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1804 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1805 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1806 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1808};
1809
1810#endif /* MBEDTLS_CIPHER_MODE_XTS */
1811
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1812/*
1813 * Checkup routine
1814 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1815int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1816{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1817 int ret = 0, i, j, u, mode;
1818 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819 unsigned char key[32];
1820 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1821 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1822#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1824#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1825#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1826 unsigned char prv[16];
1827#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1828#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1829 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1830 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1831#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1832#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1833 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1834#endif
1835#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1836 unsigned char nonce_counter[16];
1837 unsigned char stream_block[16];
1838#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1839 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1840
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]1841 mbedtls_platform_memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1842 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1843
1844 /*
1845 * ECB mode
1846 */
1847 for( i = 0; i < 6; i++ )
1848 {
1849 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1850 keybits = 128 + u * 64;
1851 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852
1853 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1854 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1855 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1856
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]1857#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1858 if( keybits > 128 )
1859 {
1860 mbedtls_printf( "skipped\n" );
1861 continue;
1862 }
1863#endif
1864
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]1865 mbedtls_platform_memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1866
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1867 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1869 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1870 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1871 }
1872 else
1873 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1874 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1875 aes_tests = aes_test_ecb_enc[u];
1876 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1877
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1878 /*
1879 * AES-192 is an optional feature that may be unavailable when
1880 * there is an alternative underlying implementation i.e. when
1881 * MBEDTLS_AES_ALT is defined.
1882 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1883 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1884 {
1885 mbedtls_printf( "skipped\n" );
1886 continue;
1887 }
1888 else if( ret != 0 )
1889 {
1890 goto exit;
1891 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1892
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1893 for( j = 0; j < 10000; j++ )
1894 {
1895 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1896 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1897 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1898 }
1899
1900 if( memcmp( buf, aes_tests, 16 ) != 0 )
1901 {
1902 ret = 1;
1903 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904 }
1905
1906 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1907 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1908 }
1909
1910 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1911 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1913#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1914 /*
1915 * CBC mode
1916 */
1917 for( i = 0; i < 6; i++ )
1918 {
1919 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1920 keybits = 128 + u * 64;
1921 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922
1923 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1924 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1925 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1926
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]1927#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1928 if( keybits > 128 )
1929 {
1930 mbedtls_printf( "skipped\n" );
1931 continue;
1932 }
1933#endif
1934
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]1935 mbedtls_platform_memset( iv , 0, 16 );
1936 mbedtls_platform_memset( prv, 0, 16 );
1937 mbedtls_platform_memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1938
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1939 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1940 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1941 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1942 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1943 }
1944 else
1945 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1946 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1947 aes_tests = aes_test_cbc_enc[u];
1948 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1949
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1950 /*
1951 * AES-192 is an optional feature that may be unavailable when
1952 * there is an alternative underlying implementation i.e. when
1953 * MBEDTLS_AES_ALT is defined.
1954 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1955 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1956 {
1957 mbedtls_printf( "skipped\n" );
1958 continue;
1959 }
1960 else if( ret != 0 )
1961 {
1962 goto exit;
1963 }
1964
1965 for( j = 0; j < 10000; j++ )
1966 {
1967 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1968 {
1969 unsigned char tmp[16];
1970
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971 memcpy( tmp, prv, 16 );
1972 memcpy( prv, buf, 16 );
1973 memcpy( buf, tmp, 16 );
1974 }
1975
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1976 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1977 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1978 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1979
1980 }
1981
1982 if( memcmp( buf, aes_tests, 16 ) != 0 )
1983 {
1984 ret = 1;
1985 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1986 }
1987
1988 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1989 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1990 }
1991
1992 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1993 mbedtls_printf( "\n" );
1994#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1995
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1996#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1997 /*
1998 * CFB128 mode
1999 */
2000 for( i = 0; i < 6; i++ )
2001 {
2002 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2003 keybits = 128 + u * 64;
2004 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2005
2006 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2007 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2008 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2010#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2011 if( keybits > 128 )
2012 {
2013 mbedtls_printf( "skipped\n" );
2014 continue;
2015 }
2016#endif
2017
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2018 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2019 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2020
2021 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2022 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2023 /*
2024 * AES-192 is an optional feature that may be unavailable when
2025 * there is an alternative underlying implementation i.e. when
2026 * MBEDTLS_AES_ALT is defined.
2027 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2028 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2029 {
2030 mbedtls_printf( "skipped\n" );
2031 continue;
2032 }
2033 else if( ret != 0 )
2034 {
2035 goto exit;
2036 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2037
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2038 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2039 {
2040 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2041 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2042 }
2043 else
2044 {
2045 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2046 aes_tests = aes_test_cfb128_ct[u];
2047 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2048
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2049 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2050 if( ret != 0 )
2051 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2052
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2053 if( memcmp( buf, aes_tests, 64 ) != 0 )
2054 {
2055 ret = 1;
2056 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2057 }
2058
2059 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2060 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2061 }
2062
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2063 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2064 mbedtls_printf( "\n" );
2065#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2066
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2067#if defined(MBEDTLS_CIPHER_MODE_OFB)
2068 /*
2069 * OFB mode
2070 */
2071 for( i = 0; i < 6; i++ )
2072 {
2073 u = i >> 1;
2074 keybits = 128 + u * 64;
2075 mode = i & 1;
2076
2077 if( verbose != 0 )
2078 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2079 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2080
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2081#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2082 if( keybits > 128 )
2083 {
2084 mbedtls_printf( "skipped\n" );
2085 continue;
2086 }
2087#endif
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2088 memcpy( iv, aes_test_ofb_iv, 16 );
2089 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2090
2091 offset = 0;
2092 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2093 /*
2094 * AES-192 is an optional feature that may be unavailable when
2095 * there is an alternative underlying implementation i.e. when
2096 * MBEDTLS_AES_ALT is defined.
2097 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2098 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2099 {
2100 mbedtls_printf( "skipped\n" );
2101 continue;
2102 }
2103 else if( ret != 0 )
2104 {
2105 goto exit;
2106 }
2107
2108 if( mode == MBEDTLS_AES_DECRYPT )
2109 {
2110 memcpy( buf, aes_test_ofb_ct[u], 64 );
2111 aes_tests = aes_test_ofb_pt;
2112 }
2113 else
2114 {
2115 memcpy( buf, aes_test_ofb_pt, 64 );
2116 aes_tests = aes_test_ofb_ct[u];
2117 }
2118
2119 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2120 if( ret != 0 )
2121 goto exit;
2122
2123 if( memcmp( buf, aes_tests, 64 ) != 0 )
2124 {
2125 ret = 1;
2126 goto exit;
2127 }
2128
2129 if( verbose != 0 )
2130 mbedtls_printf( "passed\n" );
2131 }
2132
2133 if( verbose != 0 )
2134 mbedtls_printf( "\n" );
2135#endif /* MBEDTLS_CIPHER_MODE_OFB */
2136
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2137#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2138 /*
2139 * CTR mode
2140 */
2141 for( i = 0; i < 6; i++ )
2142 {
2143 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2144 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2145
2146 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2147 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2148 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2149
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2150#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2151 if( keybits > 128 )
2152 {
2153 mbedtls_printf( "skipped\n" );
2154 continue;
2155 }
2156#endif
2157
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2158 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2159 memcpy( key, aes_test_ctr_key[u], 16 );
2160
2161 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2162 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2163 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2164
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2165 len = aes_test_ctr_len[u];
2166
2167 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2168 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2169 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2170 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2171 }
2172 else
2173 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2174 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2175 aes_tests = aes_test_ctr_ct[u];
2176 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2177
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2178 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2179 stream_block, buf, buf );
2180 if( ret != 0 )
2181 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2182
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2183 if( memcmp( buf, aes_tests, len ) != 0 )
2184 {
2185 ret = 1;
2186 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2187 }
2188
2189 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2190 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2191 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2192
2193 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2194 mbedtls_printf( "\n" );
2195#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2196
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2197#if defined(MBEDTLS_CIPHER_MODE_XTS)
2198 {
2199 static const int num_tests =
2200 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2201 mbedtls_aes_xts_context ctx_xts;
2202
2203 /*
2204 * XTS mode
2205 */
2206 mbedtls_aes_xts_init( &ctx_xts );
2207
2208 for( i = 0; i < num_tests << 1; i++ )
2209 {
2210 const unsigned char *data_unit;
2211 u = i >> 1;
2212 mode = i & 1;
2213
2214 if( verbose != 0 )
2215 mbedtls_printf( " AES-XTS-128 (%s): ",
2216 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2217
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]2218 mbedtls_platform_memset( key, 0, sizeof( key ) );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2219 memcpy( key, aes_test_xts_key[u], 32 );
2220 data_unit = aes_test_xts_data_unit[u];
2221
2222 len = sizeof( *aes_test_xts_ct32 );
2223
2224 if( mode == MBEDTLS_AES_DECRYPT )
2225 {
2226 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2227 if( ret != 0)
2228 goto exit;
2229 memcpy( buf, aes_test_xts_ct32[u], len );
2230 aes_tests = aes_test_xts_pt32[u];
2231 }
2232 else
2233 {
2234 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2235 if( ret != 0)
2236 goto exit;
2237 memcpy( buf, aes_test_xts_pt32[u], len );
2238 aes_tests = aes_test_xts_ct32[u];
2239 }
2240
2241
2242 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2243 buf, buf );
2244 if( ret != 0 )
2245 goto exit;
2246
2247 if( memcmp( buf, aes_tests, len ) != 0 )
2248 {
2249 ret = 1;
2250 goto exit;
2251 }
2252
2253 if( verbose != 0 )
2254 mbedtls_printf( "passed\n" );
2255 }
2256
2257 if( verbose != 0 )
2258 mbedtls_printf( "\n" );
2259
2260 mbedtls_aes_xts_free( &ctx_xts );
2261 }
2262#endif /* MBEDTLS_CIPHER_MODE_XTS */
2263
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2264 ret = 0;
2265
2266exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2267 if( ret != 0 && verbose != 0 )
2268 mbedtls_printf( "failed\n" );
2269
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2270 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2271
2272 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2273}
2274
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2275#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2276
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2277#endif /* MBEDTLS_AES_C */