TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2b24f4280ff259203ee7124f63f79ac65a85abff / . / library / aes.c
blob: a6e0d75dcde1803eeb4a2ed1066fae78131317e6 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]88/*
89 * Data structure for AES round data
90 */
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]91typedef struct {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]92 uint32_t *rk_ptr; /* Round Key */
Arto Kinnunen34139ba2019-12-03 15:43:27 +0200[diff] [blame]93 uint32_t xy_values[8]; /* X0, X1, X2, X3, Y0, Y1, Y2, Y3 */
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]94} aes_r_data_t;
95
96#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
97/* Number of additional AES calculation rounds added for SCA CM */
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]98#define AES_SCA_CM_ROUNDS 5
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]99#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
100#define AES_SCA_CM_ROUNDS 0
101#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]103#if defined(MBEDTLS_PADLOCK_C) && \
104 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]105static int aes_padlock_ace = -1;
106#endif
107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]108#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109/*
110 * Forward S-box
111 */
112static const unsigned char FSb[256] =
113{
114 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
115 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
116 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
117 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
118 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
119 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
120 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
121 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
122 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
123 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
124 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
125 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
126 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
127 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
128 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
129 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
130 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
131 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
132 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
133 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
134 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
135 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
136 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
137 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
138 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
139 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
140 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
141 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
142 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
143 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
144 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
145 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
146};
147
148/*
149 * Forward tables
150 */
151#define FT \
152\
153 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
154 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
155 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
156 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
157 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
158 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
159 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
160 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
161 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
162 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
163 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
164 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
165 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
166 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
167 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
168 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
169 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
170 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
171 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
172 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
173 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
174 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
175 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
176 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
177 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
178 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
179 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
180 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
181 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
182 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
183 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
184 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
185 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
186 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
187 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
188 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
189 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
190 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
191 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
192 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
193 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
194 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
195 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
196 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
197 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
198 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
199 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
200 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
201 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
202 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
203 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
204 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
205 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
206 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
207 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
208 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
209 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
210 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
211 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
212 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
213 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
214 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
215 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
216 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
217
218#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef V
221
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]222#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]225static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226#undef V
227
228#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
232#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]233static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#undef V
235
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]236#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]237
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238#undef FT
239
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]240#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]241/*
242 * Reverse S-box
243 */
244static const unsigned char RSb[256] =
245{
246 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
247 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
248 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
249 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
250 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
251 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
252 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
253 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
254 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
255 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
256 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
257 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
258 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
259 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
260 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
261 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
262 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
263 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
264 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
265 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
266 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
267 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
268 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
269 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
270 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
271 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
272 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
273 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
274 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
275 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
276 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
277 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
278};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]279#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280
281/*
282 * Reverse tables
283 */
284#define RT \
285\
286 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
287 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
288 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
289 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
290 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
291 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
292 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
293 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
294 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
295 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
296 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
297 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
298 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
299 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
300 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
301 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
302 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
303 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
304 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
305 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
306 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
307 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
308 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
309 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
310 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
311 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
312 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
313 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
314 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
315 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
316 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
317 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
318 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
319 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
320 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
321 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
322 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
323 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
324 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
325 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
326 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
327 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
328 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
329 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
330 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
331 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
332 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
333 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
334 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
335 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
336 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
337 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
338 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
339 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
340 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
341 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
342 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
343 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
344 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
345 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
346 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
347 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
348 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
349 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
350
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]351#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]352#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef V
355
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]356#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360#undef V
361
362#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364#undef V
365
366#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]367static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368#undef V
369
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]371#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]372
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373#undef RT
374
375/*
376 * Round constants
377 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379{
380 0x00000001, 0x00000002, 0x00000004, 0x00000008,
381 0x00000010, 0x00000020, 0x00000040, 0x00000080,
382 0x0000001B, 0x00000036
383};
384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]385#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387/*
388 * Forward S-box & tables
389 */
390static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]391static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]392#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]393static uint32_t FT1[256];
394static uint32_t FT2[256];
395static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]396#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397
398/*
399 * Reverse S-box & tables
400 */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]401#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]403static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]404#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]405static uint32_t RT1[256];
406static uint32_t RT2[256];
407static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]408#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]409#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]410
411/*
412 * Round constants
413 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]414static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415
416/*
417 * Tables generation code
418 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]419#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
420#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]421#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]422
423static int aes_init_done = 0;
424
425static void aes_gen_tables( void )
426{
427 int i, x, y, z;
428 int pow[256];
429 int log[256];
430
431 /*
432 * compute pow and log tables over GF(2^8)
433 */
434 for( i = 0, x = 1; i < 256; i++ )
435 {
436 pow[i] = x;
437 log[x] = i;
438 x = ( x ^ XTIME( x ) ) & 0xFF;
439 }
440
441 /*
442 * calculate the round constants
443 */
444 for( i = 0, x = 1; i < 10; i++ )
445 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]446 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 x = XTIME( x ) & 0xFF;
448 }
449
450 /*
451 * generate the forward and reverse S-boxes
452 */
453 FSb[0x00] = 0x63;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]454#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 RSb[0x63] = 0x00;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]456#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
458 for( i = 1; i < 256; i++ )
459 {
460 x = pow[255 - log[i]];
461
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]462 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
463 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
464 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 x ^= y ^ 0x63;
467
468 FSb[i] = (unsigned char) x;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]469#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RSb[x] = (unsigned char) i;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]471#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]494#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]495 x = RSb[i];
496
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]497 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
498 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
499 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
500 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]502#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]503 RT1[i] = ROTL8( RT0[i] );
504 RT2[i] = ROTL8( RT1[i] );
505 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]506#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]507#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 }
509}
510
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]511#undef ROTL8
512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]515/**
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]516 * Randomize positions for AES SCA countermeasures if AES countermeasures are
517 * enabled. If countermeasures are not enabled then fill given table with real
518 * data values.
519 *
520 * Dummy rounds are added as follows:
521 * 1. One dummy round added to the initial round key addition (executed in
522 * random order).
523 * 2. Random number of dummy rounds added as first and/or last AES calculation
524 * round. Total number of dummy rounds is AES_SCA_CM_ROUNDS.
525 *
526 * Description of the bytes in the table are as follows:
527 * - 2 bytes for initial round key addition
528 * - remaining bytes for AES calculation with real or dummy data
529 *
530 * Each byte indicates one AES calculation round:
531 * -4 high bit = table to use 0x10 for dummy data, 0x00 real data
532 * -bit 2 = offset for even/odd rounds
533 * -bit 0-1: stop mark (0x03) to indicate calculation end
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]534 *
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]535 * Return Number of additional AES rounds
536 *
537 * Example of the control bytes:
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]538 * 1. No countermeasures enabled and AES-128, only real data (R) used:
539 * | Ri | R | R | R | R | R | R | R | R | R | R |
540 * |0x03|0x04|0x00|0x04|0x00|0x04|0x00|0x04|0x00|0x07|0x03|
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]541 *
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]542 * 2. Countermeasures enabled, 3 (F) dummy rounds in start and 1 at end:
543 * | Fi | Ri | F | F | F | R | R | ... | R | R | R | R | F |
544 * |0x10|0x03 |0x10|0x10|0x10|0x04|0x00| ... |0x04|0x00|0x04|0x03|0x07|
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]545 */
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]546static int aes_sca_cm_data_randomize( uint8_t *tbl, uint8_t tbl_len )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]547{
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]548 int i = 0, j, is_even_pos, dummy_rounds;
549
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]550#if AES_SCA_CM_ROUNDS != 0
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]551 int num;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]552
Jarno Lamsa8f8c0bd2020-01-08 15:07:41 +0200[diff] [blame]553 mbedtls_platform_memset( tbl, 0, tbl_len );
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]554 // get random from 0xfff (each byte will be used separately)
555 num = mbedtls_platform_random_in_range( 0x1000 );
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]556
557 // Randomize execution order of initial round key addition
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]558 if ( ( num & 0x0100 ) == 0 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]559 {
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]560 tbl[i++] = 0x10; // dummy data
561 tbl[i++] = 0x00 | 0x03; // real data + stop marker
562 } else {
563 tbl[i++] = 0x00; // real data
564 tbl[i++] = 0x10 | 0x03; // dummy data + stop marker
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]565 }
566
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]567 // Randomize number of dummy AES rounds
568 dummy_rounds = AES_SCA_CM_ROUNDS - ( ( num >> 8 ) & 0x01 );
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]569 tbl_len = tbl_len - (AES_SCA_CM_ROUNDS - dummy_rounds);
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]570
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]571 // randomize positions for the dummy rounds
572 num = ( num & 0x00f ) % ( dummy_rounds + 1 );
573
574 // add dummy rounds after initial round key addition (if needed)
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]575 for ( ; i < num + 2; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]576 {
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]577 tbl[i] = 0x10; // dummy data
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]578 }
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]579
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]580 // add dummy rounds to the end, (AES_SCA_CM_ROUNDS - num) rounds if needed
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]581 for ( j = tbl_len - dummy_rounds + num; j < tbl_len; j++ )
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]582 {
583 tbl[j] = 0x10; // dummy data
584 }
585#else /* AES_SCA_CM_ROUNDS != 0 */
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]586 mbedtls_platform_memset( tbl, 0, tbl_len );
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]587 dummy_rounds = 0;
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]588 j = 0;
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]589 tbl[i++] = 0x03; // real data + stop marker for the round key addition
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]590#endif /* AES_SCA_CM_ROUNDS != 0 */
591
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]592 // Fill real AES data to the remaining places
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]593 is_even_pos = 1;
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]594 for( ; i < tbl_len; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]595 {
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]596 if( tbl[i] == 0 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]597 {
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]598 if( is_even_pos == 1 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]599 {
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]600 tbl[i] = 0x04; // real data, offset for rounds 1,3,5, etc...
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]601 is_even_pos = 0;
602 }
603 else
604 {
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]605 tbl[i] = 0x00; // real data, offset for rounds 2,4,6,...
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]606 is_even_pos = 1;
607 }
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]608 j = i; // remember the final round position in table
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]609 }
610 }
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]611
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]612 tbl[( tbl_len - 1)] |= 0x03; // Stop marker for the last item in tbl
613 tbl[( j - 1 )] |= 0x03; // stop marker for final - 1 real data
614
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]615 return( dummy_rounds );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]616}
617
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]618#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]619
620#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
621#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
622#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
623
624#define AES_RT0(idx) RT0[idx]
625#define AES_RT1(idx) ROTL8( RT0[idx] )
626#define AES_RT2(idx) ROTL16( RT0[idx] )
627#define AES_RT3(idx) ROTL24( RT0[idx] )
628
629#define AES_FT0(idx) FT0[idx]
630#define AES_FT1(idx) ROTL8( FT0[idx] )
631#define AES_FT2(idx) ROTL16( FT0[idx] )
632#define AES_FT3(idx) ROTL24( FT0[idx] )
633
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]634#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]635
636#define AES_RT0(idx) RT0[idx]
637#define AES_RT1(idx) RT1[idx]
638#define AES_RT2(idx) RT2[idx]
639#define AES_RT3(idx) RT3[idx]
640
641#define AES_FT0(idx) FT0[idx]
642#define AES_FT1(idx) FT1[idx]
643#define AES_FT2(idx) FT2[idx]
644#define AES_FT3(idx) FT3[idx]
645
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]646#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]647
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]648void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]649{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]650 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]651
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]652 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]653}
654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]655void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]656{
657 if( ctx == NULL )
658 return;
659
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]660 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]661}
662
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]663#if defined(MBEDTLS_CIPHER_MODE_XTS)
664void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
665{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]666 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]667
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]668 mbedtls_aes_init( &ctx->crypt );
669 mbedtls_aes_init( &ctx->tweak );
670}
671
672void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
673{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]674 if( ctx == NULL )
675 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]676
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]677 mbedtls_aes_free( &ctx->crypt );
678 mbedtls_aes_free( &ctx->tweak );
679}
680#endif /* MBEDTLS_CIPHER_MODE_XTS */
681
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]682/*
683 * AES key schedule (encryption)
684 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]685#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]687 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]688{
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]689 unsigned int j = 0;
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]690 unsigned int flow_ctrl = 0;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]691 volatile unsigned int i = 0;
692 volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]693 uint32_t *RK;
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]694 uint32_t offset = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]696 AES_VALIDATE_RET( ctx != NULL );
697 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]698
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]699 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]700 {
701 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]702#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]703 case 192: ctx->nr = 12; break;
704 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]705#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]706 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]707 }
708
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]709#if !defined(MBEDTLS_AES_ROM_TABLES)
710 if( aes_init_done == 0 )
711 {
712 aes_gen_tables();
713 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]714 }
715#endif
716
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]717#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]718 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]719 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]720
721 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]722 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]723 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]724#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]725 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]727#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]728 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]729 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]730#endif
731
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]732 mbedtls_platform_memset( RK, 0, ( keybits >> 5 ) * 4 );
733 offset = mbedtls_platform_random_in_range( keybits >> 5 );
734
735 for( j = offset; j < ( keybits >> 5 ); j++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]736 {
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]737 GET_UINT32_LE( RK[j], key, j << 2 );
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]738 flow_ctrl++;
739 }
740
741 for( j = 0; j < offset; j++ )
742 {
743 GET_UINT32_LE( RK[j], key, j << 2 );
744 flow_ctrl++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]745 }
746
747 switch( ctx->nr )
748 {
749 case 10:
750
751 for( i = 0; i < 10; i++, RK += 4 )
752 {
753 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]754 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
755 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
756 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
757 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]758
759 RK[5] = RK[1] ^ RK[4];
760 RK[6] = RK[2] ^ RK[5];
761 RK[7] = RK[3] ^ RK[6];
762 }
763 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]764#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]765 case 12:
766
767 for( i = 0; i < 8; i++, RK += 6 )
768 {
769 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]770 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
771 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
772 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
773 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]774
775 RK[7] = RK[1] ^ RK[6];
776 RK[8] = RK[2] ^ RK[7];
777 RK[9] = RK[3] ^ RK[8];
778 RK[10] = RK[4] ^ RK[9];
779 RK[11] = RK[5] ^ RK[10];
780 }
781 break;
782
783 case 14:
784
785 for( i = 0; i < 7; i++, RK += 8 )
786 {
787 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]788 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
789 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
790 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
791 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]792
793 RK[9] = RK[1] ^ RK[8];
794 RK[10] = RK[2] ^ RK[9];
795 RK[11] = RK[3] ^ RK[10];
796
797 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]798 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
799 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
800 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
801 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]802
803 RK[13] = RK[5] ^ RK[12];
804 RK[14] = RK[6] ^ RK[13];
805 RK[15] = RK[7] ^ RK[14];
806 }
807 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]808#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]809 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]810
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]811 ret = 0;
812
813 /* Validate execution path */
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]814 if( ( flow_ctrl == keybits >> 5 ) && ( ( ctx->nr == 10 && i == 10 )
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]815#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
816 || ( ctx->nr == 12 && i == 8 )
817 || ( ctx->nr == 14 && i == 7 )
818#endif
819 ) )
820 {
821 return ret;
822 }
823
824 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]825}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]826#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]827
828/*
829 * AES key schedule (decryption)
830 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]831#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]832int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]833 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]834{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]835#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
836 (void) ctx;
837 (void) key;
838 (void) keybits;
839
840 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
841#else /* */
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]842 volatile unsigned int i = 0, j = 0;
843 volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]844 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]845 uint32_t *RK;
846 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]847
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]848 AES_VALIDATE_RET( ctx != NULL );
849 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]850
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]851 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]852
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]853#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]854 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]855 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]856
857 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]858 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]859 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]861 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]863 /* Also checks keybits */
864 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]865 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]866
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]867 ctx->nr = cty.nr;
868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]869#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]870 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]871 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]872 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]873 (const unsigned char *) cty.rk, ctx->nr );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]874 i = 0;
875 j = 4;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]876 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]877 }
878#endif
879
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]880 SK = cty.rk + cty.nr * 4;
881
882 *RK++ = *SK++;
883 *RK++ = *SK++;
884 *RK++ = *SK++;
885 *RK++ = *SK++;
886
887 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
888 {
889 for( j = 0; j < 4; j++, SK++ )
890 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]891 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
892 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
893 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
894 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]895 }
896 }
897
898 *RK++ = *SK++;
899 *RK++ = *SK++;
900 *RK++ = *SK++;
901 *RK++ = *SK++;
902
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]903exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]904 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]905
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]906 if( ret != 0 )
907 {
908 return( ret );
909 }
910 else if( ( i == 0 ) && ( j == 4 ) )
911 {
912 return( ret );
913 }
914 else
915 {
916 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
917 }
918
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]919#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]920}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]921
922#if defined(MBEDTLS_CIPHER_MODE_XTS)
923static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
924 unsigned int keybits,
925 const unsigned char **key1,
926 unsigned int *key1bits,
927 const unsigned char **key2,
928 unsigned int *key2bits )
929{
930 const unsigned int half_keybits = keybits / 2;
931 const unsigned int half_keybytes = half_keybits / 8;
932
933 switch( keybits )
934 {
935 case 256: break;
936 case 512: break;
937 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
938 }
939
940 *key1bits = half_keybits;
941 *key2bits = half_keybits;
942 *key1 = &key[0];
943 *key2 = &key[half_keybytes];
944
945 return 0;
946}
947
948int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
949 const unsigned char *key,
950 unsigned int keybits)
951{
952 int ret;
953 const unsigned char *key1, *key2;
954 unsigned int key1bits, key2bits;
955
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]956 AES_VALIDATE_RET( ctx != NULL );
957 AES_VALIDATE_RET( key != NULL );
958
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]959 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
960 &key2, &key2bits );
961 if( ret != 0 )
962 return( ret );
963
964 /* Set the tweak key. Always set tweak key for the encryption mode. */
965 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
966 if( ret != 0 )
967 return( ret );
968
969 /* Set crypt key for encryption. */
970 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
971}
972
973int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
974 const unsigned char *key,
975 unsigned int keybits)
976{
977 int ret;
978 const unsigned char *key1, *key2;
979 unsigned int key1bits, key2bits;
980
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]981 AES_VALIDATE_RET( ctx != NULL );
982 AES_VALIDATE_RET( key != NULL );
983
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]984 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
985 &key2, &key2bits );
986 if( ret != 0 )
987 return( ret );
988
989 /* Set the tweak key. Always set tweak key for encryption. */
990 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
991 if( ret != 0 )
992 return( ret );
993
994 /* Set crypt key for decryption. */
995 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
996}
997#endif /* MBEDTLS_CIPHER_MODE_XTS */
998
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]999#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1000
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1002 * AES-ECB block encryption
1003 */
1004#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1005
1006static uint32_t *aes_fround( uint32_t *R,
1007 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1008 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1009{
1010 *X0 = *R++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^
1011 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^
1012 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^
1013 AES_FT3( ( Y3 >> 24 ) & 0xFF );
1014
1015 *X1 = *R++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^
1016 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^
1017 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^
1018 AES_FT3( ( Y0 >> 24 ) & 0xFF );
1019
1020 *X2 = *R++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^
1021 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^
1022 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^
1023 AES_FT3( ( Y1 >> 24 ) & 0xFF );
1024
1025 *X3 = *R++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^
1026 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^
1027 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^
1028 AES_FT3( ( Y2 >> 24 ) & 0xFF );
1029
1030 return R;
1031}
1032
1033static void aes_fround_final( uint32_t *R,
1034 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1035 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1036{
1037 *X0 = *R++ ^ ( (uint32_t) FSb[ ( (Y0) ) & 0xFF ] ) ^
1038 ( (uint32_t) FSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
1039 ( (uint32_t) FSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
1040 ( (uint32_t) FSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
1041
1042 *X1 = *R++ ^ ( (uint32_t) FSb[ ( (Y1) ) & 0xFF ] ) ^
1043 ( (uint32_t) FSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
1044 ( (uint32_t) FSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
1045 ( (uint32_t) FSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
1046
1047 *X2 = *R++ ^ ( (uint32_t) FSb[ ( (Y2) ) & 0xFF ] ) ^
1048 ( (uint32_t) FSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
1049 ( (uint32_t) FSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
1050 ( (uint32_t) FSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
1051
1052 *X3 = *R++ ^ ( (uint32_t) FSb[ ( (Y3) ) & 0xFF ] ) ^
1053 ( (uint32_t) FSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
1054 ( (uint32_t) FSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
1055 ( (uint32_t) FSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
1056}
1057
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1058int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
1059 const unsigned char input[16],
1060 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1061{
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]1062 int i, tindex, offset, stop_mark, dummy_rounds;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1063 aes_r_data_t aes_data_real; // real data
1064#if AES_SCA_CM_ROUNDS != 0
1065 aes_r_data_t aes_data_fake; // fake data
1066#endif /* AES_SCA_CM_ROUNDS != 0 */
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1067 aes_r_data_t *aes_data_ptr; // pointer to real or fake data
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1068 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1069 int round_ctrl_table_len = ctx->nr + 1;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1070 volatile int flow_control;
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1071 // control bytes for AES calculation rounds,
1072 // reserve based on max rounds + dummy rounds + 2 (for initial key addition)
1073 uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1074
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1075 aes_data_real.rk_ptr = ctx->rk;
1076 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1077
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1078#if AES_SCA_CM_ROUNDS != 0
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1079 round_ctrl_table_len += ( AES_SCA_CM_ROUNDS + 1 );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1080 aes_data_table[1] = &aes_data_fake;
1081 aes_data_fake.rk_ptr = ctx->rk;
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1082 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1083 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1084#endif
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1085
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1086 // Get AES calculation control bytes
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1087 dummy_rounds = aes_sca_cm_data_randomize( round_ctrl_table,
1088 round_ctrl_table_len );
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]1089 flow_control = dummy_rounds;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1090
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]1091 mbedtls_platform_memset( aes_data_real.xy_values, 0, 16 );
1092 offset = mbedtls_platform_random_in_range( 4 );
1093
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1094 i = offset;
1095 do
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1096 {
1097 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1098 flow_control++;
1099 } while( ( i = ( i + 1 ) % 4 ) != offset );
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]1100
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1101 tindex = 0;
1102 do
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]1103 {
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1104 // Get pointer to the real or fake data
1105 aes_data_ptr = aes_data_table[round_ctrl_table[tindex] >> 4];
1106 stop_mark = round_ctrl_table[tindex] & 0x03;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1107
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1108 // initial round key addition
1109 for( i = 0; i < 4; i++ )
1110 {
1111 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
1112 }
1113 tindex++;
1114 flow_control++;
1115 } while( stop_mark == 0 );
1116
1117 // Calculate AES rounds (9, 11 or 13 rounds) + dummy rounds
1118 do
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1119 {
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1120 // Get pointer to the real or fake data
1121 aes_data_ptr = aes_data_table[round_ctrl_table[tindex] >> 4];
1122 offset = round_ctrl_table[tindex] & 0x04;
1123 stop_mark = round_ctrl_table[tindex] & 0x03;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1124
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1125 aes_data_ptr->rk_ptr = aes_fround( aes_data_ptr->rk_ptr,
1126 &aes_data_ptr->xy_values[0 + offset],
1127 &aes_data_ptr->xy_values[1 + offset],
1128 &aes_data_ptr->xy_values[2 + offset],
1129 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1130 aes_data_ptr->xy_values[4 - offset],
1131 aes_data_ptr->xy_values[5 - offset],
1132 aes_data_ptr->xy_values[6 - offset],
1133 aes_data_ptr->xy_values[7 - offset] );
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1134 tindex++;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1135 flow_control++;
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1136 } while( stop_mark == 0 );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1137
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1138 // Calculate final AES round + dummy rounds
1139 do
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1140 {
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1141 aes_data_ptr = aes_data_table[round_ctrl_table[tindex] >> 4];
1142 stop_mark = round_ctrl_table[tindex] & 0x03;
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1143 aes_fround_final( aes_data_ptr->rk_ptr,
1144 &aes_data_ptr->xy_values[0],
1145 &aes_data_ptr->xy_values[1],
1146 &aes_data_ptr->xy_values[2],
1147 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1148 aes_data_ptr->xy_values[4],
1149 aes_data_ptr->xy_values[5],
1150 aes_data_ptr->xy_values[6],
1151 aes_data_ptr->xy_values[7] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1152 flow_control++;
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1153 tindex++;
1154 } while( stop_mark == 0 );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1155
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]1156 mbedtls_platform_memset( output, 0, 16 );
1157 offset = mbedtls_platform_random_in_range( 4 );
1158
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1159 i = offset;
1160 do
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]1161 {
1162 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
1163 flow_control++;
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1164 } while( ( i = ( i + 1 ) % 4 ) != offset );
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]1165
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1166 if( flow_control == tindex + dummy_rounds + 8 )
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1167 {
1168 /* Validate control path due possible fault injection */
1169 return 0;
1170 }
1171
1172 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1173}
1174#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
1175
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1176#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1177void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
1178 const unsigned char input[16],
1179 unsigned char output[16] )
1180{
1181 mbedtls_internal_aes_encrypt( ctx, input, output );
1182}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1183#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1184
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1185/*
1186 * AES-ECB block decryption
1187 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1188
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1189#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1190#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1191
1192static uint32_t *aes_rround( uint32_t *R,
1193 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1194 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1195{
1196 *X0 = *R++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^
1197 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^
1198 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^
1199 AES_RT3( ( Y1 >> 24 ) & 0xFF );
1200
1201 *X1 = *R++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^
1202 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^
1203 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^
1204 AES_RT3( ( Y2 >> 24 ) & 0xFF );
1205
1206 *X2 = *R++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^
1207 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^
1208 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^
1209 AES_RT3( ( Y3 >> 24 ) & 0xFF );
1210
1211 *X3 = *R++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^
1212 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^
1213 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^
1214 AES_RT3( ( Y0 >> 24 ) & 0xFF );
1215 return R;
1216}
1217
1218static void aes_rround_final( uint32_t *R,
1219 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1220 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1221{
1222 *X0 = *R++ ^ ( (uint32_t) RSb[ ( (Y0) ) & 0xFF ] ) ^
1223 ( (uint32_t) RSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
1224 ( (uint32_t) RSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
1225 ( (uint32_t) RSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
1226
1227 *X1 = *R++ ^ ( (uint32_t) RSb[ ( (Y1) ) & 0xFF ] ) ^
1228 ( (uint32_t) RSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
1229 ( (uint32_t) RSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
1230 ( (uint32_t) RSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
1231
1232 *X2 = *R++ ^ ( (uint32_t) RSb[ ( (Y2) ) & 0xFF ] ) ^
1233 ( (uint32_t) RSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
1234 ( (uint32_t) RSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
1235 ( (uint32_t) RSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
1236
1237 *X3 = *R++ ^ ( (uint32_t) RSb[ ( (Y3) ) & 0xFF ] ) ^
1238 ( (uint32_t) RSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
1239 ( (uint32_t) RSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
1240 ( (uint32_t) RSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
1241}
1242
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1243int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
1244 const unsigned char input[16],
1245 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1246{
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]1247 int i, tindex, offset, stop_mark, dummy_rounds;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1248 aes_r_data_t aes_data_real; // real data
1249#if AES_SCA_CM_ROUNDS != 0
1250 aes_r_data_t aes_data_fake; // fake data
1251#endif /* AES_SCA_CM_ROUNDS != 0 */
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1252 aes_r_data_t *aes_data_ptr; // pointer to real or fake data
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1253 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1254 int round_ctrl_table_len = ctx->nr + 1;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1255 volatile int flow_control;
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1256 // control bytes for AES calculation rounds,
1257 // reserve based on max rounds + dummy rounds + 2 (for initial key addition)
1258 uint8_t round_ctrl_table[( 14 + AES_SCA_CM_ROUNDS + 2 )];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1259
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1260 aes_data_real.rk_ptr = ctx->rk;
1261 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1262
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1263#if AES_SCA_CM_ROUNDS != 0
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1264 round_ctrl_table_len += ( AES_SCA_CM_ROUNDS + 1 );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1265 aes_data_table[1] = &aes_data_fake;
1266 aes_data_fake.rk_ptr = ctx->rk;
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1267 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1268 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
1269#endif
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1270
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1271 // Get AES calculation control bytes
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]1272 dummy_rounds = aes_sca_cm_data_randomize( round_ctrl_table,
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1273 round_ctrl_table_len );
Arto Kinnunen98c93af2020-01-14 13:31:03 +0200[diff] [blame]1274 flow_control = dummy_rounds;
1275
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1276 mbedtls_platform_memset( aes_data_real.xy_values, 0, 16 );
1277 offset = mbedtls_platform_random_in_range( 4 );
1278
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1279 i = offset;
1280 do
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1281 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1282 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1283 flow_control++;
1284 } while( ( i = ( i + 1 ) % 4 ) != offset );
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1285
1286 tindex = 0;
1287 do
1288 {
1289 // Get pointer to the real or fake data
1290 aes_data_ptr = aes_data_table[round_ctrl_table[tindex] >> 4];
1291 stop_mark = round_ctrl_table[tindex] & 0x03;
1292
1293 // initial round key addition
1294 for( i = 0; i < 4; i++ )
1295 {
1296 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
1297 }
1298 tindex++;
1299 flow_control++;
1300 } while( stop_mark == 0 );
1301
1302 // Calculate AES rounds (9, 11 or 13 rounds) + dummy rounds
1303 do
1304 {
1305 // Get pointer to the real or fake data
1306 aes_data_ptr = aes_data_table[round_ctrl_table[tindex] >> 4];
1307 offset = round_ctrl_table[tindex] & 0x04;
1308 stop_mark = round_ctrl_table[tindex] & 0x03;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1309
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1310 aes_data_ptr->rk_ptr = aes_rround( aes_data_ptr->rk_ptr,
1311 &aes_data_ptr->xy_values[0 + offset],
1312 &aes_data_ptr->xy_values[1 + offset],
1313 &aes_data_ptr->xy_values[2 + offset],
1314 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1315 aes_data_ptr->xy_values[4 - offset],
1316 aes_data_ptr->xy_values[5 - offset],
1317 aes_data_ptr->xy_values[6 - offset],
1318 aes_data_ptr->xy_values[7 - offset] );
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1319 tindex++;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1320 flow_control++;
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1321 } while( stop_mark == 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1322
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1323 // Calculate final AES round + dummy rounds
1324 do
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1325 {
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1326 aes_data_ptr = aes_data_table[round_ctrl_table[tindex] >> 4];
1327 stop_mark = round_ctrl_table[tindex] & 0x03;
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1328 aes_rround_final( aes_data_ptr->rk_ptr,
1329 &aes_data_ptr->xy_values[0],
1330 &aes_data_ptr->xy_values[1],
1331 &aes_data_ptr->xy_values[2],
1332 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1333 aes_data_ptr->xy_values[4],
1334 aes_data_ptr->xy_values[5],
1335 aes_data_ptr->xy_values[6],
1336 aes_data_ptr->xy_values[7] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1337 flow_control++;
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1338 tindex++;
1339 } while( stop_mark == 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1340
Arto Kinnunen2eb678f2020-01-13 16:44:13 +0200[diff] [blame]1341 mbedtls_platform_memset( output, 0, 16 );
1342 offset = mbedtls_platform_random_in_range( 4 );
1343
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1344 i = offset;
1345 do
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1346 {
1347 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1348 flow_control++;
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1349 } while( ( i = ( i + 1 ) % 4 ) != offset );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1350
Arto Kinnunen2b24f422020-01-16 15:04:11 +0200[diff] [blame^]1351 if( flow_control == tindex + dummy_rounds + 8 )
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1352 {
1353 /* Validate control path due possible fault injection */
1354 return 0;
1355 }
1356
1357 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1358}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1359#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1360#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1361
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1362#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1363void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1364 const unsigned char input[16],
1365 unsigned char output[16] )
1366{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1367#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1368 (void) ctx;
1369 (void) input;
1370 (void) output;
1371#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1372 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1373#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1374}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1375#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1376
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1377/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1378 * AES-ECB block encryption/decryption
1379 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1380int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1381 int mode,
1382 const unsigned char input[16],
1383 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1384{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1385 AES_VALIDATE_RET( ctx != NULL );
1386 AES_VALIDATE_RET( input != NULL );
1387 AES_VALIDATE_RET( output != NULL );
1388 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1389 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1390 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1391
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1392#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1393 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1394 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1395#endif
1396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1397#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1398 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1399 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1400 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1401 return( 0 );
1402
1403 // If padlock data misaligned, we just fall back to
1404 // unaccelerated mode
1405 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1406 }
1407#endif
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1408
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1409#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1410 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1411#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1413 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1414 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1415 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1416 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1417#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1418}
1419
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1420#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1421/*
1422 * AES-CBC buffer encryption/decryption
1423 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1424int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1425 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1426 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1427 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1428 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1429 unsigned char *output )
1430{
1431 int i;
1432 unsigned char temp[16];
1433
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1434 AES_VALIDATE_RET( ctx != NULL );
1435 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1436 mode == MBEDTLS_AES_DECRYPT );
1437 AES_VALIDATE_RET( iv != NULL );
1438 AES_VALIDATE_RET( input != NULL );
1439 AES_VALIDATE_RET( output != NULL );
1440
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1441 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1442 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1443
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1444#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1445 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1446 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1447 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1448 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1449
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1450 // If padlock data misaligned, we just fall back to
1451 // unaccelerated mode
1452 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1453 }
1454#endif
1455
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1456 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1457 {
1458 while( length > 0 )
1459 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1460 mbedtls_platform_memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1461 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1462
1463 for( i = 0; i < 16; i++ )
1464 output[i] = (unsigned char)( output[i] ^ iv[i] );
1465
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1466 mbedtls_platform_memcpy( iv, temp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1467
1468 input += 16;
1469 output += 16;
1470 length -= 16;
1471 }
1472 }
1473 else
1474 {
1475 while( length > 0 )
1476 {
1477 for( i = 0; i < 16; i++ )
1478 output[i] = (unsigned char)( input[i] ^ iv[i] );
1479
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1480 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1481 mbedtls_platform_memcpy( iv, output, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1482
1483 input += 16;
1484 output += 16;
1485 length -= 16;
1486 }
1487 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1488
1489 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1490}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1492
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1493#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1494
1495/* Endianess with 64 bits values */
1496#ifndef GET_UINT64_LE
1497#define GET_UINT64_LE(n,b,i) \
1498{ \
1499 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1500 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1501 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1502 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1503 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1504 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1505 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1506 | ( (uint64_t) (b)[(i) ] ); \
1507}
1508#endif
1509
1510#ifndef PUT_UINT64_LE
1511#define PUT_UINT64_LE(n,b,i) \
1512{ \
1513 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1514 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1515 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1516 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1517 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1518 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1519 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1520 (b)[(i) ] = (unsigned char) ( (n) ); \
1521}
1522#endif
1523
1524typedef unsigned char mbedtls_be128[16];
1525
1526/*
1527 * GF(2^128) multiplication function
1528 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1529 * This function multiplies a field element by x in the polynomial field
1530 * representation. It uses 64-bit word operations to gain speed but compensates
1531 * for machine endianess and hence works correctly on both big and little
1532 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1533 */
1534static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1535 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1536{
1537 uint64_t a, b, ra, rb;
1538
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1539 GET_UINT64_LE( a, x, 0 );
1540 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1541
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1542 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1543 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1544
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1545 PUT_UINT64_LE( ra, r, 0 );
1546 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1547}
1548
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1549/*
1550 * AES-XTS buffer encryption/decryption
1551 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1552int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1553 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1554 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1555 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1556 const unsigned char *input,
1557 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1558{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1559 int ret;
1560 size_t blocks = length / 16;
1561 size_t leftover = length % 16;
1562 unsigned char tweak[16];
1563 unsigned char prev_tweak[16];
1564 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1565
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1566 AES_VALIDATE_RET( ctx != NULL );
1567 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1568 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1569 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1570 AES_VALIDATE_RET( input != NULL );
1571 AES_VALIDATE_RET( output != NULL );
1572
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1573 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1574 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1575 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1576
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1577 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1578 if( length > ( 1 << 20 ) * 16 )
1579 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1580
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1581 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1582 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1583 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1584 if( ret != 0 )
1585 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1586
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1587 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1588 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1589 size_t i;
1590
1591 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1592 {
1593 /* We are on the last block in a decrypt operation that has
1594 * leftover bytes, so we need to use the next tweak for this block,
1595 * and this tweak for the lefover bytes. Save the current tweak for
1596 * the leftovers and then update the current tweak for use on this,
1597 * the last full block. */
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1598 mbedtls_platform_memcpy( prev_tweak, tweak, sizeof( tweak ) );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1599 mbedtls_gf128mul_x_ble( tweak, tweak );
1600 }
1601
1602 for( i = 0; i < 16; i++ )
1603 tmp[i] = input[i] ^ tweak[i];
1604
1605 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1606 if( ret != 0 )
1607 return( ret );
1608
1609 for( i = 0; i < 16; i++ )
1610 output[i] = tmp[i] ^ tweak[i];
1611
1612 /* Update the tweak for the next block. */
1613 mbedtls_gf128mul_x_ble( tweak, tweak );
1614
1615 output += 16;
1616 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1617 }
1618
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1619 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1620 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1621 /* If we are on the leftover bytes in a decrypt operation, we need to
1622 * use the previous tweak for these bytes (as saved in prev_tweak). */
1623 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1624
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1625 /* We are now on the final part of the data unit, which doesn't divide
1626 * evenly by 16. It's time for ciphertext stealing. */
1627 size_t i;
1628 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1629
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1630 /* Copy ciphertext bytes from the previous block to our output for each
1631 * byte of cyphertext we won't steal. At the same time, copy the
1632 * remainder of the input for this final round (since the loop bounds
1633 * are the same). */
1634 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1635 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1636 output[i] = prev_output[i];
1637 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1638 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1639
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1640 /* Copy ciphertext bytes from the previous block for input in this
1641 * round. */
1642 for( ; i < 16; i++ )
1643 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1644
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1645 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1646 if( ret != 0 )
1647 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1648
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1649 /* Write the result back to the previous block, overriding the previous
1650 * output we copied. */
1651 for( i = 0; i < 16; i++ )
1652 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1653 }
1654
1655 return( 0 );
1656}
1657#endif /* MBEDTLS_CIPHER_MODE_XTS */
1658
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1659#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1660/*
1661 * AES-CFB128 buffer encryption/decryption
1662 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1663int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1664 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1665 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1666 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1667 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1668 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1669 unsigned char *output )
1670{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1671 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1672 size_t n;
1673
1674 AES_VALIDATE_RET( ctx != NULL );
1675 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1676 mode == MBEDTLS_AES_DECRYPT );
1677 AES_VALIDATE_RET( iv_off != NULL );
1678 AES_VALIDATE_RET( iv != NULL );
1679 AES_VALIDATE_RET( input != NULL );
1680 AES_VALIDATE_RET( output != NULL );
1681
1682 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1683
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1684 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1685 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1686
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1687 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1688 {
1689 while( length-- )
1690 {
1691 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1692 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1693
1694 c = *input++;
1695 *output++ = (unsigned char)( c ^ iv[n] );
1696 iv[n] = (unsigned char) c;
1697
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1698 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1699 }
1700 }
1701 else
1702 {
1703 while( length-- )
1704 {
1705 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1706 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1707
1708 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1709
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1710 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1711 }
1712 }
1713
1714 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1715
1716 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1717}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1718
1719/*
1720 * AES-CFB8 buffer encryption/decryption
1721 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1722int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1723 int mode,
1724 size_t length,
1725 unsigned char iv[16],
1726 const unsigned char *input,
1727 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1728{
1729 unsigned char c;
1730 unsigned char ov[17];
1731
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1732 AES_VALIDATE_RET( ctx != NULL );
1733 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1734 mode == MBEDTLS_AES_DECRYPT );
1735 AES_VALIDATE_RET( iv != NULL );
1736 AES_VALIDATE_RET( input != NULL );
1737 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1738 while( length-- )
1739 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1740 mbedtls_platform_memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1741 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1742
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1743 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1744 ov[16] = *input;
1745
1746 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1747
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1748 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1749 ov[16] = c;
1750
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1751 mbedtls_platform_memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1752 }
1753
1754 return( 0 );
1755}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1756#endif /* MBEDTLS_CIPHER_MODE_CFB */
1757
1758#if defined(MBEDTLS_CIPHER_MODE_OFB)
1759/*
1760 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1761 */
1762int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1763 size_t length,
1764 size_t *iv_off,
1765 unsigned char iv[16],
1766 const unsigned char *input,
1767 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1768{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1769 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1770 size_t n;
1771
1772 AES_VALIDATE_RET( ctx != NULL );
1773 AES_VALIDATE_RET( iv_off != NULL );
1774 AES_VALIDATE_RET( iv != NULL );
1775 AES_VALIDATE_RET( input != NULL );
1776 AES_VALIDATE_RET( output != NULL );
1777
1778 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1779
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1780 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1781 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1782
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1783 while( length-- )
1784 {
1785 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1786 {
1787 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1788 if( ret != 0 )
1789 goto exit;
1790 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1791 *output++ = *input++ ^ iv[n];
1792
1793 n = ( n + 1 ) & 0x0F;
1794 }
1795
1796 *iv_off = n;
1797
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1798exit:
1799 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1800}
1801#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1802
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1803#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1804/*
1805 * AES-CTR buffer encryption/decryption
1806 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1807int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1808 size_t length,
1809 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1810 unsigned char nonce_counter[16],
1811 unsigned char stream_block[16],
1812 const unsigned char *input,
1813 unsigned char *output )
1814{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1815 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1816 size_t n;
1817
1818 AES_VALIDATE_RET( ctx != NULL );
1819 AES_VALIDATE_RET( nc_off != NULL );
1820 AES_VALIDATE_RET( nonce_counter != NULL );
1821 AES_VALIDATE_RET( stream_block != NULL );
1822 AES_VALIDATE_RET( input != NULL );
1823 AES_VALIDATE_RET( output != NULL );
1824
1825 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1826
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]1827 if( n > 0x0F )
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1828 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1829
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1830 while( length-- )
1831 {
1832 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1833 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1834
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1835 for( i = 16; i > 0; i-- )
1836 if( ++nonce_counter[i - 1] != 0 )
1837 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1838 }
1839 c = *input++;
1840 *output++ = (unsigned char)( c ^ stream_block[n] );
1841
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1842 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1843 }
1844
1845 *nc_off = n;
1846
1847 return( 0 );
1848}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1849#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1850
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1851#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1853#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1854/*
1855 * AES test vectors from:
1856 *
1857 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1858 */
1859static const unsigned char aes_test_ecb_dec[3][16] =
1860{
1861 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1862 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1863 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1864 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1865 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1866 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1867};
1868
1869static const unsigned char aes_test_ecb_enc[3][16] =
1870{
1871 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1872 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1873 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1874 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1875 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1876 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1877};
1878
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1879#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1880static const unsigned char aes_test_cbc_dec[3][16] =
1881{
1882 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1883 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1884 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1885 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1886 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1887 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1888};
1889
1890static const unsigned char aes_test_cbc_enc[3][16] =
1891{
1892 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1893 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1894 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1895 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1896 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1897 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1898};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1899#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1901#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1902/*
1903 * AES-CFB128 test vectors from:
1904 *
1905 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1906 */
1907static const unsigned char aes_test_cfb128_key[3][32] =
1908{
1909 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1910 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1911 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1912 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1913 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1914 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1915 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1916 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1917 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1918};
1919
1920static const unsigned char aes_test_cfb128_iv[16] =
1921{
1922 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1923 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1924};
1925
1926static const unsigned char aes_test_cfb128_pt[64] =
1927{
1928 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1929 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1930 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1931 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1932 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1933 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1934 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1935 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1936};
1937
1938static const unsigned char aes_test_cfb128_ct[3][64] =
1939{
1940 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1941 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1942 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1943 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1944 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1945 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1946 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1947 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1948 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1949 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1950 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1951 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1952 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1953 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1954 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1955 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1956 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1957 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1958 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1959 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1960 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1961 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1962 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1963 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1964};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1965#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1966
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1967#if defined(MBEDTLS_CIPHER_MODE_OFB)
1968/*
1969 * AES-OFB test vectors from:
1970 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1971 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1972 */
1973static const unsigned char aes_test_ofb_key[3][32] =
1974{
1975 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1976 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1977 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1978 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1979 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1980 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1981 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1982 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1983 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1984};
1985
1986static const unsigned char aes_test_ofb_iv[16] =
1987{
1988 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1989 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1990};
1991
1992static const unsigned char aes_test_ofb_pt[64] =
1993{
1994 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1995 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1996 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1997 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1998 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1999 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
2000 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
2001 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
2002};
2003
2004static const unsigned char aes_test_ofb_ct[3][64] =
2005{
2006 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
2007 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
2008 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
2009 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
2010 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
2011 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
2012 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
2013 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
2014 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
2015 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
2016 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
2017 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
2018 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
2019 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
2020 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
2021 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
2022 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
2023 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
2024 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
2025 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
2026 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
2027 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
2028 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
2029 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
2030};
2031#endif /* MBEDTLS_CIPHER_MODE_OFB */
2032
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2033#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2034/*
2035 * AES-CTR test vectors from:
2036 *
2037 * http://www.faqs.org/rfcs/rfc3686.html
2038 */
2039
2040static const unsigned char aes_test_ctr_key[3][16] =
2041{
2042 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
2043 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
2044 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
2045 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
2046 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
2047 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
2048};
2049
2050static const unsigned char aes_test_ctr_nonce_counter[3][16] =
2051{
2052 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
2053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
2054 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
2055 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
2056 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
2057 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
2058};
2059
2060static const unsigned char aes_test_ctr_pt[3][48] =
2061{
2062 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
2063 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
2064
2065 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2066 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
2067 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2068 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
2069
2070 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2071 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
2072 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2073 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
2074 0x20, 0x21, 0x22, 0x23 }
2075};
2076
2077static const unsigned char aes_test_ctr_ct[3][48] =
2078{
2079 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
2080 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
2081 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
2082 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
2083 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
2084 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
2085 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
2086 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
2087 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
2088 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
2089 0x25, 0xB2, 0x07, 0x2F }
2090};
2091
2092static const int aes_test_ctr_len[3] =
2093 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2094#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2095
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2096#if defined(MBEDTLS_CIPHER_MODE_XTS)
2097/*
2098 * AES-XTS test vectors from:
2099 *
2100 * IEEE P1619/D16 Annex B
2101 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
2102 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
2103 */
2104static const unsigned char aes_test_xts_key[][32] =
2105{
2106 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2108 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2109 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2110 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
2111 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
2112 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
2113 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
2114 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
2115 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
2116 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
2117 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
2118};
2119
2120static const unsigned char aes_test_xts_pt32[][32] =
2121{
2122 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2123 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2124 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2125 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2126 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2127 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2128 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2129 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
2130 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2131 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2132 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2133 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
2134};
2135
2136static const unsigned char aes_test_xts_ct32[][32] =
2137{
2138 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
2139 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
2140 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
2141 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
2142 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
2143 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
2144 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
2145 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
2146 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
2147 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
2148 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
2149 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
2150};
2151
2152static const unsigned char aes_test_xts_data_unit[][16] =
2153{
2154 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2155 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2156 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2157 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2158 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2159 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2160};
2161
2162#endif /* MBEDTLS_CIPHER_MODE_XTS */
2163
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2164/*
2165 * Checkup routine
2166 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2167int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2168{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2169 int ret = 0, i, j, u, mode;
2170 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2171 unsigned char key[32];
2172 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2173 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2174#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2175 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2176#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2177#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]2178 unsigned char prv[16];
2179#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]2180#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
2181 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2182 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2183#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2184#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2185 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2186#endif
2187#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2188 unsigned char nonce_counter[16];
2189 unsigned char stream_block[16];
2190#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2191 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2192
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2193 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2194 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2195
2196 /*
2197 * ECB mode
2198 */
2199 for( i = 0; i < 6; i++ )
2200 {
2201 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2202 keybits = 128 + u * 64;
2203 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204
2205 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2206 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
2207 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2208
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2209#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2210 if( keybits > 128 )
2211 {
2212 mbedtls_printf( "skipped\n" );
2213 continue;
2214 }
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2215#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
2216
2217#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2218 if( mode == MBEDTLS_AES_DECRYPT )
2219 {
2220 mbedtls_printf( "skipped\n" );
2221 continue;
2222 }
2223#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2224
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2225 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2226
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2227 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2228 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2229 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2230 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2231 }
2232 else
2233 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2234 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2235 aes_tests = aes_test_ecb_enc[u];
2236 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2237
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2238 /*
2239 * AES-192 is an optional feature that may be unavailable when
2240 * there is an alternative underlying implementation i.e. when
2241 * MBEDTLS_AES_ALT is defined.
2242 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2243 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2244 {
2245 mbedtls_printf( "skipped\n" );
2246 continue;
2247 }
2248 else if( ret != 0 )
2249 {
2250 goto exit;
2251 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2252
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2253 for( j = 0; j < 10000; j++ )
2254 {
2255 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
2256 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2257 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2258 }
2259
2260 if( memcmp( buf, aes_tests, 16 ) != 0 )
2261 {
2262 ret = 1;
2263 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2264 }
2265
2266 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2267 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2268 }
2269
2270 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2271 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2272
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2273#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2274 /*
2275 * CBC mode
2276 */
2277 for( i = 0; i < 6; i++ )
2278 {
2279 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2280 keybits = 128 + u * 64;
2281 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2282
2283 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2284 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
2285 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2286
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2287#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2288 if( keybits > 128 )
2289 {
2290 mbedtls_printf( "skipped\n" );
2291 continue;
2292 }
2293#endif
2294
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2295#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2296 if( mode == MBEDTLS_AES_DECRYPT )
2297 {
2298 mbedtls_printf( "skipped\n" );
2299 continue;
2300 }
2301#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2302
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2303 memset( iv , 0, 16 );
2304 memset( prv, 0, 16 );
2305 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2306
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2307 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2308 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2309 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2310 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2311 }
2312 else
2313 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2314 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2315 aes_tests = aes_test_cbc_enc[u];
2316 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2317
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2318 /*
2319 * AES-192 is an optional feature that may be unavailable when
2320 * there is an alternative underlying implementation i.e. when
2321 * MBEDTLS_AES_ALT is defined.
2322 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2323 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2324 {
2325 mbedtls_printf( "skipped\n" );
2326 continue;
2327 }
2328 else if( ret != 0 )
2329 {
2330 goto exit;
2331 }
2332
2333 for( j = 0; j < 10000; j++ )
2334 {
2335 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2336 {
2337 unsigned char tmp[16];
2338
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2339 memcpy( tmp, prv, 16 );
2340 memcpy( prv, buf, 16 );
2341 memcpy( buf, tmp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2342 }
2343
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2344 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
2345 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2346 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2347
2348 }
2349
2350 if( memcmp( buf, aes_tests, 16 ) != 0 )
2351 {
2352 ret = 1;
2353 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2354 }
2355
2356 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2357 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2358 }
2359
2360 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2361 mbedtls_printf( "\n" );
2362#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2363
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2364#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2365 /*
2366 * CFB128 mode
2367 */
2368 for( i = 0; i < 6; i++ )
2369 {
2370 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2371 keybits = 128 + u * 64;
2372 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2373
2374 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2375 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2376 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2377
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2378#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2379 if( keybits > 128 )
2380 {
2381 mbedtls_printf( "skipped\n" );
2382 continue;
2383 }
2384#endif
2385
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2386#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2387 if( mode == MBEDTLS_AES_DECRYPT )
2388 {
2389 mbedtls_printf( "skipped\n" );
2390 continue;
2391 }
2392#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2393
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2394 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2395 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2396
2397 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2398 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2399 /*
2400 * AES-192 is an optional feature that may be unavailable when
2401 * there is an alternative underlying implementation i.e. when
2402 * MBEDTLS_AES_ALT is defined.
2403 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2404 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2405 {
2406 mbedtls_printf( "skipped\n" );
2407 continue;
2408 }
2409 else if( ret != 0 )
2410 {
2411 goto exit;
2412 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2413
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2414 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2415 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2416 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2417 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2418 }
2419 else
2420 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2421 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2422 aes_tests = aes_test_cfb128_ct[u];
2423 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2424
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2425 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2426 if( ret != 0 )
2427 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2428
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2429 if( memcmp( buf, aes_tests, 64 ) != 0 )
2430 {
2431 ret = 1;
2432 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2433 }
2434
2435 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2436 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2437 }
2438
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2439 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2440 mbedtls_printf( "\n" );
2441#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2442
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2443#if defined(MBEDTLS_CIPHER_MODE_OFB)
2444 /*
2445 * OFB mode
2446 */
2447 for( i = 0; i < 6; i++ )
2448 {
2449 u = i >> 1;
2450 keybits = 128 + u * 64;
2451 mode = i & 1;
2452
2453 if( verbose != 0 )
2454 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2455 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2456
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2457#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2458 if( keybits > 128 )
2459 {
2460 mbedtls_printf( "skipped\n" );
2461 continue;
2462 }
2463#endif
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2464
2465#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2466 if( mode == MBEDTLS_AES_DECRYPT )
2467 {
2468 mbedtls_printf( "skipped\n" );
2469 continue;
2470 }
2471#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2472
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2473 memcpy( iv, aes_test_ofb_iv, 16 );
2474 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2475
2476 offset = 0;
2477 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2478 /*
2479 * AES-192 is an optional feature that may be unavailable when
2480 * there is an alternative underlying implementation i.e. when
2481 * MBEDTLS_AES_ALT is defined.
2482 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2483 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2484 {
2485 mbedtls_printf( "skipped\n" );
2486 continue;
2487 }
2488 else if( ret != 0 )
2489 {
2490 goto exit;
2491 }
2492
2493 if( mode == MBEDTLS_AES_DECRYPT )
2494 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2495 memcpy( buf, aes_test_ofb_ct[u], 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2496 aes_tests = aes_test_ofb_pt;
2497 }
2498 else
2499 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2500 memcpy( buf, aes_test_ofb_pt, 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2501 aes_tests = aes_test_ofb_ct[u];
2502 }
2503
2504 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2505 if( ret != 0 )
2506 goto exit;
2507
2508 if( memcmp( buf, aes_tests, 64 ) != 0 )
2509 {
2510 ret = 1;
2511 goto exit;
2512 }
2513
2514 if( verbose != 0 )
2515 mbedtls_printf( "passed\n" );
2516 }
2517
2518 if( verbose != 0 )
2519 mbedtls_printf( "\n" );
2520#endif /* MBEDTLS_CIPHER_MODE_OFB */
2521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2522#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2523 /*
2524 * CTR mode
2525 */
2526 for( i = 0; i < 6; i++ )
2527 {
2528 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2529 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2530
2531 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2532 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2533 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2534
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2535#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2536 if( keybits > 128 )
2537 {
2538 mbedtls_printf( "skipped\n" );
2539 continue;
2540 }
2541#endif
2542
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2543#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2544 if( mode == MBEDTLS_AES_DECRYPT )
2545 {
2546 mbedtls_printf( "skipped\n" );
2547 continue;
2548 }
2549#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2550
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2551 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2552 memcpy( key, aes_test_ctr_key[u], 16 );
2553
2554 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2555 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2556 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2557
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2558 len = aes_test_ctr_len[u];
2559
2560 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2561 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2562 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2563 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2564 }
2565 else
2566 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2567 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2568 aes_tests = aes_test_ctr_ct[u];
2569 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2570
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2571 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2572 stream_block, buf, buf );
2573 if( ret != 0 )
2574 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2575
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2576 if( memcmp( buf, aes_tests, len ) != 0 )
2577 {
2578 ret = 1;
2579 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2580 }
2581
2582 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2583 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2584 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2585
2586 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2587 mbedtls_printf( "\n" );
2588#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2589
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2590#if defined(MBEDTLS_CIPHER_MODE_XTS)
2591 {
2592 static const int num_tests =
2593 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2594 mbedtls_aes_xts_context ctx_xts;
2595
2596 /*
2597 * XTS mode
2598 */
2599 mbedtls_aes_xts_init( &ctx_xts );
2600
2601 for( i = 0; i < num_tests << 1; i++ )
2602 {
2603 const unsigned char *data_unit;
2604 u = i >> 1;
2605 mode = i & 1;
2606
2607 if( verbose != 0 )
2608 mbedtls_printf( " AES-XTS-128 (%s): ",
2609 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2610
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2611#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2612 if( mode == MBEDTLS_AES_DECRYPT )
2613 {
2614 mbedtls_printf( "skipped\n" );
2615 continue;
2616 }
2617#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2618
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2619 memset( key, 0, sizeof( key ) );
2620 memcpy( key, aes_test_xts_key[u], 32 );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2621 data_unit = aes_test_xts_data_unit[u];
2622
2623 len = sizeof( *aes_test_xts_ct32 );
2624
2625 if( mode == MBEDTLS_AES_DECRYPT )
2626 {
2627 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2628 if( ret != 0)
2629 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2630 memcpy( buf, aes_test_xts_ct32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2631 aes_tests = aes_test_xts_pt32[u];
2632 }
2633 else
2634 {
2635 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2636 if( ret != 0)
2637 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2638 memcpy( buf, aes_test_xts_pt32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2639 aes_tests = aes_test_xts_ct32[u];
2640 }
2641
2642
2643 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2644 buf, buf );
2645 if( ret != 0 )
2646 goto exit;
2647
2648 if( memcmp( buf, aes_tests, len ) != 0 )
2649 {
2650 ret = 1;
2651 goto exit;
2652 }
2653
2654 if( verbose != 0 )
2655 mbedtls_printf( "passed\n" );
2656 }
2657
2658 if( verbose != 0 )
2659 mbedtls_printf( "\n" );
2660
2661 mbedtls_aes_xts_free( &ctx_xts );
2662 }
2663#endif /* MBEDTLS_CIPHER_MODE_XTS */
2664
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2665 ret = 0;
2666
2667exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2668 if( ret != 0 && verbose != 0 )
2669 mbedtls_printf( "failed\n" );
2670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2671 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2672
2673 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2674}
2675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2676#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2678#endif /* MBEDTLS_AES_C */