TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 28ecfb002f7fa820009e3d55ff034e779cc3f173 / . / library / aes.c
blob: c96f29e313843063cafec1c039e21e3f640477f6 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]88/*
89 * Data structure for AES round data
90 */
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]91typedef struct {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]92 uint32_t *rk_ptr; /* Round Key */
Arto Kinnunen34139ba2019-12-03 15:43:27 +0200[diff] [blame]93 uint32_t xy_values[8]; /* X0, X1, X2, X3, Y0, Y1, Y2, Y3 */
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]94} aes_r_data_t;
95
96#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
97/* Number of additional AES calculation rounds added for SCA CM */
98#define AES_SCA_CM_ROUNDS 3
99#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
100#define AES_SCA_CM_ROUNDS 0
101#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]103#if defined(MBEDTLS_PADLOCK_C) && \
104 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]105static int aes_padlock_ace = -1;
106#endif
107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]108#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109/*
110 * Forward S-box
111 */
112static const unsigned char FSb[256] =
113{
114 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
115 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
116 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
117 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
118 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
119 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
120 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
121 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
122 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
123 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
124 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
125 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
126 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
127 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
128 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
129 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
130 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
131 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
132 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
133 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
134 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
135 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
136 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
137 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
138 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
139 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
140 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
141 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
142 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
143 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
144 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
145 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
146};
147
148/*
149 * Forward tables
150 */
151#define FT \
152\
153 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
154 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
155 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
156 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
157 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
158 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
159 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
160 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
161 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
162 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
163 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
164 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
165 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
166 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
167 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
168 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
169 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
170 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
171 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
172 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
173 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
174 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
175 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
176 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
177 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
178 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
179 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
180 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
181 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
182 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
183 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
184 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
185 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
186 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
187 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
188 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
189 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
190 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
191 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
192 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
193 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
194 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
195 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
196 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
197 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
198 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
199 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
200 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
201 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
202 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
203 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
204 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
205 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
206 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
207 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
208 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
209 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
210 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
211 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
212 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
213 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
214 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
215 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
216 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
217
218#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef V
221
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]222#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]225static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226#undef V
227
228#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
232#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]233static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#undef V
235
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]236#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]237
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238#undef FT
239
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]240#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]241/*
242 * Reverse S-box
243 */
244static const unsigned char RSb[256] =
245{
246 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
247 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
248 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
249 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
250 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
251 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
252 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
253 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
254 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
255 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
256 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
257 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
258 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
259 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
260 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
261 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
262 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
263 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
264 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
265 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
266 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
267 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
268 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
269 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
270 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
271 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
272 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
273 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
274 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
275 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
276 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
277 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
278};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]279#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280
281/*
282 * Reverse tables
283 */
284#define RT \
285\
286 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
287 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
288 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
289 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
290 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
291 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
292 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
293 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
294 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
295 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
296 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
297 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
298 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
299 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
300 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
301 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
302 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
303 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
304 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
305 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
306 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
307 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
308 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
309 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
310 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
311 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
312 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
313 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
314 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
315 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
316 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
317 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
318 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
319 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
320 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
321 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
322 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
323 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
324 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
325 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
326 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
327 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
328 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
329 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
330 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
331 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
332 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
333 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
334 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
335 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
336 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
337 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
338 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
339 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
340 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
341 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
342 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
343 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
344 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
345 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
346 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
347 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
348 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
349 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
350
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]351#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]352#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef V
355
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]356#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360#undef V
361
362#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364#undef V
365
366#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]367static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368#undef V
369
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]371#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]372
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373#undef RT
374
375/*
376 * Round constants
377 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379{
380 0x00000001, 0x00000002, 0x00000004, 0x00000008,
381 0x00000010, 0x00000020, 0x00000040, 0x00000080,
382 0x0000001B, 0x00000036
383};
384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]385#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387/*
388 * Forward S-box & tables
389 */
390static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]391static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]392#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]393static uint32_t FT1[256];
394static uint32_t FT2[256];
395static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]396#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397
398/*
399 * Reverse S-box & tables
400 */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]401#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]403static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]404#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]405static uint32_t RT1[256];
406static uint32_t RT2[256];
407static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]408#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]409#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]410
411/*
412 * Round constants
413 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]414static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415
416/*
417 * Tables generation code
418 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]419#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
420#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]421#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]422
423static int aes_init_done = 0;
424
425static void aes_gen_tables( void )
426{
427 int i, x, y, z;
428 int pow[256];
429 int log[256];
430
431 /*
432 * compute pow and log tables over GF(2^8)
433 */
434 for( i = 0, x = 1; i < 256; i++ )
435 {
436 pow[i] = x;
437 log[x] = i;
438 x = ( x ^ XTIME( x ) ) & 0xFF;
439 }
440
441 /*
442 * calculate the round constants
443 */
444 for( i = 0, x = 1; i < 10; i++ )
445 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]446 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 x = XTIME( x ) & 0xFF;
448 }
449
450 /*
451 * generate the forward and reverse S-boxes
452 */
453 FSb[0x00] = 0x63;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]454#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 RSb[0x63] = 0x00;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]456#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
458 for( i = 1; i < 256; i++ )
459 {
460 x = pow[255 - log[i]];
461
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]462 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
463 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
464 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 x ^= y ^ 0x63;
467
468 FSb[i] = (unsigned char) x;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]469#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RSb[x] = (unsigned char) i;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]471#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]494#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]495 x = RSb[i];
496
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]497 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
498 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
499 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
500 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]502#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]503 RT1[i] = ROTL8( RT0[i] );
504 RT2[i] = ROTL8( RT1[i] );
505 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]506#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]507#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 }
509}
510
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]511#undef ROTL8
512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]515/**
516 * Randomize positions when to use AES SCA countermeasures.
517 * Each byte indicates one AES round as follows:
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]518 * first ( tbl_len - 4 ) bytes are reserved for middle AES rounds:
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]519 * -4 high bit = table to use 0x10 for SCA CM data, 0 otherwise
520 * -4 low bits = offset based on order, 4 for even position, 0 otherwise
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]521 * Last 4 bytes for first(2) and final(2) round calculation
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]522 * -4 high bit = table to use, 0x10 for SCA CM data, otherwise real data
523 * -4 low bits = not used
524 *
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]525 * Return Number of additional AES rounds
526 *
527 * Example of the control bytes:
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]528 * Control data when only real data (R) is used:
529 * | R | R | R | R | R | R | R | R | Start | Final |
530 * |0x04|0x00|0x00|0x04|0x00|0x04|0x00|0x04|0x00|0x00|0x00|0x00|
531 *
532 * Control data with 5 (F) dummy rounds and randomized start and final round:
533 * | R | F | R | F | F | R | R | R | R | R | R | START RF| FINAL FR|
534 * |0x04|0x10|0x04|0x10|0x10|0x00|0x04|0x00|0x04|0x00|0x04|0x00|0x10|0x10|0x00|
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]535 */
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]536static int aes_sca_cm_data_randomize( uint8_t *tbl, uint8_t tbl_len )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]537{
538 int i, is_even_pos;
539#if AES_SCA_CM_ROUNDS != 0
540 int is_unique_number;
541 int num;
542#endif
543
Jarno Lamsa8f8c0bd2020-01-08 15:07:41 +0200[diff] [blame]544 mbedtls_platform_memset( tbl, 0, tbl_len );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]545
546#if AES_SCA_CM_ROUNDS != 0
547 // Randomize SCA CM positions to tbl
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]548 for( i = 0; i < AES_SCA_CM_ROUNDS; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]549 {
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]550 is_unique_number = 0;
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]551 do
552 {
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]553 is_unique_number++;
554 num = mbedtls_platform_random_in_range( tbl_len - 4 );
555
556 if( is_unique_number > 10 )
557 {
558 // prevent forever loop if random returns constant
559 is_unique_number = 0;
560 tbl[i] = 0x10; // fake data
561 }
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]562
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]563 if( tbl[num] == 0 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]564 {
565 is_unique_number = 0;
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]566 tbl[num] = 0x10; // fake data
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]567 }
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]568 } while( is_unique_number != 0 );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]569 }
570
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]571 // randomize control data for start and final round
572 for( i = 1; i <= 2; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]573 {
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]574 num = mbedtls_platform_random_in_range( 0xff );
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]575 if( ( num % 2 ) == 0 )
576 {
577 tbl[tbl_len - ( i * 2 - 0 )] = 0x10; // fake data
578 tbl[tbl_len - ( i * 2 - 1 )] = 0x00; // real data
579 }
580 else
581 {
582 tbl[tbl_len - ( i * 2 - 0 )] = 0x00; // real data
583 tbl[tbl_len - ( i * 2 - 1 )] = 0x10; // fake data
584 }
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]585 }
586#endif /* AES_SCA_CM_ROUNDS != 0 */
587
588 // Fill real AES round data to the remaining places
589 is_even_pos = 1;
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]590 for( i = 0; i < tbl_len - 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]591 {
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]592 if( tbl[i] == 0 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]593 {
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]594 if( is_even_pos == 1 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]595 {
Arto Kinnunen34139ba2019-12-03 15:43:27 +0200[diff] [blame]596 tbl[i] = 0x04; // real data, offset 4
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]597 is_even_pos = 0;
598 }
599 else
600 {
601 tbl[i] = 0x00; // real data, offset 0
602 is_even_pos = 1;
603 }
604 }
605 }
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]606
607 return( AES_SCA_CM_ROUNDS );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]608}
609
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]610#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]611
612#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
613#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
614#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
615
616#define AES_RT0(idx) RT0[idx]
617#define AES_RT1(idx) ROTL8( RT0[idx] )
618#define AES_RT2(idx) ROTL16( RT0[idx] )
619#define AES_RT3(idx) ROTL24( RT0[idx] )
620
621#define AES_FT0(idx) FT0[idx]
622#define AES_FT1(idx) ROTL8( FT0[idx] )
623#define AES_FT2(idx) ROTL16( FT0[idx] )
624#define AES_FT3(idx) ROTL24( FT0[idx] )
625
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]626#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]627
628#define AES_RT0(idx) RT0[idx]
629#define AES_RT1(idx) RT1[idx]
630#define AES_RT2(idx) RT2[idx]
631#define AES_RT3(idx) RT3[idx]
632
633#define AES_FT0(idx) FT0[idx]
634#define AES_FT1(idx) FT1[idx]
635#define AES_FT2(idx) FT2[idx]
636#define AES_FT3(idx) FT3[idx]
637
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]638#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]639
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]640void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]641{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]642 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]643
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]644 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]645}
646
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]647void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]648{
649 if( ctx == NULL )
650 return;
651
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]652 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]653}
654
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]655#if defined(MBEDTLS_CIPHER_MODE_XTS)
656void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
657{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]658 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]659
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]660 mbedtls_aes_init( &ctx->crypt );
661 mbedtls_aes_init( &ctx->tweak );
662}
663
664void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
665{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]666 if( ctx == NULL )
667 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]668
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]669 mbedtls_aes_free( &ctx->crypt );
670 mbedtls_aes_free( &ctx->tweak );
671}
672#endif /* MBEDTLS_CIPHER_MODE_XTS */
673
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674/*
675 * AES key schedule (encryption)
676 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]677#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]678int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]679 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680{
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]681 unsigned int j = 0;
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]682 unsigned int flow_ctrl = 0;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]683 volatile unsigned int i = 0;
684 volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]685 uint32_t *RK;
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]686 uint32_t offset = 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]688 AES_VALIDATE_RET( ctx != NULL );
689 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]691 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692 {
693 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]694#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695 case 192: ctx->nr = 12; break;
696 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]697#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]698 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699 }
700
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]701#if !defined(MBEDTLS_AES_ROM_TABLES)
702 if( aes_init_done == 0 )
703 {
704 aes_gen_tables();
705 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]706 }
707#endif
708
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]709#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]710 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]711 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]712
713 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]714 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]715 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]717 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]718
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]719#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]720 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]721 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]722#endif
723
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]724 mbedtls_platform_memset( RK, 0, ( keybits >> 5 ) * 4 );
725 offset = mbedtls_platform_random_in_range( keybits >> 5 );
726
727 for( j = offset; j < ( keybits >> 5 ); j++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728 {
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]729 GET_UINT32_LE( RK[j], key, j << 2 );
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]730 flow_ctrl++;
731 }
732
733 for( j = 0; j < offset; j++ )
734 {
735 GET_UINT32_LE( RK[j], key, j << 2 );
736 flow_ctrl++;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]737 }
738
739 switch( ctx->nr )
740 {
741 case 10:
742
743 for( i = 0; i < 10; i++, RK += 4 )
744 {
745 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]746 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
747 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
748 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
749 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750
751 RK[5] = RK[1] ^ RK[4];
752 RK[6] = RK[2] ^ RK[5];
753 RK[7] = RK[3] ^ RK[6];
754 }
755 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]756#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]757 case 12:
758
759 for( i = 0; i < 8; i++, RK += 6 )
760 {
761 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]762 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
763 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
764 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
765 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]766
767 RK[7] = RK[1] ^ RK[6];
768 RK[8] = RK[2] ^ RK[7];
769 RK[9] = RK[3] ^ RK[8];
770 RK[10] = RK[4] ^ RK[9];
771 RK[11] = RK[5] ^ RK[10];
772 }
773 break;
774
775 case 14:
776
777 for( i = 0; i < 7; i++, RK += 8 )
778 {
779 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]780 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
781 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
782 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
783 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]784
785 RK[9] = RK[1] ^ RK[8];
786 RK[10] = RK[2] ^ RK[9];
787 RK[11] = RK[3] ^ RK[10];
788
789 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]790 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
791 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
792 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
793 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]794
795 RK[13] = RK[5] ^ RK[12];
796 RK[14] = RK[6] ^ RK[13];
797 RK[15] = RK[7] ^ RK[14];
798 }
799 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]800#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]801 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]802
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]803 ret = 0;
804
805 /* Validate execution path */
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]806 if( ( flow_ctrl == keybits >> 5 ) && ( ( ctx->nr == 10 && i == 10 )
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]807#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
808 || ( ctx->nr == 12 && i == 8 )
809 || ( ctx->nr == 14 && i == 7 )
810#endif
811 ) )
812 {
813 return ret;
814 }
815
816 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]817}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]818#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]819
820/*
821 * AES key schedule (decryption)
822 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]823#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]824int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]825 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]826{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]827#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
828 (void) ctx;
829 (void) key;
830 (void) keybits;
831
832 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
833#else /* */
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]834 volatile unsigned int i = 0, j = 0;
835 volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]836 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]837 uint32_t *RK;
838 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]839
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]840 AES_VALIDATE_RET( ctx != NULL );
841 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]842
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]843 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]844
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]845#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]846 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]847 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]848
849 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]850 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]851 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]852#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]853 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]854
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]855 /* Also checks keybits */
856 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]857 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]858
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]859 ctx->nr = cty.nr;
860
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]861#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]862 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]863 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]864 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]865 (const unsigned char *) cty.rk, ctx->nr );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]866 i = 0;
867 j = 4;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]868 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]869 }
870#endif
871
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]872 SK = cty.rk + cty.nr * 4;
873
874 *RK++ = *SK++;
875 *RK++ = *SK++;
876 *RK++ = *SK++;
877 *RK++ = *SK++;
878
879 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
880 {
881 for( j = 0; j < 4; j++, SK++ )
882 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]883 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
884 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
885 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
886 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]887 }
888 }
889
890 *RK++ = *SK++;
891 *RK++ = *SK++;
892 *RK++ = *SK++;
893 *RK++ = *SK++;
894
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]895exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]896 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]897
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]898 if( ret != 0 )
899 {
900 return( ret );
901 }
902 else if( ( i == 0 ) && ( j == 4 ) )
903 {
904 return( ret );
905 }
906 else
907 {
908 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
909 }
910
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]911#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]912}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]913
914#if defined(MBEDTLS_CIPHER_MODE_XTS)
915static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
916 unsigned int keybits,
917 const unsigned char **key1,
918 unsigned int *key1bits,
919 const unsigned char **key2,
920 unsigned int *key2bits )
921{
922 const unsigned int half_keybits = keybits / 2;
923 const unsigned int half_keybytes = half_keybits / 8;
924
925 switch( keybits )
926 {
927 case 256: break;
928 case 512: break;
929 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
930 }
931
932 *key1bits = half_keybits;
933 *key2bits = half_keybits;
934 *key1 = &key[0];
935 *key2 = &key[half_keybytes];
936
937 return 0;
938}
939
940int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
941 const unsigned char *key,
942 unsigned int keybits)
943{
944 int ret;
945 const unsigned char *key1, *key2;
946 unsigned int key1bits, key2bits;
947
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]948 AES_VALIDATE_RET( ctx != NULL );
949 AES_VALIDATE_RET( key != NULL );
950
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]951 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
952 &key2, &key2bits );
953 if( ret != 0 )
954 return( ret );
955
956 /* Set the tweak key. Always set tweak key for the encryption mode. */
957 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
958 if( ret != 0 )
959 return( ret );
960
961 /* Set crypt key for encryption. */
962 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
963}
964
965int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
966 const unsigned char *key,
967 unsigned int keybits)
968{
969 int ret;
970 const unsigned char *key1, *key2;
971 unsigned int key1bits, key2bits;
972
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]973 AES_VALIDATE_RET( ctx != NULL );
974 AES_VALIDATE_RET( key != NULL );
975
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]976 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
977 &key2, &key2bits );
978 if( ret != 0 )
979 return( ret );
980
981 /* Set the tweak key. Always set tweak key for encryption. */
982 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
983 if( ret != 0 )
984 return( ret );
985
986 /* Set crypt key for decryption. */
987 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
988}
989#endif /* MBEDTLS_CIPHER_MODE_XTS */
990
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]991#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]993/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]994 * AES-ECB block encryption
995 */
996#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]997
998static uint32_t *aes_fround( uint32_t *R,
999 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1000 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1001{
1002 *X0 = *R++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^
1003 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^
1004 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^
1005 AES_FT3( ( Y3 >> 24 ) & 0xFF );
1006
1007 *X1 = *R++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^
1008 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^
1009 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^
1010 AES_FT3( ( Y0 >> 24 ) & 0xFF );
1011
1012 *X2 = *R++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^
1013 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^
1014 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^
1015 AES_FT3( ( Y1 >> 24 ) & 0xFF );
1016
1017 *X3 = *R++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^
1018 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^
1019 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^
1020 AES_FT3( ( Y2 >> 24 ) & 0xFF );
1021
1022 return R;
1023}
1024
1025static void aes_fround_final( uint32_t *R,
1026 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1027 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1028{
1029 *X0 = *R++ ^ ( (uint32_t) FSb[ ( (Y0) ) & 0xFF ] ) ^
1030 ( (uint32_t) FSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
1031 ( (uint32_t) FSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
1032 ( (uint32_t) FSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
1033
1034 *X1 = *R++ ^ ( (uint32_t) FSb[ ( (Y1) ) & 0xFF ] ) ^
1035 ( (uint32_t) FSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
1036 ( (uint32_t) FSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
1037 ( (uint32_t) FSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
1038
1039 *X2 = *R++ ^ ( (uint32_t) FSb[ ( (Y2) ) & 0xFF ] ) ^
1040 ( (uint32_t) FSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
1041 ( (uint32_t) FSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
1042 ( (uint32_t) FSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
1043
1044 *X3 = *R++ ^ ( (uint32_t) FSb[ ( (Y3) ) & 0xFF ] ) ^
1045 ( (uint32_t) FSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
1046 ( (uint32_t) FSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
1047 ( (uint32_t) FSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
1048}
1049
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1050int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
1051 const unsigned char input[16],
1052 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1053{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1054 int i, j, offset, start_fin_loops = 1;
1055 aes_r_data_t aes_data_real; // real data
1056#if AES_SCA_CM_ROUNDS != 0
1057 aes_r_data_t aes_data_fake; // fake data
1058#endif /* AES_SCA_CM_ROUNDS != 0 */
1059 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
1060 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1061 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2 + 2;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1062 volatile int flow_control;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1063 // control bytes for AES rounds, reserve based on max ctx->nr
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1064 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 + 2];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1065
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1066 aes_data_real.rk_ptr = ctx->rk;
1067 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1068
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1069#if AES_SCA_CM_ROUNDS != 0
1070 aes_data_table[1] = &aes_data_fake;
1071 aes_data_fake.rk_ptr = ctx->rk;
1072 start_fin_loops = 2;
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1073 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1074 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1075#endif
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1076
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1077 // Get randomized AES calculation control bytes
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1078 flow_control = aes_sca_cm_data_randomize( round_ctrl_table,
1079 round_ctrl_table_len );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1080
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]1081 mbedtls_platform_memset( aes_data_real.xy_values, 0, 16 );
1082 offset = mbedtls_platform_random_in_range( 4 );
1083
1084 for( i = offset; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1085 {
1086 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]1087 }
1088
1089 for( i = 0; i < offset; i++ )
1090 {
1091 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
1092 }
1093
1094 for( i = 0; i < 4; i++ )
1095 {
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1096 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1097 {
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1098 aes_data_ptr =
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1099 aes_data_table[round_ctrl_table[ round_ctrl_table_len - 2 + j ] >> 4];
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1100 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1101 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1102 }
1103 }
1104
1105 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
1106 {
1107 // Read AES control data
1108 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1109 offset = round_ctrl_table[i] & 0x0f;
1110
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1111 aes_data_ptr->rk_ptr = aes_fround( aes_data_ptr->rk_ptr,
1112 &aes_data_ptr->xy_values[0 + offset],
1113 &aes_data_ptr->xy_values[1 + offset],
1114 &aes_data_ptr->xy_values[2 + offset],
1115 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1116 aes_data_ptr->xy_values[4 - offset],
1117 aes_data_ptr->xy_values[5 - offset],
1118 aes_data_ptr->xy_values[6 - offset],
1119 aes_data_ptr->xy_values[7 - offset] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1120 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1121 }
1122
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1123 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1124 {
1125 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1126 aes_fround_final( aes_data_ptr->rk_ptr,
1127 &aes_data_ptr->xy_values[0],
1128 &aes_data_ptr->xy_values[1],
1129 &aes_data_ptr->xy_values[2],
1130 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1131 aes_data_ptr->xy_values[4],
1132 aes_data_ptr->xy_values[5],
1133 aes_data_ptr->xy_values[6],
1134 aes_data_ptr->xy_values[7] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1135 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1136 }
1137
Jarno Lamsa282db8e2020-01-08 14:53:17 +0200[diff] [blame]1138 mbedtls_platform_memset( output, 0, 16 );
1139 offset = mbedtls_platform_random_in_range( 4 );
1140
1141 for( i = offset; i < 4; i++ )
1142 {
1143 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
1144 flow_control++;
1145 }
1146
1147 for( i = 0; i < offset; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1148 {
1149 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1150 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1151 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1152
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1153 if( flow_control == ( AES_SCA_CM_ROUNDS + ( 4 * start_fin_loops ) +
1154 ctx->nr - 1 + AES_SCA_CM_ROUNDS + start_fin_loops + 4 ) )
1155 {
1156 /* Validate control path due possible fault injection */
1157 return 0;
1158 }
1159
1160 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1161}
1162#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
1163
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1164#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1165void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
1166 const unsigned char input[16],
1167 unsigned char output[16] )
1168{
1169 mbedtls_internal_aes_encrypt( ctx, input, output );
1170}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1171#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1172
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1173/*
1174 * AES-ECB block decryption
1175 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1176
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1177#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1178#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1179
1180static uint32_t *aes_rround( uint32_t *R,
1181 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1182 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1183{
1184 *X0 = *R++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^
1185 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^
1186 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^
1187 AES_RT3( ( Y1 >> 24 ) & 0xFF );
1188
1189 *X1 = *R++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^
1190 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^
1191 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^
1192 AES_RT3( ( Y2 >> 24 ) & 0xFF );
1193
1194 *X2 = *R++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^
1195 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^
1196 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^
1197 AES_RT3( ( Y3 >> 24 ) & 0xFF );
1198
1199 *X3 = *R++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^
1200 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^
1201 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^
1202 AES_RT3( ( Y0 >> 24 ) & 0xFF );
1203 return R;
1204}
1205
1206static void aes_rround_final( uint32_t *R,
1207 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1208 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1209{
1210 *X0 = *R++ ^ ( (uint32_t) RSb[ ( (Y0) ) & 0xFF ] ) ^
1211 ( (uint32_t) RSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
1212 ( (uint32_t) RSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
1213 ( (uint32_t) RSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
1214
1215 *X1 = *R++ ^ ( (uint32_t) RSb[ ( (Y1) ) & 0xFF ] ) ^
1216 ( (uint32_t) RSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
1217 ( (uint32_t) RSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
1218 ( (uint32_t) RSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
1219
1220 *X2 = *R++ ^ ( (uint32_t) RSb[ ( (Y2) ) & 0xFF ] ) ^
1221 ( (uint32_t) RSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
1222 ( (uint32_t) RSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
1223 ( (uint32_t) RSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
1224
1225 *X3 = *R++ ^ ( (uint32_t) RSb[ ( (Y3) ) & 0xFF ] ) ^
1226 ( (uint32_t) RSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
1227 ( (uint32_t) RSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
1228 ( (uint32_t) RSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
1229}
1230
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1231int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
1232 const unsigned char input[16],
1233 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1234{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1235 int i, j, offset, start_fin_loops = 1;
1236 aes_r_data_t aes_data_real; // real data
1237#if AES_SCA_CM_ROUNDS != 0
1238 aes_r_data_t aes_data_fake; // fake data
1239#endif /* AES_SCA_CM_ROUNDS != 0 */
1240 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
1241 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1242 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2 + 2;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1243 // control bytes for AES rounds, reserve based on max ctx->nr
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1244 volatile int flow_control;
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1245 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 + 2 ];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1246
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1247 aes_data_real.rk_ptr = ctx->rk;
1248 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1249
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1250#if AES_SCA_CM_ROUNDS != 0
1251 aes_data_table[1] = &aes_data_fake;
1252 aes_data_fake.rk_ptr = ctx->rk;
1253 start_fin_loops = 2;
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1254 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1255 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
1256#endif
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1257
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1258 // Get randomized AES calculation control bytes
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1259 flow_control = aes_sca_cm_data_randomize( round_ctrl_table,
1260 round_ctrl_table_len );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1261
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1262 for( i = 0; i < 4; i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1263 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1264 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1265 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1266 {
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1267 aes_data_ptr =
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1268 aes_data_table[round_ctrl_table[ round_ctrl_table_len - 4 + j ] >> 4];
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1269 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1270 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1271 }
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1272 }
1273
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1274 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1275 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1276 // Read AES control data
1277 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1278 offset = round_ctrl_table[i] & 0x0f;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1279
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1280 aes_data_ptr->rk_ptr = aes_rround( aes_data_ptr->rk_ptr,
1281 &aes_data_ptr->xy_values[0 + offset],
1282 &aes_data_ptr->xy_values[1 + offset],
1283 &aes_data_ptr->xy_values[2 + offset],
1284 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1285 aes_data_ptr->xy_values[4 - offset],
1286 aes_data_ptr->xy_values[5 - offset],
1287 aes_data_ptr->xy_values[6 - offset],
1288 aes_data_ptr->xy_values[7 - offset] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1289 flow_control++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1290 }
1291
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1292 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1293 {
1294 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1295 aes_rround_final( aes_data_ptr->rk_ptr,
1296 &aes_data_ptr->xy_values[0],
1297 &aes_data_ptr->xy_values[1],
1298 &aes_data_ptr->xy_values[2],
1299 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1300 aes_data_ptr->xy_values[4],
1301 aes_data_ptr->xy_values[5],
1302 aes_data_ptr->xy_values[6],
1303 aes_data_ptr->xy_values[7] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1304 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1305 }
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1306
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1307 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1308 {
1309 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1310 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1311 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1312
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1313 if( flow_control == ( AES_SCA_CM_ROUNDS + ( 4 * start_fin_loops ) +
1314 ctx->nr - 1 + AES_SCA_CM_ROUNDS + start_fin_loops + 4 ) )
1315 {
1316 /* Validate control path due possible fault injection */
1317 return 0;
1318 }
1319
1320 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1321}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1322#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1323#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1324
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1325#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1326void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1327 const unsigned char input[16],
1328 unsigned char output[16] )
1329{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1330#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1331 (void) ctx;
1332 (void) input;
1333 (void) output;
1334#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1335 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1336#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1337}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1338#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1339
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1340/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1341 * AES-ECB block encryption/decryption
1342 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1343int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1344 int mode,
1345 const unsigned char input[16],
1346 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1347{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1348 AES_VALIDATE_RET( ctx != NULL );
1349 AES_VALIDATE_RET( input != NULL );
1350 AES_VALIDATE_RET( output != NULL );
1351 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1352 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1353 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1355#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1356 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1357 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1358#endif
1359
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1360#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1361 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1362 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1363 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1364 return( 0 );
1365
1366 // If padlock data misaligned, we just fall back to
1367 // unaccelerated mode
1368 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1369 }
1370#endif
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame]1371
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1372#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1373 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1374#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1375
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1376 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1377 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1378 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1379 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1380#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1381}
1382
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1383#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1384/*
1385 * AES-CBC buffer encryption/decryption
1386 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1387int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1388 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1389 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1390 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1391 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1392 unsigned char *output )
1393{
1394 int i;
1395 unsigned char temp[16];
1396
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1397 AES_VALIDATE_RET( ctx != NULL );
1398 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1399 mode == MBEDTLS_AES_DECRYPT );
1400 AES_VALIDATE_RET( iv != NULL );
1401 AES_VALIDATE_RET( input != NULL );
1402 AES_VALIDATE_RET( output != NULL );
1403
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1404 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1405 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1406
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1407#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1408 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1409 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1410 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1411 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1412
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1413 // If padlock data misaligned, we just fall back to
1414 // unaccelerated mode
1415 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1416 }
1417#endif
1418
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1419 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1420 {
1421 while( length > 0 )
1422 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1423 mbedtls_platform_memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1424 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1425
1426 for( i = 0; i < 16; i++ )
1427 output[i] = (unsigned char)( output[i] ^ iv[i] );
1428
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1429 mbedtls_platform_memcpy( iv, temp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1430
1431 input += 16;
1432 output += 16;
1433 length -= 16;
1434 }
1435 }
1436 else
1437 {
1438 while( length > 0 )
1439 {
1440 for( i = 0; i < 16; i++ )
1441 output[i] = (unsigned char)( input[i] ^ iv[i] );
1442
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1443 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1444 mbedtls_platform_memcpy( iv, output, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1445
1446 input += 16;
1447 output += 16;
1448 length -= 16;
1449 }
1450 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1451
1452 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1453}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1454#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1455
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1456#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1457
1458/* Endianess with 64 bits values */
1459#ifndef GET_UINT64_LE
1460#define GET_UINT64_LE(n,b,i) \
1461{ \
1462 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1463 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1464 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1465 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1466 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1467 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1468 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1469 | ( (uint64_t) (b)[(i) ] ); \
1470}
1471#endif
1472
1473#ifndef PUT_UINT64_LE
1474#define PUT_UINT64_LE(n,b,i) \
1475{ \
1476 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1477 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1478 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1479 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1480 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1481 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1482 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1483 (b)[(i) ] = (unsigned char) ( (n) ); \
1484}
1485#endif
1486
1487typedef unsigned char mbedtls_be128[16];
1488
1489/*
1490 * GF(2^128) multiplication function
1491 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1492 * This function multiplies a field element by x in the polynomial field
1493 * representation. It uses 64-bit word operations to gain speed but compensates
1494 * for machine endianess and hence works correctly on both big and little
1495 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1496 */
1497static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1498 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1499{
1500 uint64_t a, b, ra, rb;
1501
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1502 GET_UINT64_LE( a, x, 0 );
1503 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1504
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1505 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1506 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1507
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1508 PUT_UINT64_LE( ra, r, 0 );
1509 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1510}
1511
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1512/*
1513 * AES-XTS buffer encryption/decryption
1514 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1515int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1516 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1517 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1518 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1519 const unsigned char *input,
1520 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1521{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1522 int ret;
1523 size_t blocks = length / 16;
1524 size_t leftover = length % 16;
1525 unsigned char tweak[16];
1526 unsigned char prev_tweak[16];
1527 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1528
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1529 AES_VALIDATE_RET( ctx != NULL );
1530 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1531 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1532 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1533 AES_VALIDATE_RET( input != NULL );
1534 AES_VALIDATE_RET( output != NULL );
1535
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1536 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1537 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1538 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1539
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1540 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1541 if( length > ( 1 << 20 ) * 16 )
1542 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1543
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1544 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1545 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1546 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1547 if( ret != 0 )
1548 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1549
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1550 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1551 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1552 size_t i;
1553
1554 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1555 {
1556 /* We are on the last block in a decrypt operation that has
1557 * leftover bytes, so we need to use the next tweak for this block,
1558 * and this tweak for the lefover bytes. Save the current tweak for
1559 * the leftovers and then update the current tweak for use on this,
1560 * the last full block. */
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1561 mbedtls_platform_memcpy( prev_tweak, tweak, sizeof( tweak ) );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1562 mbedtls_gf128mul_x_ble( tweak, tweak );
1563 }
1564
1565 for( i = 0; i < 16; i++ )
1566 tmp[i] = input[i] ^ tweak[i];
1567
1568 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1569 if( ret != 0 )
1570 return( ret );
1571
1572 for( i = 0; i < 16; i++ )
1573 output[i] = tmp[i] ^ tweak[i];
1574
1575 /* Update the tweak for the next block. */
1576 mbedtls_gf128mul_x_ble( tweak, tweak );
1577
1578 output += 16;
1579 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1580 }
1581
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1582 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1583 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1584 /* If we are on the leftover bytes in a decrypt operation, we need to
1585 * use the previous tweak for these bytes (as saved in prev_tweak). */
1586 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1587
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1588 /* We are now on the final part of the data unit, which doesn't divide
1589 * evenly by 16. It's time for ciphertext stealing. */
1590 size_t i;
1591 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1592
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1593 /* Copy ciphertext bytes from the previous block to our output for each
1594 * byte of cyphertext we won't steal. At the same time, copy the
1595 * remainder of the input for this final round (since the loop bounds
1596 * are the same). */
1597 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1598 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1599 output[i] = prev_output[i];
1600 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1601 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1602
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1603 /* Copy ciphertext bytes from the previous block for input in this
1604 * round. */
1605 for( ; i < 16; i++ )
1606 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1607
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1608 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1609 if( ret != 0 )
1610 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1611
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1612 /* Write the result back to the previous block, overriding the previous
1613 * output we copied. */
1614 for( i = 0; i < 16; i++ )
1615 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1616 }
1617
1618 return( 0 );
1619}
1620#endif /* MBEDTLS_CIPHER_MODE_XTS */
1621
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1622#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1623/*
1624 * AES-CFB128 buffer encryption/decryption
1625 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1626int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1627 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1628 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1629 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1630 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1631 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1632 unsigned char *output )
1633{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1634 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1635 size_t n;
1636
1637 AES_VALIDATE_RET( ctx != NULL );
1638 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1639 mode == MBEDTLS_AES_DECRYPT );
1640 AES_VALIDATE_RET( iv_off != NULL );
1641 AES_VALIDATE_RET( iv != NULL );
1642 AES_VALIDATE_RET( input != NULL );
1643 AES_VALIDATE_RET( output != NULL );
1644
1645 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1646
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1647 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1648 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1649
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1650 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1651 {
1652 while( length-- )
1653 {
1654 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1655 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1656
1657 c = *input++;
1658 *output++ = (unsigned char)( c ^ iv[n] );
1659 iv[n] = (unsigned char) c;
1660
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1661 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1662 }
1663 }
1664 else
1665 {
1666 while( length-- )
1667 {
1668 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1669 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1670
1671 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1672
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1673 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1674 }
1675 }
1676
1677 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1678
1679 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1680}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1681
1682/*
1683 * AES-CFB8 buffer encryption/decryption
1684 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1685int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1686 int mode,
1687 size_t length,
1688 unsigned char iv[16],
1689 const unsigned char *input,
1690 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1691{
1692 unsigned char c;
1693 unsigned char ov[17];
1694
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1695 AES_VALIDATE_RET( ctx != NULL );
1696 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1697 mode == MBEDTLS_AES_DECRYPT );
1698 AES_VALIDATE_RET( iv != NULL );
1699 AES_VALIDATE_RET( input != NULL );
1700 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1701 while( length-- )
1702 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1703 mbedtls_platform_memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1704 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1705
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1706 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1707 ov[16] = *input;
1708
1709 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1710
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1711 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1712 ov[16] = c;
1713
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1714 mbedtls_platform_memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1715 }
1716
1717 return( 0 );
1718}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1719#endif /* MBEDTLS_CIPHER_MODE_CFB */
1720
1721#if defined(MBEDTLS_CIPHER_MODE_OFB)
1722/*
1723 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1724 */
1725int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1726 size_t length,
1727 size_t *iv_off,
1728 unsigned char iv[16],
1729 const unsigned char *input,
1730 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1731{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1732 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1733 size_t n;
1734
1735 AES_VALIDATE_RET( ctx != NULL );
1736 AES_VALIDATE_RET( iv_off != NULL );
1737 AES_VALIDATE_RET( iv != NULL );
1738 AES_VALIDATE_RET( input != NULL );
1739 AES_VALIDATE_RET( output != NULL );
1740
1741 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1742
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1743 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1744 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1745
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1746 while( length-- )
1747 {
1748 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1749 {
1750 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1751 if( ret != 0 )
1752 goto exit;
1753 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1754 *output++ = *input++ ^ iv[n];
1755
1756 n = ( n + 1 ) & 0x0F;
1757 }
1758
1759 *iv_off = n;
1760
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1761exit:
1762 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1763}
1764#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1765
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1766#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1767/*
1768 * AES-CTR buffer encryption/decryption
1769 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1770int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1771 size_t length,
1772 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1773 unsigned char nonce_counter[16],
1774 unsigned char stream_block[16],
1775 const unsigned char *input,
1776 unsigned char *output )
1777{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1778 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1779 size_t n;
1780
1781 AES_VALIDATE_RET( ctx != NULL );
1782 AES_VALIDATE_RET( nc_off != NULL );
1783 AES_VALIDATE_RET( nonce_counter != NULL );
1784 AES_VALIDATE_RET( stream_block != NULL );
1785 AES_VALIDATE_RET( input != NULL );
1786 AES_VALIDATE_RET( output != NULL );
1787
1788 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1789
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]1790 if( n > 0x0F )
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1791 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1792
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1793 while( length-- )
1794 {
1795 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1796 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1797
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1798 for( i = 16; i > 0; i-- )
1799 if( ++nonce_counter[i - 1] != 0 )
1800 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1801 }
1802 c = *input++;
1803 *output++ = (unsigned char)( c ^ stream_block[n] );
1804
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1805 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1806 }
1807
1808 *nc_off = n;
1809
1810 return( 0 );
1811}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1812#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1813
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1814#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1815
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1816#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817/*
1818 * AES test vectors from:
1819 *
1820 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1821 */
1822static const unsigned char aes_test_ecb_dec[3][16] =
1823{
1824 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1825 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1826 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1827 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1828 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1829 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1830};
1831
1832static const unsigned char aes_test_ecb_enc[3][16] =
1833{
1834 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1835 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1836 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1837 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1838 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1839 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1840};
1841
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1842#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1843static const unsigned char aes_test_cbc_dec[3][16] =
1844{
1845 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1846 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1847 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1848 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1849 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1850 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1851};
1852
1853static const unsigned char aes_test_cbc_enc[3][16] =
1854{
1855 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1856 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1857 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1858 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1859 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1860 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1861};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1862#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1863
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1864#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865/*
1866 * AES-CFB128 test vectors from:
1867 *
1868 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1869 */
1870static const unsigned char aes_test_cfb128_key[3][32] =
1871{
1872 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1873 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1874 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1875 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1876 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1877 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1878 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1879 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1880 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1881};
1882
1883static const unsigned char aes_test_cfb128_iv[16] =
1884{
1885 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1886 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1887};
1888
1889static const unsigned char aes_test_cfb128_pt[64] =
1890{
1891 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1892 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1893 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1894 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1895 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1896 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1897 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1898 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1899};
1900
1901static const unsigned char aes_test_cfb128_ct[3][64] =
1902{
1903 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1904 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1905 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1906 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1907 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1908 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1909 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1910 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1911 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1912 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1913 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1914 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1915 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1916 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1917 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1918 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1919 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1920 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1921 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1922 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1923 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1924 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1925 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1926 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1927};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1928#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1929
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1930#if defined(MBEDTLS_CIPHER_MODE_OFB)
1931/*
1932 * AES-OFB test vectors from:
1933 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1934 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1935 */
1936static const unsigned char aes_test_ofb_key[3][32] =
1937{
1938 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1939 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1940 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1941 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1942 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1943 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1944 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1945 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1946 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1947};
1948
1949static const unsigned char aes_test_ofb_iv[16] =
1950{
1951 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1952 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1953};
1954
1955static const unsigned char aes_test_ofb_pt[64] =
1956{
1957 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1958 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1959 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1960 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1961 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1962 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1963 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1964 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1965};
1966
1967static const unsigned char aes_test_ofb_ct[3][64] =
1968{
1969 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1970 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1971 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1972 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1973 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1974 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1975 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1976 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1977 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1978 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1979 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1980 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1981 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1982 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1983 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1984 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1985 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1986 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1987 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1988 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1989 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1990 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1991 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1992 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1993};
1994#endif /* MBEDTLS_CIPHER_MODE_OFB */
1995
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1996#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1997/*
1998 * AES-CTR test vectors from:
1999 *
2000 * http://www.faqs.org/rfcs/rfc3686.html
2001 */
2002
2003static const unsigned char aes_test_ctr_key[3][16] =
2004{
2005 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
2006 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
2007 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
2008 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
2009 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
2010 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
2011};
2012
2013static const unsigned char aes_test_ctr_nonce_counter[3][16] =
2014{
2015 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
2016 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
2017 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
2018 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
2019 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
2020 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
2021};
2022
2023static const unsigned char aes_test_ctr_pt[3][48] =
2024{
2025 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
2026 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
2027
2028 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2029 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
2030 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2031 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
2032
2033 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2034 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
2035 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2036 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
2037 0x20, 0x21, 0x22, 0x23 }
2038};
2039
2040static const unsigned char aes_test_ctr_ct[3][48] =
2041{
2042 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
2043 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
2044 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
2045 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
2046 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
2047 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
2048 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
2049 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
2050 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
2051 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
2052 0x25, 0xB2, 0x07, 0x2F }
2053};
2054
2055static const int aes_test_ctr_len[3] =
2056 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2057#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2058
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2059#if defined(MBEDTLS_CIPHER_MODE_XTS)
2060/*
2061 * AES-XTS test vectors from:
2062 *
2063 * IEEE P1619/D16 Annex B
2064 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
2065 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
2066 */
2067static const unsigned char aes_test_xts_key[][32] =
2068{
2069 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2070 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2071 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2072 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2073 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
2074 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
2075 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
2076 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
2077 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
2078 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
2079 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
2080 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
2081};
2082
2083static const unsigned char aes_test_xts_pt32[][32] =
2084{
2085 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2086 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2087 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2088 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2089 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2090 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2091 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2092 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
2093 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2094 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2095 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2096 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
2097};
2098
2099static const unsigned char aes_test_xts_ct32[][32] =
2100{
2101 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
2102 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
2103 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
2104 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
2105 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
2106 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
2107 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
2108 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
2109 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
2110 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
2111 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
2112 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
2113};
2114
2115static const unsigned char aes_test_xts_data_unit[][16] =
2116{
2117 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2119 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2120 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2121 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2123};
2124
2125#endif /* MBEDTLS_CIPHER_MODE_XTS */
2126
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2127/*
2128 * Checkup routine
2129 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2130int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2131{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2132 int ret = 0, i, j, u, mode;
2133 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2134 unsigned char key[32];
2135 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2136 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2137#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2138 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2139#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2140#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]2141 unsigned char prv[16];
2142#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]2143#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
2144 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2145 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2146#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2147#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2148 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2149#endif
2150#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2151 unsigned char nonce_counter[16];
2152 unsigned char stream_block[16];
2153#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2154 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2155
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2156 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2157 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2158
2159 /*
2160 * ECB mode
2161 */
2162 for( i = 0; i < 6; i++ )
2163 {
2164 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2165 keybits = 128 + u * 64;
2166 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2167
2168 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2169 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
2170 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2171
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2172#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2173 if( keybits > 128 )
2174 {
2175 mbedtls_printf( "skipped\n" );
2176 continue;
2177 }
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2178#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
2179
2180#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2181 if( mode == MBEDTLS_AES_DECRYPT )
2182 {
2183 mbedtls_printf( "skipped\n" );
2184 continue;
2185 }
2186#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2187
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2188 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2189
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2190 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2191 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2192 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2193 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2194 }
2195 else
2196 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2197 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2198 aes_tests = aes_test_ecb_enc[u];
2199 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2200
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2201 /*
2202 * AES-192 is an optional feature that may be unavailable when
2203 * there is an alternative underlying implementation i.e. when
2204 * MBEDTLS_AES_ALT is defined.
2205 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2206 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2207 {
2208 mbedtls_printf( "skipped\n" );
2209 continue;
2210 }
2211 else if( ret != 0 )
2212 {
2213 goto exit;
2214 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2215
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2216 for( j = 0; j < 10000; j++ )
2217 {
2218 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
2219 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2220 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2221 }
2222
2223 if( memcmp( buf, aes_tests, 16 ) != 0 )
2224 {
2225 ret = 1;
2226 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2227 }
2228
2229 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2230 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2231 }
2232
2233 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2234 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2235
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2236#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2237 /*
2238 * CBC mode
2239 */
2240 for( i = 0; i < 6; i++ )
2241 {
2242 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2243 keybits = 128 + u * 64;
2244 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2245
2246 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2247 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
2248 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2249
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2250#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2251 if( keybits > 128 )
2252 {
2253 mbedtls_printf( "skipped\n" );
2254 continue;
2255 }
2256#endif
2257
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2258#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2259 if( mode == MBEDTLS_AES_DECRYPT )
2260 {
2261 mbedtls_printf( "skipped\n" );
2262 continue;
2263 }
2264#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2265
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2266 memset( iv , 0, 16 );
2267 memset( prv, 0, 16 );
2268 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2269
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2270 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2271 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2272 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2273 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2274 }
2275 else
2276 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2277 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2278 aes_tests = aes_test_cbc_enc[u];
2279 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2280
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2281 /*
2282 * AES-192 is an optional feature that may be unavailable when
2283 * there is an alternative underlying implementation i.e. when
2284 * MBEDTLS_AES_ALT is defined.
2285 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2286 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2287 {
2288 mbedtls_printf( "skipped\n" );
2289 continue;
2290 }
2291 else if( ret != 0 )
2292 {
2293 goto exit;
2294 }
2295
2296 for( j = 0; j < 10000; j++ )
2297 {
2298 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2299 {
2300 unsigned char tmp[16];
2301
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2302 memcpy( tmp, prv, 16 );
2303 memcpy( prv, buf, 16 );
2304 memcpy( buf, tmp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2305 }
2306
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2307 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
2308 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2309 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2310
2311 }
2312
2313 if( memcmp( buf, aes_tests, 16 ) != 0 )
2314 {
2315 ret = 1;
2316 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2317 }
2318
2319 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2320 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2321 }
2322
2323 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2324 mbedtls_printf( "\n" );
2325#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2327#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2328 /*
2329 * CFB128 mode
2330 */
2331 for( i = 0; i < 6; i++ )
2332 {
2333 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2334 keybits = 128 + u * 64;
2335 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2336
2337 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2338 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2339 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2340
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2341#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2342 if( keybits > 128 )
2343 {
2344 mbedtls_printf( "skipped\n" );
2345 continue;
2346 }
2347#endif
2348
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2349#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2350 if( mode == MBEDTLS_AES_DECRYPT )
2351 {
2352 mbedtls_printf( "skipped\n" );
2353 continue;
2354 }
2355#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2356
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2357 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2358 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2359
2360 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2361 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2362 /*
2363 * AES-192 is an optional feature that may be unavailable when
2364 * there is an alternative underlying implementation i.e. when
2365 * MBEDTLS_AES_ALT is defined.
2366 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2367 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2368 {
2369 mbedtls_printf( "skipped\n" );
2370 continue;
2371 }
2372 else if( ret != 0 )
2373 {
2374 goto exit;
2375 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2376
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2377 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2378 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2379 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2380 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2381 }
2382 else
2383 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2384 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2385 aes_tests = aes_test_cfb128_ct[u];
2386 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2387
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2388 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2389 if( ret != 0 )
2390 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2391
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2392 if( memcmp( buf, aes_tests, 64 ) != 0 )
2393 {
2394 ret = 1;
2395 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2396 }
2397
2398 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2399 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2400 }
2401
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2402 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2403 mbedtls_printf( "\n" );
2404#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2405
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2406#if defined(MBEDTLS_CIPHER_MODE_OFB)
2407 /*
2408 * OFB mode
2409 */
2410 for( i = 0; i < 6; i++ )
2411 {
2412 u = i >> 1;
2413 keybits = 128 + u * 64;
2414 mode = i & 1;
2415
2416 if( verbose != 0 )
2417 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2418 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2419
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2420#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2421 if( keybits > 128 )
2422 {
2423 mbedtls_printf( "skipped\n" );
2424 continue;
2425 }
2426#endif
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2427
2428#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2429 if( mode == MBEDTLS_AES_DECRYPT )
2430 {
2431 mbedtls_printf( "skipped\n" );
2432 continue;
2433 }
2434#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2435
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2436 memcpy( iv, aes_test_ofb_iv, 16 );
2437 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2438
2439 offset = 0;
2440 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2441 /*
2442 * AES-192 is an optional feature that may be unavailable when
2443 * there is an alternative underlying implementation i.e. when
2444 * MBEDTLS_AES_ALT is defined.
2445 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2446 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2447 {
2448 mbedtls_printf( "skipped\n" );
2449 continue;
2450 }
2451 else if( ret != 0 )
2452 {
2453 goto exit;
2454 }
2455
2456 if( mode == MBEDTLS_AES_DECRYPT )
2457 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2458 memcpy( buf, aes_test_ofb_ct[u], 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2459 aes_tests = aes_test_ofb_pt;
2460 }
2461 else
2462 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2463 memcpy( buf, aes_test_ofb_pt, 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2464 aes_tests = aes_test_ofb_ct[u];
2465 }
2466
2467 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2468 if( ret != 0 )
2469 goto exit;
2470
2471 if( memcmp( buf, aes_tests, 64 ) != 0 )
2472 {
2473 ret = 1;
2474 goto exit;
2475 }
2476
2477 if( verbose != 0 )
2478 mbedtls_printf( "passed\n" );
2479 }
2480
2481 if( verbose != 0 )
2482 mbedtls_printf( "\n" );
2483#endif /* MBEDTLS_CIPHER_MODE_OFB */
2484
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2485#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2486 /*
2487 * CTR mode
2488 */
2489 for( i = 0; i < 6; i++ )
2490 {
2491 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2492 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2493
2494 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2495 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2496 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2497
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2498#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2499 if( keybits > 128 )
2500 {
2501 mbedtls_printf( "skipped\n" );
2502 continue;
2503 }
2504#endif
2505
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2506#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2507 if( mode == MBEDTLS_AES_DECRYPT )
2508 {
2509 mbedtls_printf( "skipped\n" );
2510 continue;
2511 }
2512#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2513
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2514 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2515 memcpy( key, aes_test_ctr_key[u], 16 );
2516
2517 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2518 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2519 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2520
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2521 len = aes_test_ctr_len[u];
2522
2523 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2524 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2525 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2526 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2527 }
2528 else
2529 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2530 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2531 aes_tests = aes_test_ctr_ct[u];
2532 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2533
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2534 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2535 stream_block, buf, buf );
2536 if( ret != 0 )
2537 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2538
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2539 if( memcmp( buf, aes_tests, len ) != 0 )
2540 {
2541 ret = 1;
2542 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2543 }
2544
2545 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2546 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2547 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2548
2549 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2550 mbedtls_printf( "\n" );
2551#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2552
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2553#if defined(MBEDTLS_CIPHER_MODE_XTS)
2554 {
2555 static const int num_tests =
2556 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2557 mbedtls_aes_xts_context ctx_xts;
2558
2559 /*
2560 * XTS mode
2561 */
2562 mbedtls_aes_xts_init( &ctx_xts );
2563
2564 for( i = 0; i < num_tests << 1; i++ )
2565 {
2566 const unsigned char *data_unit;
2567 u = i >> 1;
2568 mode = i & 1;
2569
2570 if( verbose != 0 )
2571 mbedtls_printf( " AES-XTS-128 (%s): ",
2572 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2573
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2574#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2575 if( mode == MBEDTLS_AES_DECRYPT )
2576 {
2577 mbedtls_printf( "skipped\n" );
2578 continue;
2579 }
2580#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2581
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2582 memset( key, 0, sizeof( key ) );
2583 memcpy( key, aes_test_xts_key[u], 32 );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2584 data_unit = aes_test_xts_data_unit[u];
2585
2586 len = sizeof( *aes_test_xts_ct32 );
2587
2588 if( mode == MBEDTLS_AES_DECRYPT )
2589 {
2590 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2591 if( ret != 0)
2592 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2593 memcpy( buf, aes_test_xts_ct32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2594 aes_tests = aes_test_xts_pt32[u];
2595 }
2596 else
2597 {
2598 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2599 if( ret != 0)
2600 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2601 memcpy( buf, aes_test_xts_pt32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2602 aes_tests = aes_test_xts_ct32[u];
2603 }
2604
2605
2606 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2607 buf, buf );
2608 if( ret != 0 )
2609 goto exit;
2610
2611 if( memcmp( buf, aes_tests, len ) != 0 )
2612 {
2613 ret = 1;
2614 goto exit;
2615 }
2616
2617 if( verbose != 0 )
2618 mbedtls_printf( "passed\n" );
2619 }
2620
2621 if( verbose != 0 )
2622 mbedtls_printf( "\n" );
2623
2624 mbedtls_aes_xts_free( &ctx_xts );
2625 }
2626#endif /* MBEDTLS_CIPHER_MODE_XTS */
2627
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2628 ret = 0;
2629
2630exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2631 if( ret != 0 && verbose != 0 )
2632 mbedtls_printf( "failed\n" );
2633
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2634 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2635
2636 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2637}
2638
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2639#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2640
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2641#endif /* MBEDTLS_AES_C */