TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 380162c34c7a43818968b718a151717350ae7bef / . / library / aes.c
blob: 1c69c974e956587a8f6071398ef8cbece1361861 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]39#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]41#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]42#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]44#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]45#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46
Aorimn0089d362016-01-31 12:15:51 +0100[diff] [blame]47#if defined(MBEDTLS_CIPHER_MODE_XEX)
48#include "mbedtls/gf128mul.h"
49#endif
50
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]51#if defined(MBEDTLS_SELF_TEST)
52#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]53#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]54#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]55#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#define mbedtls_printf printf
57#endif /* MBEDTLS_PLATFORM_C */
58#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]59
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]60#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]61
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]62/*
63 * 32-bit integer manipulation macros (little endian)
64 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]65#ifndef GET_UINT32_LE
66#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]67{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68 (n) = ( (uint32_t) (b)[(i) ] ) \
69 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
70 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
71 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72}
73#endif
74
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]75#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]76#define PUT_UINT32_LE(n,b,i) \
77{ \
78 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
79 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
80 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
81 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]82}
83#endif
84
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]85#if defined(MBEDTLS_PADLOCK_C) && \
86 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]87static int aes_padlock_ace = -1;
88#endif
89
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]90#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]91/*
92 * Forward S-box
93 */
94static const unsigned char FSb[256] =
95{
96 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
97 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
98 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
99 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
100 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
101 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
102 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
103 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
104 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
105 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
106 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
107 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
108 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
109 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
110 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
111 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
112 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
113 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
114 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
115 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
116 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
117 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
118 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
119 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
120 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
121 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
122 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
123 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
124 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
125 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
126 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
127 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
128};
129
130/*
131 * Forward tables
132 */
133#define FT \
134\
135 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
136 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
137 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
138 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
139 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
140 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
141 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
142 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
143 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
144 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
145 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
146 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
147 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
148 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
149 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
150 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
151 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
152 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
153 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
154 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
155 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
156 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
157 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
158 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
159 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
160 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
161 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
162 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
163 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
164 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
165 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
166 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
167 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
168 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
169 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
170 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
171 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
172 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
173 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
174 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
175 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
176 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
177 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
178 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
179 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
180 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
181 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
182 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
183 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
184 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
185 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
186 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
187 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
188 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
189 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
190 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
191 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
192 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
193 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
194 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
195 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
196 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
197 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
198 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
199
200#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]201static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]202#undef V
203
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]204#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]205
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]207static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208#undef V
209
210#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
214#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]215static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef V
217
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]218#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]219
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef FT
221
222/*
223 * Reverse S-box
224 */
225static const unsigned char RSb[256] =
226{
227 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
228 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
229 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
230 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
231 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
232 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
233 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
234 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
235 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
236 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
237 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
238 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
239 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
240 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
241 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
242 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
243 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
244 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
245 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
246 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
247 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
248 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
249 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
250 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
251 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
252 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
253 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
254 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
255 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
256 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
257 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
258 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
259};
260
261/*
262 * Reverse tables
263 */
264#define RT \
265\
266 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
267 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
268 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
269 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
270 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
271 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
272 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
273 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
274 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
275 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
276 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
277 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
278 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
279 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
280 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
281 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
282 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
283 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
284 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
285 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
286 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
287 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
288 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
289 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
290 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
291 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
292 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
293 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
294 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
295 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
296 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
297 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
298 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
299 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
300 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
301 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
302 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
303 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
304 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
305 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
306 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
307 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
308 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
309 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
310 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
311 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
312 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
313 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
314 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
315 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
316 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
317 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
318 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
319 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
320 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
321 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
322 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
323 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
324 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
325 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
326 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
327 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
328 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
329 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
330
331#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]332static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333#undef V
334
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]335#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]336
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
341#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
345#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]346static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef V
348
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]349#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]350
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]351#undef RT
352
353/*
354 * Round constants
355 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]356static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]357{
358 0x00000001, 0x00000002, 0x00000004, 0x00000008,
359 0x00000010, 0x00000020, 0x00000040, 0x00000080,
360 0x0000001B, 0x00000036
361};
362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]363#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364
365/*
366 * Forward S-box & tables
367 */
368static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]369static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]370#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]371static uint32_t FT1[256];
372static uint32_t FT2[256];
373static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]374#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375
376/*
377 * Reverse S-box & tables
378 */
379static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]380static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]381#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]382static uint32_t RT1[256];
383static uint32_t RT2[256];
384static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]385#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387/*
388 * Round constants
389 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]390static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]391
392/*
393 * Tables generation code
394 */
395#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
396#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
397#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
398
399static int aes_init_done = 0;
400
401static void aes_gen_tables( void )
402{
403 int i, x, y, z;
404 int pow[256];
405 int log[256];
406
407 /*
408 * compute pow and log tables over GF(2^8)
409 */
410 for( i = 0, x = 1; i < 256; i++ )
411 {
412 pow[i] = x;
413 log[x] = i;
414 x = ( x ^ XTIME( x ) ) & 0xFF;
415 }
416
417 /*
418 * calculate the round constants
419 */
420 for( i = 0, x = 1; i < 10; i++ )
421 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]422 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423 x = XTIME( x ) & 0xFF;
424 }
425
426 /*
427 * generate the forward and reverse S-boxes
428 */
429 FSb[0x00] = 0x63;
430 RSb[0x63] = 0x00;
431
432 for( i = 1; i < 256; i++ )
433 {
434 x = pow[255 - log[i]];
435
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]436 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
438 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
439 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 x ^= y ^ 0x63;
441
442 FSb[i] = (unsigned char) x;
443 RSb[x] = (unsigned char) i;
444 }
445
446 /*
447 * generate the forward and reverse tables
448 */
449 for( i = 0; i < 256; i++ )
450 {
451 x = FSb[i];
452 y = XTIME( x ) & 0xFF;
453 z = ( y ^ x ) & 0xFF;
454
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]455 FT0[i] = ( (uint32_t) y ) ^
456 ( (uint32_t) x << 8 ) ^
457 ( (uint32_t) x << 16 ) ^
458 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]460#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461 FT1[i] = ROTL8( FT0[i] );
462 FT2[i] = ROTL8( FT1[i] );
463 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]464#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465
466 x = RSb[i];
467
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]468 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
469 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
470 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
471 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]473#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 RT1[i] = ROTL8( RT0[i] );
475 RT2[i] = ROTL8( RT1[i] );
476 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]477#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478 }
479}
480
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]481#undef ROTL8
482
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]483#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]484
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]485#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]486
487#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
488#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
489#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
490
491#define AES_RT0(idx) RT0[idx]
492#define AES_RT1(idx) ROTL8( RT0[idx] )
493#define AES_RT2(idx) ROTL16( RT0[idx] )
494#define AES_RT3(idx) ROTL24( RT0[idx] )
495
496#define AES_FT0(idx) FT0[idx]
497#define AES_FT1(idx) ROTL8( FT0[idx] )
498#define AES_FT2(idx) ROTL16( FT0[idx] )
499#define AES_FT3(idx) ROTL24( FT0[idx] )
500
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]501#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]502
503#define AES_RT0(idx) RT0[idx]
504#define AES_RT1(idx) RT1[idx]
505#define AES_RT2(idx) RT2[idx]
506#define AES_RT3(idx) RT3[idx]
507
508#define AES_FT0(idx) FT0[idx]
509#define AES_FT1(idx) FT1[idx]
510#define AES_FT2(idx) FT2[idx]
511#define AES_FT3(idx) FT3[idx]
512
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]513#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]515void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]516{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]518}
519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]520void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]521{
522 if( ctx == NULL )
523 return;
524
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]525 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526}
527
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]528/*
529 * AES key schedule (encryption)
530 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]531#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]532int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]533 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]534{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]535 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]536 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]537
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]538#if !defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]539 if( aes_init_done == 0 )
540 {
541 aes_gen_tables();
542 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]543
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544 }
545#endif
546
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]547 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548 {
549 case 128: ctx->nr = 10; break;
550 case 192: ctx->nr = 12; break;
551 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]552 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553 }
554
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]555#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]556 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]557 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]558
559 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]560 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]561 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]563 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]565#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]566 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]567 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]568#endif
569
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]570 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]572 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573 }
574
575 switch( ctx->nr )
576 {
577 case 10:
578
579 for( i = 0; i < 10; i++, RK += 4 )
580 {
581 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]582 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
583 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
584 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
585 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586
587 RK[5] = RK[1] ^ RK[4];
588 RK[6] = RK[2] ^ RK[5];
589 RK[7] = RK[3] ^ RK[6];
590 }
591 break;
592
593 case 12:
594
595 for( i = 0; i < 8; i++, RK += 6 )
596 {
597 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]598 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
599 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
600 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
601 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]602
603 RK[7] = RK[1] ^ RK[6];
604 RK[8] = RK[2] ^ RK[7];
605 RK[9] = RK[3] ^ RK[8];
606 RK[10] = RK[4] ^ RK[9];
607 RK[11] = RK[5] ^ RK[10];
608 }
609 break;
610
611 case 14:
612
613 for( i = 0; i < 7; i++, RK += 8 )
614 {
615 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]616 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
617 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
618 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
619 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]620
621 RK[9] = RK[1] ^ RK[8];
622 RK[10] = RK[2] ^ RK[9];
623 RK[11] = RK[3] ^ RK[10];
624
625 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]626 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
627 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
628 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
629 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]630
631 RK[13] = RK[5] ^ RK[12];
632 RK[14] = RK[6] ^ RK[13];
633 RK[15] = RK[7] ^ RK[14];
634 }
635 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]637
638 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]639}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]640#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641
642/*
643 * AES key schedule (decryption)
644 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]645#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]646int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]647 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]649 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]650 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]651 uint32_t *RK;
652 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]654 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]657 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]658 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]659
660 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]661 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]662 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]664 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]666 /* Also checks keybits */
667 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]668 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]669
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]670 ctx->nr = cty.nr;
671
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]672#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]673 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]674 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]675 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]676 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]677 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]678 }
679#endif
680
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681 SK = cty.rk + cty.nr * 4;
682
683 *RK++ = *SK++;
684 *RK++ = *SK++;
685 *RK++ = *SK++;
686 *RK++ = *SK++;
687
688 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
689 {
690 for( j = 0; j < 4; j++, SK++ )
691 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]692 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
693 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
694 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
695 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]696 }
697 }
698
699 *RK++ = *SK++;
700 *RK++ = *SK++;
701 *RK++ = *SK++;
702 *RK++ = *SK++;
703
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]704exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]705 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]706
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]707 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]708}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]709#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]711#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
712{ \
713 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
714 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
715 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
716 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
717 \
718 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
719 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
720 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
721 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
722 \
723 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
724 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
725 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
726 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
727 \
728 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
729 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
730 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
731 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732}
733
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]734#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
735{ \
736 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
737 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
738 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
739 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
740 \
741 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
742 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
743 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
744 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
745 \
746 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
747 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
748 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
749 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
750 \
751 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
752 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
753 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
754 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]755}
756
757/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]758 * AES-ECB block encryption
759 */
760#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]761int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
762 const unsigned char input[16],
763 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]764{
765 int i;
766 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
767
768 RK = ctx->rk;
769
770 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
771 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
772 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
773 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
774
775 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
776 {
777 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
778 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
779 }
780
781 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
782
783 X0 = *RK++ ^ \
784 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
785 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
786 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
787 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
788
789 X1 = *RK++ ^ \
790 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
791 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
792 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
793 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
794
795 X2 = *RK++ ^ \
796 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
797 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
798 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
799 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
800
801 X3 = *RK++ ^ \
802 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
803 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
804 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
805 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
806
807 PUT_UINT32_LE( X0, output, 0 );
808 PUT_UINT32_LE( X1, output, 4 );
809 PUT_UINT32_LE( X2, output, 8 );
810 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]811
812 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]813}
814#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
815
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]816#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]817void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
818 const unsigned char input[16],
819 unsigned char output[16] )
820{
821 mbedtls_internal_aes_encrypt( ctx, input, output );
822}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]823#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]824
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]825/*
826 * AES-ECB block decryption
827 */
828#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]829int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
830 const unsigned char input[16],
831 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]832{
833 int i;
834 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
835
836 RK = ctx->rk;
837
838 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
839 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
840 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
841 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
842
843 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
844 {
845 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
846 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
847 }
848
849 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
850
851 X0 = *RK++ ^ \
852 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
853 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
854 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
855 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
856
857 X1 = *RK++ ^ \
858 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
859 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
860 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
861 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
862
863 X2 = *RK++ ^ \
864 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
865 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
866 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
867 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
868
869 X3 = *RK++ ^ \
870 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
871 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
872 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
873 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
874
875 PUT_UINT32_LE( X0, output, 0 );
876 PUT_UINT32_LE( X1, output, 4 );
877 PUT_UINT32_LE( X2, output, 8 );
878 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]879
880 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]881}
882#endif /* !MBEDTLS_AES_DECRYPT_ALT */
883
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]884#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]885void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
886 const unsigned char input[16],
887 unsigned char output[16] )
888{
889 mbedtls_internal_aes_decrypt( ctx, input, output );
890}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]891#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]892
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]893/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]894 * AES-ECB block encryption/decryption
895 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]896int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]897 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]898 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]899 unsigned char output[16] )
900{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]901#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]902 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]903 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]904#endif
905
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]906#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]907 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]908 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]909 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]910 return( 0 );
911
912 // If padlock data misaligned, we just fall back to
913 // unaccelerated mode
914 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]915 }
916#endif
917
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]918 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]919 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]920 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]921 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]922}
923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]924#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]925/*
926 * AES-CBC buffer encryption/decryption
927 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]928int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]929 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]930 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]931 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]932 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]933 unsigned char *output )
934{
935 int i;
936 unsigned char temp[16];
937
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]938 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]939 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]940
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]941#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]942 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]943 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]944 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]945 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]946
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]947 // If padlock data misaligned, we just fall back to
948 // unaccelerated mode
949 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]950 }
951#endif
952
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]953 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]954 {
955 while( length > 0 )
956 {
957 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]958 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]959
960 for( i = 0; i < 16; i++ )
961 output[i] = (unsigned char)( output[i] ^ iv[i] );
962
963 memcpy( iv, temp, 16 );
964
965 input += 16;
966 output += 16;
967 length -= 16;
968 }
969 }
970 else
971 {
972 while( length > 0 )
973 {
974 for( i = 0; i < 16; i++ )
975 output[i] = (unsigned char)( input[i] ^ iv[i] );
976
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]977 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]978 memcpy( iv, output, 16 );
979
980 input += 16;
981 output += 16;
982 length -= 16;
983 }
984 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]985
986 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]987}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]988#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]989
Aorimn0089d362016-01-31 12:15:51 +0100[diff] [blame]990#if defined(MBEDTLS_CIPHER_MODE_XEX)
991/*
992 * AES-XEX buffer encryption/decryption
993 */
994int mbedtls_aes_crypt_xex( mbedtls_aes_context *crypt_ctx,
995 mbedtls_aes_context *tweak_ctx,
996 int mode,
997 size_t length,
998 unsigned char iv[16],
999 const unsigned char *input,
1000 unsigned char *output )
1001{
Aorimn380162c2016-02-02 23:01:09 +0100[diff] [blame^]1002 union xex_buf128 {
1003 uint8_t u8[16];
1004 uint64_t u64[2];
1005 };
1006
1007 union xex_buf128 scratch;
1008 union xex_buf128 t_buf;
1009 union xex_buf128 *inbuf;
1010 union xex_buf128 *outbuf;
1011
1012 inbuf = (union xex_buf128*)input;
1013 outbuf = (union xex_buf128*)output;
Aorimn0089d362016-01-31 12:15:51 +0100[diff] [blame]1014
1015 if( length % 16 )
1016 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
1017
1018
Aorimn380162c2016-02-02 23:01:09 +0100[diff] [blame^]1019 mbedtls_aes_crypt_ecb( tweak_ctx, MBEDTLS_AES_ENCRYPT, iv, t_buf.u8 );
Aorimn0089d362016-01-31 12:15:51 +0100[diff] [blame]1020
1021 goto first;
1022
1023 do
1024 {
Aorimn380162c2016-02-02 23:01:09 +0100[diff] [blame^]1025 mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
Aorimn0089d362016-01-31 12:15:51 +0100[diff] [blame]1026
1027first:
1028 /* PP <- T xor P */
Aorimn380162c2016-02-02 23:01:09 +0100[diff] [blame^]1029 scratch.u64[0] = (uint64_t)( inbuf->u64[0] ^ t_buf.u64[0] );
1030 scratch.u64[1] = (uint64_t)( inbuf->u64[1] ^ t_buf.u64[1] );
Aorimn0089d362016-01-31 12:15:51 +0100[diff] [blame]1031
1032 /* CC <- E(Key2,PP) */
Aorimn380162c2016-02-02 23:01:09 +0100[diff] [blame^]1033 mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, outbuf->u8 );
Aorimn0089d362016-01-31 12:15:51 +0100[diff] [blame]1034
1035 /* C <- T xor CC */
Aorimn380162c2016-02-02 23:01:09 +0100[diff] [blame^]1036 outbuf->u64[0] = (uint64_t)( outbuf->u64[0] ^ t_buf.u64[0] );
1037 outbuf->u64[1] = (uint64_t)( outbuf->u64[1] ^ t_buf.u64[1] );
Aorimn0089d362016-01-31 12:15:51 +0100[diff] [blame]1038
Aorimn380162c2016-02-02 23:01:09 +0100[diff] [blame^]1039 inbuf += 1;
1040 outbuf += 1;
Aorimn0089d362016-01-31 12:15:51 +0100[diff] [blame]1041 length -= 16;
1042 } while( length > 0 );
1043
1044 return( 0 );
1045}
1046#endif /* MBEDTLS_CIPHER_MODE_XEX */
1047
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1048#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049/*
1050 * AES-CFB128 buffer encryption/decryption
1051 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1053 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1054 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1055 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1056 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1057 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1058 unsigned char *output )
1059{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1060 int c;
1061 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1062
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1063 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1064 {
1065 while( length-- )
1066 {
1067 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1068 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069
1070 c = *input++;
1071 *output++ = (unsigned char)( c ^ iv[n] );
1072 iv[n] = (unsigned char) c;
1073
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1074 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075 }
1076 }
1077 else
1078 {
1079 while( length-- )
1080 {
1081 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1082 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1083
1084 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1085
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1086 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1087 }
1088 }
1089
1090 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1091
1092 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1093}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1094
1095/*
1096 * AES-CFB8 buffer encryption/decryption
1097 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1098int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1099 int mode,
1100 size_t length,
1101 unsigned char iv[16],
1102 const unsigned char *input,
1103 unsigned char *output )
1104{
1105 unsigned char c;
1106 unsigned char ov[17];
1107
1108 while( length-- )
1109 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1110 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1111 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1112
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1113 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1114 ov[16] = *input;
1115
1116 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1118 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1119 ov[16] = c;
1120
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1121 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1122 }
1123
1124 return( 0 );
1125}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1126#endif /* MBEDTLS_CIPHER_MODE_CFB */
1127
1128#if defined(MBEDTLS_CIPHER_MODE_OFB)
1129/*
1130 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1131 */
1132int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1133 size_t length,
1134 size_t *iv_off,
1135 unsigned char iv[16],
1136 const unsigned char *input,
1137 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1138{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1139 int ret = 0;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1140 size_t n = *iv_off;
1141
1142 while( length-- )
1143 {
1144 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1145 {
1146 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1147 if( ret != 0 )
1148 goto exit;
1149 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1150 *output++ = *input++ ^ iv[n];
1151
1152 n = ( n + 1 ) & 0x0F;
1153 }
1154
1155 *iv_off = n;
1156
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1157exit:
1158 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1159}
1160#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1161
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1162#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1163/*
1164 * AES-CTR buffer encryption/decryption
1165 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1166int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1167 size_t length,
1168 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1169 unsigned char nonce_counter[16],
1170 unsigned char stream_block[16],
1171 const unsigned char *input,
1172 unsigned char *output )
1173{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1174 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1175 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1176
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1177 if ( n > 0x0F )
1178 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1179
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1180 while( length-- )
1181 {
1182 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1183 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1184
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1185 for( i = 16; i > 0; i-- )
1186 if( ++nonce_counter[i - 1] != 0 )
1187 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1188 }
1189 c = *input++;
1190 *output++ = (unsigned char)( c ^ stream_block[n] );
1191
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1192 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1193 }
1194
1195 *nc_off = n;
1196
1197 return( 0 );
1198}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1199#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1200
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1201#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1202
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1203#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1204/*
1205 * AES test vectors from:
1206 *
1207 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1208 */
1209static const unsigned char aes_test_ecb_dec[3][16] =
1210{
1211 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1212 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1213 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1214 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1215 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1216 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1217};
1218
1219static const unsigned char aes_test_ecb_enc[3][16] =
1220{
1221 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1222 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1223 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1224 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1225 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1226 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1227};
1228
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1229#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1230static const unsigned char aes_test_cbc_dec[3][16] =
1231{
1232 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1233 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1234 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1235 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1236 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1237 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1238};
1239
1240static const unsigned char aes_test_cbc_enc[3][16] =
1241{
1242 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1243 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1244 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1245 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1246 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1247 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1248};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1249#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1250
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1251#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1252/*
1253 * AES-CFB128 test vectors from:
1254 *
1255 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1256 */
1257static const unsigned char aes_test_cfb128_key[3][32] =
1258{
1259 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1260 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1261 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1262 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1263 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1264 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1265 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1266 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1267 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1268};
1269
1270static const unsigned char aes_test_cfb128_iv[16] =
1271{
1272 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1273 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1274};
1275
1276static const unsigned char aes_test_cfb128_pt[64] =
1277{
1278 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1279 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1280 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1281 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1282 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1283 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1284 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1285 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1286};
1287
1288static const unsigned char aes_test_cfb128_ct[3][64] =
1289{
1290 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1291 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1292 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1293 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1294 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1295 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1296 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1297 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1298 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1299 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1300 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1301 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1302 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1303 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1304 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1305 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1306 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1307 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1308 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1309 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1310 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1311 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1312 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1313 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1314};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1315#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1316
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1317#if defined(MBEDTLS_CIPHER_MODE_OFB)
1318/*
1319 * AES-OFB test vectors from:
1320 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1321 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1322 */
1323static const unsigned char aes_test_ofb_key[3][32] =
1324{
1325 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1326 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1327 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1328 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1329 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1330 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1331 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1332 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1333 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1334};
1335
1336static const unsigned char aes_test_ofb_iv[16] =
1337{
1338 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1339 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1340};
1341
1342static const unsigned char aes_test_ofb_pt[64] =
1343{
1344 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1345 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1346 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1347 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1348 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1349 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1350 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1351 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1352};
1353
1354static const unsigned char aes_test_ofb_ct[3][64] =
1355{
1356 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1357 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1358 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1359 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1360 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1361 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1362 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1363 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1364 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1365 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1366 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1367 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1368 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1369 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1370 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1371 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1372 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1373 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1374 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1375 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1376 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1377 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1378 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1379 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1380};
1381#endif /* MBEDTLS_CIPHER_MODE_OFB */
1382
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1383#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1384/*
1385 * AES-CTR test vectors from:
1386 *
1387 * http://www.faqs.org/rfcs/rfc3686.html
1388 */
1389
1390static const unsigned char aes_test_ctr_key[3][16] =
1391{
1392 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1393 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1394 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1395 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1396 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1397 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1398};
1399
1400static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1401{
1402 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1404 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1405 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1406 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1407 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1408};
1409
1410static const unsigned char aes_test_ctr_pt[3][48] =
1411{
1412 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1413 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1414
1415 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1416 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1417 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1418 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1419
1420 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1421 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1422 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1423 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1424 0x20, 0x21, 0x22, 0x23 }
1425};
1426
1427static const unsigned char aes_test_ctr_ct[3][48] =
1428{
1429 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1430 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1431 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1432 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1433 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1434 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1435 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1436 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1437 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1438 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1439 0x25, 0xB2, 0x07, 0x2F }
1440};
1441
1442static const int aes_test_ctr_len[3] =
1443 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1444#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1445
1446/*
1447 * Checkup routine
1448 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1449int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1450{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1451 int ret = 0, i, j, u, mode;
1452 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1453 unsigned char key[32];
1454 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1455 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1456#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1457 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1458#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1459#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1460 unsigned char prv[16];
1461#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1462#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1463 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1464#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1465#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1466 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1467 unsigned char nonce_counter[16];
1468 unsigned char stream_block[16];
1469#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1470 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1471
1472 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1474
1475 /*
1476 * ECB mode
1477 */
1478 for( i = 0; i < 6; i++ )
1479 {
1480 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1481 keybits = 128 + u * 64;
1482 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1483
1484 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1485 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1486 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1487
1488 memset( buf, 0, 16 );
1489
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1490 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1491 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1492 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1493 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1494 }
1495 else
1496 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1497 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1498 aes_tests = aes_test_ecb_enc[u];
1499 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1500
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1501 /*
1502 * AES-192 is an optional feature that may be unavailable when
1503 * there is an alternative underlying implementation i.e. when
1504 * MBEDTLS_AES_ALT is defined.
1505 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1506 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1507 {
1508 mbedtls_printf( "skipped\n" );
1509 continue;
1510 }
1511 else if( ret != 0 )
1512 {
1513 goto exit;
1514 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1515
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1516 for( j = 0; j < 10000; j++ )
1517 {
1518 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1519 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1520 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1521 }
1522
1523 if( memcmp( buf, aes_tests, 16 ) != 0 )
1524 {
1525 ret = 1;
1526 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1527 }
1528
1529 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1530 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1531 }
1532
1533 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1535
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1536#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1537 /*
1538 * CBC mode
1539 */
1540 for( i = 0; i < 6; i++ )
1541 {
1542 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1543 keybits = 128 + u * 64;
1544 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1545
1546 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1547 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1548 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1549
1550 memset( iv , 0, 16 );
1551 memset( prv, 0, 16 );
1552 memset( buf, 0, 16 );
1553
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1554 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1555 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1556 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1557 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1558 }
1559 else
1560 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1561 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1562 aes_tests = aes_test_cbc_enc[u];
1563 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1564
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1565 /*
1566 * AES-192 is an optional feature that may be unavailable when
1567 * there is an alternative underlying implementation i.e. when
1568 * MBEDTLS_AES_ALT is defined.
1569 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1570 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1571 {
1572 mbedtls_printf( "skipped\n" );
1573 continue;
1574 }
1575 else if( ret != 0 )
1576 {
1577 goto exit;
1578 }
1579
1580 for( j = 0; j < 10000; j++ )
1581 {
1582 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1583 {
1584 unsigned char tmp[16];
1585
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1586 memcpy( tmp, prv, 16 );
1587 memcpy( prv, buf, 16 );
1588 memcpy( buf, tmp, 16 );
1589 }
1590
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1591 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1592 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1593 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1594
1595 }
1596
1597 if( memcmp( buf, aes_tests, 16 ) != 0 )
1598 {
1599 ret = 1;
1600 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1601 }
1602
1603 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1604 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1605 }
1606
1607 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1608 mbedtls_printf( "\n" );
1609#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1610
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1611#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1612 /*
1613 * CFB128 mode
1614 */
1615 for( i = 0; i < 6; i++ )
1616 {
1617 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1618 keybits = 128 + u * 64;
1619 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1620
1621 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1622 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1623 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1624
1625 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1626 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1627
1628 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1629 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1630 /*
1631 * AES-192 is an optional feature that may be unavailable when
1632 * there is an alternative underlying implementation i.e. when
1633 * MBEDTLS_AES_ALT is defined.
1634 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1635 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1636 {
1637 mbedtls_printf( "skipped\n" );
1638 continue;
1639 }
1640 else if( ret != 0 )
1641 {
1642 goto exit;
1643 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1644
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1645 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1646 {
1647 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1648 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1649 }
1650 else
1651 {
1652 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1653 aes_tests = aes_test_cfb128_ct[u];
1654 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1655
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1656 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1657 if( ret != 0 )
1658 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1659
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1660 if( memcmp( buf, aes_tests, 64 ) != 0 )
1661 {
1662 ret = 1;
1663 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1664 }
1665
1666 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1667 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1668 }
1669
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1670 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1671 mbedtls_printf( "\n" );
1672#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1673
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1674#if defined(MBEDTLS_CIPHER_MODE_OFB)
1675 /*
1676 * OFB mode
1677 */
1678 for( i = 0; i < 6; i++ )
1679 {
1680 u = i >> 1;
1681 keybits = 128 + u * 64;
1682 mode = i & 1;
1683
1684 if( verbose != 0 )
1685 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
1686 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1687
1688 memcpy( iv, aes_test_ofb_iv, 16 );
1689 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1690
1691 offset = 0;
1692 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1693 /*
1694 * AES-192 is an optional feature that may be unavailable when
1695 * there is an alternative underlying implementation i.e. when
1696 * MBEDTLS_AES_ALT is defined.
1697 */
1698 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1699 {
1700 mbedtls_printf( "skipped\n" );
1701 continue;
1702 }
1703 else if( ret != 0 )
1704 {
1705 goto exit;
1706 }
1707
1708 if( mode == MBEDTLS_AES_DECRYPT )
1709 {
1710 memcpy( buf, aes_test_ofb_ct[u], 64 );
1711 aes_tests = aes_test_ofb_pt;
1712 }
1713 else
1714 {
1715 memcpy( buf, aes_test_ofb_pt, 64 );
1716 aes_tests = aes_test_ofb_ct[u];
1717 }
1718
1719 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1720 if( ret != 0 )
1721 goto exit;
1722
1723 if( memcmp( buf, aes_tests, 64 ) != 0 )
1724 {
1725 ret = 1;
1726 goto exit;
1727 }
1728
1729 if( verbose != 0 )
1730 mbedtls_printf( "passed\n" );
1731 }
1732
1733 if( verbose != 0 )
1734 mbedtls_printf( "\n" );
1735#endif /* MBEDTLS_CIPHER_MODE_OFB */
1736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1738 /*
1739 * CTR mode
1740 */
1741 for( i = 0; i < 6; i++ )
1742 {
1743 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1744 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1745
1746 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1747 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1748 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1749
1750 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1751 memcpy( key, aes_test_ctr_key[u], 16 );
1752
1753 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1754 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1755 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1756
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1757 len = aes_test_ctr_len[u];
1758
1759 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1760 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1761 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1762 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1763 }
1764 else
1765 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1766 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1767 aes_tests = aes_test_ctr_ct[u];
1768 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1769
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1770 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1771 stream_block, buf, buf );
1772 if( ret != 0 )
1773 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1774
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1775 if( memcmp( buf, aes_tests, len ) != 0 )
1776 {
1777 ret = 1;
1778 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1779 }
1780
1781 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1782 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1783 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1784
1785 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1786 mbedtls_printf( "\n" );
1787#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1789 ret = 0;
1790
1791exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1792 if( ret != 0 && verbose != 0 )
1793 mbedtls_printf( "failed\n" );
1794
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1795 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1796
1797 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798}
1799
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1800#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1801
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1802#endif /* MBEDTLS_AES_C */