TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6ce4988768d7b753777d8c7061da5c48d77687c2 / . / library / aes.c
blob: cdbcba49d7d0e95a35c8d5c2337897aa5f80405f [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]88/*
89 * Data structure for AES round data
90 */
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]91typedef struct {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]92 uint32_t *rk_ptr; /* Round Key */
Arto Kinnunen34139ba2019-12-03 15:43:27 +0200[diff] [blame]93 uint32_t xy_values[8]; /* X0, X1, X2, X3, Y0, Y1, Y2, Y3 */
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]94} aes_r_data_t;
95
96#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
97/* Number of additional AES calculation rounds added for SCA CM */
98#define AES_SCA_CM_ROUNDS 3
99#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
100#define AES_SCA_CM_ROUNDS 0
101#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]103#if defined(MBEDTLS_PADLOCK_C) && \
104 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]105static int aes_padlock_ace = -1;
106#endif
107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]108#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109/*
110 * Forward S-box
111 */
112static const unsigned char FSb[256] =
113{
114 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
115 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
116 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
117 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
118 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
119 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
120 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
121 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
122 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
123 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
124 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
125 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
126 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
127 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
128 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
129 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
130 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
131 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
132 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
133 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
134 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
135 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
136 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
137 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
138 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
139 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
140 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
141 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
142 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
143 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
144 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
145 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
146};
147
148/*
149 * Forward tables
150 */
151#define FT \
152\
153 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
154 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
155 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
156 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
157 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
158 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
159 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
160 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
161 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
162 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
163 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
164 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
165 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
166 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
167 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
168 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
169 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
170 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
171 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
172 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
173 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
174 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
175 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
176 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
177 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
178 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
179 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
180 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
181 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
182 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
183 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
184 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
185 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
186 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
187 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
188 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
189 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
190 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
191 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
192 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
193 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
194 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
195 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
196 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
197 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
198 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
199 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
200 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
201 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
202 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
203 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
204 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
205 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
206 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
207 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
208 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
209 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
210 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
211 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
212 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
213 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
214 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
215 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
216 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
217
218#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef V
221
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]222#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]225static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226#undef V
227
228#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
232#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]233static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#undef V
235
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]236#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]237
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238#undef FT
239
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]240#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]241/*
242 * Reverse S-box
243 */
244static const unsigned char RSb[256] =
245{
246 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
247 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
248 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
249 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
250 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
251 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
252 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
253 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
254 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
255 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
256 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
257 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
258 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
259 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
260 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
261 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
262 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
263 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
264 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
265 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
266 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
267 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
268 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
269 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
270 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
271 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
272 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
273 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
274 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
275 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
276 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
277 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
278};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]279#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280
281/*
282 * Reverse tables
283 */
284#define RT \
285\
286 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
287 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
288 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
289 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
290 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
291 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
292 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
293 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
294 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
295 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
296 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
297 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
298 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
299 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
300 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
301 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
302 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
303 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
304 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
305 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
306 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
307 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
308 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
309 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
310 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
311 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
312 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
313 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
314 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
315 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
316 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
317 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
318 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
319 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
320 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
321 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
322 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
323 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
324 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
325 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
326 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
327 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
328 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
329 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
330 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
331 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
332 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
333 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
334 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
335 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
336 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
337 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
338 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
339 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
340 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
341 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
342 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
343 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
344 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
345 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
346 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
347 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
348 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
349 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
350
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]351#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]352#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef V
355
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]356#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360#undef V
361
362#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364#undef V
365
366#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]367static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368#undef V
369
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]371#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]372
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373#undef RT
374
375/*
376 * Round constants
377 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379{
380 0x00000001, 0x00000002, 0x00000004, 0x00000008,
381 0x00000010, 0x00000020, 0x00000040, 0x00000080,
382 0x0000001B, 0x00000036
383};
384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]385#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387/*
388 * Forward S-box & tables
389 */
390static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]391static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]392#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]393static uint32_t FT1[256];
394static uint32_t FT2[256];
395static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]396#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397
398/*
399 * Reverse S-box & tables
400 */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]401#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]403static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]404#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]405static uint32_t RT1[256];
406static uint32_t RT2[256];
407static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]408#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]409#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]410
411/*
412 * Round constants
413 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]414static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415
416/*
417 * Tables generation code
418 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]419#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
420#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]421#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]422
423static int aes_init_done = 0;
424
425static void aes_gen_tables( void )
426{
427 int i, x, y, z;
428 int pow[256];
429 int log[256];
430
431 /*
432 * compute pow and log tables over GF(2^8)
433 */
434 for( i = 0, x = 1; i < 256; i++ )
435 {
436 pow[i] = x;
437 log[x] = i;
438 x = ( x ^ XTIME( x ) ) & 0xFF;
439 }
440
441 /*
442 * calculate the round constants
443 */
444 for( i = 0, x = 1; i < 10; i++ )
445 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]446 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 x = XTIME( x ) & 0xFF;
448 }
449
450 /*
451 * generate the forward and reverse S-boxes
452 */
453 FSb[0x00] = 0x63;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]454#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 RSb[0x63] = 0x00;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]456#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
458 for( i = 1; i < 256; i++ )
459 {
460 x = pow[255 - log[i]];
461
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]462 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
463 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
464 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 x ^= y ^ 0x63;
467
468 FSb[i] = (unsigned char) x;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]469#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RSb[x] = (unsigned char) i;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]471#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]494#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]495 x = RSb[i];
496
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]497 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
498 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
499 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
500 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]502#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]503 RT1[i] = ROTL8( RT0[i] );
504 RT2[i] = ROTL8( RT1[i] );
505 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]506#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]507#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 }
509}
510
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]511#undef ROTL8
512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]515/**
516 * Randomize positions when to use AES SCA countermeasures.
517 * Each byte indicates one AES round as follows:
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]518 * first ( tbl_len - 4 ) bytes are reserved for middle AES rounds:
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]519 * -4 high bit = table to use 0x10 for SCA CM data, 0 otherwise
520 * -4 low bits = offset based on order, 4 for even position, 0 otherwise
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]521 * Last 4 bytes for first(2) and final(2) round calculation
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]522 * -4 high bit = table to use, 0x10 for SCA CM data, otherwise real data
523 * -4 low bits = not used
524 *
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]525 * Return Number of additional AES rounds
526 *
527 * Example of the control bytes:
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]528 * Control data when only real data (R) is used:
529 * | R | R | R | R | R | R | R | R | Start | Final |
530 * |0x04|0x00|0x00|0x04|0x00|0x04|0x00|0x04|0x00|0x00|0x00|0x00|
531 *
532 * Control data with 5 (F) dummy rounds and randomized start and final round:
533 * | R | F | R | F | F | R | R | R | R | R | R | START RF| FINAL FR|
534 * |0x04|0x10|0x04|0x10|0x10|0x00|0x04|0x00|0x04|0x00|0x04|0x00|0x10|0x10|0x00|
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]535 */
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]536static int aes_sca_cm_data_randomize( uint8_t *tbl, uint8_t tbl_len )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]537{
538 int i, is_even_pos;
539#if AES_SCA_CM_ROUNDS != 0
540 int is_unique_number;
541 int num;
542#endif
543
544 memset( tbl, 0, tbl_len );
545
546#if AES_SCA_CM_ROUNDS != 0
547 // Randomize SCA CM positions to tbl
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]548 for( i = 0; i < AES_SCA_CM_ROUNDS; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]549 {
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]550 is_unique_number = 0;
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]551 do
552 {
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]553 is_unique_number++;
554 num = mbedtls_platform_random_in_range( tbl_len - 4 );
555
556 if( is_unique_number > 10 )
557 {
558 // prevent forever loop if random returns constant
559 is_unique_number = 0;
560 tbl[i] = 0x10; // fake data
561 }
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]562
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]563 if( tbl[num] == 0 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]564 {
565 is_unique_number = 0;
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]566 tbl[num] = 0x10; // fake data
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]567 }
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]568 } while( is_unique_number != 0 );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]569 }
570
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]571 // randomize control data for start and final round
572 for( i = 1; i <= 2; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]573 {
Arto Kinnunen76deef92019-12-05 10:10:31 +0200[diff] [blame]574 num = mbedtls_platform_random_in_range( 0xff );
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]575 if( ( num % 2 ) == 0 )
576 {
577 tbl[tbl_len - ( i * 2 - 0 )] = 0x10; // fake data
578 tbl[tbl_len - ( i * 2 - 1 )] = 0x00; // real data
579 }
580 else
581 {
582 tbl[tbl_len - ( i * 2 - 0 )] = 0x00; // real data
583 tbl[tbl_len - ( i * 2 - 1 )] = 0x10; // fake data
584 }
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]585 }
586#endif /* AES_SCA_CM_ROUNDS != 0 */
587
588 // Fill real AES round data to the remaining places
589 is_even_pos = 1;
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]590 for( i = 0; i < tbl_len - 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]591 {
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]592 if( tbl[i] == 0 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]593 {
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]594 if( is_even_pos == 1 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]595 {
Arto Kinnunen34139ba2019-12-03 15:43:27 +0200[diff] [blame]596 tbl[i] = 0x04; // real data, offset 4
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]597 is_even_pos = 0;
598 }
599 else
600 {
601 tbl[i] = 0x00; // real data, offset 0
602 is_even_pos = 1;
603 }
604 }
605 }
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]606
607 return( AES_SCA_CM_ROUNDS );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]608}
609
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]610#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]611
612#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
613#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
614#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
615
616#define AES_RT0(idx) RT0[idx]
617#define AES_RT1(idx) ROTL8( RT0[idx] )
618#define AES_RT2(idx) ROTL16( RT0[idx] )
619#define AES_RT3(idx) ROTL24( RT0[idx] )
620
621#define AES_FT0(idx) FT0[idx]
622#define AES_FT1(idx) ROTL8( FT0[idx] )
623#define AES_FT2(idx) ROTL16( FT0[idx] )
624#define AES_FT3(idx) ROTL24( FT0[idx] )
625
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]626#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]627
628#define AES_RT0(idx) RT0[idx]
629#define AES_RT1(idx) RT1[idx]
630#define AES_RT2(idx) RT2[idx]
631#define AES_RT3(idx) RT3[idx]
632
633#define AES_FT0(idx) FT0[idx]
634#define AES_FT1(idx) FT1[idx]
635#define AES_FT2(idx) FT2[idx]
636#define AES_FT3(idx) FT3[idx]
637
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]638#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]639
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]640void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]641{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]642 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]643
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]644 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]645}
646
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]647void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]648{
649 if( ctx == NULL )
650 return;
651
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]652 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]653}
654
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]655#if defined(MBEDTLS_CIPHER_MODE_XTS)
656void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
657{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]658 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]659
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]660 mbedtls_aes_init( &ctx->crypt );
661 mbedtls_aes_init( &ctx->tweak );
662}
663
664void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
665{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]666 if( ctx == NULL )
667 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]668
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]669 mbedtls_aes_free( &ctx->crypt );
670 mbedtls_aes_free( &ctx->tweak );
671}
672#endif /* MBEDTLS_CIPHER_MODE_XTS */
673
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674/*
675 * AES key schedule (encryption)
676 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]677#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]678int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]679 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680{
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]681 unsigned int j = 0;
682 volatile unsigned int i = 0;
683 volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]684 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]686 AES_VALIDATE_RET( ctx != NULL );
687 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]688
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]689 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690 {
691 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]692#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693 case 192: ctx->nr = 12; break;
694 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]695#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]696 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]697 }
698
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]699#if !defined(MBEDTLS_AES_ROM_TABLES)
700 if( aes_init_done == 0 )
701 {
702 aes_gen_tables();
703 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]704 }
705#endif
706
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]707#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]708 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]709 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]710
711 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]712 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]713 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]714#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]715 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]717#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]718 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]719 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]720#endif
721
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]722 for( j = 0; j < ( keybits >> 5 ); j++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]723 {
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]724 GET_UINT32_LE( RK[j], key, j << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]725 }
726
727 switch( ctx->nr )
728 {
729 case 10:
730
731 for( i = 0; i < 10; i++, RK += 4 )
732 {
733 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]734 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
735 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
736 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
737 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]738
739 RK[5] = RK[1] ^ RK[4];
740 RK[6] = RK[2] ^ RK[5];
741 RK[7] = RK[3] ^ RK[6];
742 }
743 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]744#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]745 case 12:
746
747 for( i = 0; i < 8; i++, RK += 6 )
748 {
749 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]750 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
751 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
752 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
753 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]754
755 RK[7] = RK[1] ^ RK[6];
756 RK[8] = RK[2] ^ RK[7];
757 RK[9] = RK[3] ^ RK[8];
758 RK[10] = RK[4] ^ RK[9];
759 RK[11] = RK[5] ^ RK[10];
760 }
761 break;
762
763 case 14:
764
765 for( i = 0; i < 7; i++, RK += 8 )
766 {
767 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]768 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
769 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
770 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
771 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]772
773 RK[9] = RK[1] ^ RK[8];
774 RK[10] = RK[2] ^ RK[9];
775 RK[11] = RK[3] ^ RK[10];
776
777 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]778 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
779 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
780 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
781 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]782
783 RK[13] = RK[5] ^ RK[12];
784 RK[14] = RK[6] ^ RK[13];
785 RK[15] = RK[7] ^ RK[14];
786 }
787 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]788#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]789 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]790
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]791 ret = 0;
792
793 /* Validate execution path */
794 if( ( j == keybits >> 5 ) && ( ( ctx->nr == 10 && i == 10 )
795#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
796 || ( ctx->nr == 12 && i == 8 )
797 || ( ctx->nr == 14 && i == 7 )
798#endif
799 ) )
800 {
801 return ret;
802 }
803
804 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]805}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]806#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]807
808/*
809 * AES key schedule (decryption)
810 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]811#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]812int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]813 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]815#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
816 (void) ctx;
817 (void) key;
818 (void) keybits;
819
820 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
821#else /* */
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]822 volatile unsigned int i = 0, j = 0;
823 volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]824 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]825 uint32_t *RK;
826 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]827
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]828 AES_VALIDATE_RET( ctx != NULL );
829 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]830
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]831 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]832
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]833#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]834 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]835 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]836
837 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]838 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]839 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]840#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]841 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]843 /* Also checks keybits */
844 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]845 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]846
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]847 ctx->nr = cty.nr;
848
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]849#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]850 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]851 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]852 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]853 (const unsigned char *) cty.rk, ctx->nr );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]854 i = 0;
855 j = 4;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]856 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]857 }
858#endif
859
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860 SK = cty.rk + cty.nr * 4;
861
862 *RK++ = *SK++;
863 *RK++ = *SK++;
864 *RK++ = *SK++;
865 *RK++ = *SK++;
866
867 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
868 {
869 for( j = 0; j < 4; j++, SK++ )
870 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]871 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
872 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
873 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
874 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]875 }
876 }
877
878 *RK++ = *SK++;
879 *RK++ = *SK++;
880 *RK++ = *SK++;
881 *RK++ = *SK++;
882
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]883exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]884 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]885
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]886 if( ret != 0 )
887 {
888 return( ret );
889 }
890 else if( ( i == 0 ) && ( j == 4 ) )
891 {
892 return( ret );
893 }
894 else
895 {
896 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
897 }
898
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]899#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]900}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]901
902#if defined(MBEDTLS_CIPHER_MODE_XTS)
903static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
904 unsigned int keybits,
905 const unsigned char **key1,
906 unsigned int *key1bits,
907 const unsigned char **key2,
908 unsigned int *key2bits )
909{
910 const unsigned int half_keybits = keybits / 2;
911 const unsigned int half_keybytes = half_keybits / 8;
912
913 switch( keybits )
914 {
915 case 256: break;
916 case 512: break;
917 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
918 }
919
920 *key1bits = half_keybits;
921 *key2bits = half_keybits;
922 *key1 = &key[0];
923 *key2 = &key[half_keybytes];
924
925 return 0;
926}
927
928int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
929 const unsigned char *key,
930 unsigned int keybits)
931{
932 int ret;
933 const unsigned char *key1, *key2;
934 unsigned int key1bits, key2bits;
935
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]936 AES_VALIDATE_RET( ctx != NULL );
937 AES_VALIDATE_RET( key != NULL );
938
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]939 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
940 &key2, &key2bits );
941 if( ret != 0 )
942 return( ret );
943
944 /* Set the tweak key. Always set tweak key for the encryption mode. */
945 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
946 if( ret != 0 )
947 return( ret );
948
949 /* Set crypt key for encryption. */
950 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
951}
952
953int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
954 const unsigned char *key,
955 unsigned int keybits)
956{
957 int ret;
958 const unsigned char *key1, *key2;
959 unsigned int key1bits, key2bits;
960
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]961 AES_VALIDATE_RET( ctx != NULL );
962 AES_VALIDATE_RET( key != NULL );
963
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]964 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
965 &key2, &key2bits );
966 if( ret != 0 )
967 return( ret );
968
969 /* Set the tweak key. Always set tweak key for encryption. */
970 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
971 if( ret != 0 )
972 return( ret );
973
974 /* Set crypt key for decryption. */
975 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
976}
977#endif /* MBEDTLS_CIPHER_MODE_XTS */
978
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]979#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]981/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]982 * AES-ECB block encryption
983 */
984#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]985
986static uint32_t *aes_fround( uint32_t *R,
987 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
988 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
989{
990 *X0 = *R++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^
991 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^
992 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^
993 AES_FT3( ( Y3 >> 24 ) & 0xFF );
994
995 *X1 = *R++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^
996 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^
997 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^
998 AES_FT3( ( Y0 >> 24 ) & 0xFF );
999
1000 *X2 = *R++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^
1001 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^
1002 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^
1003 AES_FT3( ( Y1 >> 24 ) & 0xFF );
1004
1005 *X3 = *R++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^
1006 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^
1007 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^
1008 AES_FT3( ( Y2 >> 24 ) & 0xFF );
1009
1010 return R;
1011}
1012
1013static void aes_fround_final( uint32_t *R,
1014 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1015 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1016{
1017 *X0 = *R++ ^ ( (uint32_t) FSb[ ( (Y0) ) & 0xFF ] ) ^
1018 ( (uint32_t) FSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
1019 ( (uint32_t) FSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
1020 ( (uint32_t) FSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
1021
1022 *X1 = *R++ ^ ( (uint32_t) FSb[ ( (Y1) ) & 0xFF ] ) ^
1023 ( (uint32_t) FSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
1024 ( (uint32_t) FSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
1025 ( (uint32_t) FSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
1026
1027 *X2 = *R++ ^ ( (uint32_t) FSb[ ( (Y2) ) & 0xFF ] ) ^
1028 ( (uint32_t) FSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
1029 ( (uint32_t) FSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
1030 ( (uint32_t) FSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
1031
1032 *X3 = *R++ ^ ( (uint32_t) FSb[ ( (Y3) ) & 0xFF ] ) ^
1033 ( (uint32_t) FSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
1034 ( (uint32_t) FSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
1035 ( (uint32_t) FSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
1036}
1037
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1038int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
1039 const unsigned char input[16],
1040 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1041{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1042 int i, j, offset, start_fin_loops = 1;
1043 aes_r_data_t aes_data_real; // real data
1044#if AES_SCA_CM_ROUNDS != 0
1045 aes_r_data_t aes_data_fake; // fake data
1046#endif /* AES_SCA_CM_ROUNDS != 0 */
1047 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
1048 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1049 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2 + 2;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1050 volatile int flow_control;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1051 // control bytes for AES rounds, reserve based on max ctx->nr
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1052 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 + 2];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1053
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1054 aes_data_real.rk_ptr = ctx->rk;
1055 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1056
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1057#if AES_SCA_CM_ROUNDS != 0
1058 aes_data_table[1] = &aes_data_fake;
1059 aes_data_fake.rk_ptr = ctx->rk;
1060 start_fin_loops = 2;
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1061 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1062 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1063#endif
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1064
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1065 // Get randomized AES calculation control bytes
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1066 flow_control = aes_sca_cm_data_randomize( round_ctrl_table,
1067 round_ctrl_table_len );
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1068
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1069 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1070 {
1071 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1072 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1073 {
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1074 aes_data_ptr =
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1075 aes_data_table[round_ctrl_table[ round_ctrl_table_len - 2 + j ] >> 4];
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1076 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1077 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1078 }
1079 }
1080
1081 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
1082 {
1083 // Read AES control data
1084 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1085 offset = round_ctrl_table[i] & 0x0f;
1086
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1087 aes_data_ptr->rk_ptr = aes_fround( aes_data_ptr->rk_ptr,
1088 &aes_data_ptr->xy_values[0 + offset],
1089 &aes_data_ptr->xy_values[1 + offset],
1090 &aes_data_ptr->xy_values[2 + offset],
1091 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1092 aes_data_ptr->xy_values[4 - offset],
1093 aes_data_ptr->xy_values[5 - offset],
1094 aes_data_ptr->xy_values[6 - offset],
1095 aes_data_ptr->xy_values[7 - offset] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1096 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1097 }
1098
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1099 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1100 {
1101 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1102 aes_fround_final( aes_data_ptr->rk_ptr,
1103 &aes_data_ptr->xy_values[0],
1104 &aes_data_ptr->xy_values[1],
1105 &aes_data_ptr->xy_values[2],
1106 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1107 aes_data_ptr->xy_values[4],
1108 aes_data_ptr->xy_values[5],
1109 aes_data_ptr->xy_values[6],
1110 aes_data_ptr->xy_values[7] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1111 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1112 }
1113
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1114 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1115 {
1116 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1117 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1118 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1119
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1120 if( flow_control == ( AES_SCA_CM_ROUNDS + ( 4 * start_fin_loops ) +
1121 ctx->nr - 1 + AES_SCA_CM_ROUNDS + start_fin_loops + 4 ) )
1122 {
1123 /* Validate control path due possible fault injection */
1124 return 0;
1125 }
1126
1127 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1128}
1129#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
1130
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1131#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1132void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
1133 const unsigned char input[16],
1134 unsigned char output[16] )
1135{
1136 mbedtls_internal_aes_encrypt( ctx, input, output );
1137}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1138#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1139
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1140/*
1141 * AES-ECB block decryption
1142 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1143
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1144#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1145#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1146
1147static uint32_t *aes_rround( uint32_t *R,
1148 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1149 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1150{
1151 *X0 = *R++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^
1152 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^
1153 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^
1154 AES_RT3( ( Y1 >> 24 ) & 0xFF );
1155
1156 *X1 = *R++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^
1157 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^
1158 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^
1159 AES_RT3( ( Y2 >> 24 ) & 0xFF );
1160
1161 *X2 = *R++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^
1162 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^
1163 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^
1164 AES_RT3( ( Y3 >> 24 ) & 0xFF );
1165
1166 *X3 = *R++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^
1167 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^
1168 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^
1169 AES_RT3( ( Y0 >> 24 ) & 0xFF );
1170 return R;
1171}
1172
1173static void aes_rround_final( uint32_t *R,
1174 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1175 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1176{
1177 *X0 = *R++ ^ ( (uint32_t) RSb[ ( (Y0) ) & 0xFF ] ) ^
1178 ( (uint32_t) RSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
1179 ( (uint32_t) RSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
1180 ( (uint32_t) RSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
1181
1182 *X1 = *R++ ^ ( (uint32_t) RSb[ ( (Y1) ) & 0xFF ] ) ^
1183 ( (uint32_t) RSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
1184 ( (uint32_t) RSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
1185 ( (uint32_t) RSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
1186
1187 *X2 = *R++ ^ ( (uint32_t) RSb[ ( (Y2) ) & 0xFF ] ) ^
1188 ( (uint32_t) RSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
1189 ( (uint32_t) RSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
1190 ( (uint32_t) RSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
1191
1192 *X3 = *R++ ^ ( (uint32_t) RSb[ ( (Y3) ) & 0xFF ] ) ^
1193 ( (uint32_t) RSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
1194 ( (uint32_t) RSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
1195 ( (uint32_t) RSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
1196}
1197
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1198int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
1199 const unsigned char input[16],
1200 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1201{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1202 int i, j, offset, start_fin_loops = 1;
1203 aes_r_data_t aes_data_real; // real data
1204#if AES_SCA_CM_ROUNDS != 0
1205 aes_r_data_t aes_data_fake; // fake data
1206#endif /* AES_SCA_CM_ROUNDS != 0 */
1207 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
1208 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1209 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2 + 2;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1210 // control bytes for AES rounds, reserve based on max ctx->nr
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1211 volatile int flow_control;
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1212 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 + 2 ];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1213
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1214 aes_data_real.rk_ptr = ctx->rk;
1215 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1216
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1217#if AES_SCA_CM_ROUNDS != 0
1218 aes_data_table[1] = &aes_data_fake;
1219 aes_data_fake.rk_ptr = ctx->rk;
1220 start_fin_loops = 2;
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1221 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1222 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
1223#endif
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1224
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1225 // Get randomized AES calculation control bytes
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1226 flow_control = aes_sca_cm_data_randomize( round_ctrl_table,
1227 round_ctrl_table_len );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1228
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1229 for( i = 0; i < 4; i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1230 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1231 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1232 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1233 {
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1234 aes_data_ptr =
Arto Kinnunenf44f7d42019-12-04 15:19:50 +0200[diff] [blame]1235 aes_data_table[round_ctrl_table[ round_ctrl_table_len - 4 + j ] >> 4];
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1236 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1237 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1238 }
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1239 }
1240
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1241 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1242 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1243 // Read AES control data
1244 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1245 offset = round_ctrl_table[i] & 0x0f;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1246
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1247 aes_data_ptr->rk_ptr = aes_rround( aes_data_ptr->rk_ptr,
1248 &aes_data_ptr->xy_values[0 + offset],
1249 &aes_data_ptr->xy_values[1 + offset],
1250 &aes_data_ptr->xy_values[2 + offset],
1251 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1252 aes_data_ptr->xy_values[4 - offset],
1253 aes_data_ptr->xy_values[5 - offset],
1254 aes_data_ptr->xy_values[6 - offset],
1255 aes_data_ptr->xy_values[7 - offset] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1256 flow_control++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1257 }
1258
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1259 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1260 {
1261 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1262 aes_rround_final( aes_data_ptr->rk_ptr,
1263 &aes_data_ptr->xy_values[0],
1264 &aes_data_ptr->xy_values[1],
1265 &aes_data_ptr->xy_values[2],
1266 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1267 aes_data_ptr->xy_values[4],
1268 aes_data_ptr->xy_values[5],
1269 aes_data_ptr->xy_values[6],
1270 aes_data_ptr->xy_values[7] );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1271 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1272 }
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1273
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1274 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1275 {
1276 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1277 flow_control++;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1278 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1279
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1280 if( flow_control == ( AES_SCA_CM_ROUNDS + ( 4 * start_fin_loops ) +
1281 ctx->nr - 1 + AES_SCA_CM_ROUNDS + start_fin_loops + 4 ) )
1282 {
1283 /* Validate control path due possible fault injection */
1284 return 0;
1285 }
1286
1287 return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1288}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1289#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1290#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1291
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1292#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1293void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1294 const unsigned char input[16],
1295 unsigned char output[16] )
1296{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1297#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1298 (void) ctx;
1299 (void) input;
1300 (void) output;
1301#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1302 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1303#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1304}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1305#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1306
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1307/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1308 * AES-ECB block encryption/decryption
1309 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1310int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1311 int mode,
1312 const unsigned char input[16],
1313 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1315 AES_VALIDATE_RET( ctx != NULL );
1316 AES_VALIDATE_RET( input != NULL );
1317 AES_VALIDATE_RET( output != NULL );
1318 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1319 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1320 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1321
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1322#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1323 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1324 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1325#endif
1326
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1328 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1329 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1330 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1331 return( 0 );
1332
1333 // If padlock data misaligned, we just fall back to
1334 // unaccelerated mode
1335 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336 }
1337#endif
Arto Kinnunen6ce49882019-12-03 13:56:06 +0200[diff] [blame^]1338
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1339#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1340 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1341#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1343 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1344 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1345 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1346 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1347#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1348}
1349
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1350#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1351/*
1352 * AES-CBC buffer encryption/decryption
1353 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1354int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1356 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1357 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1358 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1359 unsigned char *output )
1360{
1361 int i;
1362 unsigned char temp[16];
1363
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1364 AES_VALIDATE_RET( ctx != NULL );
1365 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1366 mode == MBEDTLS_AES_DECRYPT );
1367 AES_VALIDATE_RET( iv != NULL );
1368 AES_VALIDATE_RET( input != NULL );
1369 AES_VALIDATE_RET( output != NULL );
1370
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1371 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1373
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1374#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1375 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1376 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1377 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1378 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1379
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1380 // If padlock data misaligned, we just fall back to
1381 // unaccelerated mode
1382 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1383 }
1384#endif
1385
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1386 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1387 {
1388 while( length > 0 )
1389 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1390 mbedtls_platform_memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1392
1393 for( i = 0; i < 16; i++ )
1394 output[i] = (unsigned char)( output[i] ^ iv[i] );
1395
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1396 mbedtls_platform_memcpy( iv, temp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1397
1398 input += 16;
1399 output += 16;
1400 length -= 16;
1401 }
1402 }
1403 else
1404 {
1405 while( length > 0 )
1406 {
1407 for( i = 0; i < 16; i++ )
1408 output[i] = (unsigned char)( input[i] ^ iv[i] );
1409
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1410 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1411 mbedtls_platform_memcpy( iv, output, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412
1413 input += 16;
1414 output += 16;
1415 length -= 16;
1416 }
1417 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1418
1419 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1420}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1421#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1422
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1423#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1424
1425/* Endianess with 64 bits values */
1426#ifndef GET_UINT64_LE
1427#define GET_UINT64_LE(n,b,i) \
1428{ \
1429 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1430 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1431 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1432 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1433 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1434 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1435 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1436 | ( (uint64_t) (b)[(i) ] ); \
1437}
1438#endif
1439
1440#ifndef PUT_UINT64_LE
1441#define PUT_UINT64_LE(n,b,i) \
1442{ \
1443 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1444 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1445 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1446 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1447 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1448 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1449 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1450 (b)[(i) ] = (unsigned char) ( (n) ); \
1451}
1452#endif
1453
1454typedef unsigned char mbedtls_be128[16];
1455
1456/*
1457 * GF(2^128) multiplication function
1458 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1459 * This function multiplies a field element by x in the polynomial field
1460 * representation. It uses 64-bit word operations to gain speed but compensates
1461 * for machine endianess and hence works correctly on both big and little
1462 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1463 */
1464static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1465 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1466{
1467 uint64_t a, b, ra, rb;
1468
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1469 GET_UINT64_LE( a, x, 0 );
1470 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1471
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1472 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1473 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1474
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1475 PUT_UINT64_LE( ra, r, 0 );
1476 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1477}
1478
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1479/*
1480 * AES-XTS buffer encryption/decryption
1481 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1482int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1483 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1484 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1485 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1486 const unsigned char *input,
1487 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1488{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1489 int ret;
1490 size_t blocks = length / 16;
1491 size_t leftover = length % 16;
1492 unsigned char tweak[16];
1493 unsigned char prev_tweak[16];
1494 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1495
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1496 AES_VALIDATE_RET( ctx != NULL );
1497 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1498 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1499 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1500 AES_VALIDATE_RET( input != NULL );
1501 AES_VALIDATE_RET( output != NULL );
1502
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1503 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1504 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1505 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1506
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1507 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1508 if( length > ( 1 << 20 ) * 16 )
1509 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1510
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1511 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1512 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1513 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1514 if( ret != 0 )
1515 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1516
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1517 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1518 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1519 size_t i;
1520
1521 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1522 {
1523 /* We are on the last block in a decrypt operation that has
1524 * leftover bytes, so we need to use the next tweak for this block,
1525 * and this tweak for the lefover bytes. Save the current tweak for
1526 * the leftovers and then update the current tweak for use on this,
1527 * the last full block. */
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1528 mbedtls_platform_memcpy( prev_tweak, tweak, sizeof( tweak ) );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1529 mbedtls_gf128mul_x_ble( tweak, tweak );
1530 }
1531
1532 for( i = 0; i < 16; i++ )
1533 tmp[i] = input[i] ^ tweak[i];
1534
1535 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1536 if( ret != 0 )
1537 return( ret );
1538
1539 for( i = 0; i < 16; i++ )
1540 output[i] = tmp[i] ^ tweak[i];
1541
1542 /* Update the tweak for the next block. */
1543 mbedtls_gf128mul_x_ble( tweak, tweak );
1544
1545 output += 16;
1546 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1547 }
1548
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1549 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1550 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1551 /* If we are on the leftover bytes in a decrypt operation, we need to
1552 * use the previous tweak for these bytes (as saved in prev_tweak). */
1553 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1554
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1555 /* We are now on the final part of the data unit, which doesn't divide
1556 * evenly by 16. It's time for ciphertext stealing. */
1557 size_t i;
1558 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1559
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1560 /* Copy ciphertext bytes from the previous block to our output for each
1561 * byte of cyphertext we won't steal. At the same time, copy the
1562 * remainder of the input for this final round (since the loop bounds
1563 * are the same). */
1564 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1565 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1566 output[i] = prev_output[i];
1567 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1568 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1569
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1570 /* Copy ciphertext bytes from the previous block for input in this
1571 * round. */
1572 for( ; i < 16; i++ )
1573 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1574
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1575 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1576 if( ret != 0 )
1577 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1578
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1579 /* Write the result back to the previous block, overriding the previous
1580 * output we copied. */
1581 for( i = 0; i < 16; i++ )
1582 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1583 }
1584
1585 return( 0 );
1586}
1587#endif /* MBEDTLS_CIPHER_MODE_XTS */
1588
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1589#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1590/*
1591 * AES-CFB128 buffer encryption/decryption
1592 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1593int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1594 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1595 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1596 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1597 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1598 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1599 unsigned char *output )
1600{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1601 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1602 size_t n;
1603
1604 AES_VALIDATE_RET( ctx != NULL );
1605 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1606 mode == MBEDTLS_AES_DECRYPT );
1607 AES_VALIDATE_RET( iv_off != NULL );
1608 AES_VALIDATE_RET( iv != NULL );
1609 AES_VALIDATE_RET( input != NULL );
1610 AES_VALIDATE_RET( output != NULL );
1611
1612 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1613
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1614 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1615 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1616
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1617 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1618 {
1619 while( length-- )
1620 {
1621 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1622 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1623
1624 c = *input++;
1625 *output++ = (unsigned char)( c ^ iv[n] );
1626 iv[n] = (unsigned char) c;
1627
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1628 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1629 }
1630 }
1631 else
1632 {
1633 while( length-- )
1634 {
1635 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1636 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1637
1638 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1639
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1640 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1641 }
1642 }
1643
1644 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1645
1646 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1647}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1648
1649/*
1650 * AES-CFB8 buffer encryption/decryption
1651 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1652int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1653 int mode,
1654 size_t length,
1655 unsigned char iv[16],
1656 const unsigned char *input,
1657 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1658{
1659 unsigned char c;
1660 unsigned char ov[17];
1661
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1662 AES_VALIDATE_RET( ctx != NULL );
1663 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1664 mode == MBEDTLS_AES_DECRYPT );
1665 AES_VALIDATE_RET( iv != NULL );
1666 AES_VALIDATE_RET( input != NULL );
1667 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1668 while( length-- )
1669 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1670 mbedtls_platform_memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1671 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1672
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1673 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1674 ov[16] = *input;
1675
1676 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1678 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1679 ov[16] = c;
1680
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1681 mbedtls_platform_memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1682 }
1683
1684 return( 0 );
1685}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1686#endif /* MBEDTLS_CIPHER_MODE_CFB */
1687
1688#if defined(MBEDTLS_CIPHER_MODE_OFB)
1689/*
1690 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1691 */
1692int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1693 size_t length,
1694 size_t *iv_off,
1695 unsigned char iv[16],
1696 const unsigned char *input,
1697 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1698{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1699 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1700 size_t n;
1701
1702 AES_VALIDATE_RET( ctx != NULL );
1703 AES_VALIDATE_RET( iv_off != NULL );
1704 AES_VALIDATE_RET( iv != NULL );
1705 AES_VALIDATE_RET( input != NULL );
1706 AES_VALIDATE_RET( output != NULL );
1707
1708 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1709
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1710 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1711 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1712
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1713 while( length-- )
1714 {
1715 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1716 {
1717 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1718 if( ret != 0 )
1719 goto exit;
1720 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1721 *output++ = *input++ ^ iv[n];
1722
1723 n = ( n + 1 ) & 0x0F;
1724 }
1725
1726 *iv_off = n;
1727
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1728exit:
1729 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1730}
1731#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1732
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1733#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1734/*
1735 * AES-CTR buffer encryption/decryption
1736 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1738 size_t length,
1739 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1740 unsigned char nonce_counter[16],
1741 unsigned char stream_block[16],
1742 const unsigned char *input,
1743 unsigned char *output )
1744{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1745 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1746 size_t n;
1747
1748 AES_VALIDATE_RET( ctx != NULL );
1749 AES_VALIDATE_RET( nc_off != NULL );
1750 AES_VALIDATE_RET( nonce_counter != NULL );
1751 AES_VALIDATE_RET( stream_block != NULL );
1752 AES_VALIDATE_RET( input != NULL );
1753 AES_VALIDATE_RET( output != NULL );
1754
1755 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1756
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame]1757 if( n > 0x0F )
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1758 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1759
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1760 while( length-- )
1761 {
1762 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1763 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1764
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1765 for( i = 16; i > 0; i-- )
1766 if( ++nonce_counter[i - 1] != 0 )
1767 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1768 }
1769 c = *input++;
1770 *output++ = (unsigned char)( c ^ stream_block[n] );
1771
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1772 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1773 }
1774
1775 *nc_off = n;
1776
1777 return( 0 );
1778}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1779#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1780
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1781#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1782
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1783#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1784/*
1785 * AES test vectors from:
1786 *
1787 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1788 */
1789static const unsigned char aes_test_ecb_dec[3][16] =
1790{
1791 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1792 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1793 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1794 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1795 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1796 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1797};
1798
1799static const unsigned char aes_test_ecb_enc[3][16] =
1800{
1801 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1802 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1803 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1804 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1805 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1806 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1807};
1808
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1809#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1810static const unsigned char aes_test_cbc_dec[3][16] =
1811{
1812 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1813 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1814 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1815 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1816 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1817 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1818};
1819
1820static const unsigned char aes_test_cbc_enc[3][16] =
1821{
1822 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1823 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1824 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1825 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1826 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1827 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1828};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1829#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1830
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832/*
1833 * AES-CFB128 test vectors from:
1834 *
1835 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1836 */
1837static const unsigned char aes_test_cfb128_key[3][32] =
1838{
1839 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1840 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1841 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1842 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1843 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1844 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1845 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1846 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1847 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1848};
1849
1850static const unsigned char aes_test_cfb128_iv[16] =
1851{
1852 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1853 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1854};
1855
1856static const unsigned char aes_test_cfb128_pt[64] =
1857{
1858 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1859 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1860 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1861 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1862 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1863 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1864 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1865 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1866};
1867
1868static const unsigned char aes_test_cfb128_ct[3][64] =
1869{
1870 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1871 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1872 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1873 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1874 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1875 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1876 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1877 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1878 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1879 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1880 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1881 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1882 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1883 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1884 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1885 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1886 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1887 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1888 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1889 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1890 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1891 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1892 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1893 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1894};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1895#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1896
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1897#if defined(MBEDTLS_CIPHER_MODE_OFB)
1898/*
1899 * AES-OFB test vectors from:
1900 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1901 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1902 */
1903static const unsigned char aes_test_ofb_key[3][32] =
1904{
1905 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1906 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1907 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1908 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1909 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1910 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1911 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1912 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1913 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1914};
1915
1916static const unsigned char aes_test_ofb_iv[16] =
1917{
1918 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1919 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1920};
1921
1922static const unsigned char aes_test_ofb_pt[64] =
1923{
1924 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1925 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1926 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1927 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1928 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1929 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1930 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1931 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1932};
1933
1934static const unsigned char aes_test_ofb_ct[3][64] =
1935{
1936 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1937 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1938 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1939 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1940 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1941 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1942 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1943 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1944 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1945 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1946 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1947 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1948 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1949 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1950 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1951 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1952 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1953 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1954 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1955 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1956 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1957 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1958 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1959 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1960};
1961#endif /* MBEDTLS_CIPHER_MODE_OFB */
1962
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1963#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1964/*
1965 * AES-CTR test vectors from:
1966 *
1967 * http://www.faqs.org/rfcs/rfc3686.html
1968 */
1969
1970static const unsigned char aes_test_ctr_key[3][16] =
1971{
1972 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1973 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1974 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1975 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1976 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1977 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1978};
1979
1980static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1981{
1982 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1983 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1984 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1985 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1986 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1987 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1988};
1989
1990static const unsigned char aes_test_ctr_pt[3][48] =
1991{
1992 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1993 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1994
1995 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1996 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1997 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1998 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1999
2000 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
2001 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
2002 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
2003 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
2004 0x20, 0x21, 0x22, 0x23 }
2005};
2006
2007static const unsigned char aes_test_ctr_ct[3][48] =
2008{
2009 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
2010 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
2011 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
2012 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
2013 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
2014 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
2015 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
2016 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
2017 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
2018 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
2019 0x25, 0xB2, 0x07, 0x2F }
2020};
2021
2022static const int aes_test_ctr_len[3] =
2023 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2024#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2026#if defined(MBEDTLS_CIPHER_MODE_XTS)
2027/*
2028 * AES-XTS test vectors from:
2029 *
2030 * IEEE P1619/D16 Annex B
2031 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
2032 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
2033 */
2034static const unsigned char aes_test_xts_key[][32] =
2035{
2036 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2038 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2039 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2040 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
2041 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
2042 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
2043 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
2044 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
2045 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
2046 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
2047 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
2048};
2049
2050static const unsigned char aes_test_xts_pt32[][32] =
2051{
2052 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2054 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2055 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2056 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2057 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2058 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2059 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
2060 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2061 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2062 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
2063 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
2064};
2065
2066static const unsigned char aes_test_xts_ct32[][32] =
2067{
2068 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
2069 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
2070 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
2071 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
2072 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
2073 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
2074 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
2075 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
2076 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
2077 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
2078 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
2079 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
2080};
2081
2082static const unsigned char aes_test_xts_data_unit[][16] =
2083{
2084 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2085 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2086 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2087 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2088 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2089 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2090};
2091
2092#endif /* MBEDTLS_CIPHER_MODE_XTS */
2093
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2094/*
2095 * Checkup routine
2096 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2097int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2098{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2099 int ret = 0, i, j, u, mode;
2100 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2101 unsigned char key[32];
2102 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2103 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2104#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2105 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2106#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2107#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]2108 unsigned char prv[16];
2109#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]2110#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
2111 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2112 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2113#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2114#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2115 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2116#endif
2117#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2118 unsigned char nonce_counter[16];
2119 unsigned char stream_block[16];
2120#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2121 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2122
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2123 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2124 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2125
2126 /*
2127 * ECB mode
2128 */
2129 for( i = 0; i < 6; i++ )
2130 {
2131 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2132 keybits = 128 + u * 64;
2133 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2134
2135 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2136 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
2137 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2138
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2139#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2140 if( keybits > 128 )
2141 {
2142 mbedtls_printf( "skipped\n" );
2143 continue;
2144 }
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2145#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
2146
2147#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2148 if( mode == MBEDTLS_AES_DECRYPT )
2149 {
2150 mbedtls_printf( "skipped\n" );
2151 continue;
2152 }
2153#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2154
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2155 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2156
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2157 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2158 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2159 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2160 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2161 }
2162 else
2163 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2164 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2165 aes_tests = aes_test_ecb_enc[u];
2166 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2167
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2168 /*
2169 * AES-192 is an optional feature that may be unavailable when
2170 * there is an alternative underlying implementation i.e. when
2171 * MBEDTLS_AES_ALT is defined.
2172 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2173 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2174 {
2175 mbedtls_printf( "skipped\n" );
2176 continue;
2177 }
2178 else if( ret != 0 )
2179 {
2180 goto exit;
2181 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2182
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2183 for( j = 0; j < 10000; j++ )
2184 {
2185 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
2186 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2187 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2188 }
2189
2190 if( memcmp( buf, aes_tests, 16 ) != 0 )
2191 {
2192 ret = 1;
2193 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2194 }
2195
2196 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2197 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2198 }
2199
2200 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2201 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2202
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2203#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204 /*
2205 * CBC mode
2206 */
2207 for( i = 0; i < 6; i++ )
2208 {
2209 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2210 keybits = 128 + u * 64;
2211 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2212
2213 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2214 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
2215 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2216
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2217#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2218 if( keybits > 128 )
2219 {
2220 mbedtls_printf( "skipped\n" );
2221 continue;
2222 }
2223#endif
2224
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2225#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2226 if( mode == MBEDTLS_AES_DECRYPT )
2227 {
2228 mbedtls_printf( "skipped\n" );
2229 continue;
2230 }
2231#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2232
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2233 memset( iv , 0, 16 );
2234 memset( prv, 0, 16 );
2235 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2236
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2237 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2238 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2239 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2240 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2241 }
2242 else
2243 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2244 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2245 aes_tests = aes_test_cbc_enc[u];
2246 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2247
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2248 /*
2249 * AES-192 is an optional feature that may be unavailable when
2250 * there is an alternative underlying implementation i.e. when
2251 * MBEDTLS_AES_ALT is defined.
2252 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2253 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2254 {
2255 mbedtls_printf( "skipped\n" );
2256 continue;
2257 }
2258 else if( ret != 0 )
2259 {
2260 goto exit;
2261 }
2262
2263 for( j = 0; j < 10000; j++ )
2264 {
2265 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2266 {
2267 unsigned char tmp[16];
2268
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2269 memcpy( tmp, prv, 16 );
2270 memcpy( prv, buf, 16 );
2271 memcpy( buf, tmp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2272 }
2273
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2274 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
2275 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2276 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2277
2278 }
2279
2280 if( memcmp( buf, aes_tests, 16 ) != 0 )
2281 {
2282 ret = 1;
2283 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2284 }
2285
2286 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2287 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2288 }
2289
2290 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2291 mbedtls_printf( "\n" );
2292#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2293
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2294#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2295 /*
2296 * CFB128 mode
2297 */
2298 for( i = 0; i < 6; i++ )
2299 {
2300 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2301 keybits = 128 + u * 64;
2302 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2303
2304 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2305 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2306 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2307
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2308#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2309 if( keybits > 128 )
2310 {
2311 mbedtls_printf( "skipped\n" );
2312 continue;
2313 }
2314#endif
2315
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2316#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2317 if( mode == MBEDTLS_AES_DECRYPT )
2318 {
2319 mbedtls_printf( "skipped\n" );
2320 continue;
2321 }
2322#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2323
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2324 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2325 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2326
2327 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2328 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2329 /*
2330 * AES-192 is an optional feature that may be unavailable when
2331 * there is an alternative underlying implementation i.e. when
2332 * MBEDTLS_AES_ALT is defined.
2333 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2334 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2335 {
2336 mbedtls_printf( "skipped\n" );
2337 continue;
2338 }
2339 else if( ret != 0 )
2340 {
2341 goto exit;
2342 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2343
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2344 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2345 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2346 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2347 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2348 }
2349 else
2350 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2351 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2352 aes_tests = aes_test_cfb128_ct[u];
2353 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2354
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2355 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2356 if( ret != 0 )
2357 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2358
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2359 if( memcmp( buf, aes_tests, 64 ) != 0 )
2360 {
2361 ret = 1;
2362 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2363 }
2364
2365 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2366 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2367 }
2368
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2369 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2370 mbedtls_printf( "\n" );
2371#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2372
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2373#if defined(MBEDTLS_CIPHER_MODE_OFB)
2374 /*
2375 * OFB mode
2376 */
2377 for( i = 0; i < 6; i++ )
2378 {
2379 u = i >> 1;
2380 keybits = 128 + u * 64;
2381 mode = i & 1;
2382
2383 if( verbose != 0 )
2384 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2385 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2386
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2387#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2388 if( keybits > 128 )
2389 {
2390 mbedtls_printf( "skipped\n" );
2391 continue;
2392 }
2393#endif
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2394
2395#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2396 if( mode == MBEDTLS_AES_DECRYPT )
2397 {
2398 mbedtls_printf( "skipped\n" );
2399 continue;
2400 }
2401#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2402
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2403 memcpy( iv, aes_test_ofb_iv, 16 );
2404 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2405
2406 offset = 0;
2407 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2408 /*
2409 * AES-192 is an optional feature that may be unavailable when
2410 * there is an alternative underlying implementation i.e. when
2411 * MBEDTLS_AES_ALT is defined.
2412 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2413 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2414 {
2415 mbedtls_printf( "skipped\n" );
2416 continue;
2417 }
2418 else if( ret != 0 )
2419 {
2420 goto exit;
2421 }
2422
2423 if( mode == MBEDTLS_AES_DECRYPT )
2424 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2425 memcpy( buf, aes_test_ofb_ct[u], 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2426 aes_tests = aes_test_ofb_pt;
2427 }
2428 else
2429 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2430 memcpy( buf, aes_test_ofb_pt, 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2431 aes_tests = aes_test_ofb_ct[u];
2432 }
2433
2434 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2435 if( ret != 0 )
2436 goto exit;
2437
2438 if( memcmp( buf, aes_tests, 64 ) != 0 )
2439 {
2440 ret = 1;
2441 goto exit;
2442 }
2443
2444 if( verbose != 0 )
2445 mbedtls_printf( "passed\n" );
2446 }
2447
2448 if( verbose != 0 )
2449 mbedtls_printf( "\n" );
2450#endif /* MBEDTLS_CIPHER_MODE_OFB */
2451
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2452#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2453 /*
2454 * CTR mode
2455 */
2456 for( i = 0; i < 6; i++ )
2457 {
2458 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2459 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2460
2461 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2462 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2463 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2464
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2465#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2466 if( keybits > 128 )
2467 {
2468 mbedtls_printf( "skipped\n" );
2469 continue;
2470 }
2471#endif
2472
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2473#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2474 if( mode == MBEDTLS_AES_DECRYPT )
2475 {
2476 mbedtls_printf( "skipped\n" );
2477 continue;
2478 }
2479#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2480
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2481 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2482 memcpy( key, aes_test_ctr_key[u], 16 );
2483
2484 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2485 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2486 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2487
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2488 len = aes_test_ctr_len[u];
2489
2490 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2491 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2492 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2493 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2494 }
2495 else
2496 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2497 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2498 aes_tests = aes_test_ctr_ct[u];
2499 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2500
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2501 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2502 stream_block, buf, buf );
2503 if( ret != 0 )
2504 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2505
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2506 if( memcmp( buf, aes_tests, len ) != 0 )
2507 {
2508 ret = 1;
2509 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2510 }
2511
2512 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2513 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2514 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2515
2516 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2517 mbedtls_printf( "\n" );
2518#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2519
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2520#if defined(MBEDTLS_CIPHER_MODE_XTS)
2521 {
2522 static const int num_tests =
2523 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2524 mbedtls_aes_xts_context ctx_xts;
2525
2526 /*
2527 * XTS mode
2528 */
2529 mbedtls_aes_xts_init( &ctx_xts );
2530
2531 for( i = 0; i < num_tests << 1; i++ )
2532 {
2533 const unsigned char *data_unit;
2534 u = i >> 1;
2535 mode = i & 1;
2536
2537 if( verbose != 0 )
2538 mbedtls_printf( " AES-XTS-128 (%s): ",
2539 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2540
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2541#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2542 if( mode == MBEDTLS_AES_DECRYPT )
2543 {
2544 mbedtls_printf( "skipped\n" );
2545 continue;
2546 }
2547#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2548
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2549 memset( key, 0, sizeof( key ) );
2550 memcpy( key, aes_test_xts_key[u], 32 );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2551 data_unit = aes_test_xts_data_unit[u];
2552
2553 len = sizeof( *aes_test_xts_ct32 );
2554
2555 if( mode == MBEDTLS_AES_DECRYPT )
2556 {
2557 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2558 if( ret != 0)
2559 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2560 memcpy( buf, aes_test_xts_ct32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2561 aes_tests = aes_test_xts_pt32[u];
2562 }
2563 else
2564 {
2565 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2566 if( ret != 0)
2567 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2568 memcpy( buf, aes_test_xts_pt32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2569 aes_tests = aes_test_xts_ct32[u];
2570 }
2571
2572
2573 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2574 buf, buf );
2575 if( ret != 0 )
2576 goto exit;
2577
2578 if( memcmp( buf, aes_tests, len ) != 0 )
2579 {
2580 ret = 1;
2581 goto exit;
2582 }
2583
2584 if( verbose != 0 )
2585 mbedtls_printf( "passed\n" );
2586 }
2587
2588 if( verbose != 0 )
2589 mbedtls_printf( "\n" );
2590
2591 mbedtls_aes_xts_free( &ctx_xts );
2592 }
2593#endif /* MBEDTLS_CIPHER_MODE_XTS */
2594
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2595 ret = 0;
2596
2597exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2598 if( ret != 0 && verbose != 0 )
2599 mbedtls_printf( "failed\n" );
2600
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2601 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2602
2603 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2604}
2605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2606#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2607
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2608#endif /* MBEDTLS_AES_C */