TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 7543901b6a471ef354ac19c0444fd94b21110eb7 / . / library / aes.c
blob: 909b4c557ffc3f96ea34df0d98c08451787c06e0 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]88/*
89 * Data structure for AES round data
90 */
91typedef struct _aes_r_data_s {
92 uint32_t *rk_ptr; /* Round Key */
93 uint32_t xy_values[8]; /* X0, X1, X2, X3, Y0, U1, Y2, Y3 */
94} aes_r_data_t;
95
96#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
97/* Number of additional AES calculation rounds added for SCA CM */
98#define AES_SCA_CM_ROUNDS 3
99#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
100#define AES_SCA_CM_ROUNDS 0
101#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]103#if defined(MBEDTLS_PADLOCK_C) && \
104 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]105static int aes_padlock_ace = -1;
106#endif
107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]108#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109/*
110 * Forward S-box
111 */
112static const unsigned char FSb[256] =
113{
114 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
115 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
116 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
117 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
118 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
119 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
120 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
121 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
122 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
123 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
124 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
125 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
126 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
127 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
128 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
129 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
130 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
131 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
132 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
133 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
134 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
135 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
136 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
137 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
138 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
139 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
140 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
141 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
142 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
143 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
144 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
145 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
146};
147
148/*
149 * Forward tables
150 */
151#define FT \
152\
153 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
154 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
155 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
156 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
157 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
158 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
159 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
160 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
161 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
162 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
163 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
164 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
165 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
166 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
167 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
168 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
169 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
170 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
171 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
172 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
173 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
174 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
175 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
176 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
177 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
178 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
179 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
180 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
181 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
182 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
183 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
184 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
185 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
186 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
187 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
188 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
189 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
190 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
191 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
192 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
193 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
194 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
195 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
196 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
197 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
198 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
199 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
200 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
201 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
202 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
203 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
204 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
205 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
206 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
207 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
208 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
209 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
210 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
211 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
212 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
213 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
214 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
215 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
216 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
217
218#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef V
221
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]222#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]225static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226#undef V
227
228#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
232#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]233static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#undef V
235
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]236#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]237
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238#undef FT
239
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]240#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]241/*
242 * Reverse S-box
243 */
244static const unsigned char RSb[256] =
245{
246 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
247 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
248 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
249 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
250 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
251 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
252 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
253 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
254 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
255 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
256 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
257 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
258 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
259 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
260 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
261 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
262 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
263 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
264 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
265 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
266 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
267 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
268 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
269 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
270 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
271 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
272 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
273 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
274 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
275 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
276 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
277 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
278};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]279#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280
281/*
282 * Reverse tables
283 */
284#define RT \
285\
286 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
287 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
288 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
289 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
290 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
291 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
292 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
293 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
294 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
295 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
296 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
297 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
298 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
299 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
300 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
301 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
302 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
303 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
304 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
305 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
306 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
307 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
308 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
309 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
310 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
311 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
312 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
313 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
314 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
315 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
316 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
317 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
318 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
319 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
320 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
321 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
322 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
323 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
324 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
325 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
326 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
327 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
328 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
329 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
330 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
331 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
332 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
333 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
334 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
335 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
336 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
337 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
338 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
339 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
340 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
341 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
342 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
343 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
344 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
345 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
346 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
347 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
348 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
349 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
350
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]351#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]352#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef V
355
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]356#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360#undef V
361
362#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364#undef V
365
366#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]367static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368#undef V
369
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]371#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]372
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373#undef RT
374
375/*
376 * Round constants
377 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379{
380 0x00000001, 0x00000002, 0x00000004, 0x00000008,
381 0x00000010, 0x00000020, 0x00000040, 0x00000080,
382 0x0000001B, 0x00000036
383};
384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]385#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387/*
388 * Forward S-box & tables
389 */
390static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]391static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]392#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]393static uint32_t FT1[256];
394static uint32_t FT2[256];
395static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]396#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397
398/*
399 * Reverse S-box & tables
400 */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]401#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]403static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]404#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]405static uint32_t RT1[256];
406static uint32_t RT2[256];
407static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]408#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]409#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]410
411/*
412 * Round constants
413 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]414static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415
416/*
417 * Tables generation code
418 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]419#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
420#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]421#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]422
423static int aes_init_done = 0;
424
425static void aes_gen_tables( void )
426{
427 int i, x, y, z;
428 int pow[256];
429 int log[256];
430
431 /*
432 * compute pow and log tables over GF(2^8)
433 */
434 for( i = 0, x = 1; i < 256; i++ )
435 {
436 pow[i] = x;
437 log[x] = i;
438 x = ( x ^ XTIME( x ) ) & 0xFF;
439 }
440
441 /*
442 * calculate the round constants
443 */
444 for( i = 0, x = 1; i < 10; i++ )
445 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]446 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 x = XTIME( x ) & 0xFF;
448 }
449
450 /*
451 * generate the forward and reverse S-boxes
452 */
453 FSb[0x00] = 0x63;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]454#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 RSb[0x63] = 0x00;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]456#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
458 for( i = 1; i < 256; i++ )
459 {
460 x = pow[255 - log[i]];
461
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]462 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
463 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
464 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 x ^= y ^ 0x63;
467
468 FSb[i] = (unsigned char) x;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]469#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RSb[x] = (unsigned char) i;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]471#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]494#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]495 x = RSb[i];
496
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]497 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
498 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
499 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
500 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]502#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]503 RT1[i] = ROTL8( RT0[i] );
504 RT2[i] = ROTL8( RT1[i] );
505 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]506#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]507#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 }
509}
510
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]511#undef ROTL8
512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]515/**
516 * Randomize positions when to use AES SCA countermeasures.
517 * Each byte indicates one AES round as follows:
518 * first ( tbl_len - 2 ) bytes are reserved for AES rounds
519 * -4 high bit = table to use 0x10 for SCA CM data, 0 otherwise
520 * -4 low bits = offset based on order, 4 for even position, 0 otherwise
521 * Last 2 bytes for first/final round calculation
522 * -4 high bit = table to use, 0x10 for SCA CM data, otherwise real data
523 * -4 low bits = not used
524 *
525 */
526static void aes_sca_cm_data_randomize( uint8_t *tbl, uint8_t tbl_len )
527{
528 int i, is_even_pos;
529#if AES_SCA_CM_ROUNDS != 0
530 int is_unique_number;
531 int num;
532#endif
533
534 memset( tbl, 0, tbl_len );
535
536#if AES_SCA_CM_ROUNDS != 0
537 // Randomize SCA CM positions to tbl
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]538 for( i = 0; i < AES_SCA_CM_ROUNDS; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]539 {
540 do {
541 is_unique_number = 1;
542/* TODO - Use proper random. This is now ONLY FOR TESTING as mbedtls_platform_random_in_range is alwyays returning 0 */
543 num = /* mbedtls_platform_random_in_range( tbl_len - 1 ) */rand() % (tbl_len - 2);
544
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame^]545 if( tbl[num] == 0 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]546 {
547 is_unique_number = 0;
548 tbl[num] = 0x10;
549 }
550 } while ( is_unique_number == 1 );
551 }
552
553 // Fill start/final round control data
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]554 num = /* mbedtls_platform_random_in_range( tbl_len - 1 ) */rand() % 0xff;
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame^]555 if( ( num % 2 ) == 0 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]556 {
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]557 tbl[tbl_len - 2] = 0x10;
558 tbl[tbl_len - 1] = 0x0;
559 }
560 else
561 {
562 tbl[tbl_len - 2] = 0x00;
563 tbl[tbl_len - 1] = 0x10;
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]564 }
565#endif /* AES_SCA_CM_ROUNDS != 0 */
566
567 // Fill real AES round data to the remaining places
568 is_even_pos = 1;
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]569 for( i = 0; i < tbl_len - 2; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]570 {
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame^]571 if( tbl[i] == 0 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]572 {
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame^]573 if( is_even_pos == 1 )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]574 {
575 tbl[i] = 0x04; // real data, offset 0
576 is_even_pos = 0;
577 }
578 else
579 {
580 tbl[i] = 0x00; // real data, offset 0
581 is_even_pos = 1;
582 }
583 }
584 }
585}
586
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]587#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]588
589#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
590#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
591#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
592
593#define AES_RT0(idx) RT0[idx]
594#define AES_RT1(idx) ROTL8( RT0[idx] )
595#define AES_RT2(idx) ROTL16( RT0[idx] )
596#define AES_RT3(idx) ROTL24( RT0[idx] )
597
598#define AES_FT0(idx) FT0[idx]
599#define AES_FT1(idx) ROTL8( FT0[idx] )
600#define AES_FT2(idx) ROTL16( FT0[idx] )
601#define AES_FT3(idx) ROTL24( FT0[idx] )
602
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]603#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]604
605#define AES_RT0(idx) RT0[idx]
606#define AES_RT1(idx) RT1[idx]
607#define AES_RT2(idx) RT2[idx]
608#define AES_RT3(idx) RT3[idx]
609
610#define AES_FT0(idx) FT0[idx]
611#define AES_FT1(idx) FT1[idx]
612#define AES_FT2(idx) FT2[idx]
613#define AES_FT3(idx) FT3[idx]
614
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]615#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]616
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]617void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]618{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]619 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]620
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]621 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]622}
623
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]624void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]625{
626 if( ctx == NULL )
627 return;
628
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]629 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]630}
631
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]632#if defined(MBEDTLS_CIPHER_MODE_XTS)
633void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
634{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]635 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]636
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]637 mbedtls_aes_init( &ctx->crypt );
638 mbedtls_aes_init( &ctx->tweak );
639}
640
641void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
642{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]643 if( ctx == NULL )
644 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]645
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]646 mbedtls_aes_free( &ctx->crypt );
647 mbedtls_aes_free( &ctx->tweak );
648}
649#endif /* MBEDTLS_CIPHER_MODE_XTS */
650
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651/*
652 * AES key schedule (encryption)
653 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]654#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]655int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]656 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]658 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]659 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]661 AES_VALIDATE_RET( ctx != NULL );
662 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]664 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665 {
666 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]667#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668 case 192: ctx->nr = 12; break;
669 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]670#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]672 }
673
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]674#if !defined(MBEDTLS_AES_ROM_TABLES)
675 if( aes_init_done == 0 )
676 {
677 aes_gen_tables();
678 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]679 }
680#endif
681
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]683 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]684 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]685
686 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]687 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]690 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]691
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]692#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]693 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]694 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]695#endif
696
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]697 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]698 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]699 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]700 }
701
702 switch( ctx->nr )
703 {
704 case 10:
705
706 for( i = 0; i < 10; i++, RK += 4 )
707 {
708 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]709 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
710 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
711 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
712 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]713
714 RK[5] = RK[1] ^ RK[4];
715 RK[6] = RK[2] ^ RK[5];
716 RK[7] = RK[3] ^ RK[6];
717 }
718 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]719#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720 case 12:
721
722 for( i = 0; i < 8; i++, RK += 6 )
723 {
724 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]725 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
726 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
727 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
728 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]729
730 RK[7] = RK[1] ^ RK[6];
731 RK[8] = RK[2] ^ RK[7];
732 RK[9] = RK[3] ^ RK[8];
733 RK[10] = RK[4] ^ RK[9];
734 RK[11] = RK[5] ^ RK[10];
735 }
736 break;
737
738 case 14:
739
740 for( i = 0; i < 7; i++, RK += 8 )
741 {
742 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]743 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
744 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
745 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
746 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]747
748 RK[9] = RK[1] ^ RK[8];
749 RK[10] = RK[2] ^ RK[9];
750 RK[11] = RK[3] ^ RK[10];
751
752 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]753 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
754 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
755 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
756 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]757
758 RK[13] = RK[5] ^ RK[12];
759 RK[14] = RK[6] ^ RK[13];
760 RK[15] = RK[7] ^ RK[14];
761 }
762 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]763#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]764 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]765
766 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]767}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]768#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]769
770/*
771 * AES key schedule (decryption)
772 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]773#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]774int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]775 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]776{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]777#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
778 (void) ctx;
779 (void) key;
780 (void) keybits;
781
782 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
783#else /* */
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]784 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]785 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]786 uint32_t *RK;
787 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]788
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]789 AES_VALIDATE_RET( ctx != NULL );
790 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]791
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]792 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]793
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]794#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]795 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]796 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]797
798 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]799 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]800 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]801#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]802 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]803
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]804 /* Also checks keybits */
805 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]806 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]807
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]808 ctx->nr = cty.nr;
809
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]810#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]811 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]812 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]813 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]814 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]815 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]816 }
817#endif
818
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]819 SK = cty.rk + cty.nr * 4;
820
821 *RK++ = *SK++;
822 *RK++ = *SK++;
823 *RK++ = *SK++;
824 *RK++ = *SK++;
825
826 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
827 {
828 for( j = 0; j < 4; j++, SK++ )
829 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]830 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
831 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
832 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
833 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]834 }
835 }
836
837 *RK++ = *SK++;
838 *RK++ = *SK++;
839 *RK++ = *SK++;
840 *RK++ = *SK++;
841
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]842exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]843 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]844
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]845 return( ret );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]846#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]847}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]848
849#if defined(MBEDTLS_CIPHER_MODE_XTS)
850static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
851 unsigned int keybits,
852 const unsigned char **key1,
853 unsigned int *key1bits,
854 const unsigned char **key2,
855 unsigned int *key2bits )
856{
857 const unsigned int half_keybits = keybits / 2;
858 const unsigned int half_keybytes = half_keybits / 8;
859
860 switch( keybits )
861 {
862 case 256: break;
863 case 512: break;
864 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
865 }
866
867 *key1bits = half_keybits;
868 *key2bits = half_keybits;
869 *key1 = &key[0];
870 *key2 = &key[half_keybytes];
871
872 return 0;
873}
874
875int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
876 const unsigned char *key,
877 unsigned int keybits)
878{
879 int ret;
880 const unsigned char *key1, *key2;
881 unsigned int key1bits, key2bits;
882
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]883 AES_VALIDATE_RET( ctx != NULL );
884 AES_VALIDATE_RET( key != NULL );
885
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]886 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
887 &key2, &key2bits );
888 if( ret != 0 )
889 return( ret );
890
891 /* Set the tweak key. Always set tweak key for the encryption mode. */
892 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
893 if( ret != 0 )
894 return( ret );
895
896 /* Set crypt key for encryption. */
897 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
898}
899
900int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
901 const unsigned char *key,
902 unsigned int keybits)
903{
904 int ret;
905 const unsigned char *key1, *key2;
906 unsigned int key1bits, key2bits;
907
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]908 AES_VALIDATE_RET( ctx != NULL );
909 AES_VALIDATE_RET( key != NULL );
910
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]911 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
912 &key2, &key2bits );
913 if( ret != 0 )
914 return( ret );
915
916 /* Set the tweak key. Always set tweak key for encryption. */
917 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
918 if( ret != 0 )
919 return( ret );
920
921 /* Set crypt key for decryption. */
922 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
923}
924#endif /* MBEDTLS_CIPHER_MODE_XTS */
925
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]926#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]927
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]928/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]929 * AES-ECB block encryption
930 */
931#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]932
933static uint32_t *aes_fround( uint32_t *R,
934 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
935 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
936{
937 *X0 = *R++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^
938 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^
939 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^
940 AES_FT3( ( Y3 >> 24 ) & 0xFF );
941
942 *X1 = *R++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^
943 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^
944 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^
945 AES_FT3( ( Y0 >> 24 ) & 0xFF );
946
947 *X2 = *R++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^
948 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^
949 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^
950 AES_FT3( ( Y1 >> 24 ) & 0xFF );
951
952 *X3 = *R++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^
953 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^
954 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^
955 AES_FT3( ( Y2 >> 24 ) & 0xFF );
956
957 return R;
958}
959
960static void aes_fround_final( uint32_t *R,
961 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
962 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
963{
964 *X0 = *R++ ^ ( (uint32_t) FSb[ ( (Y0) ) & 0xFF ] ) ^
965 ( (uint32_t) FSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
966 ( (uint32_t) FSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
967 ( (uint32_t) FSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
968
969 *X1 = *R++ ^ ( (uint32_t) FSb[ ( (Y1) ) & 0xFF ] ) ^
970 ( (uint32_t) FSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
971 ( (uint32_t) FSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
972 ( (uint32_t) FSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
973
974 *X2 = *R++ ^ ( (uint32_t) FSb[ ( (Y2) ) & 0xFF ] ) ^
975 ( (uint32_t) FSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
976 ( (uint32_t) FSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
977 ( (uint32_t) FSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
978
979 *X3 = *R++ ^ ( (uint32_t) FSb[ ( (Y3) ) & 0xFF ] ) ^
980 ( (uint32_t) FSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
981 ( (uint32_t) FSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
982 ( (uint32_t) FSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
983}
984
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]985int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
986 const unsigned char input[16],
987 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]988{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]989 int i, j, offset, start_fin_loops = 1;
990 aes_r_data_t aes_data_real; // real data
991#if AES_SCA_CM_ROUNDS != 0
992 aes_r_data_t aes_data_fake; // fake data
993#endif /* AES_SCA_CM_ROUNDS != 0 */
994 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
995 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
996 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2;
997 // control bytes for AES rounds, reserve based on max ctx->nr
998 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 ];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]999
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1000 aes_data_real.rk_ptr = ctx->rk;
1001 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1002
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1003#if AES_SCA_CM_ROUNDS != 0
1004 aes_data_table[1] = &aes_data_fake;
1005 aes_data_fake.rk_ptr = ctx->rk;
1006 start_fin_loops = 2;
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1007 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1008 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1009#endif
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1010
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1011 // Get randomized AES calculation control bytes
1012 aes_sca_cm_data_randomize( round_ctrl_table, round_ctrl_table_len );
1013
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1014 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1015 {
1016 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1017 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1018 {
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1019 aes_data_ptr =
1020 aes_data_table[round_ctrl_table[ round_ctrl_table_len - 2 + j ] >> 4];
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1021 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
1022 }
1023 }
1024
1025 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
1026 {
1027 // Read AES control data
1028 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1029 offset = round_ctrl_table[i] & 0x0f;
1030
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1031 aes_data_ptr->rk_ptr = aes_fround( aes_data_ptr->rk_ptr,
1032 &aes_data_ptr->xy_values[0 + offset],
1033 &aes_data_ptr->xy_values[1 + offset],
1034 &aes_data_ptr->xy_values[2 + offset],
1035 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1036 aes_data_ptr->xy_values[4 - offset],
1037 aes_data_ptr->xy_values[5 - offset],
1038 aes_data_ptr->xy_values[6 - offset],
1039 aes_data_ptr->xy_values[7 - offset] );
1040 }
1041
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1042 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1043 {
1044 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1045 aes_fround_final( aes_data_ptr->rk_ptr,
1046 &aes_data_ptr->xy_values[0],
1047 &aes_data_ptr->xy_values[1],
1048 &aes_data_ptr->xy_values[2],
1049 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1050 aes_data_ptr->xy_values[4],
1051 aes_data_ptr->xy_values[5],
1052 aes_data_ptr->xy_values[6],
1053 aes_data_ptr->xy_values[7] );
1054 }
1055
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1056 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1057 {
1058 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
1059 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1060
1061 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1062}
1063#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
1064
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1065#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1066void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
1067 const unsigned char input[16],
1068 unsigned char output[16] )
1069{
1070 mbedtls_internal_aes_encrypt( ctx, input, output );
1071}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1072#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1073
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1074/*
1075 * AES-ECB block decryption
1076 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1077
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1078#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1079#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1080
1081static uint32_t *aes_rround( uint32_t *R,
1082 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1083 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1084{
1085 *X0 = *R++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^
1086 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^
1087 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^
1088 AES_RT3( ( Y1 >> 24 ) & 0xFF );
1089
1090 *X1 = *R++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^
1091 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^
1092 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^
1093 AES_RT3( ( Y2 >> 24 ) & 0xFF );
1094
1095 *X2 = *R++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^
1096 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^
1097 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^
1098 AES_RT3( ( Y3 >> 24 ) & 0xFF );
1099
1100 *X3 = *R++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^
1101 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^
1102 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^
1103 AES_RT3( ( Y0 >> 24 ) & 0xFF );
1104 return R;
1105}
1106
1107static void aes_rround_final( uint32_t *R,
1108 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1109 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1110{
1111 *X0 = *R++ ^ ( (uint32_t) RSb[ ( (Y0) ) & 0xFF ] ) ^
1112 ( (uint32_t) RSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
1113 ( (uint32_t) RSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
1114 ( (uint32_t) RSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
1115
1116 *X1 = *R++ ^ ( (uint32_t) RSb[ ( (Y1) ) & 0xFF ] ) ^
1117 ( (uint32_t) RSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
1118 ( (uint32_t) RSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
1119 ( (uint32_t) RSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
1120
1121 *X2 = *R++ ^ ( (uint32_t) RSb[ ( (Y2) ) & 0xFF ] ) ^
1122 ( (uint32_t) RSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
1123 ( (uint32_t) RSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
1124 ( (uint32_t) RSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
1125
1126 *X3 = *R++ ^ ( (uint32_t) RSb[ ( (Y3) ) & 0xFF ] ) ^
1127 ( (uint32_t) RSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
1128 ( (uint32_t) RSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
1129 ( (uint32_t) RSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
1130}
1131
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1132int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
1133 const unsigned char input[16],
1134 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1135{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1136 int i, j, offset, start_fin_loops = 1;
1137 aes_r_data_t aes_data_real; // real data
1138#if AES_SCA_CM_ROUNDS != 0
1139 aes_r_data_t aes_data_fake; // fake data
1140#endif /* AES_SCA_CM_ROUNDS != 0 */
1141 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
1142 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
1143 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2;
1144 // control bytes for AES rounds, reserve based on max ctx->nr
1145 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 ];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1146
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1147 aes_data_real.rk_ptr = ctx->rk;
1148 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1149
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1150#if AES_SCA_CM_ROUNDS != 0
1151 aes_data_table[1] = &aes_data_fake;
1152 aes_data_fake.rk_ptr = ctx->rk;
1153 start_fin_loops = 2;
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1154 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1155 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
1156#endif
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1157
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1158 // Get randomized AES calculation control bytes
1159 aes_sca_cm_data_randomize( round_ctrl_table, round_ctrl_table_len );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1160
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1161 for( i = 0; i < 4; i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1162 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1163 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1164 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1165 {
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1166 aes_data_ptr =
1167 aes_data_table[round_ctrl_table[ round_ctrl_table_len - 2 + j ] >> 4];
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1168 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
1169 }
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1170 }
1171
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1172 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1173 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1174 // Read AES control data
1175 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1176 offset = round_ctrl_table[i] & 0x0f;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1177
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1178 aes_data_ptr->rk_ptr = aes_rround( aes_data_ptr->rk_ptr,
1179 &aes_data_ptr->xy_values[0 + offset],
1180 &aes_data_ptr->xy_values[1 + offset],
1181 &aes_data_ptr->xy_values[2 + offset],
1182 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1183 aes_data_ptr->xy_values[4 - offset],
1184 aes_data_ptr->xy_values[5 - offset],
1185 aes_data_ptr->xy_values[6 - offset],
1186 aes_data_ptr->xy_values[7 - offset] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1187 }
1188
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1189 for( j = 0; j < start_fin_loops; j++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1190 {
1191 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame]1192 aes_rround_final( aes_data_ptr->rk_ptr,
1193 &aes_data_ptr->xy_values[0],
1194 &aes_data_ptr->xy_values[1],
1195 &aes_data_ptr->xy_values[2],
1196 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1197 aes_data_ptr->xy_values[4],
1198 aes_data_ptr->xy_values[5],
1199 aes_data_ptr->xy_values[6],
1200 aes_data_ptr->xy_values[7] );
1201 }
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1202
Arto Kinnunen425137a2019-11-29 15:53:09 +0200[diff] [blame]1203 for( i = 0; i < 4; i++ )
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1204 {
1205 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
1206 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1207
1208 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1209}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1210#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1211#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1212
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1213#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1214void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1215 const unsigned char input[16],
1216 unsigned char output[16] )
1217{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1218#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1219 (void) ctx;
1220 (void) input;
1221 (void) output;
1222#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1223 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1224#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1225}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1226#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1227
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1228/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1229 * AES-ECB block encryption/decryption
1230 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1231int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1232 int mode,
1233 const unsigned char input[16],
1234 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1235{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1236 AES_VALIDATE_RET( ctx != NULL );
1237 AES_VALIDATE_RET( input != NULL );
1238 AES_VALIDATE_RET( output != NULL );
1239 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1240 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1241 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1242
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1243#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1244 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1245 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1246#endif
1247
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1248#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1249 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1250 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1251 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1252 return( 0 );
1253
1254 // If padlock data misaligned, we just fall back to
1255 // unaccelerated mode
1256 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1257 }
1258#endif
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1259#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1260 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1261#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1263 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1264 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1265 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1266 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1267#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1268}
1269
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1270#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1271/*
1272 * AES-CBC buffer encryption/decryption
1273 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1274int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1275 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1276 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1277 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1278 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1279 unsigned char *output )
1280{
1281 int i;
1282 unsigned char temp[16];
1283
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1284 AES_VALIDATE_RET( ctx != NULL );
1285 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1286 mode == MBEDTLS_AES_DECRYPT );
1287 AES_VALIDATE_RET( iv != NULL );
1288 AES_VALIDATE_RET( input != NULL );
1289 AES_VALIDATE_RET( output != NULL );
1290
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1291 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1292 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1293
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1294#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1295 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1296 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1297 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1298 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1299
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1300 // If padlock data misaligned, we just fall back to
1301 // unaccelerated mode
1302 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303 }
1304#endif
1305
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1306 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307 {
1308 while( length > 0 )
1309 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1310 mbedtls_platform_memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312
1313 for( i = 0; i < 16; i++ )
1314 output[i] = (unsigned char)( output[i] ^ iv[i] );
1315
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1316 mbedtls_platform_memcpy( iv, temp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1317
1318 input += 16;
1319 output += 16;
1320 length -= 16;
1321 }
1322 }
1323 else
1324 {
1325 while( length > 0 )
1326 {
1327 for( i = 0; i < 16; i++ )
1328 output[i] = (unsigned char)( input[i] ^ iv[i] );
1329
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1330 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1331 mbedtls_platform_memcpy( iv, output, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332
1333 input += 16;
1334 output += 16;
1335 length -= 16;
1336 }
1337 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1338
1339 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1340}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1341#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1343#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1344
1345/* Endianess with 64 bits values */
1346#ifndef GET_UINT64_LE
1347#define GET_UINT64_LE(n,b,i) \
1348{ \
1349 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1350 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1351 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1352 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1353 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1354 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1355 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1356 | ( (uint64_t) (b)[(i) ] ); \
1357}
1358#endif
1359
1360#ifndef PUT_UINT64_LE
1361#define PUT_UINT64_LE(n,b,i) \
1362{ \
1363 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1364 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1365 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1366 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1367 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1368 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1369 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1370 (b)[(i) ] = (unsigned char) ( (n) ); \
1371}
1372#endif
1373
1374typedef unsigned char mbedtls_be128[16];
1375
1376/*
1377 * GF(2^128) multiplication function
1378 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1379 * This function multiplies a field element by x in the polynomial field
1380 * representation. It uses 64-bit word operations to gain speed but compensates
1381 * for machine endianess and hence works correctly on both big and little
1382 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1383 */
1384static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1385 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1386{
1387 uint64_t a, b, ra, rb;
1388
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1389 GET_UINT64_LE( a, x, 0 );
1390 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1391
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1392 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1393 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1394
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1395 PUT_UINT64_LE( ra, r, 0 );
1396 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1397}
1398
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1399/*
1400 * AES-XTS buffer encryption/decryption
1401 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1402int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1403 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1404 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1405 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1406 const unsigned char *input,
1407 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1408{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1409 int ret;
1410 size_t blocks = length / 16;
1411 size_t leftover = length % 16;
1412 unsigned char tweak[16];
1413 unsigned char prev_tweak[16];
1414 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1415
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1416 AES_VALIDATE_RET( ctx != NULL );
1417 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1418 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1419 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1420 AES_VALIDATE_RET( input != NULL );
1421 AES_VALIDATE_RET( output != NULL );
1422
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1423 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1424 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1425 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1426
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1427 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1428 if( length > ( 1 << 20 ) * 16 )
1429 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1430
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1431 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1432 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1433 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1434 if( ret != 0 )
1435 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1436
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1437 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1438 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1439 size_t i;
1440
1441 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1442 {
1443 /* We are on the last block in a decrypt operation that has
1444 * leftover bytes, so we need to use the next tweak for this block,
1445 * and this tweak for the lefover bytes. Save the current tweak for
1446 * the leftovers and then update the current tweak for use on this,
1447 * the last full block. */
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1448 mbedtls_platform_memcpy( prev_tweak, tweak, sizeof( tweak ) );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1449 mbedtls_gf128mul_x_ble( tweak, tweak );
1450 }
1451
1452 for( i = 0; i < 16; i++ )
1453 tmp[i] = input[i] ^ tweak[i];
1454
1455 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1456 if( ret != 0 )
1457 return( ret );
1458
1459 for( i = 0; i < 16; i++ )
1460 output[i] = tmp[i] ^ tweak[i];
1461
1462 /* Update the tweak for the next block. */
1463 mbedtls_gf128mul_x_ble( tweak, tweak );
1464
1465 output += 16;
1466 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1467 }
1468
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1469 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1470 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1471 /* If we are on the leftover bytes in a decrypt operation, we need to
1472 * use the previous tweak for these bytes (as saved in prev_tweak). */
1473 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1474
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1475 /* We are now on the final part of the data unit, which doesn't divide
1476 * evenly by 16. It's time for ciphertext stealing. */
1477 size_t i;
1478 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1479
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1480 /* Copy ciphertext bytes from the previous block to our output for each
1481 * byte of cyphertext we won't steal. At the same time, copy the
1482 * remainder of the input for this final round (since the loop bounds
1483 * are the same). */
1484 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1485 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1486 output[i] = prev_output[i];
1487 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1488 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1489
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1490 /* Copy ciphertext bytes from the previous block for input in this
1491 * round. */
1492 for( ; i < 16; i++ )
1493 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1494
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1495 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1496 if( ret != 0 )
1497 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1498
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1499 /* Write the result back to the previous block, overriding the previous
1500 * output we copied. */
1501 for( i = 0; i < 16; i++ )
1502 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1503 }
1504
1505 return( 0 );
1506}
1507#endif /* MBEDTLS_CIPHER_MODE_XTS */
1508
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1509#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510/*
1511 * AES-CFB128 buffer encryption/decryption
1512 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1513int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1514 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1515 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1516 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1517 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1518 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1519 unsigned char *output )
1520{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1521 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1522 size_t n;
1523
1524 AES_VALIDATE_RET( ctx != NULL );
1525 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1526 mode == MBEDTLS_AES_DECRYPT );
1527 AES_VALIDATE_RET( iv_off != NULL );
1528 AES_VALIDATE_RET( iv != NULL );
1529 AES_VALIDATE_RET( input != NULL );
1530 AES_VALIDATE_RET( output != NULL );
1531
1532 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1533
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1534 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1535 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1536
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1537 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1538 {
1539 while( length-- )
1540 {
1541 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1542 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1543
1544 c = *input++;
1545 *output++ = (unsigned char)( c ^ iv[n] );
1546 iv[n] = (unsigned char) c;
1547
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1548 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1549 }
1550 }
1551 else
1552 {
1553 while( length-- )
1554 {
1555 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1556 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1557
1558 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1559
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1560 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1561 }
1562 }
1563
1564 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1565
1566 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1567}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1568
1569/*
1570 * AES-CFB8 buffer encryption/decryption
1571 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1572int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1573 int mode,
1574 size_t length,
1575 unsigned char iv[16],
1576 const unsigned char *input,
1577 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1578{
1579 unsigned char c;
1580 unsigned char ov[17];
1581
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1582 AES_VALIDATE_RET( ctx != NULL );
1583 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1584 mode == MBEDTLS_AES_DECRYPT );
1585 AES_VALIDATE_RET( iv != NULL );
1586 AES_VALIDATE_RET( input != NULL );
1587 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1588 while( length-- )
1589 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1590 mbedtls_platform_memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1591 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1592
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1593 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1594 ov[16] = *input;
1595
1596 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1597
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1598 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1599 ov[16] = c;
1600
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1601 mbedtls_platform_memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1602 }
1603
1604 return( 0 );
1605}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1606#endif /* MBEDTLS_CIPHER_MODE_CFB */
1607
1608#if defined(MBEDTLS_CIPHER_MODE_OFB)
1609/*
1610 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1611 */
1612int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1613 size_t length,
1614 size_t *iv_off,
1615 unsigned char iv[16],
1616 const unsigned char *input,
1617 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1618{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1619 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1620 size_t n;
1621
1622 AES_VALIDATE_RET( ctx != NULL );
1623 AES_VALIDATE_RET( iv_off != NULL );
1624 AES_VALIDATE_RET( iv != NULL );
1625 AES_VALIDATE_RET( input != NULL );
1626 AES_VALIDATE_RET( output != NULL );
1627
1628 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1629
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1630 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1631 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1632
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1633 while( length-- )
1634 {
1635 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1636 {
1637 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1638 if( ret != 0 )
1639 goto exit;
1640 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1641 *output++ = *input++ ^ iv[n];
1642
1643 n = ( n + 1 ) & 0x0F;
1644 }
1645
1646 *iv_off = n;
1647
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1648exit:
1649 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1650}
1651#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1652
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1653#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1654/*
1655 * AES-CTR buffer encryption/decryption
1656 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1657int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1658 size_t length,
1659 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1660 unsigned char nonce_counter[16],
1661 unsigned char stream_block[16],
1662 const unsigned char *input,
1663 unsigned char *output )
1664{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1665 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1666 size_t n;
1667
1668 AES_VALIDATE_RET( ctx != NULL );
1669 AES_VALIDATE_RET( nc_off != NULL );
1670 AES_VALIDATE_RET( nonce_counter != NULL );
1671 AES_VALIDATE_RET( stream_block != NULL );
1672 AES_VALIDATE_RET( input != NULL );
1673 AES_VALIDATE_RET( output != NULL );
1674
1675 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1676
Arto Kinnunen75439012019-12-03 14:12:10 +0200[diff] [blame^]1677 if( n > 0x0F )
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1678 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1679
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1680 while( length-- )
1681 {
1682 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1683 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1684
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1685 for( i = 16; i > 0; i-- )
1686 if( ++nonce_counter[i - 1] != 0 )
1687 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1688 }
1689 c = *input++;
1690 *output++ = (unsigned char)( c ^ stream_block[n] );
1691
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1692 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1693 }
1694
1695 *nc_off = n;
1696
1697 return( 0 );
1698}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1699#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1701#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1702
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1703#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1704/*
1705 * AES test vectors from:
1706 *
1707 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1708 */
1709static const unsigned char aes_test_ecb_dec[3][16] =
1710{
1711 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1712 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1713 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1714 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1715 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1716 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1717};
1718
1719static const unsigned char aes_test_ecb_enc[3][16] =
1720{
1721 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1722 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1723 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1724 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1725 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1726 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1727};
1728
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1729#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1730static const unsigned char aes_test_cbc_dec[3][16] =
1731{
1732 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1733 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1734 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1735 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1736 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1737 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1738};
1739
1740static const unsigned char aes_test_cbc_enc[3][16] =
1741{
1742 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1743 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1744 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1745 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1746 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1747 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1748};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1749#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1750
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1751#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1752/*
1753 * AES-CFB128 test vectors from:
1754 *
1755 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1756 */
1757static const unsigned char aes_test_cfb128_key[3][32] =
1758{
1759 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1760 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1761 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1762 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1763 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1764 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1765 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1766 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1767 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1768};
1769
1770static const unsigned char aes_test_cfb128_iv[16] =
1771{
1772 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1773 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1774};
1775
1776static const unsigned char aes_test_cfb128_pt[64] =
1777{
1778 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1779 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1780 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1781 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1782 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1783 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1784 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1785 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1786};
1787
1788static const unsigned char aes_test_cfb128_ct[3][64] =
1789{
1790 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1791 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1792 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1793 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1794 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1795 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1796 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1797 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1798 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1799 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1800 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1801 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1802 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1803 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1804 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1805 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1806 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1807 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1808 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1809 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1810 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1811 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1812 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1813 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1814};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1815#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1816
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1817#if defined(MBEDTLS_CIPHER_MODE_OFB)
1818/*
1819 * AES-OFB test vectors from:
1820 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1821 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1822 */
1823static const unsigned char aes_test_ofb_key[3][32] =
1824{
1825 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1826 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1827 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1828 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1829 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1830 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1831 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1832 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1833 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1834};
1835
1836static const unsigned char aes_test_ofb_iv[16] =
1837{
1838 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1839 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1840};
1841
1842static const unsigned char aes_test_ofb_pt[64] =
1843{
1844 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1845 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1846 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1847 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1848 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1849 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1850 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1851 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1852};
1853
1854static const unsigned char aes_test_ofb_ct[3][64] =
1855{
1856 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1857 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1858 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1859 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1860 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1861 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1862 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1863 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1864 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1865 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1866 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1867 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1868 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1869 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1870 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1871 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1872 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1873 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1874 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1875 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1876 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1877 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1878 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1879 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1880};
1881#endif /* MBEDTLS_CIPHER_MODE_OFB */
1882
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1883#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1884/*
1885 * AES-CTR test vectors from:
1886 *
1887 * http://www.faqs.org/rfcs/rfc3686.html
1888 */
1889
1890static const unsigned char aes_test_ctr_key[3][16] =
1891{
1892 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1893 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1894 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1895 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1896 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1897 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1898};
1899
1900static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1901{
1902 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1903 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1904 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1905 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1906 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1907 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1908};
1909
1910static const unsigned char aes_test_ctr_pt[3][48] =
1911{
1912 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1913 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1914
1915 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1916 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1917 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1918 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1919
1920 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1921 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1922 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1923 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1924 0x20, 0x21, 0x22, 0x23 }
1925};
1926
1927static const unsigned char aes_test_ctr_ct[3][48] =
1928{
1929 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1930 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1931 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1932 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1933 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1934 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1935 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1936 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1937 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1938 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1939 0x25, 0xB2, 0x07, 0x2F }
1940};
1941
1942static const int aes_test_ctr_len[3] =
1943 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1944#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1945
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1946#if defined(MBEDTLS_CIPHER_MODE_XTS)
1947/*
1948 * AES-XTS test vectors from:
1949 *
1950 * IEEE P1619/D16 Annex B
1951 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1952 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1953 */
1954static const unsigned char aes_test_xts_key[][32] =
1955{
1956 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1957 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1958 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1959 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1960 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1961 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1962 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1963 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1964 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1965 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1966 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1967 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1968};
1969
1970static const unsigned char aes_test_xts_pt32[][32] =
1971{
1972 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1973 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1974 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1975 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1976 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1977 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1978 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1979 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1980 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1981 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1982 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1983 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1984};
1985
1986static const unsigned char aes_test_xts_ct32[][32] =
1987{
1988 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1989 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1990 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1991 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1992 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1993 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1994 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1995 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1996 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1997 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1998 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1999 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
2000};
2001
2002static const unsigned char aes_test_xts_data_unit[][16] =
2003{
2004 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2005 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2006 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2007 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2008 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2009 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2010};
2011
2012#endif /* MBEDTLS_CIPHER_MODE_XTS */
2013
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2014/*
2015 * Checkup routine
2016 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2017int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2018{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2019 int ret = 0, i, j, u, mode;
2020 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021 unsigned char key[32];
2022 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2023 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2024#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2026#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2027#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]2028 unsigned char prv[16];
2029#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]2030#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
2031 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2032 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2033#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2034#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2035 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2036#endif
2037#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2038 unsigned char nonce_counter[16];
2039 unsigned char stream_block[16];
2040#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2041 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2042
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2043 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2044 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2045
2046 /*
2047 * ECB mode
2048 */
2049 for( i = 0; i < 6; i++ )
2050 {
2051 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2052 keybits = 128 + u * 64;
2053 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2054
2055 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2056 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
2057 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2058
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2059#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2060 if( keybits > 128 )
2061 {
2062 mbedtls_printf( "skipped\n" );
2063 continue;
2064 }
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2065#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
2066
2067#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2068 if( mode == MBEDTLS_AES_DECRYPT )
2069 {
2070 mbedtls_printf( "skipped\n" );
2071 continue;
2072 }
2073#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2074
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2075 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2076
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2077 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2078 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2079 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2080 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2081 }
2082 else
2083 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2084 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2085 aes_tests = aes_test_ecb_enc[u];
2086 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2087
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2088 /*
2089 * AES-192 is an optional feature that may be unavailable when
2090 * there is an alternative underlying implementation i.e. when
2091 * MBEDTLS_AES_ALT is defined.
2092 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2093 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2094 {
2095 mbedtls_printf( "skipped\n" );
2096 continue;
2097 }
2098 else if( ret != 0 )
2099 {
2100 goto exit;
2101 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2102
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2103 for( j = 0; j < 10000; j++ )
2104 {
2105 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
2106 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2107 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2108 }
2109
2110 if( memcmp( buf, aes_tests, 16 ) != 0 )
2111 {
2112 ret = 1;
2113 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2114 }
2115
2116 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2117 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2118 }
2119
2120 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2121 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2122
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2123#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2124 /*
2125 * CBC mode
2126 */
2127 for( i = 0; i < 6; i++ )
2128 {
2129 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2130 keybits = 128 + u * 64;
2131 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2132
2133 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2134 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
2135 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2136
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2137#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2138 if( keybits > 128 )
2139 {
2140 mbedtls_printf( "skipped\n" );
2141 continue;
2142 }
2143#endif
2144
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2145#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2146 if( mode == MBEDTLS_AES_DECRYPT )
2147 {
2148 mbedtls_printf( "skipped\n" );
2149 continue;
2150 }
2151#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2152
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2153 memset( iv , 0, 16 );
2154 memset( prv, 0, 16 );
2155 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2156
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2157 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2158 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2159 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2160 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2161 }
2162 else
2163 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2164 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2165 aes_tests = aes_test_cbc_enc[u];
2166 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2167
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2168 /*
2169 * AES-192 is an optional feature that may be unavailable when
2170 * there is an alternative underlying implementation i.e. when
2171 * MBEDTLS_AES_ALT is defined.
2172 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2173 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2174 {
2175 mbedtls_printf( "skipped\n" );
2176 continue;
2177 }
2178 else if( ret != 0 )
2179 {
2180 goto exit;
2181 }
2182
2183 for( j = 0; j < 10000; j++ )
2184 {
2185 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2186 {
2187 unsigned char tmp[16];
2188
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2189 memcpy( tmp, prv, 16 );
2190 memcpy( prv, buf, 16 );
2191 memcpy( buf, tmp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2192 }
2193
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2194 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
2195 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2196 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2197
2198 }
2199
2200 if( memcmp( buf, aes_tests, 16 ) != 0 )
2201 {
2202 ret = 1;
2203 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2204 }
2205
2206 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2207 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2208 }
2209
2210 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2211 mbedtls_printf( "\n" );
2212#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2213
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2214#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2215 /*
2216 * CFB128 mode
2217 */
2218 for( i = 0; i < 6; i++ )
2219 {
2220 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2221 keybits = 128 + u * 64;
2222 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2223
2224 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2225 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2226 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2227
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2228#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2229 if( keybits > 128 )
2230 {
2231 mbedtls_printf( "skipped\n" );
2232 continue;
2233 }
2234#endif
2235
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2236#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2237 if( mode == MBEDTLS_AES_DECRYPT )
2238 {
2239 mbedtls_printf( "skipped\n" );
2240 continue;
2241 }
2242#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2243
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2244 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2245 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2246
2247 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2248 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2249 /*
2250 * AES-192 is an optional feature that may be unavailable when
2251 * there is an alternative underlying implementation i.e. when
2252 * MBEDTLS_AES_ALT is defined.
2253 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2254 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2255 {
2256 mbedtls_printf( "skipped\n" );
2257 continue;
2258 }
2259 else if( ret != 0 )
2260 {
2261 goto exit;
2262 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2263
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2264 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2265 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2266 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2267 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2268 }
2269 else
2270 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2271 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2272 aes_tests = aes_test_cfb128_ct[u];
2273 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2274
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2275 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2276 if( ret != 0 )
2277 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2278
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2279 if( memcmp( buf, aes_tests, 64 ) != 0 )
2280 {
2281 ret = 1;
2282 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2283 }
2284
2285 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2286 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2287 }
2288
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2289 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2290 mbedtls_printf( "\n" );
2291#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2292
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2293#if defined(MBEDTLS_CIPHER_MODE_OFB)
2294 /*
2295 * OFB mode
2296 */
2297 for( i = 0; i < 6; i++ )
2298 {
2299 u = i >> 1;
2300 keybits = 128 + u * 64;
2301 mode = i & 1;
2302
2303 if( verbose != 0 )
2304 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2305 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2306
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2307#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2308 if( keybits > 128 )
2309 {
2310 mbedtls_printf( "skipped\n" );
2311 continue;
2312 }
2313#endif
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2314
2315#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2316 if( mode == MBEDTLS_AES_DECRYPT )
2317 {
2318 mbedtls_printf( "skipped\n" );
2319 continue;
2320 }
2321#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2322
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2323 memcpy( iv, aes_test_ofb_iv, 16 );
2324 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2325
2326 offset = 0;
2327 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2328 /*
2329 * AES-192 is an optional feature that may be unavailable when
2330 * there is an alternative underlying implementation i.e. when
2331 * MBEDTLS_AES_ALT is defined.
2332 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2333 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2334 {
2335 mbedtls_printf( "skipped\n" );
2336 continue;
2337 }
2338 else if( ret != 0 )
2339 {
2340 goto exit;
2341 }
2342
2343 if( mode == MBEDTLS_AES_DECRYPT )
2344 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2345 memcpy( buf, aes_test_ofb_ct[u], 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2346 aes_tests = aes_test_ofb_pt;
2347 }
2348 else
2349 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2350 memcpy( buf, aes_test_ofb_pt, 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2351 aes_tests = aes_test_ofb_ct[u];
2352 }
2353
2354 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2355 if( ret != 0 )
2356 goto exit;
2357
2358 if( memcmp( buf, aes_tests, 64 ) != 0 )
2359 {
2360 ret = 1;
2361 goto exit;
2362 }
2363
2364 if( verbose != 0 )
2365 mbedtls_printf( "passed\n" );
2366 }
2367
2368 if( verbose != 0 )
2369 mbedtls_printf( "\n" );
2370#endif /* MBEDTLS_CIPHER_MODE_OFB */
2371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2372#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2373 /*
2374 * CTR mode
2375 */
2376 for( i = 0; i < 6; i++ )
2377 {
2378 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2379 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2380
2381 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2382 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2383 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2384
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2385#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2386 if( keybits > 128 )
2387 {
2388 mbedtls_printf( "skipped\n" );
2389 continue;
2390 }
2391#endif
2392
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2393#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2394 if( mode == MBEDTLS_AES_DECRYPT )
2395 {
2396 mbedtls_printf( "skipped\n" );
2397 continue;
2398 }
2399#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2400
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2401 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2402 memcpy( key, aes_test_ctr_key[u], 16 );
2403
2404 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2405 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2406 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2407
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2408 len = aes_test_ctr_len[u];
2409
2410 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2411 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2412 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2413 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2414 }
2415 else
2416 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2417 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2418 aes_tests = aes_test_ctr_ct[u];
2419 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2420
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2421 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2422 stream_block, buf, buf );
2423 if( ret != 0 )
2424 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2425
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2426 if( memcmp( buf, aes_tests, len ) != 0 )
2427 {
2428 ret = 1;
2429 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2430 }
2431
2432 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2433 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2434 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2435
2436 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2437 mbedtls_printf( "\n" );
2438#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2439
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2440#if defined(MBEDTLS_CIPHER_MODE_XTS)
2441 {
2442 static const int num_tests =
2443 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2444 mbedtls_aes_xts_context ctx_xts;
2445
2446 /*
2447 * XTS mode
2448 */
2449 mbedtls_aes_xts_init( &ctx_xts );
2450
2451 for( i = 0; i < num_tests << 1; i++ )
2452 {
2453 const unsigned char *data_unit;
2454 u = i >> 1;
2455 mode = i & 1;
2456
2457 if( verbose != 0 )
2458 mbedtls_printf( " AES-XTS-128 (%s): ",
2459 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2460
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2461#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2462 if( mode == MBEDTLS_AES_DECRYPT )
2463 {
2464 mbedtls_printf( "skipped\n" );
2465 continue;
2466 }
2467#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2468
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2469 memset( key, 0, sizeof( key ) );
2470 memcpy( key, aes_test_xts_key[u], 32 );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2471 data_unit = aes_test_xts_data_unit[u];
2472
2473 len = sizeof( *aes_test_xts_ct32 );
2474
2475 if( mode == MBEDTLS_AES_DECRYPT )
2476 {
2477 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2478 if( ret != 0)
2479 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2480 memcpy( buf, aes_test_xts_ct32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2481 aes_tests = aes_test_xts_pt32[u];
2482 }
2483 else
2484 {
2485 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2486 if( ret != 0)
2487 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2488 memcpy( buf, aes_test_xts_pt32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2489 aes_tests = aes_test_xts_ct32[u];
2490 }
2491
2492
2493 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2494 buf, buf );
2495 if( ret != 0 )
2496 goto exit;
2497
2498 if( memcmp( buf, aes_tests, len ) != 0 )
2499 {
2500 ret = 1;
2501 goto exit;
2502 }
2503
2504 if( verbose != 0 )
2505 mbedtls_printf( "passed\n" );
2506 }
2507
2508 if( verbose != 0 )
2509 mbedtls_printf( "\n" );
2510
2511 mbedtls_aes_xts_free( &ctx_xts );
2512 }
2513#endif /* MBEDTLS_CIPHER_MODE_XTS */
2514
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2515 ret = 0;
2516
2517exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2518 if( ret != 0 && verbose != 0 )
2519 mbedtls_printf( "failed\n" );
2520
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2521 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2522
2523 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2524}
2525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2526#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2527
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2528#endif /* MBEDTLS_AES_C */