TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 6d71944f0decef38b35c610ce950a16788c3e411 / . / library / aes.c
blob: af13d63104e3f7af76c93f8ca58bba79e96b05fb [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Chris Jones16dbaeb2021-03-09 17:47:55 +0000[diff] [blame]37#include "padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Chris Jones187782f2021-03-09 17:28:35 +0000[diff] [blame]40#include "aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
55#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]57#define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]60#if defined(MBEDTLS_PADLOCK_C) && \
61 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]62static int aes_padlock_ace = -1;
63#endif
64
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]65#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66/*
67 * Forward S-box
68 */
69static const unsigned char FSb[256] =
70{
71 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
72 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
73 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
74 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
75 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
76 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
77 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
78 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
79 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
80 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
81 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
82 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
83 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
84 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
85 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
86 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
87 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
88 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
89 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
90 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
91 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
92 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
93 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
94 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
95 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
96 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
97 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
98 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
99 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
100 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
101 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
102 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
103};
104
105/*
106 * Forward tables
107 */
108#define FT \
109\
110 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
111 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
112 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
113 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
114 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
115 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
116 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
117 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
118 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
119 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
120 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
121 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
122 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
123 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
124 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
125 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
126 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
127 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
128 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
129 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
130 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
131 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
132 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
133 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
134 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
135 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
136 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
137 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
138 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
139 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
140 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
141 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
142 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
143 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
144 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
145 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
146 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
147 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
148 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
149 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
150 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
151 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
152 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
153 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
154 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
155 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
156 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
157 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
158 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
159 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
160 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
161 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
162 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
163 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
164 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
165 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
166 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
167 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
168 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
169 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
170 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
171 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
172 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
173 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
174
175#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]176static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]177#undef V
178
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]179#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]180
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]181#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]182static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]183#undef V
184
185#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]186static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]187#undef V
188
189#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]190static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]191#undef V
192
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]193#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]194
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]195#undef FT
196
197/*
198 * Reverse S-box
199 */
200static const unsigned char RSb[256] =
201{
202 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
203 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
204 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
206 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
207 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
209 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
210 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
211 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
212 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
213 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
214 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
215 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
216 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
217 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
218 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
219 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
220 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
221 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
222 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
223 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
224 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
225 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
227 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
228 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
229 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
230 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
231 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
233 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
234};
235
236/*
237 * Reverse tables
238 */
239#define RT \
240\
241 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
242 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
243 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
244 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
245 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
246 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
247 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
248 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
249 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
250 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
251 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
252 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
253 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
254 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
255 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
256 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
257 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
258 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
259 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
260 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
261 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
262 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
263 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
264 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
265 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
266 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
267 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
268 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
269 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
270 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
271 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
272 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
273 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
274 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
275 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
276 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
277 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
278 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
279 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
280 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
281 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
282 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
283 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
284 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
285 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
286 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
287 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
288 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
289 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
290 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
291 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
292 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
293 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
294 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
295 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
296 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
297 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
298 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
299 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
300 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
301 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
302 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
303 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
304 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
305
306#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]307static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]308#undef V
309
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]310#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]311
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]313static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]314#undef V
315
316#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]317static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318#undef V
319
320#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]321static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]322#undef V
323
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]324#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]325
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326#undef RT
327
328/*
329 * Round constants
330 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]331static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]332{
333 0x00000001, 0x00000002, 0x00000004, 0x00000008,
334 0x00000010, 0x00000020, 0x00000040, 0x00000080,
335 0x0000001B, 0x00000036
336};
337
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]338#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339
340/*
341 * Forward S-box & tables
342 */
343static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]344static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]345#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]346static uint32_t FT1[256];
347static uint32_t FT2[256];
348static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]349#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350
351/*
352 * Reverse S-box & tables
353 */
354static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]355static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]356#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]357static uint32_t RT1[256];
358static uint32_t RT2[256];
359static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]360#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361
362/*
363 * Round constants
364 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]365static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366
367/*
368 * Tables generation code
369 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]370#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
371#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]372#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374static int aes_init_done = 0;
375
376static void aes_gen_tables( void )
377{
378 int i, x, y, z;
379 int pow[256];
380 int log[256];
381
382 /*
383 * compute pow and log tables over GF(2^8)
384 */
385 for( i = 0, x = 1; i < 256; i++ )
386 {
387 pow[i] = x;
388 log[x] = i;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]389 x = MBEDTLS_BYTE_0( x ^ XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390 }
391
392 /*
393 * calculate the round constants
394 */
395 for( i = 0, x = 1; i < 10; i++ )
396 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]397 RCON[i] = (uint32_t) x;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]398 x = MBEDTLS_BYTE_0( XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]399 }
400
401 /*
402 * generate the forward and reverse S-boxes
403 */
404 FSb[0x00] = 0x63;
405 RSb[0x63] = 0x00;
406
407 for( i = 1; i < 256; i++ )
408 {
409 x = pow[255 - log[i]];
410
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]411 y = x; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
412 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
413 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
414 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415 x ^= y ^ 0x63;
416
417 FSb[i] = (unsigned char) x;
418 RSb[x] = (unsigned char) i;
419 }
420
421 /*
422 * generate the forward and reverse tables
423 */
424 for( i = 0; i < 256; i++ )
425 {
426 x = FSb[i];
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]427 y = MBEDTLS_BYTE_0( XTIME( x ) );
428 z = MBEDTLS_BYTE_0( y ^ x );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]429
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]430 FT0[i] = ( (uint32_t) y ) ^
431 ( (uint32_t) x << 8 ) ^
432 ( (uint32_t) x << 16 ) ^
433 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]435#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 FT1[i] = ROTL8( FT0[i] );
437 FT2[i] = ROTL8( FT1[i] );
438 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]439#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440
441 x = RSb[i];
442
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]443 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
444 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
445 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
446 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]448#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]449 RT1[i] = ROTL8( RT0[i] );
450 RT2[i] = ROTL8( RT1[i] );
451 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]452#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453 }
454}
455
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]456#undef ROTL8
457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]458#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]460#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]461
462#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
463#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
464#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
465
466#define AES_RT0(idx) RT0[idx]
467#define AES_RT1(idx) ROTL8( RT0[idx] )
468#define AES_RT2(idx) ROTL16( RT0[idx] )
469#define AES_RT3(idx) ROTL24( RT0[idx] )
470
471#define AES_FT0(idx) FT0[idx]
472#define AES_FT1(idx) ROTL8( FT0[idx] )
473#define AES_FT2(idx) ROTL16( FT0[idx] )
474#define AES_FT3(idx) ROTL24( FT0[idx] )
475
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]476#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]477
478#define AES_RT0(idx) RT0[idx]
479#define AES_RT1(idx) RT1[idx]
480#define AES_RT2(idx) RT2[idx]
481#define AES_RT3(idx) RT3[idx]
482
483#define AES_FT0(idx) FT0[idx]
484#define AES_FT1(idx) FT1[idx]
485#define AES_FT2(idx) FT2[idx]
486#define AES_FT3(idx) FT3[idx]
487
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]488#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]490void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]491{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]492 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]494 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]495}
496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]497void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]498{
499 if( ctx == NULL )
500 return;
501
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]502 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]503}
504
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]505#if defined(MBEDTLS_CIPHER_MODE_XTS)
506void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
507{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]508 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]509
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]510 mbedtls_aes_init( &ctx->crypt );
511 mbedtls_aes_init( &ctx->tweak );
512}
513
514void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
515{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]516 if( ctx == NULL )
517 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]518
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]519 mbedtls_aes_free( &ctx->crypt );
520 mbedtls_aes_free( &ctx->tweak );
521}
522#endif /* MBEDTLS_CIPHER_MODE_XTS */
523
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]524/*
525 * AES key schedule (encryption)
526 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]527#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]528int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]529 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]530{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]531 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]532 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]533
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]534 AES_VALIDATE_RET( ctx != NULL );
535 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]536
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]537 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538 {
539 case 128: ctx->nr = 10; break;
540 case 192: ctx->nr = 12; break;
541 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]542 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]543 }
544
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]545#if !defined(MBEDTLS_AES_ROM_TABLES)
546 if( aes_init_done == 0 )
547 {
548 aes_gen_tables();
549 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]550 }
551#endif
552
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]553#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]554 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]555 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]556
557 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]558 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]559 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]560#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]561 ctx->rk_offset = 0;
562 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]564#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]565 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]566 return( mbedtls_aesni_setkey_enc( (unsigned char *) RK, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]567#endif
568
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]569 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]570 {
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]571 RK[i] = MBEDTLS_GET_UINT32_LE( key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572 }
573
574 switch( ctx->nr )
575 {
576 case 10:
577
578 for( i = 0; i < 10; i++, RK += 4 )
579 {
580 RK[4] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]581 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[3] ) ] ) ^
582 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[3] ) ] << 8 ) ^
583 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[3] ) ] << 16 ) ^
584 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[3] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585
586 RK[5] = RK[1] ^ RK[4];
587 RK[6] = RK[2] ^ RK[5];
588 RK[7] = RK[3] ^ RK[6];
589 }
590 break;
591
592 case 12:
593
594 for( i = 0; i < 8; i++, RK += 6 )
595 {
596 RK[6] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]597 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[5] ) ] ) ^
598 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[5] ) ] << 8 ) ^
599 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[5] ) ] << 16 ) ^
600 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[5] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]601
602 RK[7] = RK[1] ^ RK[6];
603 RK[8] = RK[2] ^ RK[7];
604 RK[9] = RK[3] ^ RK[8];
605 RK[10] = RK[4] ^ RK[9];
606 RK[11] = RK[5] ^ RK[10];
607 }
608 break;
609
610 case 14:
611
612 for( i = 0; i < 7; i++, RK += 8 )
613 {
614 RK[8] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]615 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[7] ) ] ) ^
616 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[7] ) ] << 8 ) ^
617 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[7] ) ] << 16 ) ^
618 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[7] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]619
620 RK[9] = RK[1] ^ RK[8];
621 RK[10] = RK[2] ^ RK[9];
622 RK[11] = RK[3] ^ RK[10];
623
624 RK[12] = RK[4] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]625 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[11] ) ] ) ^
626 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[11] ) ] << 8 ) ^
627 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[11] ) ] << 16 ) ^
628 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[11] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629
630 RK[13] = RK[5] ^ RK[12];
631 RK[14] = RK[6] ^ RK[13];
632 RK[15] = RK[7] ^ RK[14];
633 }
634 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]635 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]636
637 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]638}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]639#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640
641/*
642 * AES key schedule (decryption)
643 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]644#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]645int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]646 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]647{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]648 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]649 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]650 uint32_t *RK;
651 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]652
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]653 AES_VALIDATE_RET( ctx != NULL );
654 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]658#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]659 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]660 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]661
662 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]663 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]664 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]666 ctx->rk_offset = 0;
667 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]669 /* Also checks keybits */
670 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]671 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]672
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]673 ctx->nr = cty.nr;
674
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]675#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]676 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]677 {
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]678 mbedtls_aesni_inverse_key( (unsigned char *) RK,
679 (const unsigned char *) ( cty.buf + cty.rk_offset ), ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]680 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]681 }
682#endif
683
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]684 SK = cty.buf + cty.rk_offset + cty.nr * 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685
686 *RK++ = *SK++;
687 *RK++ = *SK++;
688 *RK++ = *SK++;
689 *RK++ = *SK++;
690
691 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
692 {
693 for( j = 0; j < 4; j++, SK++ )
694 {
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]695 *RK++ = AES_RT0( FSb[ MBEDTLS_BYTE_0( *SK ) ] ) ^
696 AES_RT1( FSb[ MBEDTLS_BYTE_1( *SK ) ] ) ^
697 AES_RT2( FSb[ MBEDTLS_BYTE_2( *SK ) ] ) ^
698 AES_RT3( FSb[ MBEDTLS_BYTE_3( *SK ) ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699 }
700 }
701
702 *RK++ = *SK++;
703 *RK++ = *SK++;
704 *RK++ = *SK++;
705 *RK++ = *SK++;
706
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]707exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]708 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]709
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]710 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]712#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]713
714#if defined(MBEDTLS_CIPHER_MODE_XTS)
715static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
716 unsigned int keybits,
717 const unsigned char **key1,
718 unsigned int *key1bits,
719 const unsigned char **key2,
720 unsigned int *key2bits )
721{
722 const unsigned int half_keybits = keybits / 2;
723 const unsigned int half_keybytes = half_keybits / 8;
724
725 switch( keybits )
726 {
727 case 256: break;
728 case 512: break;
729 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
730 }
731
732 *key1bits = half_keybits;
733 *key2bits = half_keybits;
734 *key1 = &key[0];
735 *key2 = &key[half_keybytes];
736
737 return 0;
738}
739
740int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
741 const unsigned char *key,
742 unsigned int keybits)
743{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]744 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]745 const unsigned char *key1, *key2;
746 unsigned int key1bits, key2bits;
747
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]748 AES_VALIDATE_RET( ctx != NULL );
749 AES_VALIDATE_RET( key != NULL );
750
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]751 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
752 &key2, &key2bits );
753 if( ret != 0 )
754 return( ret );
755
756 /* Set the tweak key. Always set tweak key for the encryption mode. */
757 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
758 if( ret != 0 )
759 return( ret );
760
761 /* Set crypt key for encryption. */
762 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
763}
764
765int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
766 const unsigned char *key,
767 unsigned int keybits)
768{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]769 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]770 const unsigned char *key1, *key2;
771 unsigned int key1bits, key2bits;
772
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]773 AES_VALIDATE_RET( ctx != NULL );
774 AES_VALIDATE_RET( key != NULL );
775
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
777 &key2, &key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set the tweak key. Always set tweak key for encryption. */
782 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
783 if( ret != 0 )
784 return( ret );
785
786 /* Set crypt key for decryption. */
787 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
788}
789#endif /* MBEDTLS_CIPHER_MODE_XTS */
790
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]791#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
792 do \
793 { \
794 (X0) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
795 AES_FT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
796 AES_FT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
797 AES_FT3( MBEDTLS_BYTE_3( Y3 ) ); \
798 \
799 (X1) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
800 AES_FT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
801 AES_FT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
802 AES_FT3( MBEDTLS_BYTE_3( Y0 ) ); \
803 \
804 (X2) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
805 AES_FT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
806 AES_FT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
807 AES_FT3( MBEDTLS_BYTE_3( Y1 ) ); \
808 \
809 (X3) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
810 AES_FT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
811 AES_FT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
812 AES_FT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]813 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]815#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
816 do \
817 { \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]818 (X0) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
819 AES_RT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
820 AES_RT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
821 AES_RT3( MBEDTLS_BYTE_3( Y1 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]822 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]823 (X1) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
824 AES_RT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
825 AES_RT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
826 AES_RT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]827 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]828 (X2) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
829 AES_RT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
830 AES_RT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
831 AES_RT3( MBEDTLS_BYTE_3( Y3 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]832 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]833 (X3) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
834 AES_RT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
835 AES_RT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
836 AES_RT3( MBEDTLS_BYTE_3( Y0 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]837 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]838
839/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]840 * AES-ECB block encryption
841 */
842#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]843int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
844 const unsigned char input[16],
845 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]846{
847 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]848 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]849 struct
850 {
851 uint32_t X[4];
852 uint32_t Y[4];
853 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]854
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]855 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
856 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
857 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
858 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]859
860 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
861 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]862 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
863 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]864 }
865
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]866 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]867
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]868 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]869 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
870 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
871 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
872 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]873
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]874 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]875 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
876 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
877 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
878 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]879
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]880 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]881 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
882 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
883 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
884 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]885
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]886 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]887 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
888 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
889 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
890 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]891
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]892 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
893 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
894 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
895 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]896
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]897 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]898
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]899 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]900}
901#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
902
903/*
904 * AES-ECB block decryption
905 */
906#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]907int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
908 const unsigned char input[16],
909 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]910{
911 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]912 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]913 struct
914 {
915 uint32_t X[4];
916 uint32_t Y[4];
917 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]918
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]919 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
920 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
921 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
922 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]923
924 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
925 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]926 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
927 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]928 }
929
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]930 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]931
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]932 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]933 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
934 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
935 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
936 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]937
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]938 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]939 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
940 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
941 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
942 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]943
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]944 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]945 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
946 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
947 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
948 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]949
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]950 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]951 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
952 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
953 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
954 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]955
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]956 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
957 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
958 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
959 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]960
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]961 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]962
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]963 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]964}
965#endif /* !MBEDTLS_AES_DECRYPT_ALT */
966
967/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]968 * AES-ECB block encryption/decryption
969 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]970int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]971 int mode,
972 const unsigned char input[16],
973 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]974{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]975 AES_VALIDATE_RET( ctx != NULL );
976 AES_VALIDATE_RET( input != NULL );
977 AES_VALIDATE_RET( output != NULL );
978 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
979 mode == MBEDTLS_AES_DECRYPT );
980
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]981#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]982 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]983 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]984#endif
985
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]986#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]987 if( aes_padlock_ace > 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]988 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]989 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]990 return( 0 );
991
992 // If padlock data misaligned, we just fall back to
993 // unaccelerated mode
994 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]995 }
996#endif
997
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]998 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]999 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1000 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1001 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1002}
1003
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1004#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005/*
1006 * AES-CBC buffer encryption/decryption
1007 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1008int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1009 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1010 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1012 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1013 unsigned char *output )
1014{
1015 int i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1016 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1017 unsigned char temp[16];
1018
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1019 AES_VALIDATE_RET( ctx != NULL );
1020 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1021 mode == MBEDTLS_AES_DECRYPT );
1022 AES_VALIDATE_RET( iv != NULL );
1023 AES_VALIDATE_RET( input != NULL );
1024 AES_VALIDATE_RET( output != NULL );
1025
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1026 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1027 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1028
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]1030 if( aes_padlock_ace > 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1031 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1032 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1033 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1034
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1035 // If padlock data misaligned, we just fall back to
1036 // unaccelerated mode
1037 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038 }
1039#endif
1040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1042 {
1043 while( length > 0 )
1044 {
1045 memcpy( temp, input, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1046 ret = mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1047 if( ret != 0 )
1048 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049
1050 for( i = 0; i < 16; i++ )
1051 output[i] = (unsigned char)( output[i] ^ iv[i] );
1052
1053 memcpy( iv, temp, 16 );
1054
1055 input += 16;
1056 output += 16;
1057 length -= 16;
1058 }
1059 }
1060 else
1061 {
1062 while( length > 0 )
1063 {
1064 for( i = 0; i < 16; i++ )
1065 output[i] = (unsigned char)( input[i] ^ iv[i] );
1066
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1067 ret = mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1068 if( ret != 0 )
1069 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1070 memcpy( iv, output, 16 );
1071
1072 input += 16;
1073 output += 16;
1074 length -= 16;
1075 }
1076 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1077 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1078
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1079exit:
1080 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1082#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1083
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1084#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1085
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1086typedef unsigned char mbedtls_be128[16];
1087
1088/*
1089 * GF(2^128) multiplication function
1090 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1091 * This function multiplies a field element by x in the polynomial field
1092 * representation. It uses 64-bit word operations to gain speed but compensates
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1093 * for machine endianness and hence works correctly on both big and little
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1094 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1095 */
1096static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1097 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1098{
1099 uint64_t a, b, ra, rb;
1100
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1101 a = MBEDTLS_GET_UINT64_LE( x, 0 );
1102 b = MBEDTLS_GET_UINT64_LE( x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1103
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1104 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1105 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1106
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1107 MBEDTLS_PUT_UINT64_LE( ra, r, 0 );
1108 MBEDTLS_PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1109}
1110
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1111/*
1112 * AES-XTS buffer encryption/decryption
1113 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1114int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1115 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1116 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1117 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1118 const unsigned char *input,
1119 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1120{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1121 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1122 size_t blocks = length / 16;
1123 size_t leftover = length % 16;
1124 unsigned char tweak[16];
1125 unsigned char prev_tweak[16];
1126 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1127
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1128 AES_VALIDATE_RET( ctx != NULL );
1129 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1130 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1131 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1132 AES_VALIDATE_RET( input != NULL );
1133 AES_VALIDATE_RET( output != NULL );
1134
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1135 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1136 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1137 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1138
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1139 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1140 if( length > ( 1 << 20 ) * 16 )
1141 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1142
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1143 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1144 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1145 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1146 if( ret != 0 )
1147 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1148
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1149 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1150 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1151 size_t i;
1152
1153 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1154 {
1155 /* We are on the last block in a decrypt operation that has
1156 * leftover bytes, so we need to use the next tweak for this block,
1157 * and this tweak for the lefover bytes. Save the current tweak for
1158 * the leftovers and then update the current tweak for use on this,
1159 * the last full block. */
1160 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1161 mbedtls_gf128mul_x_ble( tweak, tweak );
1162 }
1163
1164 for( i = 0; i < 16; i++ )
1165 tmp[i] = input[i] ^ tweak[i];
1166
1167 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1168 if( ret != 0 )
1169 return( ret );
1170
1171 for( i = 0; i < 16; i++ )
1172 output[i] = tmp[i] ^ tweak[i];
1173
1174 /* Update the tweak for the next block. */
1175 mbedtls_gf128mul_x_ble( tweak, tweak );
1176
1177 output += 16;
1178 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1179 }
1180
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1181 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1182 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1183 /* If we are on the leftover bytes in a decrypt operation, we need to
1184 * use the previous tweak for these bytes (as saved in prev_tweak). */
1185 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1186
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1187 /* We are now on the final part of the data unit, which doesn't divide
1188 * evenly by 16. It's time for ciphertext stealing. */
1189 size_t i;
1190 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1191
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1192 /* Copy ciphertext bytes from the previous block to our output for each
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1193 * byte of ciphertext we won't steal. At the same time, copy the
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1194 * remainder of the input for this final round (since the loop bounds
1195 * are the same). */
1196 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1197 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1198 output[i] = prev_output[i];
1199 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1200 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1201
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1202 /* Copy ciphertext bytes from the previous block for input in this
1203 * round. */
1204 for( ; i < 16; i++ )
1205 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1206
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1207 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1208 if( ret != 0 )
1209 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1210
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1211 /* Write the result back to the previous block, overriding the previous
1212 * output we copied. */
1213 for( i = 0; i < 16; i++ )
1214 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1215 }
1216
1217 return( 0 );
1218}
1219#endif /* MBEDTLS_CIPHER_MODE_XTS */
1220
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1221#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1222/*
1223 * AES-CFB128 buffer encryption/decryption
1224 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1225int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1226 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1227 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1228 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1229 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1230 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1231 unsigned char *output )
1232{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1233 int c;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1234 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1235 size_t n;
1236
1237 AES_VALIDATE_RET( ctx != NULL );
1238 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1239 mode == MBEDTLS_AES_DECRYPT );
1240 AES_VALIDATE_RET( iv_off != NULL );
1241 AES_VALIDATE_RET( iv != NULL );
1242 AES_VALIDATE_RET( input != NULL );
1243 AES_VALIDATE_RET( output != NULL );
1244
1245 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1246
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1247 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1248 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1249
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1250 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251 {
1252 while( length-- )
1253 {
1254 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1255 {
1256 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1257 if( ret != 0 )
1258 goto exit;
1259 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1260
1261 c = *input++;
1262 *output++ = (unsigned char)( c ^ iv[n] );
1263 iv[n] = (unsigned char) c;
1264
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1265 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1266 }
1267 }
1268 else
1269 {
1270 while( length-- )
1271 {
1272 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1273 {
1274 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1275 if( ret != 0 )
1276 goto exit;
1277 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1278
1279 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1280
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1281 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1282 }
1283 }
1284
1285 *iv_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1286 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1287
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1288exit:
1289 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1290}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1291
1292/*
1293 * AES-CFB8 buffer encryption/decryption
1294 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1295int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1296 int mode,
1297 size_t length,
1298 unsigned char iv[16],
1299 const unsigned char *input,
1300 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1301{
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1303 unsigned char c;
1304 unsigned char ov[17];
1305
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1306 AES_VALIDATE_RET( ctx != NULL );
1307 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1308 mode == MBEDTLS_AES_DECRYPT );
1309 AES_VALIDATE_RET( iv != NULL );
1310 AES_VALIDATE_RET( input != NULL );
1311 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1312 while( length-- )
1313 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1314 memcpy( ov, iv, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1315 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1316 if( ret != 0 )
1317 goto exit;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1319 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1320 ov[16] = *input;
1321
1322 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1324 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1325 ov[16] = c;
1326
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1327 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1328 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1329 ret = 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1330
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1331exit:
1332 return( ret );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1333}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1334#endif /* MBEDTLS_CIPHER_MODE_CFB */
1335
1336#if defined(MBEDTLS_CIPHER_MODE_OFB)
1337/*
1338 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1339 */
1340int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1341 size_t length,
1342 size_t *iv_off,
1343 unsigned char iv[16],
1344 const unsigned char *input,
1345 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1346{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1347 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1348 size_t n;
1349
1350 AES_VALIDATE_RET( ctx != NULL );
1351 AES_VALIDATE_RET( iv_off != NULL );
1352 AES_VALIDATE_RET( iv != NULL );
1353 AES_VALIDATE_RET( input != NULL );
1354 AES_VALIDATE_RET( output != NULL );
1355
1356 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1357
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1358 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1359 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1360
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1361 while( length-- )
1362 {
1363 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1364 {
1365 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1366 if( ret != 0 )
1367 goto exit;
1368 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1369 *output++ = *input++ ^ iv[n];
1370
1371 n = ( n + 1 ) & 0x0F;
1372 }
1373
1374 *iv_off = n;
1375
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1376exit:
1377 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1378}
1379#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1380
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1382/*
1383 * AES-CTR buffer encryption/decryption
1384 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1385int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1386 size_t length,
1387 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1388 unsigned char nonce_counter[16],
1389 unsigned char stream_block[16],
1390 const unsigned char *input,
1391 unsigned char *output )
1392{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1393 int c, i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1394 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1395 size_t n;
1396
1397 AES_VALIDATE_RET( ctx != NULL );
1398 AES_VALIDATE_RET( nc_off != NULL );
1399 AES_VALIDATE_RET( nonce_counter != NULL );
1400 AES_VALIDATE_RET( stream_block != NULL );
1401 AES_VALIDATE_RET( input != NULL );
1402 AES_VALIDATE_RET( output != NULL );
1403
1404 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1405
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1406 if ( n > 0x0F )
1407 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1408
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1409 while( length-- )
1410 {
1411 if( n == 0 ) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1412 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1413 if( ret != 0 )
1414 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1415
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1416 for( i = 16; i > 0; i-- )
1417 if( ++nonce_counter[i - 1] != 0 )
1418 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1419 }
1420 c = *input++;
1421 *output++ = (unsigned char)( c ^ stream_block[n] );
1422
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1423 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1424 }
1425
1426 *nc_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1427 ret = 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1428
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1429exit:
1430 return( ret );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1431}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1432#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1433
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1434#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1435
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1436#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1437/*
1438 * AES test vectors from:
1439 *
1440 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1441 */
1442static const unsigned char aes_test_ecb_dec[3][16] =
1443{
1444 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1445 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1446 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1447 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1448 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1449 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1450};
1451
1452static const unsigned char aes_test_ecb_enc[3][16] =
1453{
1454 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1455 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1456 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1457 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1458 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1459 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1460};
1461
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1462#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1463static const unsigned char aes_test_cbc_dec[3][16] =
1464{
1465 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1466 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1467 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1468 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1469 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1470 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1471};
1472
1473static const unsigned char aes_test_cbc_enc[3][16] =
1474{
1475 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1476 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1477 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1478 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1479 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1480 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1481};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1482#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1483
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1484#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1485/*
1486 * AES-CFB128 test vectors from:
1487 *
1488 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1489 */
1490static const unsigned char aes_test_cfb128_key[3][32] =
1491{
1492 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1493 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1494 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1495 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1496 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1497 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1498 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1499 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1500 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1501};
1502
1503static const unsigned char aes_test_cfb128_iv[16] =
1504{
1505 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1506 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1507};
1508
1509static const unsigned char aes_test_cfb128_pt[64] =
1510{
1511 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1512 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1513 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1514 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1515 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1516 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1517 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1518 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1519};
1520
1521static const unsigned char aes_test_cfb128_ct[3][64] =
1522{
1523 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1524 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1525 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1526 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1527 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1528 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1529 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1530 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1531 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1532 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1533 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1534 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1535 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1536 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1537 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1538 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1539 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1540 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1541 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1542 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1543 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1544 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1545 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1546 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1547};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1548#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1549
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1550#if defined(MBEDTLS_CIPHER_MODE_OFB)
1551/*
1552 * AES-OFB test vectors from:
1553 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1554 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1555 */
1556static const unsigned char aes_test_ofb_key[3][32] =
1557{
1558 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1559 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1560 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1561 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1562 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1563 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1564 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1565 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1566 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1567};
1568
1569static const unsigned char aes_test_ofb_iv[16] =
1570{
1571 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1572 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1573};
1574
1575static const unsigned char aes_test_ofb_pt[64] =
1576{
1577 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1578 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1579 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1580 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1581 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1582 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1583 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1584 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1585};
1586
1587static const unsigned char aes_test_ofb_ct[3][64] =
1588{
1589 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1590 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1591 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1592 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1593 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1594 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1595 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1596 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1597 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1598 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1599 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1600 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1601 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1602 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1603 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1604 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1605 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1606 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1607 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1608 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1609 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1610 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1611 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1612 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1613};
1614#endif /* MBEDTLS_CIPHER_MODE_OFB */
1615
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1616#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1617/*
1618 * AES-CTR test vectors from:
1619 *
1620 * http://www.faqs.org/rfcs/rfc3686.html
1621 */
1622
1623static const unsigned char aes_test_ctr_key[3][16] =
1624{
1625 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1626 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1627 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1628 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1629 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1630 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1631};
1632
1633static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1634{
1635 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1636 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1637 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1638 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1639 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1640 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1641};
1642
1643static const unsigned char aes_test_ctr_pt[3][48] =
1644{
1645 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1646 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1647
1648 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1649 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1650 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1651 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1652
1653 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1654 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1655 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1656 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1657 0x20, 0x21, 0x22, 0x23 }
1658};
1659
1660static const unsigned char aes_test_ctr_ct[3][48] =
1661{
1662 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1663 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1664 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1665 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1666 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1667 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1668 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1669 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1670 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1671 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1672 0x25, 0xB2, 0x07, 0x2F }
1673};
1674
1675static const int aes_test_ctr_len[3] =
1676 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1677#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1679#if defined(MBEDTLS_CIPHER_MODE_XTS)
1680/*
1681 * AES-XTS test vectors from:
1682 *
1683 * IEEE P1619/D16 Annex B
1684 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1685 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1686 */
1687static const unsigned char aes_test_xts_key[][32] =
1688{
1689 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1693 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1694 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1695 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1696 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1697 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1698 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1699 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1700 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1701};
1702
1703static const unsigned char aes_test_xts_pt32[][32] =
1704{
1705 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1709 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1710 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1711 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1712 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1713 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1714 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1715 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1716 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1717};
1718
1719static const unsigned char aes_test_xts_ct32[][32] =
1720{
1721 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1722 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1723 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1724 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1725 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1726 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1727 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1728 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1729 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1730 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1731 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1732 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1733};
1734
1735static const unsigned char aes_test_xts_data_unit[][16] =
1736{
1737 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1738 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1739 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1740 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1741 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1743};
1744
1745#endif /* MBEDTLS_CIPHER_MODE_XTS */
1746
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747/*
1748 * Checkup routine
1749 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1750int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1751{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1752 int ret = 0, i, j, u, mode;
1753 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1754 unsigned char key[32];
1755 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1756 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1757#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1758 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1759#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1760#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1761 unsigned char prv[16];
1762#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1763#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1764 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1765 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1766#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1767#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1768 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1769#endif
1770#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1771 unsigned char nonce_counter[16];
1772 unsigned char stream_block[16];
1773#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1774 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1775
1776 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1777 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1778
1779 /*
1780 * ECB mode
1781 */
1782 for( i = 0; i < 6; i++ )
1783 {
1784 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1785 keybits = 128 + u * 64;
1786 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787
1788 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1789 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1790 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1791
1792 memset( buf, 0, 16 );
1793
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1794 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1795 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1796 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1797 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798 }
1799 else
1800 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1801 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1802 aes_tests = aes_test_ecb_enc[u];
1803 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1805 /*
1806 * AES-192 is an optional feature that may be unavailable when
1807 * there is an alternative underlying implementation i.e. when
1808 * MBEDTLS_AES_ALT is defined.
1809 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1810 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1811 {
1812 mbedtls_printf( "skipped\n" );
1813 continue;
1814 }
1815 else if( ret != 0 )
1816 {
1817 goto exit;
1818 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1820 for( j = 0; j < 10000; j++ )
1821 {
1822 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1823 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1824 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1825 }
1826
1827 if( memcmp( buf, aes_tests, 16 ) != 0 )
1828 {
1829 ret = 1;
1830 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1831 }
1832
1833 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1834 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1835 }
1836
1837 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1838 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1840#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1841 /*
1842 * CBC mode
1843 */
1844 for( i = 0; i < 6; i++ )
1845 {
1846 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1847 keybits = 128 + u * 64;
1848 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849
1850 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1851 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1852 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853
1854 memset( iv , 0, 16 );
1855 memset( prv, 0, 16 );
1856 memset( buf, 0, 16 );
1857
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1858 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1860 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1861 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862 }
1863 else
1864 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1865 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1866 aes_tests = aes_test_cbc_enc[u];
1867 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1869 /*
1870 * AES-192 is an optional feature that may be unavailable when
1871 * there is an alternative underlying implementation i.e. when
1872 * MBEDTLS_AES_ALT is defined.
1873 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1874 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1875 {
1876 mbedtls_printf( "skipped\n" );
1877 continue;
1878 }
1879 else if( ret != 0 )
1880 {
1881 goto exit;
1882 }
1883
1884 for( j = 0; j < 10000; j++ )
1885 {
1886 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1887 {
1888 unsigned char tmp[16];
1889
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890 memcpy( tmp, prv, 16 );
1891 memcpy( prv, buf, 16 );
1892 memcpy( buf, tmp, 16 );
1893 }
1894
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1895 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1896 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1897 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1898
1899 }
1900
1901 if( memcmp( buf, aes_tests, 16 ) != 0 )
1902 {
1903 ret = 1;
1904 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1905 }
1906
1907 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1908 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909 }
1910
1911 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1912 mbedtls_printf( "\n" );
1913#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1914
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1915#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1916 /*
1917 * CFB128 mode
1918 */
1919 for( i = 0; i < 6; i++ )
1920 {
1921 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1922 keybits = 128 + u * 64;
1923 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1924
1925 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1926 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1927 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928
1929 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1930 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1931
1932 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1933 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1934 /*
1935 * AES-192 is an optional feature that may be unavailable when
1936 * there is an alternative underlying implementation i.e. when
1937 * MBEDTLS_AES_ALT is defined.
1938 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1939 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1940 {
1941 mbedtls_printf( "skipped\n" );
1942 continue;
1943 }
1944 else if( ret != 0 )
1945 {
1946 goto exit;
1947 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1948
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1949 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1950 {
1951 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1952 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953 }
1954 else
1955 {
1956 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1957 aes_tests = aes_test_cfb128_ct[u];
1958 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1959
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1960 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1961 if( ret != 0 )
1962 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1963
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1964 if( memcmp( buf, aes_tests, 64 ) != 0 )
1965 {
1966 ret = 1;
1967 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1968 }
1969
1970 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1971 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1972 }
1973
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1974 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1975 mbedtls_printf( "\n" );
1976#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1977
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1978#if defined(MBEDTLS_CIPHER_MODE_OFB)
1979 /*
1980 * OFB mode
1981 */
1982 for( i = 0; i < 6; i++ )
1983 {
1984 u = i >> 1;
1985 keybits = 128 + u * 64;
1986 mode = i & 1;
1987
1988 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1989 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1990 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1991
1992 memcpy( iv, aes_test_ofb_iv, 16 );
1993 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1994
1995 offset = 0;
1996 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1997 /*
1998 * AES-192 is an optional feature that may be unavailable when
1999 * there is an alternative underlying implementation i.e. when
2000 * MBEDTLS_AES_ALT is defined.
2001 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2002 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2003 {
2004 mbedtls_printf( "skipped\n" );
2005 continue;
2006 }
2007 else if( ret != 0 )
2008 {
2009 goto exit;
2010 }
2011
2012 if( mode == MBEDTLS_AES_DECRYPT )
2013 {
2014 memcpy( buf, aes_test_ofb_ct[u], 64 );
2015 aes_tests = aes_test_ofb_pt;
2016 }
2017 else
2018 {
2019 memcpy( buf, aes_test_ofb_pt, 64 );
2020 aes_tests = aes_test_ofb_ct[u];
2021 }
2022
2023 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2024 if( ret != 0 )
2025 goto exit;
2026
2027 if( memcmp( buf, aes_tests, 64 ) != 0 )
2028 {
2029 ret = 1;
2030 goto exit;
2031 }
2032
2033 if( verbose != 0 )
2034 mbedtls_printf( "passed\n" );
2035 }
2036
2037 if( verbose != 0 )
2038 mbedtls_printf( "\n" );
2039#endif /* MBEDTLS_CIPHER_MODE_OFB */
2040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2041#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2042 /*
2043 * CTR mode
2044 */
2045 for( i = 0; i < 6; i++ )
2046 {
2047 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2048 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2049
2050 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2051 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2052 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2053
2054 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2055 memcpy( key, aes_test_ctr_key[u], 16 );
2056
2057 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2058 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2059 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2060
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2061 len = aes_test_ctr_len[u];
2062
2063 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2064 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2065 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2066 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2067 }
2068 else
2069 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2070 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2071 aes_tests = aes_test_ctr_ct[u];
2072 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2073
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2074 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2075 stream_block, buf, buf );
2076 if( ret != 0 )
2077 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2078
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2079 if( memcmp( buf, aes_tests, len ) != 0 )
2080 {
2081 ret = 1;
2082 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2083 }
2084
2085 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2086 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2087 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2088
2089 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2090 mbedtls_printf( "\n" );
2091#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2092
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2093#if defined(MBEDTLS_CIPHER_MODE_XTS)
2094 {
2095 static const int num_tests =
2096 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2097 mbedtls_aes_xts_context ctx_xts;
2098
2099 /*
2100 * XTS mode
2101 */
2102 mbedtls_aes_xts_init( &ctx_xts );
2103
2104 for( i = 0; i < num_tests << 1; i++ )
2105 {
2106 const unsigned char *data_unit;
2107 u = i >> 1;
2108 mode = i & 1;
2109
2110 if( verbose != 0 )
2111 mbedtls_printf( " AES-XTS-128 (%s): ",
2112 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2113
2114 memset( key, 0, sizeof( key ) );
2115 memcpy( key, aes_test_xts_key[u], 32 );
2116 data_unit = aes_test_xts_data_unit[u];
2117
2118 len = sizeof( *aes_test_xts_ct32 );
2119
2120 if( mode == MBEDTLS_AES_DECRYPT )
2121 {
2122 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2123 if( ret != 0)
2124 goto exit;
2125 memcpy( buf, aes_test_xts_ct32[u], len );
2126 aes_tests = aes_test_xts_pt32[u];
2127 }
2128 else
2129 {
2130 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2131 if( ret != 0)
2132 goto exit;
2133 memcpy( buf, aes_test_xts_pt32[u], len );
2134 aes_tests = aes_test_xts_ct32[u];
2135 }
2136
2137
2138 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2139 buf, buf );
2140 if( ret != 0 )
2141 goto exit;
2142
2143 if( memcmp( buf, aes_tests, len ) != 0 )
2144 {
2145 ret = 1;
2146 goto exit;
2147 }
2148
2149 if( verbose != 0 )
2150 mbedtls_printf( "passed\n" );
2151 }
2152
2153 if( verbose != 0 )
2154 mbedtls_printf( "\n" );
2155
2156 mbedtls_aes_xts_free( &ctx_xts );
2157 }
2158#endif /* MBEDTLS_CIPHER_MODE_XTS */
2159
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2160 ret = 0;
2161
2162exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2163 if( ret != 0 && verbose != 0 )
2164 mbedtls_printf( "failed\n" );
2165
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2166 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2167
2168 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2169}
2170
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2171#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2172
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2173#endif /* MBEDTLS_AES_C */