TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 77b9cfcea92934dc2f48e9747c0a3b60f7d703bf / . / library / aes.c
blob: 2672cdfd4f4f31853cede6a85074560c917ba54f [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
225/*
226 * Reverse S-box
227 */
228static const unsigned char RSb[256] =
229{
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262};
263
264/*
265 * Reverse tables
266 */
267#define RT \
268\
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
333
334#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]335static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336#undef V
337
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]338#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]339
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]341static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342#undef V
343
344#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346#undef V
347
348#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350#undef V
351
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]352#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]353
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef RT
355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360{
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
364};
365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368/*
369 * Forward S-box & tables
370 */
371static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]372static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]373#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]374static uint32_t FT1[256];
375static uint32_t FT2[256];
376static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378
379/*
380 * Reverse S-box & tables
381 */
382static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]383static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]384#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]385static uint32_t RT1[256];
386static uint32_t RT2[256];
387static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]388#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Round constants
392 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]393static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394
395/*
396 * Tables generation code
397 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]398#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
399#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]400#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401
402static int aes_init_done = 0;
403
404static void aes_gen_tables( void )
405{
406 int i, x, y, z;
407 int pow[256];
408 int log[256];
409
410 /*
411 * compute pow and log tables over GF(2^8)
412 */
413 for( i = 0, x = 1; i < 256; i++ )
414 {
415 pow[i] = x;
416 log[x] = i;
417 x = ( x ^ XTIME( x ) ) & 0xFF;
418 }
419
420 /*
421 * calculate the round constants
422 */
423 for( i = 0, x = 1; i < 10; i++ )
424 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]425 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426 x = XTIME( x ) & 0xFF;
427 }
428
429 /*
430 * generate the forward and reverse S-boxes
431 */
432 FSb[0x00] = 0x63;
433 RSb[0x63] = 0x00;
434
435 for( i = 1; i < 256; i++ )
436 {
437 x = pow[255 - log[i]];
438
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 x ^= y ^ 0x63;
444
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
447 }
448
449 /*
450 * generate the forward and reverse tables
451 */
452 for( i = 0; i < 256; i++ )
453 {
454 x = FSb[i];
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
457
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]463#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]467#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469 x = RSb[i];
470
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]476#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]480#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 }
482}
483
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484#undef ROTL8
485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
490#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
493
494#define AES_RT0(idx) RT0[idx]
495#define AES_RT1(idx) ROTL8( RT0[idx] )
496#define AES_RT2(idx) ROTL16( RT0[idx] )
497#define AES_RT3(idx) ROTL24( RT0[idx] )
498
499#define AES_FT0(idx) FT0[idx]
500#define AES_FT1(idx) ROTL8( FT0[idx] )
501#define AES_FT2(idx) ROTL16( FT0[idx] )
502#define AES_FT3(idx) ROTL24( FT0[idx] )
503
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]504#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) RT1[idx]
508#define AES_RT2(idx) RT2[idx]
509#define AES_RT3(idx) RT3[idx]
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) FT1[idx]
513#define AES_FT2(idx) FT2[idx]
514#define AES_FT3(idx) FT3[idx]
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]518void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]519{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]520 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]521
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523}
524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526{
527 if( ctx == NULL )
528 return;
529
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531}
532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533#if defined(MBEDTLS_CIPHER_MODE_XTS)
534void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
535{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]536 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
540}
541
542void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
543{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]544 if( ctx == NULL )
545 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]547 mbedtls_aes_free( &ctx->crypt );
548 mbedtls_aes_free( &ctx->tweak );
549}
550#endif /* MBEDTLS_CIPHER_MODE_XTS */
551
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552/*
553 * AES key schedule (encryption)
554 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]555#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]557 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]559 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]560 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]562 AES_VALIDATE_RET( ctx != NULL );
563 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]565 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 {
567 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame^]568#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]569 case 192: ctx->nr = 12; break;
570 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame^]571#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]572 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]573 }
574
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]575#if !defined(MBEDTLS_AES_ROM_TABLES)
576 if( aes_init_done == 0 )
577 {
578 aes_gen_tables();
579 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]580 }
581#endif
582
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]583#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]585 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]586
587 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]588 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]589 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]591 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]593#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]594 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]595 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]596#endif
597
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]598 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]600 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]601 }
602
603 switch( ctx->nr )
604 {
605 case 10:
606
607 for( i = 0; i < 10; i++, RK += 4 )
608 {
609 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]610 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
611 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
612 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
613 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614
615 RK[5] = RK[1] ^ RK[4];
616 RK[6] = RK[2] ^ RK[5];
617 RK[7] = RK[3] ^ RK[6];
618 }
619 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame^]620#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]621 case 12:
622
623 for( i = 0; i < 8; i++, RK += 6 )
624 {
625 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]626 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
627 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
628 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
629 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]630
631 RK[7] = RK[1] ^ RK[6];
632 RK[8] = RK[2] ^ RK[7];
633 RK[9] = RK[3] ^ RK[8];
634 RK[10] = RK[4] ^ RK[9];
635 RK[11] = RK[5] ^ RK[10];
636 }
637 break;
638
639 case 14:
640
641 for( i = 0; i < 7; i++, RK += 8 )
642 {
643 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]644 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
645 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
646 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
647 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648
649 RK[9] = RK[1] ^ RK[8];
650 RK[10] = RK[2] ^ RK[9];
651 RK[11] = RK[3] ^ RK[10];
652
653 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]654 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
656 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
657 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658
659 RK[13] = RK[5] ^ RK[12];
660 RK[14] = RK[6] ^ RK[13];
661 RK[15] = RK[7] ^ RK[14];
662 }
663 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame^]664#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]666
667 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]669#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]670
671/*
672 * AES key schedule (decryption)
673 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]674#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]675int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]676 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]677{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]678 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]679 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]680 uint32_t *RK;
681 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]682
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]683 AES_VALIDATE_RET( ctx != NULL );
684 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]688#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]689 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]690 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]691
692 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]693 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]694 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]696 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]697
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]698 /* Also checks keybits */
699 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]700 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]701
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]702 ctx->nr = cty.nr;
703
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]704#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]705 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]706 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]707 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]708 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]709 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]710 }
711#endif
712
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]713 SK = cty.rk + cty.nr * 4;
714
715 *RK++ = *SK++;
716 *RK++ = *SK++;
717 *RK++ = *SK++;
718 *RK++ = *SK++;
719
720 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
721 {
722 for( j = 0; j < 4; j++, SK++ )
723 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]724 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
725 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
726 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
727 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728 }
729 }
730
731 *RK++ = *SK++;
732 *RK++ = *SK++;
733 *RK++ = *SK++;
734 *RK++ = *SK++;
735
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]736exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]737 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]738
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]739 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]740}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]741
742#if defined(MBEDTLS_CIPHER_MODE_XTS)
743static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
744 unsigned int keybits,
745 const unsigned char **key1,
746 unsigned int *key1bits,
747 const unsigned char **key2,
748 unsigned int *key2bits )
749{
750 const unsigned int half_keybits = keybits / 2;
751 const unsigned int half_keybytes = half_keybits / 8;
752
753 switch( keybits )
754 {
755 case 256: break;
756 case 512: break;
757 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
758 }
759
760 *key1bits = half_keybits;
761 *key2bits = half_keybits;
762 *key1 = &key[0];
763 *key2 = &key[half_keybytes];
764
765 return 0;
766}
767
768int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
769 const unsigned char *key,
770 unsigned int keybits)
771{
772 int ret;
773 const unsigned char *key1, *key2;
774 unsigned int key1bits, key2bits;
775
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]776 AES_VALIDATE_RET( ctx != NULL );
777 AES_VALIDATE_RET( key != NULL );
778
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]779 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
780 &key2, &key2bits );
781 if( ret != 0 )
782 return( ret );
783
784 /* Set the tweak key. Always set tweak key for the encryption mode. */
785 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
786 if( ret != 0 )
787 return( ret );
788
789 /* Set crypt key for encryption. */
790 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
791}
792
793int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
794 const unsigned char *key,
795 unsigned int keybits)
796{
797 int ret;
798 const unsigned char *key1, *key2;
799 unsigned int key1bits, key2bits;
800
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]801 AES_VALIDATE_RET( ctx != NULL );
802 AES_VALIDATE_RET( key != NULL );
803
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]804 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
805 &key2, &key2bits );
806 if( ret != 0 )
807 return( ret );
808
809 /* Set the tweak key. Always set tweak key for encryption. */
810 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
811 if( ret != 0 )
812 return( ret );
813
814 /* Set crypt key for decryption. */
815 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
816}
817#endif /* MBEDTLS_CIPHER_MODE_XTS */
818
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]819#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]820
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]821#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
822 do \
823 { \
824 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
825 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
826 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
827 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
828 \
829 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
830 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
831 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
832 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
833 \
834 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
835 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
836 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
837 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
838 \
839 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
840 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
841 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
842 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
843 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]844
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]845#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
846 do \
847 { \
848 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
849 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
850 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
851 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
852 \
853 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
854 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
855 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
856 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
857 \
858 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
859 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
860 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
861 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
862 \
863 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
864 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
865 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
866 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
867 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]868
869/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]870 * AES-ECB block encryption
871 */
872#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]873int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
874 const unsigned char input[16],
875 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]876{
877 int i;
878 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
879
880 RK = ctx->rk;
881
882 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
883 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
884 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
885 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
886
887 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
888 {
889 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
890 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
891 }
892
893 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
894
895 X0 = *RK++ ^ \
896 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
897 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
898 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
899 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
900
901 X1 = *RK++ ^ \
902 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
903 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
904 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
905 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
906
907 X2 = *RK++ ^ \
908 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
909 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
910 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
911 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
912
913 X3 = *RK++ ^ \
914 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
915 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
916 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
917 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
918
919 PUT_UINT32_LE( X0, output, 0 );
920 PUT_UINT32_LE( X1, output, 4 );
921 PUT_UINT32_LE( X2, output, 8 );
922 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]923
924 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]925}
926#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
927
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]928#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]929void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
930 const unsigned char input[16],
931 unsigned char output[16] )
932{
933 mbedtls_internal_aes_encrypt( ctx, input, output );
934}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]935#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]936
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]937/*
938 * AES-ECB block decryption
939 */
940#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]941int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
942 const unsigned char input[16],
943 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]944{
945 int i;
946 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
947
948 RK = ctx->rk;
949
950 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
951 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
952 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
953 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
954
955 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
956 {
957 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
958 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
959 }
960
961 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
962
963 X0 = *RK++ ^ \
964 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
965 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
966 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
967 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
968
969 X1 = *RK++ ^ \
970 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
971 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
972 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
973 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
974
975 X2 = *RK++ ^ \
976 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
977 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
978 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
979 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
980
981 X3 = *RK++ ^ \
982 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
983 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
984 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
985 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
986
987 PUT_UINT32_LE( X0, output, 0 );
988 PUT_UINT32_LE( X1, output, 4 );
989 PUT_UINT32_LE( X2, output, 8 );
990 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]991
992 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]993}
994#endif /* !MBEDTLS_AES_DECRYPT_ALT */
995
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]996#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]997void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
998 const unsigned char input[16],
999 unsigned char output[16] )
1000{
1001 mbedtls_internal_aes_decrypt( ctx, input, output );
1002}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1003#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1004
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1005/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1006 * AES-ECB block encryption/decryption
1007 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1008int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1009 int mode,
1010 const unsigned char input[16],
1011 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1012{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1013 AES_VALIDATE_RET( ctx != NULL );
1014 AES_VALIDATE_RET( input != NULL );
1015 AES_VALIDATE_RET( output != NULL );
1016 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1017 mode == MBEDTLS_AES_DECRYPT );
1018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1019#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1020 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1021 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1022#endif
1023
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1024#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1025 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1026 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1027 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1028 return( 0 );
1029
1030 // If padlock data misaligned, we just fall back to
1031 // unaccelerated mode
1032 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1033 }
1034#endif
1035
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1036 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1037 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1038 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1039 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1040}
1041
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1042#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1043/*
1044 * AES-CBC buffer encryption/decryption
1045 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1046int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1047 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1048 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1050 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1051 unsigned char *output )
1052{
1053 int i;
1054 unsigned char temp[16];
1055
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1056 AES_VALIDATE_RET( ctx != NULL );
1057 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1058 mode == MBEDTLS_AES_DECRYPT );
1059 AES_VALIDATE_RET( iv != NULL );
1060 AES_VALIDATE_RET( input != NULL );
1061 AES_VALIDATE_RET( output != NULL );
1062
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1063 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1064 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1065
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1067 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1068 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1069 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1070 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1071
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1072 // If padlock data misaligned, we just fall back to
1073 // unaccelerated mode
1074 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075 }
1076#endif
1077
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1078 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079 {
1080 while( length > 0 )
1081 {
1082 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1083 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1084
1085 for( i = 0; i < 16; i++ )
1086 output[i] = (unsigned char)( output[i] ^ iv[i] );
1087
1088 memcpy( iv, temp, 16 );
1089
1090 input += 16;
1091 output += 16;
1092 length -= 16;
1093 }
1094 }
1095 else
1096 {
1097 while( length > 0 )
1098 {
1099 for( i = 0; i < 16; i++ )
1100 output[i] = (unsigned char)( input[i] ^ iv[i] );
1101
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1102 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1103 memcpy( iv, output, 16 );
1104
1105 input += 16;
1106 output += 16;
1107 length -= 16;
1108 }
1109 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1110
1111 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1112}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1113#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1114
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1115#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1116
1117/* Endianess with 64 bits values */
1118#ifndef GET_UINT64_LE
1119#define GET_UINT64_LE(n,b,i) \
1120{ \
1121 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1122 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1123 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1124 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1125 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1126 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1127 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1128 | ( (uint64_t) (b)[(i) ] ); \
1129}
1130#endif
1131
1132#ifndef PUT_UINT64_LE
1133#define PUT_UINT64_LE(n,b,i) \
1134{ \
1135 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1136 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1137 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1138 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1139 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1140 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1141 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1142 (b)[(i) ] = (unsigned char) ( (n) ); \
1143}
1144#endif
1145
1146typedef unsigned char mbedtls_be128[16];
1147
1148/*
1149 * GF(2^128) multiplication function
1150 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1151 * This function multiplies a field element by x in the polynomial field
1152 * representation. It uses 64-bit word operations to gain speed but compensates
1153 * for machine endianess and hence works correctly on both big and little
1154 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1155 */
1156static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1157 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1158{
1159 uint64_t a, b, ra, rb;
1160
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1161 GET_UINT64_LE( a, x, 0 );
1162 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1163
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1164 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1165 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1166
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1167 PUT_UINT64_LE( ra, r, 0 );
1168 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1169}
1170
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1171/*
1172 * AES-XTS buffer encryption/decryption
1173 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1174int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1175 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1176 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1177 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1178 const unsigned char *input,
1179 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1180{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1181 int ret;
1182 size_t blocks = length / 16;
1183 size_t leftover = length % 16;
1184 unsigned char tweak[16];
1185 unsigned char prev_tweak[16];
1186 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1187
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1188 AES_VALIDATE_RET( ctx != NULL );
1189 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1190 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1191 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1192 AES_VALIDATE_RET( input != NULL );
1193 AES_VALIDATE_RET( output != NULL );
1194
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1195 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1196 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1197 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1198
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1199 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1200 if( length > ( 1 << 20 ) * 16 )
1201 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1202
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1203 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1204 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1205 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1206 if( ret != 0 )
1207 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1208
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1209 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1210 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1211 size_t i;
1212
1213 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1214 {
1215 /* We are on the last block in a decrypt operation that has
1216 * leftover bytes, so we need to use the next tweak for this block,
1217 * and this tweak for the lefover bytes. Save the current tweak for
1218 * the leftovers and then update the current tweak for use on this,
1219 * the last full block. */
1220 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1221 mbedtls_gf128mul_x_ble( tweak, tweak );
1222 }
1223
1224 for( i = 0; i < 16; i++ )
1225 tmp[i] = input[i] ^ tweak[i];
1226
1227 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1228 if( ret != 0 )
1229 return( ret );
1230
1231 for( i = 0; i < 16; i++ )
1232 output[i] = tmp[i] ^ tweak[i];
1233
1234 /* Update the tweak for the next block. */
1235 mbedtls_gf128mul_x_ble( tweak, tweak );
1236
1237 output += 16;
1238 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1239 }
1240
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1241 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1242 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1243 /* If we are on the leftover bytes in a decrypt operation, we need to
1244 * use the previous tweak for these bytes (as saved in prev_tweak). */
1245 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1246
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1247 /* We are now on the final part of the data unit, which doesn't divide
1248 * evenly by 16. It's time for ciphertext stealing. */
1249 size_t i;
1250 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1251
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1252 /* Copy ciphertext bytes from the previous block to our output for each
1253 * byte of cyphertext we won't steal. At the same time, copy the
1254 * remainder of the input for this final round (since the loop bounds
1255 * are the same). */
1256 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1257 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1258 output[i] = prev_output[i];
1259 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1260 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1261
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1262 /* Copy ciphertext bytes from the previous block for input in this
1263 * round. */
1264 for( ; i < 16; i++ )
1265 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1266
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1267 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1268 if( ret != 0 )
1269 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1270
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1271 /* Write the result back to the previous block, overriding the previous
1272 * output we copied. */
1273 for( i = 0; i < 16; i++ )
1274 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1275 }
1276
1277 return( 0 );
1278}
1279#endif /* MBEDTLS_CIPHER_MODE_XTS */
1280
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1281#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1282/*
1283 * AES-CFB128 buffer encryption/decryption
1284 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1285int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1287 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1288 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1290 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1291 unsigned char *output )
1292{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1293 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1294 size_t n;
1295
1296 AES_VALIDATE_RET( ctx != NULL );
1297 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1298 mode == MBEDTLS_AES_DECRYPT );
1299 AES_VALIDATE_RET( iv_off != NULL );
1300 AES_VALIDATE_RET( iv != NULL );
1301 AES_VALIDATE_RET( input != NULL );
1302 AES_VALIDATE_RET( output != NULL );
1303
1304 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1305
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1306 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1307 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1308
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1309 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1310 {
1311 while( length-- )
1312 {
1313 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1314 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1315
1316 c = *input++;
1317 *output++ = (unsigned char)( c ^ iv[n] );
1318 iv[n] = (unsigned char) c;
1319
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1320 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1321 }
1322 }
1323 else
1324 {
1325 while( length-- )
1326 {
1327 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1328 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1329
1330 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1331
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1332 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333 }
1334 }
1335
1336 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1337
1338 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1339}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1340
1341/*
1342 * AES-CFB8 buffer encryption/decryption
1343 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1344int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1345 int mode,
1346 size_t length,
1347 unsigned char iv[16],
1348 const unsigned char *input,
1349 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1350{
1351 unsigned char c;
1352 unsigned char ov[17];
1353
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1354 AES_VALIDATE_RET( ctx != NULL );
1355 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1356 mode == MBEDTLS_AES_DECRYPT );
1357 AES_VALIDATE_RET( iv != NULL );
1358 AES_VALIDATE_RET( input != NULL );
1359 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1360 while( length-- )
1361 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1362 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1363 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1365 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1366 ov[16] = *input;
1367
1368 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1369
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1370 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1371 ov[16] = c;
1372
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1373 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1374 }
1375
1376 return( 0 );
1377}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1378#endif /* MBEDTLS_CIPHER_MODE_CFB */
1379
1380#if defined(MBEDTLS_CIPHER_MODE_OFB)
1381/*
1382 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1383 */
1384int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1385 size_t length,
1386 size_t *iv_off,
1387 unsigned char iv[16],
1388 const unsigned char *input,
1389 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1390{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1391 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1392 size_t n;
1393
1394 AES_VALIDATE_RET( ctx != NULL );
1395 AES_VALIDATE_RET( iv_off != NULL );
1396 AES_VALIDATE_RET( iv != NULL );
1397 AES_VALIDATE_RET( input != NULL );
1398 AES_VALIDATE_RET( output != NULL );
1399
1400 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1401
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1402 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1403 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1404
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1405 while( length-- )
1406 {
1407 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1408 {
1409 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1410 if( ret != 0 )
1411 goto exit;
1412 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1413 *output++ = *input++ ^ iv[n];
1414
1415 n = ( n + 1 ) & 0x0F;
1416 }
1417
1418 *iv_off = n;
1419
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1420exit:
1421 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1422}
1423#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1424
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1425#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1426/*
1427 * AES-CTR buffer encryption/decryption
1428 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1429int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1430 size_t length,
1431 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1432 unsigned char nonce_counter[16],
1433 unsigned char stream_block[16],
1434 const unsigned char *input,
1435 unsigned char *output )
1436{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1437 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1438 size_t n;
1439
1440 AES_VALIDATE_RET( ctx != NULL );
1441 AES_VALIDATE_RET( nc_off != NULL );
1442 AES_VALIDATE_RET( nonce_counter != NULL );
1443 AES_VALIDATE_RET( stream_block != NULL );
1444 AES_VALIDATE_RET( input != NULL );
1445 AES_VALIDATE_RET( output != NULL );
1446
1447 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1448
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1449 if ( n > 0x0F )
1450 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1451
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1452 while( length-- )
1453 {
1454 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1455 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1456
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1457 for( i = 16; i > 0; i-- )
1458 if( ++nonce_counter[i - 1] != 0 )
1459 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1460 }
1461 c = *input++;
1462 *output++ = (unsigned char)( c ^ stream_block[n] );
1463
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1464 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1465 }
1466
1467 *nc_off = n;
1468
1469 return( 0 );
1470}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1471#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1472
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1473#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1474
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1475#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1476/*
1477 * AES test vectors from:
1478 *
1479 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1480 */
1481static const unsigned char aes_test_ecb_dec[3][16] =
1482{
1483 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1484 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1485 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1486 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1487 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1488 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1489};
1490
1491static const unsigned char aes_test_ecb_enc[3][16] =
1492{
1493 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1494 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1495 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1496 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1497 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1498 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1499};
1500
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1501#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1502static const unsigned char aes_test_cbc_dec[3][16] =
1503{
1504 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1505 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1506 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1507 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1508 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1509 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1510};
1511
1512static const unsigned char aes_test_cbc_enc[3][16] =
1513{
1514 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1515 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1516 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1517 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1518 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1519 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1520};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1521#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1523#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1524/*
1525 * AES-CFB128 test vectors from:
1526 *
1527 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1528 */
1529static const unsigned char aes_test_cfb128_key[3][32] =
1530{
1531 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1532 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1533 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1534 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1535 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1536 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1537 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1538 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1539 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1540};
1541
1542static const unsigned char aes_test_cfb128_iv[16] =
1543{
1544 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1545 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1546};
1547
1548static const unsigned char aes_test_cfb128_pt[64] =
1549{
1550 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1551 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1552 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1553 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1554 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1555 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1556 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1557 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1558};
1559
1560static const unsigned char aes_test_cfb128_ct[3][64] =
1561{
1562 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1563 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1564 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1565 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1566 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1567 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1568 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1569 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1570 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1571 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1572 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1573 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1574 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1575 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1576 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1577 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1578 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1579 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1580 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1581 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1582 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1583 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1584 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1585 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1586};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1587#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1588
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1589#if defined(MBEDTLS_CIPHER_MODE_OFB)
1590/*
1591 * AES-OFB test vectors from:
1592 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1593 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1594 */
1595static const unsigned char aes_test_ofb_key[3][32] =
1596{
1597 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1598 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1599 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1600 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1601 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1602 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1603 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1604 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1605 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1606};
1607
1608static const unsigned char aes_test_ofb_iv[16] =
1609{
1610 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1611 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1612};
1613
1614static const unsigned char aes_test_ofb_pt[64] =
1615{
1616 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1617 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1618 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1619 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1620 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1621 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1622 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1623 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1624};
1625
1626static const unsigned char aes_test_ofb_ct[3][64] =
1627{
1628 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1629 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1630 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1631 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1632 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1633 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1634 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1635 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1636 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1637 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1638 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1639 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1640 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1641 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1642 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1643 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1644 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1645 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1646 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1647 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1648 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1649 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1650 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1651 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1652};
1653#endif /* MBEDTLS_CIPHER_MODE_OFB */
1654
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1655#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1656/*
1657 * AES-CTR test vectors from:
1658 *
1659 * http://www.faqs.org/rfcs/rfc3686.html
1660 */
1661
1662static const unsigned char aes_test_ctr_key[3][16] =
1663{
1664 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1665 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1666 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1667 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1668 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1669 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1670};
1671
1672static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1673{
1674 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1675 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1676 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1677 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1678 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1679 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1680};
1681
1682static const unsigned char aes_test_ctr_pt[3][48] =
1683{
1684 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1685 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1686
1687 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1688 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1689 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1690 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1691
1692 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1693 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1694 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1695 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1696 0x20, 0x21, 0x22, 0x23 }
1697};
1698
1699static const unsigned char aes_test_ctr_ct[3][48] =
1700{
1701 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1702 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1703 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1704 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1705 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1706 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1707 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1708 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1709 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1710 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1711 0x25, 0xB2, 0x07, 0x2F }
1712};
1713
1714static const int aes_test_ctr_len[3] =
1715 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1716#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1717
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1718#if defined(MBEDTLS_CIPHER_MODE_XTS)
1719/*
1720 * AES-XTS test vectors from:
1721 *
1722 * IEEE P1619/D16 Annex B
1723 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1724 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1725 */
1726static const unsigned char aes_test_xts_key[][32] =
1727{
1728 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1731 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1732 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1733 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1734 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1735 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1736 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1737 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1738 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1739 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1740};
1741
1742static const unsigned char aes_test_xts_pt32[][32] =
1743{
1744 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1748 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1749 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1750 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1751 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1752 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1753 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1754 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1755 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1756};
1757
1758static const unsigned char aes_test_xts_ct32[][32] =
1759{
1760 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1761 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1762 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1763 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1764 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1765 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1766 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1767 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1768 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1769 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1770 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1771 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1772};
1773
1774static const unsigned char aes_test_xts_data_unit[][16] =
1775{
1776 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1778 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1780 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1781 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1782};
1783
1784#endif /* MBEDTLS_CIPHER_MODE_XTS */
1785
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1786/*
1787 * Checkup routine
1788 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1789int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1791 int ret = 0, i, j, u, mode;
1792 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1793 unsigned char key[32];
1794 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1795 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1796#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1797 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1798#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1799#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1800 unsigned char prv[16];
1801#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1802#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1803 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1804 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1805#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1806#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1807 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1808#endif
1809#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1810 unsigned char nonce_counter[16];
1811 unsigned char stream_block[16];
1812#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1813 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1814
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]1815 mbedtls_platform_memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1816 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817
1818 /*
1819 * ECB mode
1820 */
1821 for( i = 0; i < 6; i++ )
1822 {
1823 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1824 keybits = 128 + u * 64;
1825 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1826
1827 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1828 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1829 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1830
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame^]1831#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1832 if( keybits > 128 )
1833 {
1834 mbedtls_printf( "skipped\n" );
1835 continue;
1836 }
1837#endif
1838
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]1839 mbedtls_platform_memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1840
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1841 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1843 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1844 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845 }
1846 else
1847 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1848 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1849 aes_tests = aes_test_ecb_enc[u];
1850 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1851
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1852 /*
1853 * AES-192 is an optional feature that may be unavailable when
1854 * there is an alternative underlying implementation i.e. when
1855 * MBEDTLS_AES_ALT is defined.
1856 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1857 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1858 {
1859 mbedtls_printf( "skipped\n" );
1860 continue;
1861 }
1862 else if( ret != 0 )
1863 {
1864 goto exit;
1865 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1866
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1867 for( j = 0; j < 10000; j++ )
1868 {
1869 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1870 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1871 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1872 }
1873
1874 if( memcmp( buf, aes_tests, 16 ) != 0 )
1875 {
1876 ret = 1;
1877 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878 }
1879
1880 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1881 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882 }
1883
1884 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1885 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1887#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1888 /*
1889 * CBC mode
1890 */
1891 for( i = 0; i < 6; i++ )
1892 {
1893 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1894 keybits = 128 + u * 64;
1895 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896
1897 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1898 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1899 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame^]1901#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1902 if( keybits > 128 )
1903 {
1904 mbedtls_printf( "skipped\n" );
1905 continue;
1906 }
1907#endif
1908
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]1909 mbedtls_platform_memset( iv , 0, 16 );
1910 mbedtls_platform_memset( prv, 0, 16 );
1911 mbedtls_platform_memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1913 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1914 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1915 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1916 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1917 }
1918 else
1919 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1920 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1921 aes_tests = aes_test_cbc_enc[u];
1922 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1924 /*
1925 * AES-192 is an optional feature that may be unavailable when
1926 * there is an alternative underlying implementation i.e. when
1927 * MBEDTLS_AES_ALT is defined.
1928 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1929 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1930 {
1931 mbedtls_printf( "skipped\n" );
1932 continue;
1933 }
1934 else if( ret != 0 )
1935 {
1936 goto exit;
1937 }
1938
1939 for( j = 0; j < 10000; j++ )
1940 {
1941 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1942 {
1943 unsigned char tmp[16];
1944
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1945 memcpy( tmp, prv, 16 );
1946 memcpy( prv, buf, 16 );
1947 memcpy( buf, tmp, 16 );
1948 }
1949
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1950 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1951 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1952 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1953
1954 }
1955
1956 if( memcmp( buf, aes_tests, 16 ) != 0 )
1957 {
1958 ret = 1;
1959 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1960 }
1961
1962 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1963 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1964 }
1965
1966 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1967 mbedtls_printf( "\n" );
1968#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1969
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1970#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971 /*
1972 * CFB128 mode
1973 */
1974 for( i = 0; i < 6; i++ )
1975 {
1976 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1977 keybits = 128 + u * 64;
1978 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1979
1980 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1981 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1982 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1983
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame^]1984#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1985 if( keybits > 128 )
1986 {
1987 mbedtls_printf( "skipped\n" );
1988 continue;
1989 }
1990#endif
1991
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1992 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1993 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1994
1995 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1996 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1997 /*
1998 * AES-192 is an optional feature that may be unavailable when
1999 * there is an alternative underlying implementation i.e. when
2000 * MBEDTLS_AES_ALT is defined.
2001 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2002 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2003 {
2004 mbedtls_printf( "skipped\n" );
2005 continue;
2006 }
2007 else if( ret != 0 )
2008 {
2009 goto exit;
2010 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2011
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2012 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2013 {
2014 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2015 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2016 }
2017 else
2018 {
2019 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2020 aes_tests = aes_test_cfb128_ct[u];
2021 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2022
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2023 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2024 if( ret != 0 )
2025 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2026
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2027 if( memcmp( buf, aes_tests, 64 ) != 0 )
2028 {
2029 ret = 1;
2030 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031 }
2032
2033 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2034 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2035 }
2036
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2037 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2038 mbedtls_printf( "\n" );
2039#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2040
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2041#if defined(MBEDTLS_CIPHER_MODE_OFB)
2042 /*
2043 * OFB mode
2044 */
2045 for( i = 0; i < 6; i++ )
2046 {
2047 u = i >> 1;
2048 keybits = 128 + u * 64;
2049 mode = i & 1;
2050
2051 if( verbose != 0 )
2052 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2053 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2054
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame^]2055#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2056 if( keybits > 128 )
2057 {
2058 mbedtls_printf( "skipped\n" );
2059 continue;
2060 }
2061#endif
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2062 memcpy( iv, aes_test_ofb_iv, 16 );
2063 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2064
2065 offset = 0;
2066 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2067 /*
2068 * AES-192 is an optional feature that may be unavailable when
2069 * there is an alternative underlying implementation i.e. when
2070 * MBEDTLS_AES_ALT is defined.
2071 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2072 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2073 {
2074 mbedtls_printf( "skipped\n" );
2075 continue;
2076 }
2077 else if( ret != 0 )
2078 {
2079 goto exit;
2080 }
2081
2082 if( mode == MBEDTLS_AES_DECRYPT )
2083 {
2084 memcpy( buf, aes_test_ofb_ct[u], 64 );
2085 aes_tests = aes_test_ofb_pt;
2086 }
2087 else
2088 {
2089 memcpy( buf, aes_test_ofb_pt, 64 );
2090 aes_tests = aes_test_ofb_ct[u];
2091 }
2092
2093 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2094 if( ret != 0 )
2095 goto exit;
2096
2097 if( memcmp( buf, aes_tests, 64 ) != 0 )
2098 {
2099 ret = 1;
2100 goto exit;
2101 }
2102
2103 if( verbose != 0 )
2104 mbedtls_printf( "passed\n" );
2105 }
2106
2107 if( verbose != 0 )
2108 mbedtls_printf( "\n" );
2109#endif /* MBEDTLS_CIPHER_MODE_OFB */
2110
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2111#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2112 /*
2113 * CTR mode
2114 */
2115 for( i = 0; i < 6; i++ )
2116 {
2117 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2118 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2119
2120 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2121 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2122 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2123
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame^]2124#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2125 if( keybits > 128 )
2126 {
2127 mbedtls_printf( "skipped\n" );
2128 continue;
2129 }
2130#endif
2131
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2132 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2133 memcpy( key, aes_test_ctr_key[u], 16 );
2134
2135 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2136 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2137 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2138
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2139 len = aes_test_ctr_len[u];
2140
2141 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2142 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2143 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2144 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2145 }
2146 else
2147 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2148 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2149 aes_tests = aes_test_ctr_ct[u];
2150 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2151
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2152 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2153 stream_block, buf, buf );
2154 if( ret != 0 )
2155 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2156
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2157 if( memcmp( buf, aes_tests, len ) != 0 )
2158 {
2159 ret = 1;
2160 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2161 }
2162
2163 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2164 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2165 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2166
2167 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2168 mbedtls_printf( "\n" );
2169#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2170
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2171#if defined(MBEDTLS_CIPHER_MODE_XTS)
2172 {
2173 static const int num_tests =
2174 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2175 mbedtls_aes_xts_context ctx_xts;
2176
2177 /*
2178 * XTS mode
2179 */
2180 mbedtls_aes_xts_init( &ctx_xts );
2181
2182 for( i = 0; i < num_tests << 1; i++ )
2183 {
2184 const unsigned char *data_unit;
2185 u = i >> 1;
2186 mode = i & 1;
2187
2188 if( verbose != 0 )
2189 mbedtls_printf( " AES-XTS-128 (%s): ",
2190 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2191
Manuel Pégourié-Gonnard7a346b82019-10-02 14:47:01 +0200[diff] [blame]2192 mbedtls_platform_memset( key, 0, sizeof( key ) );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2193 memcpy( key, aes_test_xts_key[u], 32 );
2194 data_unit = aes_test_xts_data_unit[u];
2195
2196 len = sizeof( *aes_test_xts_ct32 );
2197
2198 if( mode == MBEDTLS_AES_DECRYPT )
2199 {
2200 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2201 if( ret != 0)
2202 goto exit;
2203 memcpy( buf, aes_test_xts_ct32[u], len );
2204 aes_tests = aes_test_xts_pt32[u];
2205 }
2206 else
2207 {
2208 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2209 if( ret != 0)
2210 goto exit;
2211 memcpy( buf, aes_test_xts_pt32[u], len );
2212 aes_tests = aes_test_xts_ct32[u];
2213 }
2214
2215
2216 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2217 buf, buf );
2218 if( ret != 0 )
2219 goto exit;
2220
2221 if( memcmp( buf, aes_tests, len ) != 0 )
2222 {
2223 ret = 1;
2224 goto exit;
2225 }
2226
2227 if( verbose != 0 )
2228 mbedtls_printf( "passed\n" );
2229 }
2230
2231 if( verbose != 0 )
2232 mbedtls_printf( "\n" );
2233
2234 mbedtls_aes_xts_free( &ctx_xts );
2235 }
2236#endif /* MBEDTLS_CIPHER_MODE_XTS */
2237
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2238 ret = 0;
2239
2240exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2241 if( ret != 0 && verbose != 0 )
2242 mbedtls_printf( "failed\n" );
2243
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2244 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2245
2246 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2247}
2248
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2249#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2250
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2251#endif /* MBEDTLS_AES_C */