TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 91ee76380c30332567925a0f6864b3656e18af9c / . / library / aes.c
blob: 183cedc2eed2517c1f38a6d4999c37fb6816b77a [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkútia2947ac2020-08-19 16:37:36 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45 */
46/*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]54#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]55#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]61#include <string.h>
62
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]63#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]64#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]65#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]66#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]67#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]68#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]69#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]70#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]71#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]73#if defined(MBEDTLS_SELF_TEST)
74#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]75#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]76#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]77#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]78#define mbedtls_printf printf
79#endif /* MBEDTLS_PLATFORM_C */
80#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]81
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]83
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]84/* Parameter validation macros based on platform_util.h */
85#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]86 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]87#define AES_VALIDATE( cond ) \
88 MBEDTLS_INTERNAL_VALIDATE( cond )
89
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90/*
91 * 32-bit integer manipulation macros (little endian)
92 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]93#ifndef GET_UINT32_LE
94#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]96 (n) = ( (uint32_t) (b)[(i) ] ) \
97 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
98 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
99 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]100}
101#endif
102
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]103#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]104#define PUT_UINT32_LE(n,b,i) \
105{ \
106 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
107 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
108 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
109 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]110}
111#endif
112
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]113#if defined(MBEDTLS_PADLOCK_C) && \
114 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]115static int aes_padlock_ace = -1;
116#endif
117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]118#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]119/*
120 * Forward S-box
121 */
122static const unsigned char FSb[256] =
123{
124 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
125 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
126 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
127 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
128 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
129 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
130 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
131 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
132 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
133 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
134 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
135 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
136 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
137 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
138 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
139 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
140 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
141 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
142 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
143 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
144 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
145 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
146 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
147 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
148 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
149 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
150 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
151 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
152 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
153 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
154 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
155 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
156};
157
158/*
159 * Forward tables
160 */
161#define FT \
162\
163 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
164 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
165 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
166 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
167 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
168 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
169 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
170 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
171 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
172 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
173 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
174 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
175 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
176 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
177 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
178 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
179 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
180 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
181 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
182 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
183 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
184 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
185 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
186 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
187 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
188 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
189 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
190 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
191 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
192 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
193 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
194 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
195 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
196 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
197 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
198 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
199 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
200 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
201 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
202 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
203 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
204 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
205 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
206 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
207 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
208 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
209 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
210 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
211 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
212 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
213 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
214 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
215 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
216 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
217 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
218 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
219 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
220 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
221 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
222 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
223 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
224 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
225 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
226 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
227
228#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]232#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]233
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]235static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236#undef V
237
238#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]239static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]240#undef V
241
242#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]243static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244#undef V
245
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]246#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]247
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]248#undef FT
249
250/*
251 * Reverse S-box
252 */
253static const unsigned char RSb[256] =
254{
255 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
256 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
257 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
258 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
259 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
260 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
261 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
262 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
263 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
264 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
265 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
266 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
267 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
268 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
269 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
270 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
271 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
272 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
273 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
274 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
275 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
276 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
277 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
278 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
279 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
280 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
281 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
282 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
283 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
284 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
285 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
286 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
287};
288
289/*
290 * Reverse tables
291 */
292#define RT \
293\
294 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
295 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
296 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
297 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
298 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
299 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
300 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
301 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
302 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
303 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
304 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
305 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
306 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
307 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
308 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
309 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
310 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
311 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
312 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
313 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
314 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
315 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
316 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
317 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
318 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
319 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
320 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
321 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
322 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
323 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
324 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
325 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
326 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
327 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
328 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
329 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
330 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
331 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
332 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
333 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
334 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
335 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
336 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
337 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
338 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
339 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
340 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
341 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
342 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
343 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
344 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
345 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
346 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
347 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
348 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
349 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
350 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
351 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
352 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
353 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
354 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
355 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
356 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
357 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
358
359#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361#undef V
362
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]363#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]364
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]366static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367#undef V
368
369#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]370static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371#undef V
372
373#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]374static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375#undef V
376
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]378
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379#undef RT
380
381/*
382 * Round constants
383 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]385{
386 0x00000001, 0x00000002, 0x00000004, 0x00000008,
387 0x00000010, 0x00000020, 0x00000040, 0x00000080,
388 0x0000001B, 0x00000036
389};
390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]391#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392
393/*
394 * Forward S-box & tables
395 */
396static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]397static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]398#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]399static uint32_t FT1[256];
400static uint32_t FT2[256];
401static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]402#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]403
404/*
405 * Reverse S-box & tables
406 */
407static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]408static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]409#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]410static uint32_t RT1[256];
411static uint32_t RT2[256];
412static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]413#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]414
415/*
416 * Round constants
417 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]418static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419
420/*
421 * Tables generation code
422 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]423#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
424#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]425#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426
427static int aes_init_done = 0;
428
429static void aes_gen_tables( void )
430{
431 int i, x, y, z;
432 int pow[256];
433 int log[256];
434
435 /*
436 * compute pow and log tables over GF(2^8)
437 */
438 for( i = 0, x = 1; i < 256; i++ )
439 {
440 pow[i] = x;
441 log[x] = i;
442 x = ( x ^ XTIME( x ) ) & 0xFF;
443 }
444
445 /*
446 * calculate the round constants
447 */
448 for( i = 0, x = 1; i < 10; i++ )
449 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]450 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451 x = XTIME( x ) & 0xFF;
452 }
453
454 /*
455 * generate the forward and reverse S-boxes
456 */
457 FSb[0x00] = 0x63;
458 RSb[0x63] = 0x00;
459
460 for( i = 1; i < 256; i++ )
461 {
462 x = pow[255 - log[i]];
463
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]464 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
466 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468 x ^= y ^ 0x63;
469
470 FSb[i] = (unsigned char) x;
471 RSb[x] = (unsigned char) i;
472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
494 x = RSb[i];
495
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]496 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
497 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
498 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
499 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]500
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]501#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502 RT1[i] = ROTL8( RT0[i] );
503 RT2[i] = ROTL8( RT1[i] );
504 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]505#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]506 }
507}
508
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]509#undef ROTL8
510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]512
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]513#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]514
515#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
516#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
517#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
518
519#define AES_RT0(idx) RT0[idx]
520#define AES_RT1(idx) ROTL8( RT0[idx] )
521#define AES_RT2(idx) ROTL16( RT0[idx] )
522#define AES_RT3(idx) ROTL24( RT0[idx] )
523
524#define AES_FT0(idx) FT0[idx]
525#define AES_FT1(idx) ROTL8( FT0[idx] )
526#define AES_FT2(idx) ROTL16( FT0[idx] )
527#define AES_FT3(idx) ROTL24( FT0[idx] )
528
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]529#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]530
531#define AES_RT0(idx) RT0[idx]
532#define AES_RT1(idx) RT1[idx]
533#define AES_RT2(idx) RT2[idx]
534#define AES_RT3(idx) RT3[idx]
535
536#define AES_FT0(idx) FT0[idx]
537#define AES_FT1(idx) FT1[idx]
538#define AES_FT2(idx) FT2[idx]
539#define AES_FT3(idx) FT3[idx]
540
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]541#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]543void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]544{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]545 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]547 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]548}
549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]550void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]551{
552 if( ctx == NULL )
553 return;
554
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]555 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]556}
557
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]558#if defined(MBEDTLS_CIPHER_MODE_XTS)
559void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
560{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]561 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]562
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]563 mbedtls_aes_init( &ctx->crypt );
564 mbedtls_aes_init( &ctx->tweak );
565}
566
567void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
568{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]569 if( ctx == NULL )
570 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]571
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]572 mbedtls_aes_free( &ctx->crypt );
573 mbedtls_aes_free( &ctx->tweak );
574}
575#endif /* MBEDTLS_CIPHER_MODE_XTS */
576
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577/*
578 * AES key schedule (encryption)
579 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]580#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]582 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]584 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]585 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]587 AES_VALIDATE_RET( ctx != NULL );
588 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]590 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591 {
592 case 128: ctx->nr = 10; break;
593 case 192: ctx->nr = 12; break;
594 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]595 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 }
597
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]598#if !defined(MBEDTLS_AES_ROM_TABLES)
599 if( aes_init_done == 0 )
600 {
601 aes_gen_tables();
602 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]603 }
604#endif
605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]606#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]607 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]608 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]609
610 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]611 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]612 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]614 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]616#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]617 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]618 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]619#endif
620
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]621 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]622 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]623 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624 }
625
626 switch( ctx->nr )
627 {
628 case 10:
629
630 for( i = 0; i < 10; i++, RK += 4 )
631 {
632 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]633 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
634 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
635 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
636 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637
638 RK[5] = RK[1] ^ RK[4];
639 RK[6] = RK[2] ^ RK[5];
640 RK[7] = RK[3] ^ RK[6];
641 }
642 break;
643
644 case 12:
645
646 for( i = 0; i < 8; i++, RK += 6 )
647 {
648 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]649 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
650 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
651 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
652 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654 RK[7] = RK[1] ^ RK[6];
655 RK[8] = RK[2] ^ RK[7];
656 RK[9] = RK[3] ^ RK[8];
657 RK[10] = RK[4] ^ RK[9];
658 RK[11] = RK[5] ^ RK[10];
659 }
660 break;
661
662 case 14:
663
664 for( i = 0; i < 7; i++, RK += 8 )
665 {
666 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]667 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
668 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
669 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
670 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671
672 RK[9] = RK[1] ^ RK[8];
673 RK[10] = RK[2] ^ RK[9];
674 RK[11] = RK[3] ^ RK[10];
675
676 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
678 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
679 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
680 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
682 RK[13] = RK[5] ^ RK[12];
683 RK[14] = RK[6] ^ RK[13];
684 RK[15] = RK[7] ^ RK[14];
685 }
686 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]688
689 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]691#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692
693/*
694 * AES key schedule (decryption)
695 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]696#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]697int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]698 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]700 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]702 uint32_t *RK;
703 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]704
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]705 AES_VALIDATE_RET( ctx != NULL );
706 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]708 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]709
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]711 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]712 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]713
714 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]715 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]716 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]718 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]720 /* Also checks keybits */
721 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]722 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]723
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]724 ctx->nr = cty.nr;
725
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]726#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]727 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]728 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]730 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]732 }
733#endif
734
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735 SK = cty.rk + cty.nr * 4;
736
737 *RK++ = *SK++;
738 *RK++ = *SK++;
739 *RK++ = *SK++;
740 *RK++ = *SK++;
741
742 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
743 {
744 for( j = 0; j < 4; j++, SK++ )
745 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]746 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
747 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
748 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
749 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750 }
751 }
752
753 *RK++ = *SK++;
754 *RK++ = *SK++;
755 *RK++ = *SK++;
756 *RK++ = *SK++;
757
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]758exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]759 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]760
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]761 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]763
764#if defined(MBEDTLS_CIPHER_MODE_XTS)
765static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
766 unsigned int keybits,
767 const unsigned char **key1,
768 unsigned int *key1bits,
769 const unsigned char **key2,
770 unsigned int *key2bits )
771{
772 const unsigned int half_keybits = keybits / 2;
773 const unsigned int half_keybytes = half_keybits / 8;
774
775 switch( keybits )
776 {
777 case 256: break;
778 case 512: break;
779 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
780 }
781
782 *key1bits = half_keybits;
783 *key2bits = half_keybits;
784 *key1 = &key[0];
785 *key2 = &key[half_keybytes];
786
787 return 0;
788}
789
790int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
791 const unsigned char *key,
792 unsigned int keybits)
793{
794 int ret;
795 const unsigned char *key1, *key2;
796 unsigned int key1bits, key2bits;
797
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]798 AES_VALIDATE_RET( ctx != NULL );
799 AES_VALIDATE_RET( key != NULL );
800
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
802 &key2, &key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set the tweak key. Always set tweak key for the encryption mode. */
807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
808 if( ret != 0 )
809 return( ret );
810
811 /* Set crypt key for encryption. */
812 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
813}
814
815int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
816 const unsigned char *key,
817 unsigned int keybits)
818{
819 int ret;
820 const unsigned char *key1, *key2;
821 unsigned int key1bits, key2bits;
822
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]823 AES_VALIDATE_RET( ctx != NULL );
824 AES_VALIDATE_RET( key != NULL );
825
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]826 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
827 &key2, &key2bits );
828 if( ret != 0 )
829 return( ret );
830
831 /* Set the tweak key. Always set tweak key for encryption. */
832 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
833 if( ret != 0 )
834 return( ret );
835
836 /* Set crypt key for decryption. */
837 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
838}
839#endif /* MBEDTLS_CIPHER_MODE_XTS */
840
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]841#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]843#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
844 do \
845 { \
846 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
847 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
848 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
849 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
850 \
851 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
852 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
853 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
854 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
855 \
856 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
857 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
858 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
859 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
860 \
861 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
862 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
863 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
864 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
865 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]867#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
868 do \
869 { \
870 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
871 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
872 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
873 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
874 \
875 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
876 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
877 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
878 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
879 \
880 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
881 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
882 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
883 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
884 \
885 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
886 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
887 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
888 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
889 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]890
891/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]892 * AES-ECB block encryption
893 */
894#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]895int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
896 const unsigned char input[16],
897 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]898{
899 int i;
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]900 uint32_t *RK = ctx->rk;
901 struct
902 {
903 uint32_t X[4];
904 uint32_t Y[4];
905 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]906
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]907 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
908 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
909 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
910 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]911
912 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
913 {
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]914 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
915 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]916 }
917
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]918 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]919
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]920 t.X[0] = *RK++ ^ \
921 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
922 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
923 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
924 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]925
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]926 t.X[1] = *RK++ ^ \
927 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
928 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
929 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
930 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]931
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]932 t.X[2] = *RK++ ^ \
933 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
934 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
935 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
936 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]937
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]938 t.X[3] = *RK++ ^ \
939 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
940 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
941 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
942 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]943
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]944 PUT_UINT32_LE( t.X[0], output, 0 );
945 PUT_UINT32_LE( t.X[1], output, 4 );
946 PUT_UINT32_LE( t.X[2], output, 8 );
947 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]948
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]949 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]950
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]951 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]952}
953#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
954
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]955#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]956void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
957 const unsigned char input[16],
958 unsigned char output[16] )
959{
960 mbedtls_internal_aes_encrypt( ctx, input, output );
961}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]962#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]963
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]964/*
965 * AES-ECB block decryption
966 */
967#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]968int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
969 const unsigned char input[16],
970 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]971{
972 int i;
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]973 uint32_t *RK = ctx->rk;
974 struct
975 {
976 uint32_t X[4];
977 uint32_t Y[4];
978 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]979
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]980 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
981 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
982 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
983 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]984
985 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
986 {
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]987 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
988 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]989 }
990
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]991 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]992
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]993 t.X[0] = *RK++ ^ \
994 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
995 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
996 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
997 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]998
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]999 t.X[1] = *RK++ ^ \
1000 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
1001 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
1002 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
1003 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1004
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]1005 t.X[2] = *RK++ ^ \
1006 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
1007 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
1008 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
1009 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1010
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]1011 t.X[3] = *RK++ ^ \
1012 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
1013 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
1014 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
1015 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1016
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]1017 PUT_UINT32_LE( t.X[0], output, 0 );
1018 PUT_UINT32_LE( t.X[1], output, 4 );
1019 PUT_UINT32_LE( t.X[2], output, 8 );
1020 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1021
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame^]1022 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]1023
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1024 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1025}
1026#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1027
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1028#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1029void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1030 const unsigned char input[16],
1031 unsigned char output[16] )
1032{
1033 mbedtls_internal_aes_decrypt( ctx, input, output );
1034}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1035#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1036
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1037/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038 * AES-ECB block encryption/decryption
1039 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1040int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1041 int mode,
1042 const unsigned char input[16],
1043 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1045 AES_VALIDATE_RET( ctx != NULL );
1046 AES_VALIDATE_RET( input != NULL );
1047 AES_VALIDATE_RET( output != NULL );
1048 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1049 mode == MBEDTLS_AES_DECRYPT );
1050
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1051#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1052 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1053 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1054#endif
1055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1056#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1057 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1058 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1059 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1060 return( 0 );
1061
1062 // If padlock data misaligned, we just fall back to
1063 // unaccelerated mode
1064 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1065 }
1066#endif
1067
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1068 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1069 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1070 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1071 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072}
1073
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1074#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1075/*
1076 * AES-CBC buffer encryption/decryption
1077 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1078int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1080 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1082 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1083 unsigned char *output )
1084{
1085 int i;
1086 unsigned char temp[16];
1087
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1088 AES_VALIDATE_RET( ctx != NULL );
1089 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1090 mode == MBEDTLS_AES_DECRYPT );
1091 AES_VALIDATE_RET( iv != NULL );
1092 AES_VALIDATE_RET( input != NULL );
1093 AES_VALIDATE_RET( output != NULL );
1094
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1095 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1097
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1098#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1099 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1101 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1102 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1103
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1104 // If padlock data misaligned, we just fall back to
1105 // unaccelerated mode
1106 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107 }
1108#endif
1109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1110 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111 {
1112 while( length > 0 )
1113 {
1114 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1115 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1116
1117 for( i = 0; i < 16; i++ )
1118 output[i] = (unsigned char)( output[i] ^ iv[i] );
1119
1120 memcpy( iv, temp, 16 );
1121
1122 input += 16;
1123 output += 16;
1124 length -= 16;
1125 }
1126 }
1127 else
1128 {
1129 while( length > 0 )
1130 {
1131 for( i = 0; i < 16; i++ )
1132 output[i] = (unsigned char)( input[i] ^ iv[i] );
1133
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1134 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1135 memcpy( iv, output, 16 );
1136
1137 input += 16;
1138 output += 16;
1139 length -= 16;
1140 }
1141 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1142
1143 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1144}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1145#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1146
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1147#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1148
1149/* Endianess with 64 bits values */
1150#ifndef GET_UINT64_LE
1151#define GET_UINT64_LE(n,b,i) \
1152{ \
1153 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1154 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1155 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1156 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1157 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1158 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1159 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1160 | ( (uint64_t) (b)[(i) ] ); \
1161}
1162#endif
1163
1164#ifndef PUT_UINT64_LE
1165#define PUT_UINT64_LE(n,b,i) \
1166{ \
1167 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1168 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1169 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1170 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1171 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1172 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1173 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1174 (b)[(i) ] = (unsigned char) ( (n) ); \
1175}
1176#endif
1177
1178typedef unsigned char mbedtls_be128[16];
1179
1180/*
1181 * GF(2^128) multiplication function
1182 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1183 * This function multiplies a field element by x in the polynomial field
1184 * representation. It uses 64-bit word operations to gain speed but compensates
1185 * for machine endianess and hence works correctly on both big and little
1186 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1187 */
1188static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1189 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1190{
1191 uint64_t a, b, ra, rb;
1192
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1193 GET_UINT64_LE( a, x, 0 );
1194 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1195
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1196 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1197 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1198
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1199 PUT_UINT64_LE( ra, r, 0 );
1200 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1201}
1202
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1203/*
1204 * AES-XTS buffer encryption/decryption
1205 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1206int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1207 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1208 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1209 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1210 const unsigned char *input,
1211 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1212{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1213 int ret;
1214 size_t blocks = length / 16;
1215 size_t leftover = length % 16;
1216 unsigned char tweak[16];
1217 unsigned char prev_tweak[16];
1218 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1219
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1220 AES_VALIDATE_RET( ctx != NULL );
1221 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1222 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1223 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1224 AES_VALIDATE_RET( input != NULL );
1225 AES_VALIDATE_RET( output != NULL );
1226
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1227 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1228 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1229 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1230
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1231 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1232 if( length > ( 1 << 20 ) * 16 )
1233 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1234
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1235 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1236 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1237 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1238 if( ret != 0 )
1239 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1240
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1241 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1242 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1243 size_t i;
1244
1245 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1246 {
1247 /* We are on the last block in a decrypt operation that has
1248 * leftover bytes, so we need to use the next tweak for this block,
1249 * and this tweak for the lefover bytes. Save the current tweak for
1250 * the leftovers and then update the current tweak for use on this,
1251 * the last full block. */
1252 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1253 mbedtls_gf128mul_x_ble( tweak, tweak );
1254 }
1255
1256 for( i = 0; i < 16; i++ )
1257 tmp[i] = input[i] ^ tweak[i];
1258
1259 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1260 if( ret != 0 )
1261 return( ret );
1262
1263 for( i = 0; i < 16; i++ )
1264 output[i] = tmp[i] ^ tweak[i];
1265
1266 /* Update the tweak for the next block. */
1267 mbedtls_gf128mul_x_ble( tweak, tweak );
1268
1269 output += 16;
1270 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1271 }
1272
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1273 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1274 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1275 /* If we are on the leftover bytes in a decrypt operation, we need to
1276 * use the previous tweak for these bytes (as saved in prev_tweak). */
1277 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1278
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1279 /* We are now on the final part of the data unit, which doesn't divide
1280 * evenly by 16. It's time for ciphertext stealing. */
1281 size_t i;
1282 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1283
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1284 /* Copy ciphertext bytes from the previous block to our output for each
1285 * byte of cyphertext we won't steal. At the same time, copy the
1286 * remainder of the input for this final round (since the loop bounds
1287 * are the same). */
1288 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1289 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1290 output[i] = prev_output[i];
1291 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1292 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1293
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1294 /* Copy ciphertext bytes from the previous block for input in this
1295 * round. */
1296 for( ; i < 16; i++ )
1297 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1298
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1299 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1300 if( ret != 0 )
1301 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1302
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1303 /* Write the result back to the previous block, overriding the previous
1304 * output we copied. */
1305 for( i = 0; i < 16; i++ )
1306 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1307 }
1308
1309 return( 0 );
1310}
1311#endif /* MBEDTLS_CIPHER_MODE_XTS */
1312
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1313#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314/*
1315 * AES-CFB128 buffer encryption/decryption
1316 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1317int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1319 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1320 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1321 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1322 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323 unsigned char *output )
1324{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1325 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1326 size_t n;
1327
1328 AES_VALIDATE_RET( ctx != NULL );
1329 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1330 mode == MBEDTLS_AES_DECRYPT );
1331 AES_VALIDATE_RET( iv_off != NULL );
1332 AES_VALIDATE_RET( iv != NULL );
1333 AES_VALIDATE_RET( input != NULL );
1334 AES_VALIDATE_RET( output != NULL );
1335
1336 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1338 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1339 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1340
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1341 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342 {
1343 while( length-- )
1344 {
1345 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1347
1348 c = *input++;
1349 *output++ = (unsigned char)( c ^ iv[n] );
1350 iv[n] = (unsigned char) c;
1351
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1352 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1353 }
1354 }
1355 else
1356 {
1357 while( length-- )
1358 {
1359 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1360 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1361
1362 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1363
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1364 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1365 }
1366 }
1367
1368 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1369
1370 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1371}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1372
1373/*
1374 * AES-CFB8 buffer encryption/decryption
1375 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1376int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1377 int mode,
1378 size_t length,
1379 unsigned char iv[16],
1380 const unsigned char *input,
1381 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1382{
1383 unsigned char c;
1384 unsigned char ov[17];
1385
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1386 AES_VALIDATE_RET( ctx != NULL );
1387 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1388 mode == MBEDTLS_AES_DECRYPT );
1389 AES_VALIDATE_RET( iv != NULL );
1390 AES_VALIDATE_RET( input != NULL );
1391 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1392 while( length-- )
1393 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1394 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1395 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1396
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1397 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1398 ov[16] = *input;
1399
1400 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1401
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1402 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1403 ov[16] = c;
1404
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1405 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1406 }
1407
1408 return( 0 );
1409}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1410#endif /* MBEDTLS_CIPHER_MODE_CFB */
1411
1412#if defined(MBEDTLS_CIPHER_MODE_OFB)
1413/*
1414 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1415 */
1416int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1417 size_t length,
1418 size_t *iv_off,
1419 unsigned char iv[16],
1420 const unsigned char *input,
1421 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1422{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1423 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1424 size_t n;
1425
1426 AES_VALIDATE_RET( ctx != NULL );
1427 AES_VALIDATE_RET( iv_off != NULL );
1428 AES_VALIDATE_RET( iv != NULL );
1429 AES_VALIDATE_RET( input != NULL );
1430 AES_VALIDATE_RET( output != NULL );
1431
1432 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1433
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1434 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1435 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1436
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1437 while( length-- )
1438 {
1439 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1440 {
1441 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1442 if( ret != 0 )
1443 goto exit;
1444 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1445 *output++ = *input++ ^ iv[n];
1446
1447 n = ( n + 1 ) & 0x0F;
1448 }
1449
1450 *iv_off = n;
1451
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1452exit:
1453 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1454}
1455#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1456
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1457#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1458/*
1459 * AES-CTR buffer encryption/decryption
1460 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1461int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1462 size_t length,
1463 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1464 unsigned char nonce_counter[16],
1465 unsigned char stream_block[16],
1466 const unsigned char *input,
1467 unsigned char *output )
1468{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1469 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1470 size_t n;
1471
1472 AES_VALIDATE_RET( ctx != NULL );
1473 AES_VALIDATE_RET( nc_off != NULL );
1474 AES_VALIDATE_RET( nonce_counter != NULL );
1475 AES_VALIDATE_RET( stream_block != NULL );
1476 AES_VALIDATE_RET( input != NULL );
1477 AES_VALIDATE_RET( output != NULL );
1478
1479 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1480
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1481 if ( n > 0x0F )
1482 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1483
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1484 while( length-- )
1485 {
1486 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1487 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1488
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1489 for( i = 16; i > 0; i-- )
1490 if( ++nonce_counter[i - 1] != 0 )
1491 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1492 }
1493 c = *input++;
1494 *output++ = (unsigned char)( c ^ stream_block[n] );
1495
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1496 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1497 }
1498
1499 *nc_off = n;
1500
1501 return( 0 );
1502}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1503#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1504
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1505#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1507#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1508/*
1509 * AES test vectors from:
1510 *
1511 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1512 */
1513static const unsigned char aes_test_ecb_dec[3][16] =
1514{
1515 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1516 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1517 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1518 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1519 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1520 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1521};
1522
1523static const unsigned char aes_test_ecb_enc[3][16] =
1524{
1525 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1526 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1527 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1528 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1529 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1530 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1531};
1532
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1533#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1534static const unsigned char aes_test_cbc_dec[3][16] =
1535{
1536 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1537 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1538 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1539 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1540 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1541 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1542};
1543
1544static const unsigned char aes_test_cbc_enc[3][16] =
1545{
1546 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1547 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1548 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1549 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1550 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1551 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1552};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1553#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1554
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1555#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1556/*
1557 * AES-CFB128 test vectors from:
1558 *
1559 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1560 */
1561static const unsigned char aes_test_cfb128_key[3][32] =
1562{
1563 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1564 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1565 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1566 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1567 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1568 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1569 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1570 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1571 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1572};
1573
1574static const unsigned char aes_test_cfb128_iv[16] =
1575{
1576 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1577 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1578};
1579
1580static const unsigned char aes_test_cfb128_pt[64] =
1581{
1582 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1583 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1584 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1585 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1586 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1587 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1588 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1589 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1590};
1591
1592static const unsigned char aes_test_cfb128_ct[3][64] =
1593{
1594 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1595 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1596 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1597 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1598 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1599 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1600 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1601 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1602 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1603 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1604 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1605 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1606 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1607 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1608 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1609 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1610 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1611 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1612 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1613 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1614 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1615 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1616 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1617 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1618};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1619#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1620
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1621#if defined(MBEDTLS_CIPHER_MODE_OFB)
1622/*
1623 * AES-OFB test vectors from:
1624 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1625 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1626 */
1627static const unsigned char aes_test_ofb_key[3][32] =
1628{
1629 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1630 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1631 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1632 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1633 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1634 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1635 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1636 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1637 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1638};
1639
1640static const unsigned char aes_test_ofb_iv[16] =
1641{
1642 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1643 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1644};
1645
1646static const unsigned char aes_test_ofb_pt[64] =
1647{
1648 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1649 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1650 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1651 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1652 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1653 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1654 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1655 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1656};
1657
1658static const unsigned char aes_test_ofb_ct[3][64] =
1659{
1660 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1661 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1662 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1663 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1664 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1665 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1666 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1667 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1668 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1669 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1670 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1671 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1672 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1673 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1674 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1675 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1676 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1677 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1678 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1679 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1680 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1681 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1682 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1683 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1684};
1685#endif /* MBEDTLS_CIPHER_MODE_OFB */
1686
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1687#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1688/*
1689 * AES-CTR test vectors from:
1690 *
1691 * http://www.faqs.org/rfcs/rfc3686.html
1692 */
1693
1694static const unsigned char aes_test_ctr_key[3][16] =
1695{
1696 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1697 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1698 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1699 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1700 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1701 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1702};
1703
1704static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1705{
1706 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1707 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1708 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1709 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1710 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1711 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1712};
1713
1714static const unsigned char aes_test_ctr_pt[3][48] =
1715{
1716 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1717 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1718
1719 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1720 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1721 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1722 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1723
1724 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1725 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1726 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1727 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1728 0x20, 0x21, 0x22, 0x23 }
1729};
1730
1731static const unsigned char aes_test_ctr_ct[3][48] =
1732{
1733 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1734 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1735 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1736 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1737 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1738 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1739 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1740 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1741 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1742 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1743 0x25, 0xB2, 0x07, 0x2F }
1744};
1745
1746static const int aes_test_ctr_len[3] =
1747 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1748#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1749
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1750#if defined(MBEDTLS_CIPHER_MODE_XTS)
1751/*
1752 * AES-XTS test vectors from:
1753 *
1754 * IEEE P1619/D16 Annex B
1755 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1756 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1757 */
1758static const unsigned char aes_test_xts_key[][32] =
1759{
1760 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1763 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1764 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1765 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1766 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1767 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1768 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1769 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1770 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1771 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1772};
1773
1774static const unsigned char aes_test_xts_pt32[][32] =
1775{
1776 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1780 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1781 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1782 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1783 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1784 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1785 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1786 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1787 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1788};
1789
1790static const unsigned char aes_test_xts_ct32[][32] =
1791{
1792 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1793 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1794 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1795 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1796 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1797 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1798 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1799 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1800 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1801 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1802 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1803 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1804};
1805
1806static const unsigned char aes_test_xts_data_unit[][16] =
1807{
1808 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1810 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1811 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1812 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1813 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1814};
1815
1816#endif /* MBEDTLS_CIPHER_MODE_XTS */
1817
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1818/*
1819 * Checkup routine
1820 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1821int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1822{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1823 int ret = 0, i, j, u, mode;
1824 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1825 unsigned char key[32];
1826 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1827 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1828#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1829 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1830#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1832 unsigned char prv[16];
1833#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1834#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1835 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1836 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1837#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1838#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1839 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1840#endif
1841#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1842 unsigned char nonce_counter[16];
1843 unsigned char stream_block[16];
1844#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1845 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1846
1847 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1848 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849
1850 /*
1851 * ECB mode
1852 */
1853 for( i = 0; i < 6; i++ )
1854 {
1855 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1856 keybits = 128 + u * 64;
1857 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1858
1859 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1860 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1861 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862
1863 memset( buf, 0, 16 );
1864
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1865 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1866 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1867 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1868 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1869 }
1870 else
1871 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1872 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1873 aes_tests = aes_test_ecb_enc[u];
1874 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1875
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1876 /*
1877 * AES-192 is an optional feature that may be unavailable when
1878 * there is an alternative underlying implementation i.e. when
1879 * MBEDTLS_AES_ALT is defined.
1880 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1881 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1882 {
1883 mbedtls_printf( "skipped\n" );
1884 continue;
1885 }
1886 else if( ret != 0 )
1887 {
1888 goto exit;
1889 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1891 for( j = 0; j < 10000; j++ )
1892 {
1893 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1894 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1895 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1896 }
1897
1898 if( memcmp( buf, aes_tests, 16 ) != 0 )
1899 {
1900 ret = 1;
1901 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1902 }
1903
1904 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1905 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1906 }
1907
1908 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1909 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1910
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1911#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912 /*
1913 * CBC mode
1914 */
1915 for( i = 0; i < 6; i++ )
1916 {
1917 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1918 keybits = 128 + u * 64;
1919 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1920
1921 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1922 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1923 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1924
1925 memset( iv , 0, 16 );
1926 memset( prv, 0, 16 );
1927 memset( buf, 0, 16 );
1928
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1929 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1930 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1931 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1932 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1933 }
1934 else
1935 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1936 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1937 aes_tests = aes_test_cbc_enc[u];
1938 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1939
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1940 /*
1941 * AES-192 is an optional feature that may be unavailable when
1942 * there is an alternative underlying implementation i.e. when
1943 * MBEDTLS_AES_ALT is defined.
1944 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1945 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1946 {
1947 mbedtls_printf( "skipped\n" );
1948 continue;
1949 }
1950 else if( ret != 0 )
1951 {
1952 goto exit;
1953 }
1954
1955 for( j = 0; j < 10000; j++ )
1956 {
1957 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1958 {
1959 unsigned char tmp[16];
1960
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1961 memcpy( tmp, prv, 16 );
1962 memcpy( prv, buf, 16 );
1963 memcpy( buf, tmp, 16 );
1964 }
1965
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1966 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1967 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1968 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1969
1970 }
1971
1972 if( memcmp( buf, aes_tests, 16 ) != 0 )
1973 {
1974 ret = 1;
1975 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1976 }
1977
1978 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1979 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1980 }
1981
1982 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1983 mbedtls_printf( "\n" );
1984#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1985
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1986#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1987 /*
1988 * CFB128 mode
1989 */
1990 for( i = 0; i < 6; i++ )
1991 {
1992 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1993 keybits = 128 + u * 64;
1994 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1995
1996 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1997 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1998 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1999
2000 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2001 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2002
2003 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2004 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2005 /*
2006 * AES-192 is an optional feature that may be unavailable when
2007 * there is an alternative underlying implementation i.e. when
2008 * MBEDTLS_AES_ALT is defined.
2009 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2010 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2011 {
2012 mbedtls_printf( "skipped\n" );
2013 continue;
2014 }
2015 else if( ret != 0 )
2016 {
2017 goto exit;
2018 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2020 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2021 {
2022 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2023 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2024 }
2025 else
2026 {
2027 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2028 aes_tests = aes_test_cfb128_ct[u];
2029 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2030
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2031 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2032 if( ret != 0 )
2033 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2034
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2035 if( memcmp( buf, aes_tests, 64 ) != 0 )
2036 {
2037 ret = 1;
2038 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2039 }
2040
2041 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2042 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2043 }
2044
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2045 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2046 mbedtls_printf( "\n" );
2047#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2048
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2049#if defined(MBEDTLS_CIPHER_MODE_OFB)
2050 /*
2051 * OFB mode
2052 */
2053 for( i = 0; i < 6; i++ )
2054 {
2055 u = i >> 1;
2056 keybits = 128 + u * 64;
2057 mode = i & 1;
2058
2059 if( verbose != 0 )
2060 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2061 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2062
2063 memcpy( iv, aes_test_ofb_iv, 16 );
2064 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2065
2066 offset = 0;
2067 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2068 /*
2069 * AES-192 is an optional feature that may be unavailable when
2070 * there is an alternative underlying implementation i.e. when
2071 * MBEDTLS_AES_ALT is defined.
2072 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2073 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2074 {
2075 mbedtls_printf( "skipped\n" );
2076 continue;
2077 }
2078 else if( ret != 0 )
2079 {
2080 goto exit;
2081 }
2082
2083 if( mode == MBEDTLS_AES_DECRYPT )
2084 {
2085 memcpy( buf, aes_test_ofb_ct[u], 64 );
2086 aes_tests = aes_test_ofb_pt;
2087 }
2088 else
2089 {
2090 memcpy( buf, aes_test_ofb_pt, 64 );
2091 aes_tests = aes_test_ofb_ct[u];
2092 }
2093
2094 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2095 if( ret != 0 )
2096 goto exit;
2097
2098 if( memcmp( buf, aes_tests, 64 ) != 0 )
2099 {
2100 ret = 1;
2101 goto exit;
2102 }
2103
2104 if( verbose != 0 )
2105 mbedtls_printf( "passed\n" );
2106 }
2107
2108 if( verbose != 0 )
2109 mbedtls_printf( "\n" );
2110#endif /* MBEDTLS_CIPHER_MODE_OFB */
2111
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2112#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2113 /*
2114 * CTR mode
2115 */
2116 for( i = 0; i < 6; i++ )
2117 {
2118 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2119 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2120
2121 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2122 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2123 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2124
2125 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2126 memcpy( key, aes_test_ctr_key[u], 16 );
2127
2128 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2129 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2130 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2131
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2132 len = aes_test_ctr_len[u];
2133
2134 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2135 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2136 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2137 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2138 }
2139 else
2140 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2141 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2142 aes_tests = aes_test_ctr_ct[u];
2143 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2144
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2145 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2146 stream_block, buf, buf );
2147 if( ret != 0 )
2148 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2149
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2150 if( memcmp( buf, aes_tests, len ) != 0 )
2151 {
2152 ret = 1;
2153 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2154 }
2155
2156 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2157 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2158 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2159
2160 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2161 mbedtls_printf( "\n" );
2162#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2163
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2164#if defined(MBEDTLS_CIPHER_MODE_XTS)
2165 {
2166 static const int num_tests =
2167 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2168 mbedtls_aes_xts_context ctx_xts;
2169
2170 /*
2171 * XTS mode
2172 */
2173 mbedtls_aes_xts_init( &ctx_xts );
2174
2175 for( i = 0; i < num_tests << 1; i++ )
2176 {
2177 const unsigned char *data_unit;
2178 u = i >> 1;
2179 mode = i & 1;
2180
2181 if( verbose != 0 )
2182 mbedtls_printf( " AES-XTS-128 (%s): ",
2183 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2184
2185 memset( key, 0, sizeof( key ) );
2186 memcpy( key, aes_test_xts_key[u], 32 );
2187 data_unit = aes_test_xts_data_unit[u];
2188
2189 len = sizeof( *aes_test_xts_ct32 );
2190
2191 if( mode == MBEDTLS_AES_DECRYPT )
2192 {
2193 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2194 if( ret != 0)
2195 goto exit;
2196 memcpy( buf, aes_test_xts_ct32[u], len );
2197 aes_tests = aes_test_xts_pt32[u];
2198 }
2199 else
2200 {
2201 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2202 if( ret != 0)
2203 goto exit;
2204 memcpy( buf, aes_test_xts_pt32[u], len );
2205 aes_tests = aes_test_xts_ct32[u];
2206 }
2207
2208
2209 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2210 buf, buf );
2211 if( ret != 0 )
2212 goto exit;
2213
2214 if( memcmp( buf, aes_tests, len ) != 0 )
2215 {
2216 ret = 1;
2217 goto exit;
2218 }
2219
2220 if( verbose != 0 )
2221 mbedtls_printf( "passed\n" );
2222 }
2223
2224 if( verbose != 0 )
2225 mbedtls_printf( "\n" );
2226
2227 mbedtls_aes_xts_free( &ctx_xts );
2228 }
2229#endif /* MBEDTLS_CIPHER_MODE_XTS */
2230
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2231 ret = 0;
2232
2233exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2234 if( ret != 0 && verbose != 0 )
2235 mbedtls_printf( "failed\n" );
2236
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2237 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2238
2239 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2240}
2241
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2242#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2243
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2244#endif /* MBEDTLS_AES_C */