TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 95db3012c8d97b3ca7ff848ff4c9c1a30a7c8de7 / . / library / aes.c
blob: b538664c5b6e6d18d90f13d06e00e924c9bb06b2 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
55#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]57#define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60/*
61 * 32-bit integer manipulation macros (little endian)
62 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]63#ifndef GET_UINT32_LE
64#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]66 (n) = ( (uint32_t) (b)[(i) ] ) \
67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70}
71#endif
72
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]73#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]74#define PUT_UINT32_LE(n,b,i) \
75{ \
76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80}
81#endif
82
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]83#if defined(MBEDTLS_PADLOCK_C) && \
84 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]85static int aes_padlock_ace = -1;
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]89/*
90 * Forward S-box
91 */
92static const unsigned char FSb[256] =
93{
94 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
95 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
96 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
97 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
98 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
99 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
100 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
101 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
102 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
103 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
104 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
105 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
106 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
107 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
108 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
109 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
110 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
111 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
112 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
113 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
114 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
115 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
116 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
117 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
118 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
119 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
120 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
121 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
122 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
123 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
124 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
125 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
126};
127
128/*
129 * Forward tables
130 */
131#define FT \
132\
133 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
134 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
135 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
136 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
137 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
138 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
139 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
140 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
141 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
142 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
143 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
144 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
145 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
146 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
147 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
148 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
149 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
150 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
151 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
152 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
153 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
154 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
155 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
156 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
157 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
158 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
159 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
160 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
161 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
162 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
163 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
164 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
165 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
166 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
167 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
168 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
169 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
170 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
171 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
172 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
173 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
174 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
175 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
176 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
177 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
178 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
179 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
180 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
181 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
182 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
183 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
184 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
185 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
186 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
187 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
188 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
189 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
190 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
191 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
192 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
193 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
194 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
195 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
196 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
197
198#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]202#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]203
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
208#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]209static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#undef V
211
212#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]213static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]214#undef V
215
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]216#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]217
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]218#undef FT
219
220/*
221 * Reverse S-box
222 */
223static const unsigned char RSb[256] =
224{
225 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
226 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
227 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
228 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
229 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
230 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
232 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
233 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
234 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
235 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
236 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
237 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
238 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
239 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
240 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
241 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
242 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
243 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
244 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
245 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
246 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
247 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
248 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
249 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
250 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
251 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
252 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
253 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
254 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
255 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
256 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
257};
258
259/*
260 * Reverse tables
261 */
262#define RT \
263\
264 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
265 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
266 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
267 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
268 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
269 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
270 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
271 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
272 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
273 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
274 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
275 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
276 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
277 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
278 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
279 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
280 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
281 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
282 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
283 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
284 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
285 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
286 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
287 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
288 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
289 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
290 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
291 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
292 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
293 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
294 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
295 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
296 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
297 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
298 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
299 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
300 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
301 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
302 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
303 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
304 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
305 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
306 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
307 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
308 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
309 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
310 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
311 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
312 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
313 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
314 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
315 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
316 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
317 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
318 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
319 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
320 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
321 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
322 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
323 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
324 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
325 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
326 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
327 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
328
329#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]333#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]334
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
339#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]340static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#undef V
342
343#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345#undef V
346
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]347#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]348
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349#undef RT
350
351/*
352 * Round constants
353 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355{
356 0x00000001, 0x00000002, 0x00000004, 0x00000008,
357 0x00000010, 0x00000020, 0x00000040, 0x00000080,
358 0x0000001B, 0x00000036
359};
360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]361#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362
363/*
364 * Forward S-box & tables
365 */
366static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]368#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]369static uint32_t FT1[256];
370static uint32_t FT2[256];
371static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]372#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374/*
375 * Reverse S-box & tables
376 */
377static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]379#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]380static uint32_t RT1[256];
381static uint32_t RT2[256];
382static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]383#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384
385/*
386 * Round constants
387 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Tables generation code
392 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]393#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
394#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]395#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]396
397static int aes_init_done = 0;
398
399static void aes_gen_tables( void )
400{
401 int i, x, y, z;
402 int pow[256];
403 int log[256];
404
405 /*
406 * compute pow and log tables over GF(2^8)
407 */
408 for( i = 0, x = 1; i < 256; i++ )
409 {
410 pow[i] = x;
411 log[x] = i;
412 x = ( x ^ XTIME( x ) ) & 0xFF;
413 }
414
415 /*
416 * calculate the round constants
417 */
418 for( i = 0, x = 1; i < 10; i++ )
419 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]420 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421 x = XTIME( x ) & 0xFF;
422 }
423
424 /*
425 * generate the forward and reverse S-boxes
426 */
427 FSb[0x00] = 0x63;
428 RSb[0x63] = 0x00;
429
430 for( i = 1; i < 256; i++ )
431 {
432 x = pow[255 - log[i]];
433
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]434 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
436 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438 x ^= y ^ 0x63;
439
440 FSb[i] = (unsigned char) x;
441 RSb[x] = (unsigned char) i;
442 }
443
444 /*
445 * generate the forward and reverse tables
446 */
447 for( i = 0; i < 256; i++ )
448 {
449 x = FSb[i];
450 y = XTIME( x ) & 0xFF;
451 z = ( y ^ x ) & 0xFF;
452
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]453 FT0[i] = ( (uint32_t) y ) ^
454 ( (uint32_t) x << 8 ) ^
455 ( (uint32_t) x << 16 ) ^
456 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]458#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 FT1[i] = ROTL8( FT0[i] );
460 FT2[i] = ROTL8( FT1[i] );
461 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]462#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463
464 x = RSb[i];
465
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]466 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
467 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
468 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
469 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]471#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 RT1[i] = ROTL8( RT0[i] );
473 RT2[i] = ROTL8( RT1[i] );
474 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]475#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477}
478
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]479#undef ROTL8
480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]481#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]483#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484
485#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
486#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
487#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
488
489#define AES_RT0(idx) RT0[idx]
490#define AES_RT1(idx) ROTL8( RT0[idx] )
491#define AES_RT2(idx) ROTL16( RT0[idx] )
492#define AES_RT3(idx) ROTL24( RT0[idx] )
493
494#define AES_FT0(idx) FT0[idx]
495#define AES_FT1(idx) ROTL8( FT0[idx] )
496#define AES_FT2(idx) ROTL16( FT0[idx] )
497#define AES_FT3(idx) ROTL24( FT0[idx] )
498
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]499#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]500
501#define AES_RT0(idx) RT0[idx]
502#define AES_RT1(idx) RT1[idx]
503#define AES_RT2(idx) RT2[idx]
504#define AES_RT3(idx) RT3[idx]
505
506#define AES_FT0(idx) FT0[idx]
507#define AES_FT1(idx) FT1[idx]
508#define AES_FT2(idx) FT2[idx]
509#define AES_FT3(idx) FT3[idx]
510
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]511#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]515 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]518}
519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]520void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]521{
522 if( ctx == NULL )
523 return;
524
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]525 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526}
527
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]528#if defined(MBEDTLS_CIPHER_MODE_XTS)
529void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
530{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]531 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533 mbedtls_aes_init( &ctx->crypt );
534 mbedtls_aes_init( &ctx->tweak );
535}
536
537void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
538{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]539 if( ctx == NULL )
540 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]541
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]542 mbedtls_aes_free( &ctx->crypt );
543 mbedtls_aes_free( &ctx->tweak );
544}
545#endif /* MBEDTLS_CIPHER_MODE_XTS */
546
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547/*
548 * AES key schedule (encryption)
549 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]550#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]552 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]554 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]555 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]557 AES_VALIDATE_RET( ctx != NULL );
558 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]560 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 {
562 case 128: ctx->nr = 10; break;
563 case 192: ctx->nr = 12; break;
564 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]565 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 }
567
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]568#if !defined(MBEDTLS_AES_ROM_TABLES)
569 if( aes_init_done == 0 )
570 {
571 aes_gen_tables();
572 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573 }
574#endif
575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]576#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]577 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]578 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]579
580 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]587 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]588 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]589#endif
590
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]591 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]593 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 }
595
596 switch( ctx->nr )
597 {
598 case 10:
599
600 for( i = 0; i < 10; i++, RK += 4 )
601 {
602 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]603 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
604 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
605 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
606 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607
608 RK[5] = RK[1] ^ RK[4];
609 RK[6] = RK[2] ^ RK[5];
610 RK[7] = RK[3] ^ RK[6];
611 }
612 break;
613
614 case 12:
615
616 for( i = 0; i < 8; i++, RK += 6 )
617 {
618 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]619 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
620 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
621 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
622 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623
624 RK[7] = RK[1] ^ RK[6];
625 RK[8] = RK[2] ^ RK[7];
626 RK[9] = RK[3] ^ RK[8];
627 RK[10] = RK[4] ^ RK[9];
628 RK[11] = RK[5] ^ RK[10];
629 }
630 break;
631
632 case 14:
633
634 for( i = 0; i < 7; i++, RK += 8 )
635 {
636 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]637 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
638 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
639 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
640 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641
642 RK[9] = RK[1] ^ RK[8];
643 RK[10] = RK[2] ^ RK[9];
644 RK[11] = RK[3] ^ RK[10];
645
646 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]647 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
648 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
649 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
650 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
652 RK[13] = RK[5] ^ RK[12];
653 RK[14] = RK[6] ^ RK[13];
654 RK[15] = RK[7] ^ RK[14];
655 }
656 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]658
659 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]661#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
663/*
664 * AES key schedule (decryption)
665 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]667int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]668 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]670 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]672 uint32_t *RK;
673 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]674
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]675 AES_VALIDATE_RET( ctx != NULL );
676 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]678 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]681 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]682 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]683
684 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]690 /* Also checks keybits */
691 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]692 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]693
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]694 ctx->nr = cty.nr;
695
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]696#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]697 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]698 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]700 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]701 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]702 }
703#endif
704
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705 SK = cty.rk + cty.nr * 4;
706
707 *RK++ = *SK++;
708 *RK++ = *SK++;
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711
712 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
713 {
714 for( j = 0; j < 4; j++, SK++ )
715 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]716 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
717 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
718 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
719 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720 }
721 }
722
723 *RK++ = *SK++;
724 *RK++ = *SK++;
725 *RK++ = *SK++;
726 *RK++ = *SK++;
727
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]728exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]730
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame^]733#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]734
735#if defined(MBEDTLS_CIPHER_MODE_XTS)
736static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
737 unsigned int keybits,
738 const unsigned char **key1,
739 unsigned int *key1bits,
740 const unsigned char **key2,
741 unsigned int *key2bits )
742{
743 const unsigned int half_keybits = keybits / 2;
744 const unsigned int half_keybytes = half_keybits / 8;
745
746 switch( keybits )
747 {
748 case 256: break;
749 case 512: break;
750 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
751 }
752
753 *key1bits = half_keybits;
754 *key2bits = half_keybits;
755 *key1 = &key[0];
756 *key2 = &key[half_keybytes];
757
758 return 0;
759}
760
761int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
762 const unsigned char *key,
763 unsigned int keybits)
764{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]765 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]766 const unsigned char *key1, *key2;
767 unsigned int key1bits, key2bits;
768
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]769 AES_VALIDATE_RET( ctx != NULL );
770 AES_VALIDATE_RET( key != NULL );
771
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]772 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
773 &key2, &key2bits );
774 if( ret != 0 )
775 return( ret );
776
777 /* Set the tweak key. Always set tweak key for the encryption mode. */
778 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
779 if( ret != 0 )
780 return( ret );
781
782 /* Set crypt key for encryption. */
783 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
784}
785
786int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
787 const unsigned char *key,
788 unsigned int keybits)
789{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]790 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]791 const unsigned char *key1, *key2;
792 unsigned int key1bits, key2bits;
793
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]794 AES_VALIDATE_RET( ctx != NULL );
795 AES_VALIDATE_RET( key != NULL );
796
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]797 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
798 &key2, &key2bits );
799 if( ret != 0 )
800 return( ret );
801
802 /* Set the tweak key. Always set tweak key for encryption. */
803 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set crypt key for decryption. */
808 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
809}
810#endif /* MBEDTLS_CIPHER_MODE_XTS */
811
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]812#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
813 do \
814 { \
815 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
816 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
817 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
818 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
819 \
820 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
821 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
822 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
823 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
824 \
825 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
826 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
827 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
828 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
829 \
830 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
831 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
832 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
833 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
834 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]835
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]836#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
837 do \
838 { \
839 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
840 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
841 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
842 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
843 \
844 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
845 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
846 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
847 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
848 \
849 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
850 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
851 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
852 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
853 \
854 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
855 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
856 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
857 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
858 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]859
860/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]861 * AES-ECB block encryption
862 */
863#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]864int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
865 const unsigned char input[16],
866 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]867{
868 int i;
869 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
870
871 RK = ctx->rk;
872
873 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
874 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
875 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
876 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
877
878 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
879 {
880 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
881 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
882 }
883
884 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
885
886 X0 = *RK++ ^ \
887 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
888 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
889 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
890 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
891
892 X1 = *RK++ ^ \
893 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
894 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
895 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
896 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
897
898 X2 = *RK++ ^ \
899 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
900 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
901 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
902 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
903
904 X3 = *RK++ ^ \
905 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
906 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
907 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
908 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
909
910 PUT_UINT32_LE( X0, output, 0 );
911 PUT_UINT32_LE( X1, output, 4 );
912 PUT_UINT32_LE( X2, output, 8 );
913 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]914
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]915 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
916 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
917 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
918 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
919
920 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
921 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
922 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
923 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
924
925 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
926
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]927 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]928}
929#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
930
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]931#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]932void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
933 const unsigned char input[16],
934 unsigned char output[16] )
935{
936 mbedtls_internal_aes_encrypt( ctx, input, output );
937}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]938#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]939
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]940/*
941 * AES-ECB block decryption
942 */
943#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]944int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
945 const unsigned char input[16],
946 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]947{
948 int i;
949 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
950
951 RK = ctx->rk;
952
953 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
954 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
955 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
956 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
957
958 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
959 {
960 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
961 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
962 }
963
964 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
965
966 X0 = *RK++ ^ \
967 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
968 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
969 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
970 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
971
972 X1 = *RK++ ^ \
973 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
974 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
975 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
976 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
977
978 X2 = *RK++ ^ \
979 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
980 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
981 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
982 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
983
984 X3 = *RK++ ^ \
985 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
986 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
987 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
988 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
989
990 PUT_UINT32_LE( X0, output, 0 );
991 PUT_UINT32_LE( X1, output, 4 );
992 PUT_UINT32_LE( X2, output, 8 );
993 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]994
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]995 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
996 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
997 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
998 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
999
1000 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1001 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1002 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1003 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1004
1005 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1006
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1007 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1008}
1009#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1010
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1011#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1012void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1013 const unsigned char input[16],
1014 unsigned char output[16] )
1015{
1016 mbedtls_internal_aes_decrypt( ctx, input, output );
1017}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1018#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1019
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1020/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1021 * AES-ECB block encryption/decryption
1022 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1023int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1024 int mode,
1025 const unsigned char input[16],
1026 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1027{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1028 AES_VALIDATE_RET( ctx != NULL );
1029 AES_VALIDATE_RET( input != NULL );
1030 AES_VALIDATE_RET( output != NULL );
1031 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1032 mode == MBEDTLS_AES_DECRYPT );
1033
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1034#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1035 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1036 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1037#endif
1038
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1040 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1041 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1042 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1043 return( 0 );
1044
1045 // If padlock data misaligned, we just fall back to
1046 // unaccelerated mode
1047 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1048 }
1049#endif
1050
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1051 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1052 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1053 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1054 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1055}
1056
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1057#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1058/*
1059 * AES-CBC buffer encryption/decryption
1060 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1061int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1062 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1063 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1064 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1065 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1066 unsigned char *output )
1067{
1068 int i;
1069 unsigned char temp[16];
1070
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1071 AES_VALIDATE_RET( ctx != NULL );
1072 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1073 mode == MBEDTLS_AES_DECRYPT );
1074 AES_VALIDATE_RET( iv != NULL );
1075 AES_VALIDATE_RET( input != NULL );
1076 AES_VALIDATE_RET( output != NULL );
1077
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1078 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1079 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1080
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1081#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1082 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1083 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1084 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1085 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1086
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1087 // If padlock data misaligned, we just fall back to
1088 // unaccelerated mode
1089 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1090 }
1091#endif
1092
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1093 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1094 {
1095 while( length > 0 )
1096 {
1097 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1098 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1099
1100 for( i = 0; i < 16; i++ )
1101 output[i] = (unsigned char)( output[i] ^ iv[i] );
1102
1103 memcpy( iv, temp, 16 );
1104
1105 input += 16;
1106 output += 16;
1107 length -= 16;
1108 }
1109 }
1110 else
1111 {
1112 while( length > 0 )
1113 {
1114 for( i = 0; i < 16; i++ )
1115 output[i] = (unsigned char)( input[i] ^ iv[i] );
1116
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1117 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1118 memcpy( iv, output, 16 );
1119
1120 input += 16;
1121 output += 16;
1122 length -= 16;
1123 }
1124 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1125
1126 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1127}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1128#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1129
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1130#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1131
1132/* Endianess with 64 bits values */
1133#ifndef GET_UINT64_LE
1134#define GET_UINT64_LE(n,b,i) \
1135{ \
1136 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1137 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1138 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1139 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1140 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1141 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1142 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1143 | ( (uint64_t) (b)[(i) ] ); \
1144}
1145#endif
1146
1147#ifndef PUT_UINT64_LE
1148#define PUT_UINT64_LE(n,b,i) \
1149{ \
1150 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1151 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1152 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1153 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1154 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1155 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1156 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1157 (b)[(i) ] = (unsigned char) ( (n) ); \
1158}
1159#endif
1160
1161typedef unsigned char mbedtls_be128[16];
1162
1163/*
1164 * GF(2^128) multiplication function
1165 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1166 * This function multiplies a field element by x in the polynomial field
1167 * representation. It uses 64-bit word operations to gain speed but compensates
1168 * for machine endianess and hence works correctly on both big and little
1169 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1170 */
1171static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1172 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1173{
1174 uint64_t a, b, ra, rb;
1175
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1176 GET_UINT64_LE( a, x, 0 );
1177 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1178
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1179 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1180 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1181
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1182 PUT_UINT64_LE( ra, r, 0 );
1183 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1184}
1185
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1186/*
1187 * AES-XTS buffer encryption/decryption
1188 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1189int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1190 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1191 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1192 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1193 const unsigned char *input,
1194 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1195{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1196 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1197 size_t blocks = length / 16;
1198 size_t leftover = length % 16;
1199 unsigned char tweak[16];
1200 unsigned char prev_tweak[16];
1201 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1202
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1203 AES_VALIDATE_RET( ctx != NULL );
1204 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1205 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1206 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1207 AES_VALIDATE_RET( input != NULL );
1208 AES_VALIDATE_RET( output != NULL );
1209
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1210 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1211 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1212 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1213
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1214 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1215 if( length > ( 1 << 20 ) * 16 )
1216 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1217
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1218 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1219 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1220 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1221 if( ret != 0 )
1222 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1223
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1224 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1225 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1226 size_t i;
1227
1228 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1229 {
1230 /* We are on the last block in a decrypt operation that has
1231 * leftover bytes, so we need to use the next tweak for this block,
1232 * and this tweak for the lefover bytes. Save the current tweak for
1233 * the leftovers and then update the current tweak for use on this,
1234 * the last full block. */
1235 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1236 mbedtls_gf128mul_x_ble( tweak, tweak );
1237 }
1238
1239 for( i = 0; i < 16; i++ )
1240 tmp[i] = input[i] ^ tweak[i];
1241
1242 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1243 if( ret != 0 )
1244 return( ret );
1245
1246 for( i = 0; i < 16; i++ )
1247 output[i] = tmp[i] ^ tweak[i];
1248
1249 /* Update the tweak for the next block. */
1250 mbedtls_gf128mul_x_ble( tweak, tweak );
1251
1252 output += 16;
1253 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1254 }
1255
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1256 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1257 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1258 /* If we are on the leftover bytes in a decrypt operation, we need to
1259 * use the previous tweak for these bytes (as saved in prev_tweak). */
1260 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1261
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1262 /* We are now on the final part of the data unit, which doesn't divide
1263 * evenly by 16. It's time for ciphertext stealing. */
1264 size_t i;
1265 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1266
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1267 /* Copy ciphertext bytes from the previous block to our output for each
1268 * byte of cyphertext we won't steal. At the same time, copy the
1269 * remainder of the input for this final round (since the loop bounds
1270 * are the same). */
1271 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1272 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1273 output[i] = prev_output[i];
1274 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1275 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1276
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1277 /* Copy ciphertext bytes from the previous block for input in this
1278 * round. */
1279 for( ; i < 16; i++ )
1280 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1281
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1282 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1283 if( ret != 0 )
1284 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1285
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1286 /* Write the result back to the previous block, overriding the previous
1287 * output we copied. */
1288 for( i = 0; i < 16; i++ )
1289 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1290 }
1291
1292 return( 0 );
1293}
1294#endif /* MBEDTLS_CIPHER_MODE_XTS */
1295
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1296#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1297/*
1298 * AES-CFB128 buffer encryption/decryption
1299 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1300int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1301 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1302 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1303 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1305 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1306 unsigned char *output )
1307{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1308 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1309 size_t n;
1310
1311 AES_VALIDATE_RET( ctx != NULL );
1312 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1313 mode == MBEDTLS_AES_DECRYPT );
1314 AES_VALIDATE_RET( iv_off != NULL );
1315 AES_VALIDATE_RET( iv != NULL );
1316 AES_VALIDATE_RET( input != NULL );
1317 AES_VALIDATE_RET( output != NULL );
1318
1319 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1320
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1321 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1322 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1323
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1324 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325 {
1326 while( length-- )
1327 {
1328 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1329 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330
1331 c = *input++;
1332 *output++ = (unsigned char)( c ^ iv[n] );
1333 iv[n] = (unsigned char) c;
1334
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1335 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336 }
1337 }
1338 else
1339 {
1340 while( length-- )
1341 {
1342 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1343 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1344
1345 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1346
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1347 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1348 }
1349 }
1350
1351 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1352
1353 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1354}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1355
1356/*
1357 * AES-CFB8 buffer encryption/decryption
1358 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1359int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1360 int mode,
1361 size_t length,
1362 unsigned char iv[16],
1363 const unsigned char *input,
1364 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1365{
1366 unsigned char c;
1367 unsigned char ov[17];
1368
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1369 AES_VALIDATE_RET( ctx != NULL );
1370 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1371 mode == MBEDTLS_AES_DECRYPT );
1372 AES_VALIDATE_RET( iv != NULL );
1373 AES_VALIDATE_RET( input != NULL );
1374 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1375 while( length-- )
1376 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1377 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1378 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1379
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1380 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1381 ov[16] = *input;
1382
1383 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1385 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1386 ov[16] = c;
1387
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1388 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1389 }
1390
1391 return( 0 );
1392}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1393#endif /* MBEDTLS_CIPHER_MODE_CFB */
1394
1395#if defined(MBEDTLS_CIPHER_MODE_OFB)
1396/*
1397 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1398 */
1399int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1400 size_t length,
1401 size_t *iv_off,
1402 unsigned char iv[16],
1403 const unsigned char *input,
1404 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1405{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1406 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1407 size_t n;
1408
1409 AES_VALIDATE_RET( ctx != NULL );
1410 AES_VALIDATE_RET( iv_off != NULL );
1411 AES_VALIDATE_RET( iv != NULL );
1412 AES_VALIDATE_RET( input != NULL );
1413 AES_VALIDATE_RET( output != NULL );
1414
1415 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1416
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1417 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1418 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1419
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1420 while( length-- )
1421 {
1422 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1423 {
1424 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1425 if( ret != 0 )
1426 goto exit;
1427 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1428 *output++ = *input++ ^ iv[n];
1429
1430 n = ( n + 1 ) & 0x0F;
1431 }
1432
1433 *iv_off = n;
1434
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1435exit:
1436 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1437}
1438#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1439
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1440#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1441/*
1442 * AES-CTR buffer encryption/decryption
1443 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1444int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1445 size_t length,
1446 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1447 unsigned char nonce_counter[16],
1448 unsigned char stream_block[16],
1449 const unsigned char *input,
1450 unsigned char *output )
1451{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1452 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1453 size_t n;
1454
1455 AES_VALIDATE_RET( ctx != NULL );
1456 AES_VALIDATE_RET( nc_off != NULL );
1457 AES_VALIDATE_RET( nonce_counter != NULL );
1458 AES_VALIDATE_RET( stream_block != NULL );
1459 AES_VALIDATE_RET( input != NULL );
1460 AES_VALIDATE_RET( output != NULL );
1461
1462 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1463
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1464 if ( n > 0x0F )
1465 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1466
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1467 while( length-- )
1468 {
1469 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1470 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1471
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1472 for( i = 16; i > 0; i-- )
1473 if( ++nonce_counter[i - 1] != 0 )
1474 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1475 }
1476 c = *input++;
1477 *output++ = (unsigned char)( c ^ stream_block[n] );
1478
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1479 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1480 }
1481
1482 *nc_off = n;
1483
1484 return( 0 );
1485}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1486#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1487
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1488#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1490#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1491/*
1492 * AES test vectors from:
1493 *
1494 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1495 */
1496static const unsigned char aes_test_ecb_dec[3][16] =
1497{
1498 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1499 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1500 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1501 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1502 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1503 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1504};
1505
1506static const unsigned char aes_test_ecb_enc[3][16] =
1507{
1508 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1509 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1510 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1511 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1512 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1513 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1514};
1515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1516#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1517static const unsigned char aes_test_cbc_dec[3][16] =
1518{
1519 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1520 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1521 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1522 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1523 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1524 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1525};
1526
1527static const unsigned char aes_test_cbc_enc[3][16] =
1528{
1529 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1530 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1531 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1532 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1533 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1534 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1535};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1536#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1537
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1538#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1539/*
1540 * AES-CFB128 test vectors from:
1541 *
1542 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1543 */
1544static const unsigned char aes_test_cfb128_key[3][32] =
1545{
1546 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1547 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1548 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1549 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1550 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1551 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1552 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1553 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1554 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1555};
1556
1557static const unsigned char aes_test_cfb128_iv[16] =
1558{
1559 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1560 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1561};
1562
1563static const unsigned char aes_test_cfb128_pt[64] =
1564{
1565 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1566 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1567 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1568 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1569 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1570 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1571 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1572 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1573};
1574
1575static const unsigned char aes_test_cfb128_ct[3][64] =
1576{
1577 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1578 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1579 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1580 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1581 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1582 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1583 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1584 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1585 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1586 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1587 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1588 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1589 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1590 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1591 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1592 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1593 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1594 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1595 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1596 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1597 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1598 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1599 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1600 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1601};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1602#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1603
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1604#if defined(MBEDTLS_CIPHER_MODE_OFB)
1605/*
1606 * AES-OFB test vectors from:
1607 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1608 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1609 */
1610static const unsigned char aes_test_ofb_key[3][32] =
1611{
1612 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1613 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1614 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1615 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1616 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1617 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1618 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1619 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1620 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1621};
1622
1623static const unsigned char aes_test_ofb_iv[16] =
1624{
1625 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1626 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1627};
1628
1629static const unsigned char aes_test_ofb_pt[64] =
1630{
1631 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1632 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1633 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1634 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1635 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1636 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1637 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1638 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1639};
1640
1641static const unsigned char aes_test_ofb_ct[3][64] =
1642{
1643 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1644 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1645 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1646 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1647 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1648 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1649 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1650 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1651 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1652 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1653 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1654 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1655 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1656 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1657 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1658 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1659 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1660 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1661 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1662 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1663 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1664 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1665 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1666 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1667};
1668#endif /* MBEDTLS_CIPHER_MODE_OFB */
1669
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1670#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1671/*
1672 * AES-CTR test vectors from:
1673 *
1674 * http://www.faqs.org/rfcs/rfc3686.html
1675 */
1676
1677static const unsigned char aes_test_ctr_key[3][16] =
1678{
1679 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1680 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1681 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1682 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1683 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1684 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1685};
1686
1687static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1688{
1689 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1691 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1692 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1693 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1694 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1695};
1696
1697static const unsigned char aes_test_ctr_pt[3][48] =
1698{
1699 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1700 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1701
1702 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1703 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1704 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1705 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1706
1707 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1708 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1709 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1710 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1711 0x20, 0x21, 0x22, 0x23 }
1712};
1713
1714static const unsigned char aes_test_ctr_ct[3][48] =
1715{
1716 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1717 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1718 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1719 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1720 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1721 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1722 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1723 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1724 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1725 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1726 0x25, 0xB2, 0x07, 0x2F }
1727};
1728
1729static const int aes_test_ctr_len[3] =
1730 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1731#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1732
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1733#if defined(MBEDTLS_CIPHER_MODE_XTS)
1734/*
1735 * AES-XTS test vectors from:
1736 *
1737 * IEEE P1619/D16 Annex B
1738 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1739 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1740 */
1741static const unsigned char aes_test_xts_key[][32] =
1742{
1743 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1747 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1748 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1749 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1750 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1751 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1752 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1753 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1754 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1755};
1756
1757static const unsigned char aes_test_xts_pt32[][32] =
1758{
1759 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1760 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1763 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1764 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1765 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1766 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1767 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1768 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1769 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1770 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1771};
1772
1773static const unsigned char aes_test_xts_ct32[][32] =
1774{
1775 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1776 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1777 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1778 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1779 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1780 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1781 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1782 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1783 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1784 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1785 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1786 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1787};
1788
1789static const unsigned char aes_test_xts_data_unit[][16] =
1790{
1791 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1792 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1793 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1795 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1797};
1798
1799#endif /* MBEDTLS_CIPHER_MODE_XTS */
1800
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1801/*
1802 * Checkup routine
1803 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1804int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1805{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1806 int ret = 0, i, j, u, mode;
1807 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1808 unsigned char key[32];
1809 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1810 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1811#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1812 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1813#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1814#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1815 unsigned char prv[16];
1816#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1817#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1818 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1819 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1820#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1821#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1822 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1823#endif
1824#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1825 unsigned char nonce_counter[16];
1826 unsigned char stream_block[16];
1827#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1828 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1829
1830 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1831 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832
1833 /*
1834 * ECB mode
1835 */
1836 for( i = 0; i < 6; i++ )
1837 {
1838 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1839 keybits = 128 + u * 64;
1840 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1841
1842 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1843 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1844 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845
1846 memset( buf, 0, 16 );
1847
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1848 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1850 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1851 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852 }
1853 else
1854 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1855 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1856 aes_tests = aes_test_ecb_enc[u];
1857 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1858
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1859 /*
1860 * AES-192 is an optional feature that may be unavailable when
1861 * there is an alternative underlying implementation i.e. when
1862 * MBEDTLS_AES_ALT is defined.
1863 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1864 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1865 {
1866 mbedtls_printf( "skipped\n" );
1867 continue;
1868 }
1869 else if( ret != 0 )
1870 {
1871 goto exit;
1872 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1873
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1874 for( j = 0; j < 10000; j++ )
1875 {
1876 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1877 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1878 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1879 }
1880
1881 if( memcmp( buf, aes_tests, 16 ) != 0 )
1882 {
1883 ret = 1;
1884 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1885 }
1886
1887 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1888 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889 }
1890
1891 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1892 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1893
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1894#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1895 /*
1896 * CBC mode
1897 */
1898 for( i = 0; i < 6; i++ )
1899 {
1900 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1901 keybits = 128 + u * 64;
1902 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1903
1904 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1905 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1906 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1907
1908 memset( iv , 0, 16 );
1909 memset( prv, 0, 16 );
1910 memset( buf, 0, 16 );
1911
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1912 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1913 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1914 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1915 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1916 }
1917 else
1918 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1919 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1920 aes_tests = aes_test_cbc_enc[u];
1921 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1923 /*
1924 * AES-192 is an optional feature that may be unavailable when
1925 * there is an alternative underlying implementation i.e. when
1926 * MBEDTLS_AES_ALT is defined.
1927 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1928 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1929 {
1930 mbedtls_printf( "skipped\n" );
1931 continue;
1932 }
1933 else if( ret != 0 )
1934 {
1935 goto exit;
1936 }
1937
1938 for( j = 0; j < 10000; j++ )
1939 {
1940 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1941 {
1942 unsigned char tmp[16];
1943
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1944 memcpy( tmp, prv, 16 );
1945 memcpy( prv, buf, 16 );
1946 memcpy( buf, tmp, 16 );
1947 }
1948
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1949 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1950 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1951 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1952
1953 }
1954
1955 if( memcmp( buf, aes_tests, 16 ) != 0 )
1956 {
1957 ret = 1;
1958 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1959 }
1960
1961 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1962 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1963 }
1964
1965 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1966 mbedtls_printf( "\n" );
1967#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1968
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1970 /*
1971 * CFB128 mode
1972 */
1973 for( i = 0; i < 6; i++ )
1974 {
1975 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1976 keybits = 128 + u * 64;
1977 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1978
1979 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1980 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1981 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1982
1983 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1984 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1985
1986 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1987 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1988 /*
1989 * AES-192 is an optional feature that may be unavailable when
1990 * there is an alternative underlying implementation i.e. when
1991 * MBEDTLS_AES_ALT is defined.
1992 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1993 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1994 {
1995 mbedtls_printf( "skipped\n" );
1996 continue;
1997 }
1998 else if( ret != 0 )
1999 {
2000 goto exit;
2001 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2002
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2003 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2004 {
2005 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2006 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2007 }
2008 else
2009 {
2010 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2011 aes_tests = aes_test_cfb128_ct[u];
2012 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2013
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2014 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2015 if( ret != 0 )
2016 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2017
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2018 if( memcmp( buf, aes_tests, 64 ) != 0 )
2019 {
2020 ret = 1;
2021 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2022 }
2023
2024 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2025 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2026 }
2027
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2028 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2029 mbedtls_printf( "\n" );
2030#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2031
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2032#if defined(MBEDTLS_CIPHER_MODE_OFB)
2033 /*
2034 * OFB mode
2035 */
2036 for( i = 0; i < 6; i++ )
2037 {
2038 u = i >> 1;
2039 keybits = 128 + u * 64;
2040 mode = i & 1;
2041
2042 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]2043 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2044 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2045
2046 memcpy( iv, aes_test_ofb_iv, 16 );
2047 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2048
2049 offset = 0;
2050 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2051 /*
2052 * AES-192 is an optional feature that may be unavailable when
2053 * there is an alternative underlying implementation i.e. when
2054 * MBEDTLS_AES_ALT is defined.
2055 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2056 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2057 {
2058 mbedtls_printf( "skipped\n" );
2059 continue;
2060 }
2061 else if( ret != 0 )
2062 {
2063 goto exit;
2064 }
2065
2066 if( mode == MBEDTLS_AES_DECRYPT )
2067 {
2068 memcpy( buf, aes_test_ofb_ct[u], 64 );
2069 aes_tests = aes_test_ofb_pt;
2070 }
2071 else
2072 {
2073 memcpy( buf, aes_test_ofb_pt, 64 );
2074 aes_tests = aes_test_ofb_ct[u];
2075 }
2076
2077 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2078 if( ret != 0 )
2079 goto exit;
2080
2081 if( memcmp( buf, aes_tests, 64 ) != 0 )
2082 {
2083 ret = 1;
2084 goto exit;
2085 }
2086
2087 if( verbose != 0 )
2088 mbedtls_printf( "passed\n" );
2089 }
2090
2091 if( verbose != 0 )
2092 mbedtls_printf( "\n" );
2093#endif /* MBEDTLS_CIPHER_MODE_OFB */
2094
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2095#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2096 /*
2097 * CTR mode
2098 */
2099 for( i = 0; i < 6; i++ )
2100 {
2101 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2102 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2103
2104 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2105 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2106 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2107
2108 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2109 memcpy( key, aes_test_ctr_key[u], 16 );
2110
2111 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2112 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2113 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2114
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2115 len = aes_test_ctr_len[u];
2116
2117 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2118 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2119 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2120 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2121 }
2122 else
2123 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2124 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2125 aes_tests = aes_test_ctr_ct[u];
2126 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2127
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2128 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2129 stream_block, buf, buf );
2130 if( ret != 0 )
2131 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2132
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2133 if( memcmp( buf, aes_tests, len ) != 0 )
2134 {
2135 ret = 1;
2136 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2137 }
2138
2139 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2140 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2141 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2142
2143 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2144 mbedtls_printf( "\n" );
2145#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2146
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2147#if defined(MBEDTLS_CIPHER_MODE_XTS)
2148 {
2149 static const int num_tests =
2150 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2151 mbedtls_aes_xts_context ctx_xts;
2152
2153 /*
2154 * XTS mode
2155 */
2156 mbedtls_aes_xts_init( &ctx_xts );
2157
2158 for( i = 0; i < num_tests << 1; i++ )
2159 {
2160 const unsigned char *data_unit;
2161 u = i >> 1;
2162 mode = i & 1;
2163
2164 if( verbose != 0 )
2165 mbedtls_printf( " AES-XTS-128 (%s): ",
2166 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2167
2168 memset( key, 0, sizeof( key ) );
2169 memcpy( key, aes_test_xts_key[u], 32 );
2170 data_unit = aes_test_xts_data_unit[u];
2171
2172 len = sizeof( *aes_test_xts_ct32 );
2173
2174 if( mode == MBEDTLS_AES_DECRYPT )
2175 {
2176 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2177 if( ret != 0)
2178 goto exit;
2179 memcpy( buf, aes_test_xts_ct32[u], len );
2180 aes_tests = aes_test_xts_pt32[u];
2181 }
2182 else
2183 {
2184 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2185 if( ret != 0)
2186 goto exit;
2187 memcpy( buf, aes_test_xts_pt32[u], len );
2188 aes_tests = aes_test_xts_ct32[u];
2189 }
2190
2191
2192 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2193 buf, buf );
2194 if( ret != 0 )
2195 goto exit;
2196
2197 if( memcmp( buf, aes_tests, len ) != 0 )
2198 {
2199 ret = 1;
2200 goto exit;
2201 }
2202
2203 if( verbose != 0 )
2204 mbedtls_printf( "passed\n" );
2205 }
2206
2207 if( verbose != 0 )
2208 mbedtls_printf( "\n" );
2209
2210 mbedtls_aes_xts_free( &ctx_xts );
2211 }
2212#endif /* MBEDTLS_CIPHER_MODE_XTS */
2213
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2214 ret = 0;
2215
2216exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2217 if( ret != 0 && verbose != 0 )
2218 mbedtls_printf( "failed\n" );
2219
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2220 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2221
2222 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2223}
2224
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2225#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2226
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2227#endif /* MBEDTLS_AES_C */