TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 998a358529faac5b6bfded2d79590bdf2d610579 / . / library / aes.c
blob: f6dc9963ea8390d3fbd47164bf8103bd3cf2b0e2 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
225/*
226 * Reverse S-box
227 */
228static const unsigned char RSb[256] =
229{
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262};
263
264/*
265 * Reverse tables
266 */
267#define RT \
268\
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
333
334#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]335static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336#undef V
337
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]338#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]339
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]341static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342#undef V
343
344#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346#undef V
347
348#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350#undef V
351
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]352#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]353
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef RT
355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360{
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
364};
365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368/*
369 * Forward S-box & tables
370 */
371static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]372static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]373#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]374static uint32_t FT1[256];
375static uint32_t FT2[256];
376static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378
379/*
380 * Reverse S-box & tables
381 */
382static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]383static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]384#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]385static uint32_t RT1[256];
386static uint32_t RT2[256];
387static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]388#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Round constants
392 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]393static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394
395/*
396 * Tables generation code
397 */
398#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
399#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
400#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
401
402static int aes_init_done = 0;
403
404static void aes_gen_tables( void )
405{
406 int i, x, y, z;
407 int pow[256];
408 int log[256];
409
410 /*
411 * compute pow and log tables over GF(2^8)
412 */
413 for( i = 0, x = 1; i < 256; i++ )
414 {
415 pow[i] = x;
416 log[x] = i;
417 x = ( x ^ XTIME( x ) ) & 0xFF;
418 }
419
420 /*
421 * calculate the round constants
422 */
423 for( i = 0, x = 1; i < 10; i++ )
424 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]425 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426 x = XTIME( x ) & 0xFF;
427 }
428
429 /*
430 * generate the forward and reverse S-boxes
431 */
432 FSb[0x00] = 0x63;
433 RSb[0x63] = 0x00;
434
435 for( i = 1; i < 256; i++ )
436 {
437 x = pow[255 - log[i]];
438
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 x ^= y ^ 0x63;
444
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
447 }
448
449 /*
450 * generate the forward and reverse tables
451 */
452 for( i = 0; i < 256; i++ )
453 {
454 x = FSb[i];
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
457
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]463#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]467#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469 x = RSb[i];
470
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]476#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]480#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 }
482}
483
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484#undef ROTL8
485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
490#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
493
494#define AES_RT0(idx) RT0[idx]
495#define AES_RT1(idx) ROTL8( RT0[idx] )
496#define AES_RT2(idx) ROTL16( RT0[idx] )
497#define AES_RT3(idx) ROTL24( RT0[idx] )
498
499#define AES_FT0(idx) FT0[idx]
500#define AES_FT1(idx) ROTL8( FT0[idx] )
501#define AES_FT2(idx) ROTL16( FT0[idx] )
502#define AES_FT3(idx) ROTL24( FT0[idx] )
503
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]504#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) RT1[idx]
508#define AES_RT2(idx) RT2[idx]
509#define AES_RT3(idx) RT3[idx]
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) FT1[idx]
513#define AES_FT2(idx) FT2[idx]
514#define AES_FT3(idx) FT3[idx]
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]518void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]519{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]520 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523}
524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526{
527 if( ctx == NULL )
528 return;
529
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531}
532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533#if defined(MBEDTLS_CIPHER_MODE_XTS)
534void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
535{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]536 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
540}
541
542void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
543{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]544 if( ctx == NULL )
545 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]547 mbedtls_aes_free( &ctx->crypt );
548 mbedtls_aes_free( &ctx->tweak );
549}
550#endif /* MBEDTLS_CIPHER_MODE_XTS */
551
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552/*
553 * AES key schedule (encryption)
554 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]555#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]557 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]559 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]560 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]562 AES_VALIDATE_RET( ctx != NULL );
563 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]565 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 {
567 case 128: ctx->nr = 10; break;
568 case 192: ctx->nr = 12; break;
569 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 }
572
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573#if !defined(MBEDTLS_AES_ROM_TABLES)
574 if( aes_init_done == 0 )
575 {
576 aes_gen_tables();
577 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]578 }
579#endif
580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]583 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584
585 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]587 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]589 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]591#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]592 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]593 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]594#endif
595
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]596 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]598 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599 }
600
601 switch( ctx->nr )
602 {
603 case 10:
604
605 for( i = 0; i < 10; i++, RK += 4 )
606 {
607 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]608 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
609 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
611 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612
613 RK[5] = RK[1] ^ RK[4];
614 RK[6] = RK[2] ^ RK[5];
615 RK[7] = RK[3] ^ RK[6];
616 }
617 break;
618
619 case 12:
620
621 for( i = 0; i < 8; i++, RK += 6 )
622 {
623 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]624 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
625 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
627 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]628
629 RK[7] = RK[1] ^ RK[6];
630 RK[8] = RK[2] ^ RK[7];
631 RK[9] = RK[3] ^ RK[8];
632 RK[10] = RK[4] ^ RK[9];
633 RK[11] = RK[5] ^ RK[10];
634 }
635 break;
636
637 case 14:
638
639 for( i = 0; i < 7; i++, RK += 8 )
640 {
641 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]642 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
643 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
645 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646
647 RK[9] = RK[1] ^ RK[8];
648 RK[10] = RK[2] ^ RK[9];
649 RK[11] = RK[3] ^ RK[10];
650
651 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]652 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
653 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]656
657 RK[13] = RK[5] ^ RK[12];
658 RK[14] = RK[6] ^ RK[13];
659 RK[15] = RK[7] ^ RK[14];
660 }
661 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]663
664 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667
668/*
669 * AES key schedule (decryption)
670 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]671#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]672int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]673 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]675 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]676 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 uint32_t *RK;
678 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]679
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]680 AES_VALIDATE_RET( ctx != NULL );
681 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]683 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688
689 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]691 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]693 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]695 /* Also checks keybits */
696 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]697 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]698
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]699 ctx->nr = cty.nr;
700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]702 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]703 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]704 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]705 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]706 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]707 }
708#endif
709
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 SK = cty.rk + cty.nr * 4;
711
712 *RK++ = *SK++;
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716
717 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
718 {
719 for( j = 0; j < 4; j++, SK++ )
720 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]721 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
722 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
723 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
724 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]725 }
726 }
727
728 *RK++ = *SK++;
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]733exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]734 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]735
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]736 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]737}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]738
739#if defined(MBEDTLS_CIPHER_MODE_XTS)
740static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
741 unsigned int keybits,
742 const unsigned char **key1,
743 unsigned int *key1bits,
744 const unsigned char **key2,
745 unsigned int *key2bits )
746{
747 const unsigned int half_keybits = keybits / 2;
748 const unsigned int half_keybytes = half_keybits / 8;
749
750 switch( keybits )
751 {
752 case 256: break;
753 case 512: break;
754 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
755 }
756
757 *key1bits = half_keybits;
758 *key2bits = half_keybits;
759 *key1 = &key[0];
760 *key2 = &key[half_keybytes];
761
762 return 0;
763}
764
765int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
766 const unsigned char *key,
767 unsigned int keybits)
768{
769 int ret;
770 const unsigned char *key1, *key2;
771 unsigned int key1bits, key2bits;
772
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]773 AES_VALIDATE_RET( ctx != NULL );
774 AES_VALIDATE_RET( key != NULL );
775
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
777 &key2, &key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set the tweak key. Always set tweak key for the encryption mode. */
782 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
783 if( ret != 0 )
784 return( ret );
785
786 /* Set crypt key for encryption. */
787 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
788}
789
790int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
791 const unsigned char *key,
792 unsigned int keybits)
793{
794 int ret;
795 const unsigned char *key1, *key2;
796 unsigned int key1bits, key2bits;
797
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]798 AES_VALIDATE_RET( ctx != NULL );
799 AES_VALIDATE_RET( key != NULL );
800
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
802 &key2, &key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set the tweak key. Always set tweak key for encryption. */
807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
808 if( ret != 0 )
809 return( ret );
810
811 /* Set crypt key for decryption. */
812 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
813}
814#endif /* MBEDTLS_CIPHER_MODE_XTS */
815
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]816#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]817
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]818#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
819{ \
820 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
821 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
822 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
823 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
824 \
825 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
826 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
827 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
828 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
829 \
830 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
831 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
832 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
833 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
834 \
835 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
836 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
837 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
838 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]839}
840
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]841#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
842{ \
843 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
844 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
845 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
846 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
847 \
848 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
849 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
850 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
851 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
852 \
853 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
854 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
855 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
856 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
857 \
858 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
859 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
860 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
861 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]862}
863
864/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]865 * AES-ECB block encryption
866 */
867#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]868int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
869 const unsigned char input[16],
870 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]871{
872 int i;
873 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
874
875 RK = ctx->rk;
876
877 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
878 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
879 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
880 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
881
882 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
883 {
884 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
885 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
886 }
887
888 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
889
890 X0 = *RK++ ^ \
891 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
892 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
893 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
894 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
895
896 X1 = *RK++ ^ \
897 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
898 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
899 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
900 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
901
902 X2 = *RK++ ^ \
903 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
904 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
905 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
906 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
907
908 X3 = *RK++ ^ \
909 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
910 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
911 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
912 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
913
914 PUT_UINT32_LE( X0, output, 0 );
915 PUT_UINT32_LE( X1, output, 4 );
916 PUT_UINT32_LE( X2, output, 8 );
917 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]918
919 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]920}
921#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
922
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]923#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]924void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
925 const unsigned char input[16],
926 unsigned char output[16] )
927{
928 mbedtls_internal_aes_encrypt( ctx, input, output );
929}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]930#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]931
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]932/*
933 * AES-ECB block decryption
934 */
935#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]936int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
937 const unsigned char input[16],
938 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]939{
940 int i;
941 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
942
943 RK = ctx->rk;
944
945 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
946 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
947 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
948 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
949
950 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
951 {
952 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
953 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
954 }
955
956 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
957
958 X0 = *RK++ ^ \
959 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
960 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
961 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
962 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
963
964 X1 = *RK++ ^ \
965 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
966 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
967 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
968 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
969
970 X2 = *RK++ ^ \
971 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
972 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
973 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
974 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
975
976 X3 = *RK++ ^ \
977 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
978 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
979 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
980 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
981
982 PUT_UINT32_LE( X0, output, 0 );
983 PUT_UINT32_LE( X1, output, 4 );
984 PUT_UINT32_LE( X2, output, 8 );
985 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]986
987 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]988}
989#endif /* !MBEDTLS_AES_DECRYPT_ALT */
990
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]991#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]992void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
993 const unsigned char input[16],
994 unsigned char output[16] )
995{
996 mbedtls_internal_aes_decrypt( ctx, input, output );
997}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]998#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]999
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1000/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001 * AES-ECB block encryption/decryption
1002 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1003int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1004 int mode,
1005 const unsigned char input[16],
1006 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1008 AES_VALIDATE_RET( ctx != NULL );
1009 AES_VALIDATE_RET( input != NULL );
1010 AES_VALIDATE_RET( output != NULL );
1011 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1012 mode == MBEDTLS_AES_DECRYPT );
1013
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1014#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1015 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1016 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1017#endif
1018
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1019#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1020 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1021 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1022 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1023 return( 0 );
1024
1025 // If padlock data misaligned, we just fall back to
1026 // unaccelerated mode
1027 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1028 }
1029#endif
1030
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1031 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1032 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1033 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1034 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1035}
1036
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038/*
1039 * AES-CBC buffer encryption/decryption
1040 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1042 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1043 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1044 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1045 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1046 unsigned char *output )
1047{
1048 int i;
1049 unsigned char temp[16];
1050
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1051 AES_VALIDATE_RET( ctx != NULL );
1052 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1053 mode == MBEDTLS_AES_DECRYPT );
1054 AES_VALIDATE_RET( iv != NULL );
1055 AES_VALIDATE_RET( input != NULL );
1056 AES_VALIDATE_RET( output != NULL );
1057
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1058 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1059 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1060
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1061#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1062 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1064 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1065 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1066
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1067 // If padlock data misaligned, we just fall back to
1068 // unaccelerated mode
1069 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1070 }
1071#endif
1072
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1073 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074 {
1075 while( length > 0 )
1076 {
1077 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1078 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079
1080 for( i = 0; i < 16; i++ )
1081 output[i] = (unsigned char)( output[i] ^ iv[i] );
1082
1083 memcpy( iv, temp, 16 );
1084
1085 input += 16;
1086 output += 16;
1087 length -= 16;
1088 }
1089 }
1090 else
1091 {
1092 while( length > 0 )
1093 {
1094 for( i = 0; i < 16; i++ )
1095 output[i] = (unsigned char)( input[i] ^ iv[i] );
1096
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1097 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1098 memcpy( iv, output, 16 );
1099
1100 input += 16;
1101 output += 16;
1102 length -= 16;
1103 }
1104 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1105
1106 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1107}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1108#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1110#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1111
1112/* Endianess with 64 bits values */
1113#ifndef GET_UINT64_LE
1114#define GET_UINT64_LE(n,b,i) \
1115{ \
1116 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1117 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1118 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1119 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1120 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1121 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1122 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1123 | ( (uint64_t) (b)[(i) ] ); \
1124}
1125#endif
1126
1127#ifndef PUT_UINT64_LE
1128#define PUT_UINT64_LE(n,b,i) \
1129{ \
1130 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1131 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1132 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1133 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1134 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1135 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1136 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1137 (b)[(i) ] = (unsigned char) ( (n) ); \
1138}
1139#endif
1140
1141typedef unsigned char mbedtls_be128[16];
1142
1143/*
1144 * GF(2^128) multiplication function
1145 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1146 * This function multiplies a field element by x in the polynomial field
1147 * representation. It uses 64-bit word operations to gain speed but compensates
1148 * for machine endianess and hence works correctly on both big and little
1149 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1150 */
1151static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1152 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1153{
1154 uint64_t a, b, ra, rb;
1155
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1156 GET_UINT64_LE( a, x, 0 );
1157 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1158
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1159 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1160 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1161
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1162 PUT_UINT64_LE( ra, r, 0 );
1163 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1164}
1165
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1166/*
1167 * AES-XTS buffer encryption/decryption
1168 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1169int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1170 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1171 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1172 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1173 const unsigned char *input,
1174 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1175{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1176 int ret;
1177 size_t blocks = length / 16;
1178 size_t leftover = length % 16;
1179 unsigned char tweak[16];
1180 unsigned char prev_tweak[16];
1181 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1182
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1183 AES_VALIDATE_RET( ctx != NULL );
1184 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1185 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame^]1186 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1187 AES_VALIDATE_RET( input != NULL );
1188 AES_VALIDATE_RET( output != NULL );
1189
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1190 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1191 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1192 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1193
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1194 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1195 if( length > ( 1 << 20 ) * 16 )
1196 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1197
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1198 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1199 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1200 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1201 if( ret != 0 )
1202 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1203
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1204 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1205 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1206 size_t i;
1207
1208 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1209 {
1210 /* We are on the last block in a decrypt operation that has
1211 * leftover bytes, so we need to use the next tweak for this block,
1212 * and this tweak for the lefover bytes. Save the current tweak for
1213 * the leftovers and then update the current tweak for use on this,
1214 * the last full block. */
1215 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1216 mbedtls_gf128mul_x_ble( tweak, tweak );
1217 }
1218
1219 for( i = 0; i < 16; i++ )
1220 tmp[i] = input[i] ^ tweak[i];
1221
1222 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1223 if( ret != 0 )
1224 return( ret );
1225
1226 for( i = 0; i < 16; i++ )
1227 output[i] = tmp[i] ^ tweak[i];
1228
1229 /* Update the tweak for the next block. */
1230 mbedtls_gf128mul_x_ble( tweak, tweak );
1231
1232 output += 16;
1233 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1234 }
1235
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1236 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1237 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1238 /* If we are on the leftover bytes in a decrypt operation, we need to
1239 * use the previous tweak for these bytes (as saved in prev_tweak). */
1240 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1241
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1242 /* We are now on the final part of the data unit, which doesn't divide
1243 * evenly by 16. It's time for ciphertext stealing. */
1244 size_t i;
1245 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1246
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1247 /* Copy ciphertext bytes from the previous block to our output for each
1248 * byte of cyphertext we won't steal. At the same time, copy the
1249 * remainder of the input for this final round (since the loop bounds
1250 * are the same). */
1251 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1252 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1253 output[i] = prev_output[i];
1254 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1255 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1256
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1257 /* Copy ciphertext bytes from the previous block for input in this
1258 * round. */
1259 for( ; i < 16; i++ )
1260 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1261
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1262 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1263 if( ret != 0 )
1264 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1265
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1266 /* Write the result back to the previous block, overriding the previous
1267 * output we copied. */
1268 for( i = 0; i < 16; i++ )
1269 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1270 }
1271
1272 return( 0 );
1273}
1274#endif /* MBEDTLS_CIPHER_MODE_XTS */
1275
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1276#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1277/*
1278 * AES-CFB128 buffer encryption/decryption
1279 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1280int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1281 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1282 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1283 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1284 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1285 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286 unsigned char *output )
1287{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1288 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1289 size_t n;
1290
1291 AES_VALIDATE_RET( ctx != NULL );
1292 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1293 mode == MBEDTLS_AES_DECRYPT );
1294 AES_VALIDATE_RET( iv_off != NULL );
1295 AES_VALIDATE_RET( iv != NULL );
1296 AES_VALIDATE_RET( input != NULL );
1297 AES_VALIDATE_RET( output != NULL );
1298
1299 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1301 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302 {
1303 while( length-- )
1304 {
1305 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1306 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307
1308 c = *input++;
1309 *output++ = (unsigned char)( c ^ iv[n] );
1310 iv[n] = (unsigned char) c;
1311
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1312 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313 }
1314 }
1315 else
1316 {
1317 while( length-- )
1318 {
1319 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1320 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1321
1322 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1323
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1324 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325 }
1326 }
1327
1328 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1329
1330 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1332
1333/*
1334 * AES-CFB8 buffer encryption/decryption
1335 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1336int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1337 int mode,
1338 size_t length,
1339 unsigned char iv[16],
1340 const unsigned char *input,
1341 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1342{
1343 unsigned char c;
1344 unsigned char ov[17];
1345
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1346 AES_VALIDATE_RET( ctx != NULL );
1347 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1348 mode == MBEDTLS_AES_DECRYPT );
1349 AES_VALIDATE_RET( iv != NULL );
1350 AES_VALIDATE_RET( input != NULL );
1351 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1352 while( length-- )
1353 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1354 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1355 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1356
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1357 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1358 ov[16] = *input;
1359
1360 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1361
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1362 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1363 ov[16] = c;
1364
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1365 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1366 }
1367
1368 return( 0 );
1369}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1370#endif /* MBEDTLS_CIPHER_MODE_CFB */
1371
1372#if defined(MBEDTLS_CIPHER_MODE_OFB)
1373/*
1374 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1375 */
1376int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1377 size_t length,
1378 size_t *iv_off,
1379 unsigned char iv[16],
1380 const unsigned char *input,
1381 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1382{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1383 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1384 size_t n;
1385
1386 AES_VALIDATE_RET( ctx != NULL );
1387 AES_VALIDATE_RET( iv_off != NULL );
1388 AES_VALIDATE_RET( iv != NULL );
1389 AES_VALIDATE_RET( input != NULL );
1390 AES_VALIDATE_RET( output != NULL );
1391
1392 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1393
1394 while( length-- )
1395 {
1396 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1397 {
1398 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1399 if( ret != 0 )
1400 goto exit;
1401 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1402 *output++ = *input++ ^ iv[n];
1403
1404 n = ( n + 1 ) & 0x0F;
1405 }
1406
1407 *iv_off = n;
1408
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1409exit:
1410 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1411}
1412#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1413
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1414#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1415/*
1416 * AES-CTR buffer encryption/decryption
1417 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1418int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1419 size_t length,
1420 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1421 unsigned char nonce_counter[16],
1422 unsigned char stream_block[16],
1423 const unsigned char *input,
1424 unsigned char *output )
1425{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1426 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1427 size_t n;
1428
1429 AES_VALIDATE_RET( ctx != NULL );
1430 AES_VALIDATE_RET( nc_off != NULL );
1431 AES_VALIDATE_RET( nonce_counter != NULL );
1432 AES_VALIDATE_RET( stream_block != NULL );
1433 AES_VALIDATE_RET( input != NULL );
1434 AES_VALIDATE_RET( output != NULL );
1435
1436 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1437
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1438 if ( n > 0x0F )
1439 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1440
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1441 while( length-- )
1442 {
1443 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1444 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1445
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1446 for( i = 16; i > 0; i-- )
1447 if( ++nonce_counter[i - 1] != 0 )
1448 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1449 }
1450 c = *input++;
1451 *output++ = (unsigned char)( c ^ stream_block[n] );
1452
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1453 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1454 }
1455
1456 *nc_off = n;
1457
1458 return( 0 );
1459}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1460#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1461
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1462#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1463
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1464#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1465/*
1466 * AES test vectors from:
1467 *
1468 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1469 */
1470static const unsigned char aes_test_ecb_dec[3][16] =
1471{
1472 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1473 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1474 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1475 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1476 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1477 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1478};
1479
1480static const unsigned char aes_test_ecb_enc[3][16] =
1481{
1482 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1483 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1484 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1485 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1486 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1487 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1488};
1489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1490#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1491static const unsigned char aes_test_cbc_dec[3][16] =
1492{
1493 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1494 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1495 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1496 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1497 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1498 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1499};
1500
1501static const unsigned char aes_test_cbc_enc[3][16] =
1502{
1503 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1504 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1505 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1506 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1507 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1508 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1509};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1510#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1511
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1512#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1513/*
1514 * AES-CFB128 test vectors from:
1515 *
1516 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1517 */
1518static const unsigned char aes_test_cfb128_key[3][32] =
1519{
1520 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1521 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1522 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1523 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1524 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1525 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1526 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1527 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1528 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1529};
1530
1531static const unsigned char aes_test_cfb128_iv[16] =
1532{
1533 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1534 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1535};
1536
1537static const unsigned char aes_test_cfb128_pt[64] =
1538{
1539 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1540 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1541 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1542 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1543 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1544 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1545 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1546 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1547};
1548
1549static const unsigned char aes_test_cfb128_ct[3][64] =
1550{
1551 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1552 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1553 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1554 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1555 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1556 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1557 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1558 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1559 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1560 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1561 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1562 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1563 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1564 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1565 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1566 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1567 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1568 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1569 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1570 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1571 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1572 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1573 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1574 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1575};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1576#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1577
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1578#if defined(MBEDTLS_CIPHER_MODE_OFB)
1579/*
1580 * AES-OFB test vectors from:
1581 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1582 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1583 */
1584static const unsigned char aes_test_ofb_key[3][32] =
1585{
1586 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1587 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1588 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1589 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1590 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1591 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1592 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1593 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1594 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1595};
1596
1597static const unsigned char aes_test_ofb_iv[16] =
1598{
1599 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1600 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1601};
1602
1603static const unsigned char aes_test_ofb_pt[64] =
1604{
1605 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1606 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1607 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1608 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1609 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1610 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1611 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1612 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1613};
1614
1615static const unsigned char aes_test_ofb_ct[3][64] =
1616{
1617 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1618 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1619 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1620 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1621 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1622 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1623 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1624 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1625 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1626 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1627 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1628 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1629 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1630 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1631 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1632 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1633 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1634 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1635 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1636 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1637 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1638 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1639 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1640 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1641};
1642#endif /* MBEDTLS_CIPHER_MODE_OFB */
1643
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1644#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1645/*
1646 * AES-CTR test vectors from:
1647 *
1648 * http://www.faqs.org/rfcs/rfc3686.html
1649 */
1650
1651static const unsigned char aes_test_ctr_key[3][16] =
1652{
1653 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1654 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1655 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1656 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1657 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1658 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1659};
1660
1661static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1662{
1663 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1664 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1665 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1666 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1667 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1668 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1669};
1670
1671static const unsigned char aes_test_ctr_pt[3][48] =
1672{
1673 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1674 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1675
1676 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1677 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1678 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1679 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1680
1681 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1682 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1683 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1684 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1685 0x20, 0x21, 0x22, 0x23 }
1686};
1687
1688static const unsigned char aes_test_ctr_ct[3][48] =
1689{
1690 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1691 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1692 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1693 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1694 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1695 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1696 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1697 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1698 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1699 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1700 0x25, 0xB2, 0x07, 0x2F }
1701};
1702
1703static const int aes_test_ctr_len[3] =
1704 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1705#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1706
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1707#if defined(MBEDTLS_CIPHER_MODE_XTS)
1708/*
1709 * AES-XTS test vectors from:
1710 *
1711 * IEEE P1619/D16 Annex B
1712 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1713 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1714 */
1715static const unsigned char aes_test_xts_key[][32] =
1716{
1717 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1718 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1719 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1720 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1721 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1722 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1723 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1724 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1725 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1726 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1727 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1728 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1729};
1730
1731static const unsigned char aes_test_xts_pt32[][32] =
1732{
1733 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1734 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1735 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1737 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1738 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1739 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1740 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1741 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1742 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1743 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1744 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1745};
1746
1747static const unsigned char aes_test_xts_ct32[][32] =
1748{
1749 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1750 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1751 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1752 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1753 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1754 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1755 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1756 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1757 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1758 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1759 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1760 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1761};
1762
1763static const unsigned char aes_test_xts_data_unit[][16] =
1764{
1765 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1767 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1769 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1770 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1771};
1772
1773#endif /* MBEDTLS_CIPHER_MODE_XTS */
1774
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1775/*
1776 * Checkup routine
1777 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1778int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1779{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1780 int ret = 0, i, j, u, mode;
1781 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1782 unsigned char key[32];
1783 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1784 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1785#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1786 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1787#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1788#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1789 unsigned char prv[16];
1790#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1791#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1792 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1793 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1794#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1795#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1796 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1797#endif
1798#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1799 unsigned char nonce_counter[16];
1800 unsigned char stream_block[16];
1801#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1802 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1803
1804 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1805 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1806
1807 /*
1808 * ECB mode
1809 */
1810 for( i = 0; i < 6; i++ )
1811 {
1812 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1813 keybits = 128 + u * 64;
1814 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1815
1816 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1817 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1818 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819
1820 memset( buf, 0, 16 );
1821
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1822 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1824 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1825 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1826 }
1827 else
1828 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1829 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1830 aes_tests = aes_test_ecb_enc[u];
1831 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1833 /*
1834 * AES-192 is an optional feature that may be unavailable when
1835 * there is an alternative underlying implementation i.e. when
1836 * MBEDTLS_AES_ALT is defined.
1837 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1838 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1839 {
1840 mbedtls_printf( "skipped\n" );
1841 continue;
1842 }
1843 else if( ret != 0 )
1844 {
1845 goto exit;
1846 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1847
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1848 for( j = 0; j < 10000; j++ )
1849 {
1850 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1851 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1852 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1853 }
1854
1855 if( memcmp( buf, aes_tests, 16 ) != 0 )
1856 {
1857 ret = 1;
1858 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859 }
1860
1861 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1862 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1863 }
1864
1865 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1866 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1867
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1868#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1869 /*
1870 * CBC mode
1871 */
1872 for( i = 0; i < 6; i++ )
1873 {
1874 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1875 keybits = 128 + u * 64;
1876 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1877
1878 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1879 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1880 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881
1882 memset( iv , 0, 16 );
1883 memset( prv, 0, 16 );
1884 memset( buf, 0, 16 );
1885
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1886 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1887 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1888 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1889 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890 }
1891 else
1892 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1893 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1894 aes_tests = aes_test_cbc_enc[u];
1895 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1897 /*
1898 * AES-192 is an optional feature that may be unavailable when
1899 * there is an alternative underlying implementation i.e. when
1900 * MBEDTLS_AES_ALT is defined.
1901 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1902 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1903 {
1904 mbedtls_printf( "skipped\n" );
1905 continue;
1906 }
1907 else if( ret != 0 )
1908 {
1909 goto exit;
1910 }
1911
1912 for( j = 0; j < 10000; j++ )
1913 {
1914 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915 {
1916 unsigned char tmp[16];
1917
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918 memcpy( tmp, prv, 16 );
1919 memcpy( prv, buf, 16 );
1920 memcpy( buf, tmp, 16 );
1921 }
1922
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1923 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1924 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1925 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1926
1927 }
1928
1929 if( memcmp( buf, aes_tests, 16 ) != 0 )
1930 {
1931 ret = 1;
1932 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1933 }
1934
1935 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1936 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1937 }
1938
1939 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1940 mbedtls_printf( "\n" );
1941#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1942
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1943#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1944 /*
1945 * CFB128 mode
1946 */
1947 for( i = 0; i < 6; i++ )
1948 {
1949 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1950 keybits = 128 + u * 64;
1951 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1952
1953 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1954 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1955 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1956
1957 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1958 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1959
1960 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1961 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1962 /*
1963 * AES-192 is an optional feature that may be unavailable when
1964 * there is an alternative underlying implementation i.e. when
1965 * MBEDTLS_AES_ALT is defined.
1966 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1967 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1968 {
1969 mbedtls_printf( "skipped\n" );
1970 continue;
1971 }
1972 else if( ret != 0 )
1973 {
1974 goto exit;
1975 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1976
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1977 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1978 {
1979 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1980 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1981 }
1982 else
1983 {
1984 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1985 aes_tests = aes_test_cfb128_ct[u];
1986 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1987
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1988 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1989 if( ret != 0 )
1990 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1991
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1992 if( memcmp( buf, aes_tests, 64 ) != 0 )
1993 {
1994 ret = 1;
1995 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1996 }
1997
1998 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1999 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2000 }
2001
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2002 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2003 mbedtls_printf( "\n" );
2004#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2005
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2006#if defined(MBEDTLS_CIPHER_MODE_OFB)
2007 /*
2008 * OFB mode
2009 */
2010 for( i = 0; i < 6; i++ )
2011 {
2012 u = i >> 1;
2013 keybits = 128 + u * 64;
2014 mode = i & 1;
2015
2016 if( verbose != 0 )
2017 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2018 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2019
2020 memcpy( iv, aes_test_ofb_iv, 16 );
2021 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2022
2023 offset = 0;
2024 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2025 /*
2026 * AES-192 is an optional feature that may be unavailable when
2027 * there is an alternative underlying implementation i.e. when
2028 * MBEDTLS_AES_ALT is defined.
2029 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2030 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2031 {
2032 mbedtls_printf( "skipped\n" );
2033 continue;
2034 }
2035 else if( ret != 0 )
2036 {
2037 goto exit;
2038 }
2039
2040 if( mode == MBEDTLS_AES_DECRYPT )
2041 {
2042 memcpy( buf, aes_test_ofb_ct[u], 64 );
2043 aes_tests = aes_test_ofb_pt;
2044 }
2045 else
2046 {
2047 memcpy( buf, aes_test_ofb_pt, 64 );
2048 aes_tests = aes_test_ofb_ct[u];
2049 }
2050
2051 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2052 if( ret != 0 )
2053 goto exit;
2054
2055 if( memcmp( buf, aes_tests, 64 ) != 0 )
2056 {
2057 ret = 1;
2058 goto exit;
2059 }
2060
2061 if( verbose != 0 )
2062 mbedtls_printf( "passed\n" );
2063 }
2064
2065 if( verbose != 0 )
2066 mbedtls_printf( "\n" );
2067#endif /* MBEDTLS_CIPHER_MODE_OFB */
2068
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2069#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2070 /*
2071 * CTR mode
2072 */
2073 for( i = 0; i < 6; i++ )
2074 {
2075 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2076 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2077
2078 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2079 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2080 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2081
2082 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2083 memcpy( key, aes_test_ctr_key[u], 16 );
2084
2085 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2086 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2087 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2088
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2089 len = aes_test_ctr_len[u];
2090
2091 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2092 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2093 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2094 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2095 }
2096 else
2097 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2098 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2099 aes_tests = aes_test_ctr_ct[u];
2100 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2101
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2102 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2103 stream_block, buf, buf );
2104 if( ret != 0 )
2105 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2106
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2107 if( memcmp( buf, aes_tests, len ) != 0 )
2108 {
2109 ret = 1;
2110 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2111 }
2112
2113 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2114 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2115 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2116
2117 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2118 mbedtls_printf( "\n" );
2119#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2120
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2121#if defined(MBEDTLS_CIPHER_MODE_XTS)
2122 {
2123 static const int num_tests =
2124 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2125 mbedtls_aes_xts_context ctx_xts;
2126
2127 /*
2128 * XTS mode
2129 */
2130 mbedtls_aes_xts_init( &ctx_xts );
2131
2132 for( i = 0; i < num_tests << 1; i++ )
2133 {
2134 const unsigned char *data_unit;
2135 u = i >> 1;
2136 mode = i & 1;
2137
2138 if( verbose != 0 )
2139 mbedtls_printf( " AES-XTS-128 (%s): ",
2140 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2141
2142 memset( key, 0, sizeof( key ) );
2143 memcpy( key, aes_test_xts_key[u], 32 );
2144 data_unit = aes_test_xts_data_unit[u];
2145
2146 len = sizeof( *aes_test_xts_ct32 );
2147
2148 if( mode == MBEDTLS_AES_DECRYPT )
2149 {
2150 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2151 if( ret != 0)
2152 goto exit;
2153 memcpy( buf, aes_test_xts_ct32[u], len );
2154 aes_tests = aes_test_xts_pt32[u];
2155 }
2156 else
2157 {
2158 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2159 if( ret != 0)
2160 goto exit;
2161 memcpy( buf, aes_test_xts_pt32[u], len );
2162 aes_tests = aes_test_xts_ct32[u];
2163 }
2164
2165
2166 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2167 buf, buf );
2168 if( ret != 0 )
2169 goto exit;
2170
2171 if( memcmp( buf, aes_tests, len ) != 0 )
2172 {
2173 ret = 1;
2174 goto exit;
2175 }
2176
2177 if( verbose != 0 )
2178 mbedtls_printf( "passed\n" );
2179 }
2180
2181 if( verbose != 0 )
2182 mbedtls_printf( "\n" );
2183
2184 mbedtls_aes_xts_free( &ctx_xts );
2185 }
2186#endif /* MBEDTLS_CIPHER_MODE_XTS */
2187
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2188 ret = 0;
2189
2190exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2191 if( ret != 0 && verbose != 0 )
2192 mbedtls_printf( "failed\n" );
2193
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2194 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2195
2196 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2197}
2198
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2199#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2200
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2201#endif /* MBEDTLS_AES_C */