TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a8ef1565bb38b707f49b917dbfe8381a2a16c977 / . / library / aes.c
blob: 03eccef21bddc28da913b8910acbc3a5429f844e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Chris Jones16dbaeb2021-03-09 17:47:55 +0000[diff] [blame]37#include "padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Chris Jones187782f2021-03-09 17:28:35 +0000[diff] [blame]40#include "aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#if defined(MBEDTLS_PADLOCK_C) && \
55 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]56static int aes_padlock_ace = -1;
57#endif
58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60/*
61 * Forward S-box
62 */
63static const unsigned char FSb[256] =
64{
65 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
66 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
67 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
68 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
69 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
70 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
71 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
72 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
73 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
74 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
75 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
76 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
77 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
78 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
79 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
80 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
81 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
82 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
83 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
84 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
85 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
86 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
87 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
88 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
89 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
90 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
91 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
92 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
93 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
94 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
95 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
96 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
97};
98
99/*
100 * Forward tables
101 */
102#define FT \
103\
104 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
105 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
106 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
107 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
108 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
109 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
110 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
111 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
112 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
113 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
114 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
115 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
116 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
117 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
118 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
119 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
120 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
121 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
122 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
123 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
124 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
125 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
126 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
127 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
128 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
129 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
130 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
131 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
132 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
133 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
134 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
135 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
136 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
137 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
138 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
139 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
140 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
141 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
142 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
143 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
144 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
145 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
146 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
147 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
148 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
149 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
150 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
151 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
152 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
153 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
154 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
155 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
156 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
157 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
158 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
159 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
160 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
161 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
162 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
163 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
164 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
165 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
166 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
167 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
168
169#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]170static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]171#undef V
172
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]173#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]174
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]175#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]176static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]177#undef V
178
179#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]180static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]181#undef V
182
183#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]184static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]185#undef V
186
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]187#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]188
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]189#undef FT
190
191/*
192 * Reverse S-box
193 */
194static const unsigned char RSb[256] =
195{
196 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
197 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
198 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
199 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
200 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
201 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
202 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
203 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
204 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
205 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
206 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
207 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
208 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
209 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
210 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
211 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
212 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
213 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
214 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
215 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
216 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
217 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
218 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
219 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
220 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
221 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
222 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
223 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
224 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
225 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
226 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
227 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
228};
229
230/*
231 * Reverse tables
232 */
233#define RT \
234\
235 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
236 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
237 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
238 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
239 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
240 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
241 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
242 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
243 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
244 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
245 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
246 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
247 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
248 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
249 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
250 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
251 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
252 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
253 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
254 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
255 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
256 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
257 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
258 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
259 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
260 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
261 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
262 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
263 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
264 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
265 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
266 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
267 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
268 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
269 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
270 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
271 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
272 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
273 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
274 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
275 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
276 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
277 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
278 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
279 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
280 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
281 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
282 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
283 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
284 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
285 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
286 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
287 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
288 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
289 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
290 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
291 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
292 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
293 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
294 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
295 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
296 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
297 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
298 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
299
300#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]301static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]302#undef V
303
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]304#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]305
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]306#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]307static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]308#undef V
309
310#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]311static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312#undef V
313
314#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]315static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]316#undef V
317
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]318#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]319
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]320#undef RT
321
322/*
323 * Round constants
324 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]325static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326{
327 0x00000001, 0x00000002, 0x00000004, 0x00000008,
328 0x00000010, 0x00000020, 0x00000040, 0x00000080,
329 0x0000001B, 0x00000036
330};
331
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]332#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333
334/*
335 * Forward S-box & tables
336 */
337static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]338static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]339#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]340static uint32_t FT1[256];
341static uint32_t FT2[256];
342static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]343#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]344
345/*
346 * Reverse S-box & tables
347 */
348static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]350#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]351static uint32_t RT1[256];
352static uint32_t RT2[256];
353static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]354#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361/*
362 * Tables generation code
363 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]364#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
365#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]366#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368static int aes_init_done = 0;
369
370static void aes_gen_tables( void )
371{
372 int i, x, y, z;
373 int pow[256];
374 int log[256];
375
376 /*
377 * compute pow and log tables over GF(2^8)
378 */
379 for( i = 0, x = 1; i < 256; i++ )
380 {
381 pow[i] = x;
382 log[x] = i;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]383 x = MBEDTLS_BYTE_0( x ^ XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384 }
385
386 /*
387 * calculate the round constants
388 */
389 for( i = 0, x = 1; i < 10; i++ )
390 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]391 RCON[i] = (uint32_t) x;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]392 x = MBEDTLS_BYTE_0( XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]393 }
394
395 /*
396 * generate the forward and reverse S-boxes
397 */
398 FSb[0x00] = 0x63;
399 RSb[0x63] = 0x00;
400
401 for( i = 1; i < 256; i++ )
402 {
403 x = pow[255 - log[i]];
404
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]405 y = x; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
406 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
407 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
408 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]409 x ^= y ^ 0x63;
410
411 FSb[i] = (unsigned char) x;
412 RSb[x] = (unsigned char) i;
413 }
414
415 /*
416 * generate the forward and reverse tables
417 */
418 for( i = 0; i < 256; i++ )
419 {
420 x = FSb[i];
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]421 y = MBEDTLS_BYTE_0( XTIME( x ) );
422 z = MBEDTLS_BYTE_0( y ^ x );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]424 FT0[i] = ( (uint32_t) y ) ^
425 ( (uint32_t) x << 8 ) ^
426 ( (uint32_t) x << 16 ) ^
427 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]429#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]430 FT1[i] = ROTL8( FT0[i] );
431 FT2[i] = ROTL8( FT1[i] );
432 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]433#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434
435 x = RSb[i];
436
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]437 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
438 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
439 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
440 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]441
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]442#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 RT1[i] = ROTL8( RT0[i] );
444 RT2[i] = ROTL8( RT1[i] );
445 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]446#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 }
448}
449
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]450#undef ROTL8
451
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]452#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]454#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]455
456#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
457#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
458#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
459
460#define AES_RT0(idx) RT0[idx]
461#define AES_RT1(idx) ROTL8( RT0[idx] )
462#define AES_RT2(idx) ROTL16( RT0[idx] )
463#define AES_RT3(idx) ROTL24( RT0[idx] )
464
465#define AES_FT0(idx) FT0[idx]
466#define AES_FT1(idx) ROTL8( FT0[idx] )
467#define AES_FT2(idx) ROTL16( FT0[idx] )
468#define AES_FT3(idx) ROTL24( FT0[idx] )
469
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]470#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]471
472#define AES_RT0(idx) RT0[idx]
473#define AES_RT1(idx) RT1[idx]
474#define AES_RT2(idx) RT2[idx]
475#define AES_RT3(idx) RT3[idx]
476
477#define AES_FT0(idx) FT0[idx]
478#define AES_FT1(idx) FT1[idx]
479#define AES_FT2(idx) FT2[idx]
480#define AES_FT3(idx) FT3[idx]
481
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]482#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]483
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]484void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]485{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]487}
488
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]489void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]490{
491 if( ctx == NULL )
492 return;
493
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]494 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]495}
496
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]497#if defined(MBEDTLS_CIPHER_MODE_XTS)
498void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
499{
500 mbedtls_aes_init( &ctx->crypt );
501 mbedtls_aes_init( &ctx->tweak );
502}
503
504void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
505{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]506 if( ctx == NULL )
507 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]508
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]509 mbedtls_aes_free( &ctx->crypt );
510 mbedtls_aes_free( &ctx->tweak );
511}
512#endif /* MBEDTLS_CIPHER_MODE_XTS */
513
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514/*
515 * AES key schedule (encryption)
516 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]517#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]518int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]519 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]520{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]521 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]522 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]523
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]524 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]525 {
526 case 128: ctx->nr = 10; break;
527 case 192: ctx->nr = 12; break;
528 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]529 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]530 }
531
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]532#if !defined(MBEDTLS_AES_ROM_TABLES)
533 if( aes_init_done == 0 )
534 {
535 aes_gen_tables();
536 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537 }
538#endif
539
Werner Lewis7656a372022-06-13 12:28:20 +0100[diff] [blame]540 ctx->rk_offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]541#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]542 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]543 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]544
545 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]546 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]548 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]550#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]551 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]552 return( mbedtls_aesni_setkey_enc( (unsigned char *) RK, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]553#endif
554
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]555 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556 {
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]557 RK[i] = MBEDTLS_GET_UINT32_LE( key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558 }
559
560 switch( ctx->nr )
561 {
562 case 10:
563
564 for( i = 0; i < 10; i++, RK += 4 )
565 {
566 RK[4] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]567 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[3] ) ] ) ^
568 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[3] ) ] << 8 ) ^
569 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[3] ) ] << 16 ) ^
570 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[3] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571
572 RK[5] = RK[1] ^ RK[4];
573 RK[6] = RK[2] ^ RK[5];
574 RK[7] = RK[3] ^ RK[6];
575 }
576 break;
577
578 case 12:
579
580 for( i = 0; i < 8; i++, RK += 6 )
581 {
582 RK[6] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]583 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[5] ) ] ) ^
584 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[5] ) ] << 8 ) ^
585 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[5] ) ] << 16 ) ^
586 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[5] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587
588 RK[7] = RK[1] ^ RK[6];
589 RK[8] = RK[2] ^ RK[7];
590 RK[9] = RK[3] ^ RK[8];
591 RK[10] = RK[4] ^ RK[9];
592 RK[11] = RK[5] ^ RK[10];
593 }
594 break;
595
596 case 14:
597
598 for( i = 0; i < 7; i++, RK += 8 )
599 {
600 RK[8] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]601 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[7] ) ] ) ^
602 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[7] ) ] << 8 ) ^
603 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[7] ) ] << 16 ) ^
604 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[7] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]605
606 RK[9] = RK[1] ^ RK[8];
607 RK[10] = RK[2] ^ RK[9];
608 RK[11] = RK[3] ^ RK[10];
609
610 RK[12] = RK[4] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]611 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[11] ) ] ) ^
612 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[11] ) ] << 8 ) ^
613 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[11] ) ] << 16 ) ^
614 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[11] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615
616 RK[13] = RK[5] ^ RK[12];
617 RK[14] = RK[6] ^ RK[13];
618 RK[15] = RK[7] ^ RK[14];
619 }
620 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]621 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]622
623 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]625#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]626
627/*
628 * AES key schedule (decryption)
629 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]630#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]631int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]632 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]633{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]634 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]636 uint32_t *RK;
637 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]638
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]639 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640
Werner Lewis7656a372022-06-13 12:28:20 +0100[diff] [blame]641 ctx->rk_offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]642#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]643 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]644 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]645
646 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]647 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]649 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]650
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]651 /* Also checks keybits */
652 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]653 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]654
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]655 ctx->nr = cty.nr;
656
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]657#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]658 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]659 {
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]660 mbedtls_aesni_inverse_key( (unsigned char *) RK,
661 (const unsigned char *) ( cty.buf + cty.rk_offset ), ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]662 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]663 }
664#endif
665
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]666 SK = cty.buf + cty.rk_offset + cty.nr * 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667
668 *RK++ = *SK++;
669 *RK++ = *SK++;
670 *RK++ = *SK++;
671 *RK++ = *SK++;
672
673 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
674 {
675 for( j = 0; j < 4; j++, SK++ )
676 {
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]677 *RK++ = AES_RT0( FSb[ MBEDTLS_BYTE_0( *SK ) ] ) ^
678 AES_RT1( FSb[ MBEDTLS_BYTE_1( *SK ) ] ) ^
679 AES_RT2( FSb[ MBEDTLS_BYTE_2( *SK ) ] ) ^
680 AES_RT3( FSb[ MBEDTLS_BYTE_3( *SK ) ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681 }
682 }
683
684 *RK++ = *SK++;
685 *RK++ = *SK++;
686 *RK++ = *SK++;
687 *RK++ = *SK++;
688
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]689exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]691
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]692 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]694#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]695
696#if defined(MBEDTLS_CIPHER_MODE_XTS)
697static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
698 unsigned int keybits,
699 const unsigned char **key1,
700 unsigned int *key1bits,
701 const unsigned char **key2,
702 unsigned int *key2bits )
703{
704 const unsigned int half_keybits = keybits / 2;
705 const unsigned int half_keybytes = half_keybits / 8;
706
707 switch( keybits )
708 {
709 case 256: break;
710 case 512: break;
711 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
712 }
713
714 *key1bits = half_keybits;
715 *key2bits = half_keybits;
716 *key1 = &key[0];
717 *key2 = &key[half_keybytes];
718
719 return 0;
720}
721
722int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
723 const unsigned char *key,
724 unsigned int keybits)
725{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]726 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]727 const unsigned char *key1, *key2;
728 unsigned int key1bits, key2bits;
729
730 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
731 &key2, &key2bits );
732 if( ret != 0 )
733 return( ret );
734
735 /* Set the tweak key. Always set tweak key for the encryption mode. */
736 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
737 if( ret != 0 )
738 return( ret );
739
740 /* Set crypt key for encryption. */
741 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
742}
743
744int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
745 const unsigned char *key,
746 unsigned int keybits)
747{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]748 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]749 const unsigned char *key1, *key2;
750 unsigned int key1bits, key2bits;
751
752 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
753 &key2, &key2bits );
754 if( ret != 0 )
755 return( ret );
756
757 /* Set the tweak key. Always set tweak key for encryption. */
758 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
759 if( ret != 0 )
760 return( ret );
761
762 /* Set crypt key for decryption. */
763 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
764}
765#endif /* MBEDTLS_CIPHER_MODE_XTS */
766
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]767#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
768 do \
769 { \
770 (X0) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
771 AES_FT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
772 AES_FT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
773 AES_FT3( MBEDTLS_BYTE_3( Y3 ) ); \
774 \
775 (X1) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
776 AES_FT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
777 AES_FT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
778 AES_FT3( MBEDTLS_BYTE_3( Y0 ) ); \
779 \
780 (X2) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
781 AES_FT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
782 AES_FT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
783 AES_FT3( MBEDTLS_BYTE_3( Y1 ) ); \
784 \
785 (X3) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
786 AES_FT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
787 AES_FT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
788 AES_FT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]789 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]790
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]791#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
792 do \
793 { \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]794 (X0) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
795 AES_RT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
796 AES_RT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
797 AES_RT3( MBEDTLS_BYTE_3( Y1 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]798 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]799 (X1) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
800 AES_RT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
801 AES_RT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
802 AES_RT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]803 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]804 (X2) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
805 AES_RT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
806 AES_RT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
807 AES_RT3( MBEDTLS_BYTE_3( Y3 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]808 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]809 (X3) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
810 AES_RT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
811 AES_RT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
812 AES_RT3( MBEDTLS_BYTE_3( Y0 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]813 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814
815/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]816 * AES-ECB block encryption
817 */
818#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]819int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
820 const unsigned char input[16],
821 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]822{
823 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]824 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]825 struct
826 {
827 uint32_t X[4];
828 uint32_t Y[4];
829 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]830
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]831 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
832 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
833 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
834 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]835
836 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
837 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]838 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
839 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]840 }
841
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]842 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]843
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]844 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]845 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
846 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
847 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
848 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]849
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]850 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]851 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
852 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
853 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
854 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]855
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]856 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]857 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
858 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
859 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
860 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]861
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]862 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]863 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
864 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
865 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
866 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]867
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]868 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
869 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
870 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
871 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]872
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]873 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]874
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]875 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]876}
877#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
878
879/*
880 * AES-ECB block decryption
881 */
882#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]883int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
884 const unsigned char input[16],
885 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]886{
887 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]888 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]889 struct
890 {
891 uint32_t X[4];
892 uint32_t Y[4];
893 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]894
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]895 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
896 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
897 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
898 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]899
900 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
901 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]902 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
903 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]904 }
905
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]906 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]907
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]908 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]909 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
910 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
911 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
912 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]913
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]914 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]915 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
916 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
917 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
918 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]919
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]920 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]921 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
922 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
923 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
924 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]925
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]926 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]927 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
928 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
929 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
930 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]931
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]932 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
933 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
934 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
935 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]936
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]937 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]938
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]939 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]940}
941#endif /* !MBEDTLS_AES_DECRYPT_ALT */
942
943/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]944 * AES-ECB block encryption/decryption
945 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]946int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]947 int mode,
948 const unsigned char input[16],
949 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]950{
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame^]951 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
952 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]953
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]954#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]955 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]956 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]957#endif
958
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]959#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]960 if( aes_padlock_ace > 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]961 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]962 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]963 return( 0 );
964
965 // If padlock data misaligned, we just fall back to
966 // unaccelerated mode
967 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]968 }
969#endif
970
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]971 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]972 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]973 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]974 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]975}
976
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]977#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]978/*
979 * AES-CBC buffer encryption/decryption
980 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]981int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]983 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]984 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]985 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]986 unsigned char *output )
987{
988 int i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]989 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]990 unsigned char temp[16];
991
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame^]992 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
993 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]994
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]995 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]996 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]997
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]998#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]999 if( aes_padlock_ace > 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1000 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1001 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1002 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1003
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1004 // If padlock data misaligned, we just fall back to
1005 // unaccelerated mode
1006 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007 }
1008#endif
1009
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1010 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1011 {
1012 while( length > 0 )
1013 {
1014 memcpy( temp, input, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1015 ret = mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1016 if( ret != 0 )
1017 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1018
1019 for( i = 0; i < 16; i++ )
1020 output[i] = (unsigned char)( output[i] ^ iv[i] );
1021
1022 memcpy( iv, temp, 16 );
1023
1024 input += 16;
1025 output += 16;
1026 length -= 16;
1027 }
1028 }
1029 else
1030 {
1031 while( length > 0 )
1032 {
1033 for( i = 0; i < 16; i++ )
1034 output[i] = (unsigned char)( input[i] ^ iv[i] );
1035
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1036 ret = mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1037 if( ret != 0 )
1038 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039 memcpy( iv, output, 16 );
1040
1041 input += 16;
1042 output += 16;
1043 length -= 16;
1044 }
1045 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1046 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1047
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1048exit:
1049 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1050}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1051#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1052
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1053#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1054
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1055typedef unsigned char mbedtls_be128[16];
1056
1057/*
1058 * GF(2^128) multiplication function
1059 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1060 * This function multiplies a field element by x in the polynomial field
1061 * representation. It uses 64-bit word operations to gain speed but compensates
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1062 * for machine endianness and hence works correctly on both big and little
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1063 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1064 */
1065static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1066 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1067{
1068 uint64_t a, b, ra, rb;
1069
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1070 a = MBEDTLS_GET_UINT64_LE( x, 0 );
1071 b = MBEDTLS_GET_UINT64_LE( x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1072
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1073 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1074 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1075
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1076 MBEDTLS_PUT_UINT64_LE( ra, r, 0 );
1077 MBEDTLS_PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1078}
1079
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1080/*
1081 * AES-XTS buffer encryption/decryption
1082 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1083int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1084 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1085 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1086 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1087 const unsigned char *input,
1088 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1089{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1090 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1091 size_t blocks = length / 16;
1092 size_t leftover = length % 16;
1093 unsigned char tweak[16];
1094 unsigned char prev_tweak[16];
1095 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1096
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame^]1097 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1098 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1099
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1100 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1101 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1102 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1103
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1104 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1105 if( length > ( 1 << 20 ) * 16 )
1106 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1107
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1108 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1109 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1110 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1111 if( ret != 0 )
1112 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1113
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1114 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1115 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1116 size_t i;
1117
1118 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1119 {
1120 /* We are on the last block in a decrypt operation that has
1121 * leftover bytes, so we need to use the next tweak for this block,
1122 * and this tweak for the lefover bytes. Save the current tweak for
1123 * the leftovers and then update the current tweak for use on this,
1124 * the last full block. */
1125 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1126 mbedtls_gf128mul_x_ble( tweak, tweak );
1127 }
1128
1129 for( i = 0; i < 16; i++ )
1130 tmp[i] = input[i] ^ tweak[i];
1131
1132 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1133 if( ret != 0 )
1134 return( ret );
1135
1136 for( i = 0; i < 16; i++ )
1137 output[i] = tmp[i] ^ tweak[i];
1138
1139 /* Update the tweak for the next block. */
1140 mbedtls_gf128mul_x_ble( tweak, tweak );
1141
1142 output += 16;
1143 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1144 }
1145
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1146 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1147 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1148 /* If we are on the leftover bytes in a decrypt operation, we need to
1149 * use the previous tweak for these bytes (as saved in prev_tweak). */
1150 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1151
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1152 /* We are now on the final part of the data unit, which doesn't divide
1153 * evenly by 16. It's time for ciphertext stealing. */
1154 size_t i;
1155 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1156
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1157 /* Copy ciphertext bytes from the previous block to our output for each
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1158 * byte of ciphertext we won't steal. At the same time, copy the
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1159 * remainder of the input for this final round (since the loop bounds
1160 * are the same). */
1161 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1162 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1163 output[i] = prev_output[i];
1164 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1165 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1166
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1167 /* Copy ciphertext bytes from the previous block for input in this
1168 * round. */
1169 for( ; i < 16; i++ )
1170 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1171
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1172 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1173 if( ret != 0 )
1174 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1175
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1176 /* Write the result back to the previous block, overriding the previous
1177 * output we copied. */
1178 for( i = 0; i < 16; i++ )
1179 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1180 }
1181
1182 return( 0 );
1183}
1184#endif /* MBEDTLS_CIPHER_MODE_XTS */
1185
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1186#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1187/*
1188 * AES-CFB128 buffer encryption/decryption
1189 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1190int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1191 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1192 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1193 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1194 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1195 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1196 unsigned char *output )
1197{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1198 int c;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1199 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1200 size_t n;
1201
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame^]1202 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1203 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1204
1205 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1206
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1207 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1208 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1209
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1210 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1211 {
1212 while( length-- )
1213 {
1214 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1215 {
1216 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1217 if( ret != 0 )
1218 goto exit;
1219 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1220
1221 c = *input++;
1222 *output++ = (unsigned char)( c ^ iv[n] );
1223 iv[n] = (unsigned char) c;
1224
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1225 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1226 }
1227 }
1228 else
1229 {
1230 while( length-- )
1231 {
1232 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1233 {
1234 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1235 if( ret != 0 )
1236 goto exit;
1237 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1238
1239 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1240
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1241 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1242 }
1243 }
1244
1245 *iv_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1246 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1247
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1248exit:
1249 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1250}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1251
1252/*
1253 * AES-CFB8 buffer encryption/decryption
1254 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1255int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1256 int mode,
1257 size_t length,
1258 unsigned char iv[16],
1259 const unsigned char *input,
1260 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1261{
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1262 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1263 unsigned char c;
1264 unsigned char ov[17];
1265
Tuvshinzaya Erdenekhuua8ef1562022-08-05 15:31:57 +0100[diff] [blame^]1266 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1267 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1268 while( length-- )
1269 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1270 memcpy( ov, iv, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1271 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1272 if( ret != 0 )
1273 goto exit;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1274
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1275 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1276 ov[16] = *input;
1277
1278 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1279
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1280 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1281 ov[16] = c;
1282
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1283 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1284 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1285 ret = 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1286
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1287exit:
1288 return( ret );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1289}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1290#endif /* MBEDTLS_CIPHER_MODE_CFB */
1291
1292#if defined(MBEDTLS_CIPHER_MODE_OFB)
1293/*
1294 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1295 */
1296int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1297 size_t length,
1298 size_t *iv_off,
1299 unsigned char iv[16],
1300 const unsigned char *input,
1301 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1302{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1303 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1304 size_t n;
1305
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1306 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1307
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1308 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1309 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1310
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1311 while( length-- )
1312 {
1313 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1314 {
1315 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1316 if( ret != 0 )
1317 goto exit;
1318 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1319 *output++ = *input++ ^ iv[n];
1320
1321 n = ( n + 1 ) & 0x0F;
1322 }
1323
1324 *iv_off = n;
1325
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1326exit:
1327 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1328}
1329#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1330
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1331#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1332/*
1333 * AES-CTR buffer encryption/decryption
1334 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1335int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1336 size_t length,
1337 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1338 unsigned char nonce_counter[16],
1339 unsigned char stream_block[16],
1340 const unsigned char *input,
1341 unsigned char *output )
1342{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1343 int c, i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1344 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1345 size_t n;
1346
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1347 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1348
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1349 if ( n > 0x0F )
1350 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1351
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1352 while( length-- )
1353 {
1354 if( n == 0 ) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1355 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1356 if( ret != 0 )
1357 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1358
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1359 for( i = 16; i > 0; i-- )
1360 if( ++nonce_counter[i - 1] != 0 )
1361 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1362 }
1363 c = *input++;
1364 *output++ = (unsigned char)( c ^ stream_block[n] );
1365
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1366 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1367 }
1368
1369 *nc_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1370 ret = 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1371
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1372exit:
1373 return( ret );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1374}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1375#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1376
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1377#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1378
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1379#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1380/*
1381 * AES test vectors from:
1382 *
1383 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1384 */
1385static const unsigned char aes_test_ecb_dec[3][16] =
1386{
1387 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1388 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1389 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1390 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1391 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1392 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1393};
1394
1395static const unsigned char aes_test_ecb_enc[3][16] =
1396{
1397 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1398 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1399 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1400 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1401 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1402 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1403};
1404
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1405#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1406static const unsigned char aes_test_cbc_dec[3][16] =
1407{
1408 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1409 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1410 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1411 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1412 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1413 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1414};
1415
1416static const unsigned char aes_test_cbc_enc[3][16] =
1417{
1418 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1419 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1420 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1421 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1422 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1423 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1424};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1425#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1426
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1427#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1428/*
1429 * AES-CFB128 test vectors from:
1430 *
1431 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1432 */
1433static const unsigned char aes_test_cfb128_key[3][32] =
1434{
1435 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1436 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1437 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1438 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1439 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1440 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1441 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1442 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1443 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1444};
1445
1446static const unsigned char aes_test_cfb128_iv[16] =
1447{
1448 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1449 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1450};
1451
1452static const unsigned char aes_test_cfb128_pt[64] =
1453{
1454 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1455 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1456 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1457 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1458 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1459 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1460 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1461 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1462};
1463
1464static const unsigned char aes_test_cfb128_ct[3][64] =
1465{
1466 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1467 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1468 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1469 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1470 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1471 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1472 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1473 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1474 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1475 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1476 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1477 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1478 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1479 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1480 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1481 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1482 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1483 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1484 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1485 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1486 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1487 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1488 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1489 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1490};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1492
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1493#if defined(MBEDTLS_CIPHER_MODE_OFB)
1494/*
1495 * AES-OFB test vectors from:
1496 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1497 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1498 */
1499static const unsigned char aes_test_ofb_key[3][32] =
1500{
1501 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1502 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1503 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1504 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1505 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1506 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1507 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1508 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1509 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1510};
1511
1512static const unsigned char aes_test_ofb_iv[16] =
1513{
1514 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1515 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1516};
1517
1518static const unsigned char aes_test_ofb_pt[64] =
1519{
1520 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1521 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1522 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1523 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1524 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1525 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1526 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1527 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1528};
1529
1530static const unsigned char aes_test_ofb_ct[3][64] =
1531{
1532 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1533 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1534 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1535 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1536 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1537 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1538 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1539 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1540 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1541 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1542 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1543 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1544 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1545 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1546 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1547 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1548 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1549 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1550 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1551 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1552 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1553 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1554 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1555 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1556};
1557#endif /* MBEDTLS_CIPHER_MODE_OFB */
1558
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1559#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1560/*
1561 * AES-CTR test vectors from:
1562 *
1563 * http://www.faqs.org/rfcs/rfc3686.html
1564 */
1565
1566static const unsigned char aes_test_ctr_key[3][16] =
1567{
1568 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1569 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1570 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1571 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1572 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1573 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1574};
1575
1576static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1577{
1578 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1580 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1581 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1582 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1583 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1584};
1585
1586static const unsigned char aes_test_ctr_pt[3][48] =
1587{
1588 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1589 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1590
1591 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1592 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1593 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1594 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1595
1596 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1597 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1598 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1599 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1600 0x20, 0x21, 0x22, 0x23 }
1601};
1602
1603static const unsigned char aes_test_ctr_ct[3][48] =
1604{
1605 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1606 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1607 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1608 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1609 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1610 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1611 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1612 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1613 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1614 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1615 0x25, 0xB2, 0x07, 0x2F }
1616};
1617
1618static const int aes_test_ctr_len[3] =
1619 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1620#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1621
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1622#if defined(MBEDTLS_CIPHER_MODE_XTS)
1623/*
1624 * AES-XTS test vectors from:
1625 *
1626 * IEEE P1619/D16 Annex B
1627 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1628 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1629 */
1630static const unsigned char aes_test_xts_key[][32] =
1631{
1632 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1633 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1636 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1637 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1638 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1639 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1640 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1641 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1642 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1643 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1644};
1645
1646static const unsigned char aes_test_xts_pt32[][32] =
1647{
1648 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1649 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1650 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1651 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1652 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1653 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1654 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1655 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1656 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1657 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1658 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1659 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1660};
1661
1662static const unsigned char aes_test_xts_ct32[][32] =
1663{
1664 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1665 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1666 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1667 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1668 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1669 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1670 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1671 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1672 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1673 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1674 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1675 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1676};
1677
1678static const unsigned char aes_test_xts_data_unit[][16] =
1679{
1680 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1681 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1682 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1683 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1684 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1686};
1687
1688#endif /* MBEDTLS_CIPHER_MODE_XTS */
1689
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690/*
1691 * Checkup routine
1692 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1693int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1694{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1695 int ret = 0, i, j, u, mode;
1696 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1697 unsigned char key[32];
1698 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1699 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1700#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1701 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1702#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1703#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1704 unsigned char prv[16];
1705#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1706#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1707 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1708 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1709#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1710#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1711 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1712#endif
1713#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1714 unsigned char nonce_counter[16];
1715 unsigned char stream_block[16];
1716#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1717 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1718
1719 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1720 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1721
1722 /*
1723 * ECB mode
1724 */
1725 for( i = 0; i < 6; i++ )
1726 {
1727 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1728 keybits = 128 + u * 64;
1729 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1730
1731 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1732 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1733 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1734
1735 memset( buf, 0, 16 );
1736
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1737 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1738 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1739 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1740 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1741 }
1742 else
1743 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1744 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1745 aes_tests = aes_test_ecb_enc[u];
1746 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1748 /*
1749 * AES-192 is an optional feature that may be unavailable when
1750 * there is an alternative underlying implementation i.e. when
1751 * MBEDTLS_AES_ALT is defined.
1752 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1753 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1754 {
1755 mbedtls_printf( "skipped\n" );
1756 continue;
1757 }
1758 else if( ret != 0 )
1759 {
1760 goto exit;
1761 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1762
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1763 for( j = 0; j < 10000; j++ )
1764 {
1765 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1766 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1767 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1768 }
1769
1770 if( memcmp( buf, aes_tests, 16 ) != 0 )
1771 {
1772 ret = 1;
1773 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1774 }
1775
1776 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1777 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1778 }
1779
1780 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1781 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1782
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1783#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1784 /*
1785 * CBC mode
1786 */
1787 for( i = 0; i < 6; i++ )
1788 {
1789 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1790 keybits = 128 + u * 64;
1791 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1792
1793 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1794 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1795 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1796
1797 memset( iv , 0, 16 );
1798 memset( prv, 0, 16 );
1799 memset( buf, 0, 16 );
1800
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1801 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1802 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1803 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1804 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1805 }
1806 else
1807 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1808 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1809 aes_tests = aes_test_cbc_enc[u];
1810 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1812 /*
1813 * AES-192 is an optional feature that may be unavailable when
1814 * there is an alternative underlying implementation i.e. when
1815 * MBEDTLS_AES_ALT is defined.
1816 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1817 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1818 {
1819 mbedtls_printf( "skipped\n" );
1820 continue;
1821 }
1822 else if( ret != 0 )
1823 {
1824 goto exit;
1825 }
1826
1827 for( j = 0; j < 10000; j++ )
1828 {
1829 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1830 {
1831 unsigned char tmp[16];
1832
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833 memcpy( tmp, prv, 16 );
1834 memcpy( prv, buf, 16 );
1835 memcpy( buf, tmp, 16 );
1836 }
1837
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1838 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1839 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1840 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1841
1842 }
1843
1844 if( memcmp( buf, aes_tests, 16 ) != 0 )
1845 {
1846 ret = 1;
1847 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1848 }
1849
1850 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1851 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852 }
1853
1854 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1855 mbedtls_printf( "\n" );
1856#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859 /*
1860 * CFB128 mode
1861 */
1862 for( i = 0; i < 6; i++ )
1863 {
1864 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1865 keybits = 128 + u * 64;
1866 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1867
1868 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1869 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1870 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1871
1872 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1873 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1874
1875 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1876 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1877 /*
1878 * AES-192 is an optional feature that may be unavailable when
1879 * there is an alternative underlying implementation i.e. when
1880 * MBEDTLS_AES_ALT is defined.
1881 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1882 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1883 {
1884 mbedtls_printf( "skipped\n" );
1885 continue;
1886 }
1887 else if( ret != 0 )
1888 {
1889 goto exit;
1890 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1891
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1892 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1893 {
1894 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1895 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896 }
1897 else
1898 {
1899 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1900 aes_tests = aes_test_cfb128_ct[u];
1901 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1902
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1903 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1904 if( ret != 0 )
1905 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1906
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1907 if( memcmp( buf, aes_tests, 64 ) != 0 )
1908 {
1909 ret = 1;
1910 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1911 }
1912
1913 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1914 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1915 }
1916
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1917 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1918 mbedtls_printf( "\n" );
1919#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1920
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1921#if defined(MBEDTLS_CIPHER_MODE_OFB)
1922 /*
1923 * OFB mode
1924 */
1925 for( i = 0; i < 6; i++ )
1926 {
1927 u = i >> 1;
1928 keybits = 128 + u * 64;
1929 mode = i & 1;
1930
1931 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1932 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1933 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1934
1935 memcpy( iv, aes_test_ofb_iv, 16 );
1936 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1937
1938 offset = 0;
1939 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1940 /*
1941 * AES-192 is an optional feature that may be unavailable when
1942 * there is an alternative underlying implementation i.e. when
1943 * MBEDTLS_AES_ALT is defined.
1944 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1945 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1946 {
1947 mbedtls_printf( "skipped\n" );
1948 continue;
1949 }
1950 else if( ret != 0 )
1951 {
1952 goto exit;
1953 }
1954
1955 if( mode == MBEDTLS_AES_DECRYPT )
1956 {
1957 memcpy( buf, aes_test_ofb_ct[u], 64 );
1958 aes_tests = aes_test_ofb_pt;
1959 }
1960 else
1961 {
1962 memcpy( buf, aes_test_ofb_pt, 64 );
1963 aes_tests = aes_test_ofb_ct[u];
1964 }
1965
1966 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1967 if( ret != 0 )
1968 goto exit;
1969
1970 if( memcmp( buf, aes_tests, 64 ) != 0 )
1971 {
1972 ret = 1;
1973 goto exit;
1974 }
1975
1976 if( verbose != 0 )
1977 mbedtls_printf( "passed\n" );
1978 }
1979
1980 if( verbose != 0 )
1981 mbedtls_printf( "\n" );
1982#endif /* MBEDTLS_CIPHER_MODE_OFB */
1983
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1984#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1985 /*
1986 * CTR mode
1987 */
1988 for( i = 0; i < 6; i++ )
1989 {
1990 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1991 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1992
1993 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1994 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1995 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1996
1997 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1998 memcpy( key, aes_test_ctr_key[u], 16 );
1999
2000 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2001 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2002 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2003
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2004 len = aes_test_ctr_len[u];
2005
2006 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2007 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2008 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2009 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2010 }
2011 else
2012 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2013 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2014 aes_tests = aes_test_ctr_ct[u];
2015 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2016
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2017 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2018 stream_block, buf, buf );
2019 if( ret != 0 )
2020 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2021
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2022 if( memcmp( buf, aes_tests, len ) != 0 )
2023 {
2024 ret = 1;
2025 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2026 }
2027
2028 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2029 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2030 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031
2032 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2033 mbedtls_printf( "\n" );
2034#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2035
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2036#if defined(MBEDTLS_CIPHER_MODE_XTS)
2037 {
2038 static const int num_tests =
2039 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2040 mbedtls_aes_xts_context ctx_xts;
2041
2042 /*
2043 * XTS mode
2044 */
2045 mbedtls_aes_xts_init( &ctx_xts );
2046
2047 for( i = 0; i < num_tests << 1; i++ )
2048 {
2049 const unsigned char *data_unit;
2050 u = i >> 1;
2051 mode = i & 1;
2052
2053 if( verbose != 0 )
2054 mbedtls_printf( " AES-XTS-128 (%s): ",
2055 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2056
2057 memset( key, 0, sizeof( key ) );
2058 memcpy( key, aes_test_xts_key[u], 32 );
2059 data_unit = aes_test_xts_data_unit[u];
2060
2061 len = sizeof( *aes_test_xts_ct32 );
2062
2063 if( mode == MBEDTLS_AES_DECRYPT )
2064 {
2065 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2066 if( ret != 0)
2067 goto exit;
2068 memcpy( buf, aes_test_xts_ct32[u], len );
2069 aes_tests = aes_test_xts_pt32[u];
2070 }
2071 else
2072 {
2073 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2074 if( ret != 0)
2075 goto exit;
2076 memcpy( buf, aes_test_xts_pt32[u], len );
2077 aes_tests = aes_test_xts_ct32[u];
2078 }
2079
2080
2081 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2082 buf, buf );
2083 if( ret != 0 )
2084 goto exit;
2085
2086 if( memcmp( buf, aes_tests, len ) != 0 )
2087 {
2088 ret = 1;
2089 goto exit;
2090 }
2091
2092 if( verbose != 0 )
2093 mbedtls_printf( "passed\n" );
2094 }
2095
2096 if( verbose != 0 )
2097 mbedtls_printf( "\n" );
2098
2099 mbedtls_aes_xts_free( &ctx_xts );
2100 }
2101#endif /* MBEDTLS_CIPHER_MODE_XTS */
2102
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2103 ret = 0;
2104
2105exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2106 if( ret != 0 && verbose != 0 )
2107 mbedtls_printf( "failed\n" );
2108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2109 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2110
2111 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2112}
2113
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2114#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2115
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2116#endif /* MBEDTLS_AES_C */