TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 5706e920a465d187ba3fe428417b195276aa4da0 / . / library / aes.c
blob: 7b5e2c663583af25b6ab71cbbf72d8ccddffbf4e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti44bfbe32020-08-19 16:54:51 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkúti4e9f7122020-06-05 13:02:18 +0200[diff] [blame]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45 */
46/*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]54#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]55#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]61#include <string.h>
62
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]63#include "mbedtls/aes.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]64#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]65#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]66#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]67#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]68#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]69#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]71#if defined(MBEDTLS_SELF_TEST)
72#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]73#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]74#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]75#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]76#define mbedtls_printf printf
77#endif /* MBEDTLS_PLATFORM_C */
78#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]79
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]80#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]81
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]82/* Implementation that should never be optimized out by the compiler */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]83static void mbedtls_zeroize( void *v, size_t n ) {
Simon Butcher88ffc082016-05-20 00:00:37 +0100[diff] [blame]84 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
Paul Bakker34617722014-06-13 17:20:13 +0200[diff] [blame]85}
86
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]87/*
88 * 32-bit integer manipulation macros (little endian)
89 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]90#ifndef GET_UINT32_LE
91#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]92{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]93 (n) = ( (uint32_t) (b)[(i) ] ) \
94 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
95 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
96 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]97}
98#endif
99
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]100#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]101#define PUT_UINT32_LE(n,b,i) \
102{ \
103 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
104 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
105 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
106 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]107}
108#endif
109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]110#if defined(MBEDTLS_PADLOCK_C) && \
111 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]112static int aes_padlock_ace = -1;
113#endif
114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]115#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]116/*
117 * Forward S-box
118 */
119static const unsigned char FSb[256] =
120{
121 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
122 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
123 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
124 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
125 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
126 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
127 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
128 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
129 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
130 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
131 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
132 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
133 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
134 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
135 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
136 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
137 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
138 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
139 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
140 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
141 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
142 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
143 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
144 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
145 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
146 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
147 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
148 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
149 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
150 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
151 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
152 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
153};
154
155/*
156 * Forward tables
157 */
158#define FT \
159\
160 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
161 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
162 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
163 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
164 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
165 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
166 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
167 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
168 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
169 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
170 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
171 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
172 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
173 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
174 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
175 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
176 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
177 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
178 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
179 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
180 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
181 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
182 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
183 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
184 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
185 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
186 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
187 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
188 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
189 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
190 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
191 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
192 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
193 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
194 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
195 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
196 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
197 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
198 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
199 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
200 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
201 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
202 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
203 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
204 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
205 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
206 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
207 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
208 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
209 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
210 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
211 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
212 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
213 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
214 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
215 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
216 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
217 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
218 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
219 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
220 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
221 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
222 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
223 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
224
225#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]226static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]227#undef V
228
229#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]230static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]231#undef V
232
233#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]234static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]235#undef V
236
237#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]238static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]239#undef V
240
241#undef FT
242
243/*
244 * Reverse S-box
245 */
246static const unsigned char RSb[256] =
247{
248 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
249 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
250 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
251 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
252 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
253 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
254 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
255 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
256 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
257 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
258 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
259 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
260 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
261 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
262 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
263 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
264 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
265 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
266 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
267 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
268 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
269 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
270 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
271 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
272 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
273 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
274 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
275 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
276 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
277 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
278 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
279 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
280};
281
282/*
283 * Reverse tables
284 */
285#define RT \
286\
287 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
288 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
289 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
290 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
291 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
292 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
293 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
294 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
295 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
296 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
297 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
298 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
299 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
300 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
301 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
302 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
303 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
304 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
305 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
306 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
307 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
308 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
309 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
310 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
311 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
312 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
313 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
314 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
315 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
316 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
317 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
318 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
319 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
320 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
321 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
322 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
323 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
324 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
325 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
326 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
327 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
328 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
329 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
330 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
331 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
332 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
333 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
334 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
335 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
336 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
337 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
338 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
339 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
340 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
341 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
342 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
343 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
344 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
345 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
346 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
347 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
348 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
349 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
350 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
351
352#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef V
355
356#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]357static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#undef V
359
360#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]361static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362#undef V
363
364#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]365static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366#undef V
367
368#undef RT
369
370/*
371 * Round constants
372 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]373static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]374{
375 0x00000001, 0x00000002, 0x00000004, 0x00000008,
376 0x00000010, 0x00000020, 0x00000040, 0x00000080,
377 0x0000001B, 0x00000036
378};
379
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]380#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]381
382/*
383 * Forward S-box & tables
384 */
385static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]386static uint32_t FT0[256];
387static uint32_t FT1[256];
388static uint32_t FT2[256];
389static uint32_t FT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390
391/*
392 * Reverse S-box & tables
393 */
394static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]395static uint32_t RT0[256];
396static uint32_t RT1[256];
397static uint32_t RT2[256];
398static uint32_t RT3[256];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]399
400/*
401 * Round constants
402 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]403static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]404
405/*
406 * Tables generation code
407 */
408#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
409#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
410#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
411
412static int aes_init_done = 0;
413
414static void aes_gen_tables( void )
415{
416 int i, x, y, z;
417 int pow[256];
418 int log[256];
419
420 /*
421 * compute pow and log tables over GF(2^8)
422 */
423 for( i = 0, x = 1; i < 256; i++ )
424 {
425 pow[i] = x;
426 log[x] = i;
427 x = ( x ^ XTIME( x ) ) & 0xFF;
428 }
429
430 /*
431 * calculate the round constants
432 */
433 for( i = 0, x = 1; i < 10; i++ )
434 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]435 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 x = XTIME( x ) & 0xFF;
437 }
438
439 /*
440 * generate the forward and reverse S-boxes
441 */
442 FSb[0x00] = 0x63;
443 RSb[0x63] = 0x00;
444
445 for( i = 1; i < 256; i++ )
446 {
447 x = pow[255 - log[i]];
448
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]449 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
450 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
451 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
452 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453 x ^= y ^ 0x63;
454
455 FSb[i] = (unsigned char) x;
456 RSb[x] = (unsigned char) i;
457 }
458
459 /*
460 * generate the forward and reverse tables
461 */
462 for( i = 0; i < 256; i++ )
463 {
464 x = FSb[i];
465 y = XTIME( x ) & 0xFF;
466 z = ( y ^ x ) & 0xFF;
467
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]468 FT0[i] = ( (uint32_t) y ) ^
469 ( (uint32_t) x << 8 ) ^
470 ( (uint32_t) x << 16 ) ^
471 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
473 FT1[i] = ROTL8( FT0[i] );
474 FT2[i] = ROTL8( FT1[i] );
475 FT3[i] = ROTL8( FT2[i] );
476
477 x = RSb[i];
478
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]479 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
480 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
481 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
482 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]483
484 RT1[i] = ROTL8( RT0[i] );
485 RT2[i] = ROTL8( RT1[i] );
486 RT3[i] = ROTL8( RT2[i] );
487 }
488}
489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]490#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]491
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]492void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]493{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]494 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]495}
496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]497void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]498{
499 if( ctx == NULL )
500 return;
501
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]502 mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]503}
504
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505/*
506 * AES key schedule (encryption)
507 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]508#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]509int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]510 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]511{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]512 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]513 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]515#if !defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]516 if( aes_init_done == 0 )
517 {
518 aes_gen_tables();
519 aes_init_done = 1;
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]520
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]521 }
522#endif
523
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]524 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]525 {
526 case 128: ctx->nr = 10; break;
527 case 192: ctx->nr = 12; break;
528 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]529 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]530 }
531
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]532#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]533 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]534 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]535
536 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]537 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]538 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]539#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]540 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]541
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]542#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]543 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]544 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]545#endif
546
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]547 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]548 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]549 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]550 }
551
552 switch( ctx->nr )
553 {
554 case 10:
555
556 for( i = 0; i < 10; i++, RK += 4 )
557 {
558 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]559 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
560 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
561 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
562 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]563
564 RK[5] = RK[1] ^ RK[4];
565 RK[6] = RK[2] ^ RK[5];
566 RK[7] = RK[3] ^ RK[6];
567 }
568 break;
569
570 case 12:
571
572 for( i = 0; i < 8; i++, RK += 6 )
573 {
574 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]575 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
576 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
577 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
578 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]579
580 RK[7] = RK[1] ^ RK[6];
581 RK[8] = RK[2] ^ RK[7];
582 RK[9] = RK[3] ^ RK[8];
583 RK[10] = RK[4] ^ RK[9];
584 RK[11] = RK[5] ^ RK[10];
585 }
586 break;
587
588 case 14:
589
590 for( i = 0; i < 7; i++, RK += 8 )
591 {
592 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]593 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
594 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
595 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
596 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597
598 RK[9] = RK[1] ^ RK[8];
599 RK[10] = RK[2] ^ RK[9];
600 RK[11] = RK[3] ^ RK[10];
601
602 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]603 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
604 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
605 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
606 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607
608 RK[13] = RK[5] ^ RK[12];
609 RK[14] = RK[6] ^ RK[13];
610 RK[15] = RK[7] ^ RK[14];
611 }
612 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]614
615 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]616}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]617#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618
619/*
620 * AES key schedule (decryption)
621 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]622#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]623int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]624 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]625{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]626 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]627 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]628 uint32_t *RK;
629 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]630
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]631 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]633#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]634 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]635 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]636
637 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]638 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]639 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]641 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]643 /* Also checks keybits */
644 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]645 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]646
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]647 ctx->nr = cty.nr;
648
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]649#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]650 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]651 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]652 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]653 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]654 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]655 }
656#endif
657
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658 SK = cty.rk + cty.nr * 4;
659
660 *RK++ = *SK++;
661 *RK++ = *SK++;
662 *RK++ = *SK++;
663 *RK++ = *SK++;
664
665 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
666 {
667 for( j = 0; j < 4; j++, SK++ )
668 {
669 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
670 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
671 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
672 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
673 }
674 }
675
676 *RK++ = *SK++;
677 *RK++ = *SK++;
678 *RK++ = *SK++;
679 *RK++ = *SK++;
680
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]681exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]682 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]683
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]684 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]686#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687
688#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
689{ \
690 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
691 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
692 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
693 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
694 \
695 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
696 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
697 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
698 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
699 \
700 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
701 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
702 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
703 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
704 \
705 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
706 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
707 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
708 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
709}
710
711#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
712{ \
713 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
714 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
715 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
716 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
717 \
718 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
719 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
720 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
721 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
722 \
723 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
724 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
725 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
726 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
727 \
728 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
729 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
730 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
731 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
732}
733
734/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]735 * AES-ECB block encryption
736 */
737#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]738int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
739 const unsigned char input[16],
740 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]741{
742 int i;
743 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
744
745 RK = ctx->rk;
746
747 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
748 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
749 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
750 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
751
752 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
753 {
754 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
755 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
756 }
757
758 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
759
760 X0 = *RK++ ^ \
761 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
762 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
763 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
764 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
765
766 X1 = *RK++ ^ \
767 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
768 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
769 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
770 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
771
772 X2 = *RK++ ^ \
773 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
774 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
775 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
776 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
777
778 X3 = *RK++ ^ \
779 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
780 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
781 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
782 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
783
784 PUT_UINT32_LE( X0, output, 0 );
785 PUT_UINT32_LE( X1, output, 4 );
786 PUT_UINT32_LE( X2, output, 8 );
787 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]788
Andrzej Kurek07597362019-11-12 03:23:51 -0500[diff] [blame]789 mbedtls_zeroize( &X0, sizeof( X0 ) );
790 mbedtls_zeroize( &X1, sizeof( X1 ) );
791 mbedtls_zeroize( &X2, sizeof( X2 ) );
792 mbedtls_zeroize( &X3, sizeof( X3 ) );
793
794 mbedtls_zeroize( &Y0, sizeof( Y0 ) );
795 mbedtls_zeroize( &Y1, sizeof( Y1 ) );
796 mbedtls_zeroize( &Y2, sizeof( Y2 ) );
797 mbedtls_zeroize( &Y3, sizeof( Y3 ) );
798
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]799 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]800}
801#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
802
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]803#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]804void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
805 const unsigned char input[16],
806 unsigned char output[16] )
807{
808 mbedtls_internal_aes_encrypt( ctx, input, output );
809}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]810#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]811
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]812/*
813 * AES-ECB block decryption
814 */
815#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]816int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
817 const unsigned char input[16],
818 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]819{
820 int i;
821 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
822
823 RK = ctx->rk;
824
825 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
826 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
827 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
828 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
829
830 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
831 {
832 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
833 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
834 }
835
836 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
837
838 X0 = *RK++ ^ \
839 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
840 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
841 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
842 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
843
844 X1 = *RK++ ^ \
845 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
846 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
847 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
848 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
849
850 X2 = *RK++ ^ \
851 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
852 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
853 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
854 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
855
856 X3 = *RK++ ^ \
857 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
858 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
859 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
860 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
861
862 PUT_UINT32_LE( X0, output, 0 );
863 PUT_UINT32_LE( X1, output, 4 );
864 PUT_UINT32_LE( X2, output, 8 );
865 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]866
Andrzej Kurek07597362019-11-12 03:23:51 -0500[diff] [blame]867 mbedtls_zeroize( &X0, sizeof( X0 ) );
868 mbedtls_zeroize( &X1, sizeof( X1 ) );
869 mbedtls_zeroize( &X2, sizeof( X2 ) );
870 mbedtls_zeroize( &X3, sizeof( X3 ) );
871
872 mbedtls_zeroize( &Y0, sizeof( Y0 ) );
873 mbedtls_zeroize( &Y1, sizeof( Y1 ) );
874 mbedtls_zeroize( &Y2, sizeof( Y2 ) );
875 mbedtls_zeroize( &Y3, sizeof( Y3 ) );
876
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]877 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]878}
879#endif /* !MBEDTLS_AES_DECRYPT_ALT */
880
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]881#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]882void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
883 const unsigned char input[16],
884 unsigned char output[16] )
885{
886 mbedtls_internal_aes_decrypt( ctx, input, output );
887}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]888#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]889
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]890/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]891 * AES-ECB block encryption/decryption
892 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]893int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]894 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]895 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]896 unsigned char output[16] )
897{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]898#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]899 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]900 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]901#endif
902
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]903#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]904 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]905 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]906 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]907 return( 0 );
908
909 // If padlock data misaligned, we just fall back to
910 // unaccelerated mode
911 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]912 }
913#endif
914
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]915 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]916 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]917 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]918 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]919}
920
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]921#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]922/*
923 * AES-CBC buffer encryption/decryption
924 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]925int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]926 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]927 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]928 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]929 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]930 unsigned char *output )
931{
932 int i;
933 unsigned char temp[16];
934
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]935 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]936 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]937
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]938#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]939 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]940 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]941 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]942 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]943
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]944 // If padlock data misaligned, we just fall back to
945 // unaccelerated mode
946 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]947 }
948#endif
949
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]950 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]951 {
952 while( length > 0 )
953 {
954 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]955 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]956
957 for( i = 0; i < 16; i++ )
958 output[i] = (unsigned char)( output[i] ^ iv[i] );
959
960 memcpy( iv, temp, 16 );
961
962 input += 16;
963 output += 16;
964 length -= 16;
965 }
966 }
967 else
968 {
969 while( length > 0 )
970 {
971 for( i = 0; i < 16; i++ )
972 output[i] = (unsigned char)( input[i] ^ iv[i] );
973
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]974 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]975 memcpy( iv, output, 16 );
976
977 input += 16;
978 output += 16;
979 length -= 16;
980 }
981 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]982
983 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]984}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]985#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]986
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]987#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]988/*
989 * AES-CFB128 buffer encryption/decryption
990 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]991int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]993 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]994 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]995 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]996 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]997 unsigned char *output )
998{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]999 int c;
1000 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1003 {
1004 while( length-- )
1005 {
1006 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1007 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1008
1009 c = *input++;
1010 *output++ = (unsigned char)( c ^ iv[n] );
1011 iv[n] = (unsigned char) c;
1012
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1013 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1014 }
1015 }
1016 else
1017 {
1018 while( length-- )
1019 {
1020 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1021 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1022
1023 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1024
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1025 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1026 }
1027 }
1028
1029 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1030
1031 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1032}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1033
1034/*
1035 * AES-CFB8 buffer encryption/decryption
1036 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1038 int mode,
1039 size_t length,
1040 unsigned char iv[16],
1041 const unsigned char *input,
1042 unsigned char *output )
1043{
1044 unsigned char c;
1045 unsigned char ov[17];
1046
1047 while( length-- )
1048 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1049 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1050 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1051
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1053 ov[16] = *input;
1054
1055 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1056
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1057 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1058 ov[16] = c;
1059
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1060 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1061 }
1062
1063 return( 0 );
1064}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1065#endif /*MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1066
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1068/*
1069 * AES-CTR buffer encryption/decryption
1070 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1071int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1072 size_t length,
1073 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1074 unsigned char nonce_counter[16],
1075 unsigned char stream_block[16],
1076 const unsigned char *input,
1077 unsigned char *output )
1078{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1079 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1080 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1081
1082 while( length-- )
1083 {
1084 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1086
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1087 for( i = 16; i > 0; i-- )
1088 if( ++nonce_counter[i - 1] != 0 )
1089 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1090 }
1091 c = *input++;
1092 *output++ = (unsigned char)( c ^ stream_block[n] );
1093
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1094 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1095 }
1096
1097 *nc_off = n;
1098
1099 return( 0 );
1100}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1101#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1103#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1104
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1105#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1106/*
1107 * AES test vectors from:
1108 *
1109 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1110 */
1111static const unsigned char aes_test_ecb_dec[3][16] =
1112{
1113 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1114 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1115 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1116 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1117 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1118 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1119};
1120
1121static const unsigned char aes_test_ecb_enc[3][16] =
1122{
1123 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1124 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1125 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1126 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1127 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1128 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1129};
1130
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1131#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1132static const unsigned char aes_test_cbc_dec[3][16] =
1133{
1134 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1135 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1136 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1137 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1138 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1139 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1140};
1141
1142static const unsigned char aes_test_cbc_enc[3][16] =
1143{
1144 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1145 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1146 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1147 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1148 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1149 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1150};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1151#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1152
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1153#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1154/*
1155 * AES-CFB128 test vectors from:
1156 *
1157 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1158 */
1159static const unsigned char aes_test_cfb128_key[3][32] =
1160{
1161 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1162 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1163 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1164 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1165 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1166 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1167 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1168 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1169 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1170};
1171
1172static const unsigned char aes_test_cfb128_iv[16] =
1173{
1174 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1175 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1176};
1177
1178static const unsigned char aes_test_cfb128_pt[64] =
1179{
1180 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1181 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1182 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1183 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1184 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1185 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1186 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1187 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1188};
1189
1190static const unsigned char aes_test_cfb128_ct[3][64] =
1191{
1192 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1193 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1194 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1195 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1196 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1197 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1198 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1199 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1200 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1201 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1202 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1203 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1204 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1205 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1206 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1207 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1208 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1209 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1210 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1211 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1212 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1213 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1214 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1215 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1216};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1217#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1218
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1219#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1220/*
1221 * AES-CTR test vectors from:
1222 *
1223 * http://www.faqs.org/rfcs/rfc3686.html
1224 */
1225
1226static const unsigned char aes_test_ctr_key[3][16] =
1227{
1228 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1229 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1230 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1231 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1232 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1233 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1234};
1235
1236static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1237{
1238 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1239 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1240 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1241 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1242 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1243 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1244};
1245
1246static const unsigned char aes_test_ctr_pt[3][48] =
1247{
1248 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1249 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1250
1251 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1252 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1253 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1254 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1255
1256 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1257 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1258 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1259 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1260 0x20, 0x21, 0x22, 0x23 }
1261};
1262
1263static const unsigned char aes_test_ctr_ct[3][48] =
1264{
1265 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1266 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1267 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1268 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1269 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1270 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1271 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1272 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1273 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1274 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1275 0x25, 0xB2, 0x07, 0x2F }
1276};
1277
1278static const int aes_test_ctr_len[3] =
1279 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1280#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1281
1282/*
1283 * Checkup routine
1284 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1285int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1287 int ret = 0, i, j, u, mode;
1288 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289 unsigned char key[32];
1290 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1291 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1292#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1294#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1295#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1296 unsigned char prv[16];
1297#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1298#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1299 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1300#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1301#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1302 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1303 unsigned char nonce_counter[16];
1304 unsigned char stream_block[16];
1305#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1306 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307
1308 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1309 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1310
1311 /*
1312 * ECB mode
1313 */
1314 for( i = 0; i < 6; i++ )
1315 {
1316 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1317 keybits = 128 + u * 64;
1318 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1319
1320 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1321 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1322 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323
1324 memset( buf, 0, 16 );
1325
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1326 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1327 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1328 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1329 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1330 }
1331 else
1332 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1333 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1334 aes_tests = aes_test_ecb_enc[u];
1335 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1337 /*
1338 * AES-192 is an optional feature that may be unavailable when
1339 * there is an alternative underlying implementation i.e. when
1340 * MBEDTLS_AES_ALT is defined.
1341 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1342 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1343 {
1344 mbedtls_printf( "skipped\n" );
1345 continue;
1346 }
1347 else if( ret != 0 )
1348 {
1349 goto exit;
1350 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1351
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1352 for( j = 0; j < 10000; j++ )
1353 {
1354 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1355 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1356 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1357 }
1358
1359 if( memcmp( buf, aes_tests, 16 ) != 0 )
1360 {
1361 ret = 1;
1362 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1363 }
1364
1365 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1366 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1367 }
1368
1369 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1370 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1371
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1372#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1373 /*
1374 * CBC mode
1375 */
1376 for( i = 0; i < 6; i++ )
1377 {
1378 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1379 keybits = 128 + u * 64;
1380 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1381
1382 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1383 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1384 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1385
1386 memset( iv , 0, 16 );
1387 memset( prv, 0, 16 );
1388 memset( buf, 0, 16 );
1389
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1390 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1391 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1392 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1393 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1394 }
1395 else
1396 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1397 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1398 aes_tests = aes_test_cbc_enc[u];
1399 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1400
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1401 /*
1402 * AES-192 is an optional feature that may be unavailable when
1403 * there is an alternative underlying implementation i.e. when
1404 * MBEDTLS_AES_ALT is defined.
1405 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1406 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1407 {
1408 mbedtls_printf( "skipped\n" );
1409 continue;
1410 }
1411 else if( ret != 0 )
1412 {
1413 goto exit;
1414 }
1415
1416 for( j = 0; j < 10000; j++ )
1417 {
1418 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1419 {
1420 unsigned char tmp[16];
1421
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1422 memcpy( tmp, prv, 16 );
1423 memcpy( prv, buf, 16 );
1424 memcpy( buf, tmp, 16 );
1425 }
1426
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1427 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1428 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1429 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1430
1431 }
1432
1433 if( memcmp( buf, aes_tests, 16 ) != 0 )
1434 {
1435 ret = 1;
1436 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1437 }
1438
1439 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1440 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1441 }
1442
1443 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1444 mbedtls_printf( "\n" );
1445#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1446
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1447#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1448 /*
1449 * CFB128 mode
1450 */
1451 for( i = 0; i < 6; i++ )
1452 {
1453 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1454 keybits = 128 + u * 64;
1455 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1456
1457 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1458 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1459 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1460
1461 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1462 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1463
1464 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1465 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1466 /*
1467 * AES-192 is an optional feature that may be unavailable when
1468 * there is an alternative underlying implementation i.e. when
1469 * MBEDTLS_AES_ALT is defined.
1470 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1471 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1472 {
1473 mbedtls_printf( "skipped\n" );
1474 continue;
1475 }
1476 else if( ret != 0 )
1477 {
1478 goto exit;
1479 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1480
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1481 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1482 {
1483 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1484 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1485 }
1486 else
1487 {
1488 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1489 aes_tests = aes_test_cfb128_ct[u];
1490 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1491
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1492 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1493 if( ret != 0 )
1494 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1495
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1496 if( memcmp( buf, aes_tests, 64 ) != 0 )
1497 {
1498 ret = 1;
1499 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1500 }
1501
1502 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1503 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1504 }
1505
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1506 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1507 mbedtls_printf( "\n" );
1508#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1509
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1510#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1511 /*
1512 * CTR mode
1513 */
1514 for( i = 0; i < 6; i++ )
1515 {
1516 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1517 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1518
1519 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1520 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1521 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1522
1523 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1524 memcpy( key, aes_test_ctr_key[u], 16 );
1525
1526 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1527 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1528 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1529
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1530 len = aes_test_ctr_len[u];
1531
1532 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1533 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1534 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1535 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1536 }
1537 else
1538 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1539 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1540 aes_tests = aes_test_ctr_ct[u];
1541 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1542
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1543 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1544 stream_block, buf, buf );
1545 if( ret != 0 )
1546 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1547
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1548 if( memcmp( buf, aes_tests, len ) != 0 )
1549 {
1550 ret = 1;
1551 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1552 }
1553
1554 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1555 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1556 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1557
1558 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1559 mbedtls_printf( "\n" );
1560#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1561
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1562 ret = 0;
1563
1564exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1565 if( ret != 0 && verbose != 0 )
1566 mbedtls_printf( "failed\n" );
1567
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1568 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1569
1570 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1571}
1572
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1573#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1574
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1575#endif /* MBEDTLS_AES_C */