TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / af0c6cb9e0ad58b61b7ceae4cfe1994ce3612311 / . / library / aes.c
blob: cc1e5ceb4d2aa9fc544ae8182732d42c1a65c8bc [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
225/*
226 * Reverse S-box
227 */
228static const unsigned char RSb[256] =
229{
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262};
263
264/*
265 * Reverse tables
266 */
267#define RT \
268\
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
333
334#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]335static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336#undef V
337
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]338#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]339
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]341static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342#undef V
343
344#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346#undef V
347
348#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350#undef V
351
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]352#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]353
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef RT
355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360{
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
364};
365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368/*
369 * Forward S-box & tables
370 */
371static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]372static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]373#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]374static uint32_t FT1[256];
375static uint32_t FT2[256];
376static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378
379/*
380 * Reverse S-box & tables
381 */
382static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]383static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]384#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]385static uint32_t RT1[256];
386static uint32_t RT2[256];
387static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]388#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Round constants
392 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]393static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394
395/*
396 * Tables generation code
397 */
398#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
399#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
400#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
401
402static int aes_init_done = 0;
403
404static void aes_gen_tables( void )
405{
406 int i, x, y, z;
407 int pow[256];
408 int log[256];
409
410 /*
411 * compute pow and log tables over GF(2^8)
412 */
413 for( i = 0, x = 1; i < 256; i++ )
414 {
415 pow[i] = x;
416 log[x] = i;
417 x = ( x ^ XTIME( x ) ) & 0xFF;
418 }
419
420 /*
421 * calculate the round constants
422 */
423 for( i = 0, x = 1; i < 10; i++ )
424 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]425 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426 x = XTIME( x ) & 0xFF;
427 }
428
429 /*
430 * generate the forward and reverse S-boxes
431 */
432 FSb[0x00] = 0x63;
433 RSb[0x63] = 0x00;
434
435 for( i = 1; i < 256; i++ )
436 {
437 x = pow[255 - log[i]];
438
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 x ^= y ^ 0x63;
444
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
447 }
448
449 /*
450 * generate the forward and reverse tables
451 */
452 for( i = 0; i < 256; i++ )
453 {
454 x = FSb[i];
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
457
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]463#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]467#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469 x = RSb[i];
470
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]476#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]480#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 }
482}
483
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484#undef ROTL8
485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
490#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
493
494#define AES_RT0(idx) RT0[idx]
495#define AES_RT1(idx) ROTL8( RT0[idx] )
496#define AES_RT2(idx) ROTL16( RT0[idx] )
497#define AES_RT3(idx) ROTL24( RT0[idx] )
498
499#define AES_FT0(idx) FT0[idx]
500#define AES_FT1(idx) ROTL8( FT0[idx] )
501#define AES_FT2(idx) ROTL16( FT0[idx] )
502#define AES_FT3(idx) ROTL24( FT0[idx] )
503
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]504#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) RT1[idx]
508#define AES_RT2(idx) RT2[idx]
509#define AES_RT3(idx) RT3[idx]
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) FT1[idx]
513#define AES_FT2(idx) FT2[idx]
514#define AES_FT3(idx) FT3[idx]
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]518void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]519{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]520 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523}
524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526{
527 if( ctx == NULL )
528 return;
529
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531}
532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533#if defined(MBEDTLS_CIPHER_MODE_XTS)
534void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
535{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]536 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
540}
541
542void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
543{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]544 if( ctx == NULL )
545 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]547 mbedtls_aes_free( &ctx->crypt );
548 mbedtls_aes_free( &ctx->tweak );
549}
550#endif /* MBEDTLS_CIPHER_MODE_XTS */
551
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552/*
553 * AES key schedule (encryption)
554 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]555#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]557 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]559 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]560 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]562 AES_VALIDATE_RET( ctx != NULL );
563 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]565 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 {
567 case 128: ctx->nr = 10; break;
568 case 192: ctx->nr = 12; break;
569 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 }
572
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573#if !defined(MBEDTLS_AES_ROM_TABLES)
574 if( aes_init_done == 0 )
575 {
576 aes_gen_tables();
577 aes_init_done = 1;
578
579 }
580#endif
581
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]582#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]583 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]584 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585
586 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]587 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]588 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]590 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]592#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]593 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]594 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]595#endif
596
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]597 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]599 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600 }
601
602 switch( ctx->nr )
603 {
604 case 10:
605
606 for( i = 0; i < 10; i++, RK += 4 )
607 {
608 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]609 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
611 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
612 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613
614 RK[5] = RK[1] ^ RK[4];
615 RK[6] = RK[2] ^ RK[5];
616 RK[7] = RK[3] ^ RK[6];
617 }
618 break;
619
620 case 12:
621
622 for( i = 0; i < 8; i++, RK += 6 )
623 {
624 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]625 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
627 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
628 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629
630 RK[7] = RK[1] ^ RK[6];
631 RK[8] = RK[2] ^ RK[7];
632 RK[9] = RK[3] ^ RK[8];
633 RK[10] = RK[4] ^ RK[9];
634 RK[11] = RK[5] ^ RK[10];
635 }
636 break;
637
638 case 14:
639
640 for( i = 0; i < 7; i++, RK += 8 )
641 {
642 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]643 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
645 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
646 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]647
648 RK[9] = RK[1] ^ RK[8];
649 RK[10] = RK[2] ^ RK[9];
650 RK[11] = RK[3] ^ RK[10];
651
652 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]653 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
656 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657
658 RK[13] = RK[5] ^ RK[12];
659 RK[14] = RK[6] ^ RK[13];
660 RK[15] = RK[7] ^ RK[14];
661 }
662 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]664
665 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]667#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668
669/*
670 * AES key schedule (decryption)
671 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]672#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]674 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]676 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]677 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]678 uint32_t *RK;
679 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]680
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]681 AES_VALIDATE_RET( ctx != NULL );
682 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]684 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]687 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]688 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]689
690 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]692 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]694 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]696 /* Also checks keybits */
697 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]698 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]699
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]700 ctx->nr = cty.nr;
701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]703 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]704 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]705 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]706 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]707 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]708 }
709#endif
710
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711 SK = cty.rk + cty.nr * 4;
712
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716 *RK++ = *SK++;
717
718 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
719 {
720 for( j = 0; j < 4; j++, SK++ )
721 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]722 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
723 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
724 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
725 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726 }
727 }
728
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732 *RK++ = *SK++;
733
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]734exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]735 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]736
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]737 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]738}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]739
740#if defined(MBEDTLS_CIPHER_MODE_XTS)
741static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
742 unsigned int keybits,
743 const unsigned char **key1,
744 unsigned int *key1bits,
745 const unsigned char **key2,
746 unsigned int *key2bits )
747{
748 const unsigned int half_keybits = keybits / 2;
749 const unsigned int half_keybytes = half_keybits / 8;
750
751 switch( keybits )
752 {
753 case 256: break;
754 case 512: break;
755 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
756 }
757
758 *key1bits = half_keybits;
759 *key2bits = half_keybits;
760 *key1 = &key[0];
761 *key2 = &key[half_keybytes];
762
763 return 0;
764}
765
766int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
767 const unsigned char *key,
768 unsigned int keybits)
769{
770 int ret;
771 const unsigned char *key1, *key2;
772 unsigned int key1bits, key2bits;
773
774 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
775 &key2, &key2bits );
776 if( ret != 0 )
777 return( ret );
778
779 /* Set the tweak key. Always set tweak key for the encryption mode. */
780 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
781 if( ret != 0 )
782 return( ret );
783
784 /* Set crypt key for encryption. */
785 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
786}
787
788int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
789 const unsigned char *key,
790 unsigned int keybits)
791{
792 int ret;
793 const unsigned char *key1, *key2;
794 unsigned int key1bits, key2bits;
795
796 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
797 &key2, &key2bits );
798 if( ret != 0 )
799 return( ret );
800
801 /* Set the tweak key. Always set tweak key for encryption. */
802 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set crypt key for decryption. */
807 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
808}
809#endif /* MBEDTLS_CIPHER_MODE_XTS */
810
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]811#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]813#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
814{ \
815 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
816 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
817 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
818 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
819 \
820 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
821 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
822 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
823 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
824 \
825 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
826 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
827 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
828 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
829 \
830 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
831 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
832 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
833 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]834}
835
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]836#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
837{ \
838 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
839 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
840 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
841 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
842 \
843 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
844 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
845 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
846 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
847 \
848 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
849 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
850 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
851 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
852 \
853 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
854 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
855 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
856 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]857}
858
859/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]860 * AES-ECB block encryption
861 */
862#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]863int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
864 const unsigned char input[16],
865 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]866{
867 int i;
868 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
869
870 RK = ctx->rk;
871
872 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
873 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
874 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
875 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
876
877 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
878 {
879 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
880 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
881 }
882
883 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
884
885 X0 = *RK++ ^ \
886 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
887 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
888 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
889 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
890
891 X1 = *RK++ ^ \
892 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
893 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
894 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
895 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
896
897 X2 = *RK++ ^ \
898 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
899 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
900 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
901 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
902
903 X3 = *RK++ ^ \
904 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
905 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
906 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
907 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
908
909 PUT_UINT32_LE( X0, output, 0 );
910 PUT_UINT32_LE( X1, output, 4 );
911 PUT_UINT32_LE( X2, output, 8 );
912 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]913
914 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]915}
916#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
917
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]918#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]919void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
920 const unsigned char input[16],
921 unsigned char output[16] )
922{
923 mbedtls_internal_aes_encrypt( ctx, input, output );
924}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]925#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]926
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]927/*
928 * AES-ECB block decryption
929 */
930#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]931int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
932 const unsigned char input[16],
933 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]934{
935 int i;
936 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
937
938 RK = ctx->rk;
939
940 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
941 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
942 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
943 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
944
945 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
946 {
947 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
948 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
949 }
950
951 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
952
953 X0 = *RK++ ^ \
954 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
955 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
956 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
957 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
958
959 X1 = *RK++ ^ \
960 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
961 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
962 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
963 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
964
965 X2 = *RK++ ^ \
966 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
967 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
968 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
969 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
970
971 X3 = *RK++ ^ \
972 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
973 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
974 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
975 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
976
977 PUT_UINT32_LE( X0, output, 0 );
978 PUT_UINT32_LE( X1, output, 4 );
979 PUT_UINT32_LE( X2, output, 8 );
980 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]981
982 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]983}
984#endif /* !MBEDTLS_AES_DECRYPT_ALT */
985
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]986#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]987void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
988 const unsigned char input[16],
989 unsigned char output[16] )
990{
991 mbedtls_internal_aes_decrypt( ctx, input, output );
992}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]993#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]994
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]995/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]996 * AES-ECB block encryption/decryption
997 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]998int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]999 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1000 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001 unsigned char output[16] )
1002{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1003#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1004 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1005 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1006#endif
1007
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1008#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1009 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1010 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1011 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1012 return( 0 );
1013
1014 // If padlock data misaligned, we just fall back to
1015 // unaccelerated mode
1016 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1017 }
1018#endif
1019
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1020 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1021 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1022 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1023 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024}
1025
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1026#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1027/*
1028 * AES-CBC buffer encryption/decryption
1029 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1030int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1031 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1032 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1033 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1034 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1035 unsigned char *output )
1036{
1037 int i;
1038 unsigned char temp[16];
1039
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1040 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1042
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1044 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1046 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1047 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1048
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1049 // If padlock data misaligned, we just fall back to
1050 // unaccelerated mode
1051 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1052 }
1053#endif
1054
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1055 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1056 {
1057 while( length > 0 )
1058 {
1059 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1060 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1061
1062 for( i = 0; i < 16; i++ )
1063 output[i] = (unsigned char)( output[i] ^ iv[i] );
1064
1065 memcpy( iv, temp, 16 );
1066
1067 input += 16;
1068 output += 16;
1069 length -= 16;
1070 }
1071 }
1072 else
1073 {
1074 while( length > 0 )
1075 {
1076 for( i = 0; i < 16; i++ )
1077 output[i] = (unsigned char)( input[i] ^ iv[i] );
1078
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1079 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1080 memcpy( iv, output, 16 );
1081
1082 input += 16;
1083 output += 16;
1084 length -= 16;
1085 }
1086 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1087
1088 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1090#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1091
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1092#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1093
1094/* Endianess with 64 bits values */
1095#ifndef GET_UINT64_LE
1096#define GET_UINT64_LE(n,b,i) \
1097{ \
1098 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1099 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1100 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1101 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1102 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1103 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1104 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1105 | ( (uint64_t) (b)[(i) ] ); \
1106}
1107#endif
1108
1109#ifndef PUT_UINT64_LE
1110#define PUT_UINT64_LE(n,b,i) \
1111{ \
1112 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1113 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1114 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1115 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1116 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1117 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1118 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1119 (b)[(i) ] = (unsigned char) ( (n) ); \
1120}
1121#endif
1122
1123typedef unsigned char mbedtls_be128[16];
1124
1125/*
1126 * GF(2^128) multiplication function
1127 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1128 * This function multiplies a field element by x in the polynomial field
1129 * representation. It uses 64-bit word operations to gain speed but compensates
1130 * for machine endianess and hence works correctly on both big and little
1131 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1132 */
1133static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1134 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1135{
1136 uint64_t a, b, ra, rb;
1137
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1138 GET_UINT64_LE( a, x, 0 );
1139 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1140
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1141 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1142 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1143
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1144 PUT_UINT64_LE( ra, r, 0 );
1145 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1146}
1147
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1148/*
1149 * AES-XTS buffer encryption/decryption
1150 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1151int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1152 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1153 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1154 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1155 const unsigned char *input,
1156 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1157{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1158 int ret;
1159 size_t blocks = length / 16;
1160 size_t leftover = length % 16;
1161 unsigned char tweak[16];
1162 unsigned char prev_tweak[16];
1163 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1164
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1165 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1166 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1167 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1168
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1169 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1170 if( length > ( 1 << 20 ) * 16 )
1171 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1172
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1173 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1174 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1175 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1176 if( ret != 0 )
1177 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1178
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1179 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1180 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1181 size_t i;
1182
1183 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1184 {
1185 /* We are on the last block in a decrypt operation that has
1186 * leftover bytes, so we need to use the next tweak for this block,
1187 * and this tweak for the lefover bytes. Save the current tweak for
1188 * the leftovers and then update the current tweak for use on this,
1189 * the last full block. */
1190 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1191 mbedtls_gf128mul_x_ble( tweak, tweak );
1192 }
1193
1194 for( i = 0; i < 16; i++ )
1195 tmp[i] = input[i] ^ tweak[i];
1196
1197 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1198 if( ret != 0 )
1199 return( ret );
1200
1201 for( i = 0; i < 16; i++ )
1202 output[i] = tmp[i] ^ tweak[i];
1203
1204 /* Update the tweak for the next block. */
1205 mbedtls_gf128mul_x_ble( tweak, tweak );
1206
1207 output += 16;
1208 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1209 }
1210
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1211 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1212 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1213 /* If we are on the leftover bytes in a decrypt operation, we need to
1214 * use the previous tweak for these bytes (as saved in prev_tweak). */
1215 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1216
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1217 /* We are now on the final part of the data unit, which doesn't divide
1218 * evenly by 16. It's time for ciphertext stealing. */
1219 size_t i;
1220 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1221
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1222 /* Copy ciphertext bytes from the previous block to our output for each
1223 * byte of cyphertext we won't steal. At the same time, copy the
1224 * remainder of the input for this final round (since the loop bounds
1225 * are the same). */
1226 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1227 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1228 output[i] = prev_output[i];
1229 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1230 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1231
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1232 /* Copy ciphertext bytes from the previous block for input in this
1233 * round. */
1234 for( ; i < 16; i++ )
1235 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1236
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1237 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1238 if( ret != 0 )
1239 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1240
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1241 /* Write the result back to the previous block, overriding the previous
1242 * output we copied. */
1243 for( i = 0; i < 16; i++ )
1244 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1245 }
1246
1247 return( 0 );
1248}
1249#endif /* MBEDTLS_CIPHER_MODE_XTS */
1250
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1251#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1252/*
1253 * AES-CFB128 buffer encryption/decryption
1254 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1255int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1256 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1257 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1258 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1259 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1260 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1261 unsigned char *output )
1262{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1263 int c;
1264 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1265
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1266 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1267 {
1268 while( length-- )
1269 {
1270 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1271 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1272
1273 c = *input++;
1274 *output++ = (unsigned char)( c ^ iv[n] );
1275 iv[n] = (unsigned char) c;
1276
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1277 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1278 }
1279 }
1280 else
1281 {
1282 while( length-- )
1283 {
1284 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1285 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286
1287 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1288
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1289 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1290 }
1291 }
1292
1293 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1294
1295 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1296}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1297
1298/*
1299 * AES-CFB8 buffer encryption/decryption
1300 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1301int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1302 int mode,
1303 size_t length,
1304 unsigned char iv[16],
1305 const unsigned char *input,
1306 unsigned char *output )
1307{
1308 unsigned char c;
1309 unsigned char ov[17];
1310
1311 while( length-- )
1312 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1313 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1314 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1315
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1316 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1317 ov[16] = *input;
1318
1319 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1320
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1321 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1322 ov[16] = c;
1323
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1324 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1325 }
1326
1327 return( 0 );
1328}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1329#endif /* MBEDTLS_CIPHER_MODE_CFB */
1330
1331#if defined(MBEDTLS_CIPHER_MODE_OFB)
1332/*
1333 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1334 */
1335int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1336 size_t length,
1337 size_t *iv_off,
1338 unsigned char iv[16],
1339 const unsigned char *input,
1340 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1341{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1342 int ret = 0;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1343 size_t n = *iv_off;
1344
1345 while( length-- )
1346 {
1347 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1348 {
1349 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1350 if( ret != 0 )
1351 goto exit;
1352 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1353 *output++ = *input++ ^ iv[n];
1354
1355 n = ( n + 1 ) & 0x0F;
1356 }
1357
1358 *iv_off = n;
1359
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1360exit:
1361 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1362}
1363#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1364
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1365#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1366/*
1367 * AES-CTR buffer encryption/decryption
1368 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1369int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1370 size_t length,
1371 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1372 unsigned char nonce_counter[16],
1373 unsigned char stream_block[16],
1374 const unsigned char *input,
1375 unsigned char *output )
1376{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1377 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1378 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1379
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1380 if ( n > 0x0F )
1381 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1382
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1383 while( length-- )
1384 {
1385 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1386 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1387
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1388 for( i = 16; i > 0; i-- )
1389 if( ++nonce_counter[i - 1] != 0 )
1390 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1391 }
1392 c = *input++;
1393 *output++ = (unsigned char)( c ^ stream_block[n] );
1394
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1395 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1396 }
1397
1398 *nc_off = n;
1399
1400 return( 0 );
1401}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1402#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1403
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1404#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1405
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1406#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1407/*
1408 * AES test vectors from:
1409 *
1410 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1411 */
1412static const unsigned char aes_test_ecb_dec[3][16] =
1413{
1414 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1415 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1416 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1417 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1418 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1419 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1420};
1421
1422static const unsigned char aes_test_ecb_enc[3][16] =
1423{
1424 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1425 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1426 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1427 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1428 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1429 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1430};
1431
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1432#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1433static const unsigned char aes_test_cbc_dec[3][16] =
1434{
1435 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1436 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1437 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1438 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1439 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1440 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1441};
1442
1443static const unsigned char aes_test_cbc_enc[3][16] =
1444{
1445 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1446 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1447 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1448 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1449 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1450 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1451};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1452#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1453
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1454#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1455/*
1456 * AES-CFB128 test vectors from:
1457 *
1458 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1459 */
1460static const unsigned char aes_test_cfb128_key[3][32] =
1461{
1462 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1463 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1464 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1465 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1466 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1467 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1468 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1469 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1470 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1471};
1472
1473static const unsigned char aes_test_cfb128_iv[16] =
1474{
1475 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1476 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1477};
1478
1479static const unsigned char aes_test_cfb128_pt[64] =
1480{
1481 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1482 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1483 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1484 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1485 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1486 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1487 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1488 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1489};
1490
1491static const unsigned char aes_test_cfb128_ct[3][64] =
1492{
1493 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1494 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1495 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1496 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1497 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1498 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1499 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1500 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1501 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1502 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1503 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1504 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1505 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1506 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1507 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1508 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1509 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1510 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1511 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1512 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1513 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1514 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1515 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1516 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1517};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1518#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1519
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1520#if defined(MBEDTLS_CIPHER_MODE_OFB)
1521/*
1522 * AES-OFB test vectors from:
1523 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1524 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1525 */
1526static const unsigned char aes_test_ofb_key[3][32] =
1527{
1528 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1529 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1530 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1531 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1532 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1533 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1534 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1535 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1536 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1537};
1538
1539static const unsigned char aes_test_ofb_iv[16] =
1540{
1541 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1542 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1543};
1544
1545static const unsigned char aes_test_ofb_pt[64] =
1546{
1547 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1548 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1549 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1550 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1551 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1552 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1553 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1554 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1555};
1556
1557static const unsigned char aes_test_ofb_ct[3][64] =
1558{
1559 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1560 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1561 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1562 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1563 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1564 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1565 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1566 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1567 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1568 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1569 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1570 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1571 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1572 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1573 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1574 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1575 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1576 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1577 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1578 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1579 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1580 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1581 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1582 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1583};
1584#endif /* MBEDTLS_CIPHER_MODE_OFB */
1585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1586#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1587/*
1588 * AES-CTR test vectors from:
1589 *
1590 * http://www.faqs.org/rfcs/rfc3686.html
1591 */
1592
1593static const unsigned char aes_test_ctr_key[3][16] =
1594{
1595 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1596 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1597 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1598 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1599 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1600 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1601};
1602
1603static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1604{
1605 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1606 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1607 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1608 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1609 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1610 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1611};
1612
1613static const unsigned char aes_test_ctr_pt[3][48] =
1614{
1615 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1616 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1617
1618 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1619 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1620 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1621 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1622
1623 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1624 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1625 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1626 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1627 0x20, 0x21, 0x22, 0x23 }
1628};
1629
1630static const unsigned char aes_test_ctr_ct[3][48] =
1631{
1632 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1633 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1634 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1635 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1636 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1637 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1638 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1639 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1640 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1641 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1642 0x25, 0xB2, 0x07, 0x2F }
1643};
1644
1645static const int aes_test_ctr_len[3] =
1646 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1647#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1648
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1649#if defined(MBEDTLS_CIPHER_MODE_XTS)
1650/*
1651 * AES-XTS test vectors from:
1652 *
1653 * IEEE P1619/D16 Annex B
1654 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1655 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1656 */
1657static const unsigned char aes_test_xts_key[][32] =
1658{
1659 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1660 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1661 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1662 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1663 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1664 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1665 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1666 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1667 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1668 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1669 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1670 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1671};
1672
1673static const unsigned char aes_test_xts_pt32[][32] =
1674{
1675 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1676 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1677 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1679 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1680 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1681 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1682 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1683 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1684 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1685 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1686 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1687};
1688
1689static const unsigned char aes_test_xts_ct32[][32] =
1690{
1691 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1692 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1693 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1694 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1695 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1696 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1697 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1698 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1699 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1700 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1701 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1702 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1703};
1704
1705static const unsigned char aes_test_xts_data_unit[][16] =
1706{
1707 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1709 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1710 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1711 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1713};
1714
1715#endif /* MBEDTLS_CIPHER_MODE_XTS */
1716
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1717/*
1718 * Checkup routine
1719 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1720int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1721{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1722 int ret = 0, i, j, u, mode;
1723 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1724 unsigned char key[32];
1725 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1726 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1727#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1728 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1729#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1730#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1731 unsigned char prv[16];
1732#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1733#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1734 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1735 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1736#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1737#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1738 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1739#endif
1740#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1741 unsigned char nonce_counter[16];
1742 unsigned char stream_block[16];
1743#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1744 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1745
1746 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1747 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1748
1749 /*
1750 * ECB mode
1751 */
1752 for( i = 0; i < 6; i++ )
1753 {
1754 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1755 keybits = 128 + u * 64;
1756 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1757
1758 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1759 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1760 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1761
1762 memset( buf, 0, 16 );
1763
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1764 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1765 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1766 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1767 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1768 }
1769 else
1770 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1771 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1772 aes_tests = aes_test_ecb_enc[u];
1773 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1774
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1775 /*
1776 * AES-192 is an optional feature that may be unavailable when
1777 * there is an alternative underlying implementation i.e. when
1778 * MBEDTLS_AES_ALT is defined.
1779 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1780 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1781 {
1782 mbedtls_printf( "skipped\n" );
1783 continue;
1784 }
1785 else if( ret != 0 )
1786 {
1787 goto exit;
1788 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1789
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1790 for( j = 0; j < 10000; j++ )
1791 {
1792 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1793 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1794 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1795 }
1796
1797 if( memcmp( buf, aes_tests, 16 ) != 0 )
1798 {
1799 ret = 1;
1800 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1801 }
1802
1803 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1804 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1805 }
1806
1807 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1808 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1810#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811 /*
1812 * CBC mode
1813 */
1814 for( i = 0; i < 6; i++ )
1815 {
1816 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1817 keybits = 128 + u * 64;
1818 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819
1820 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1821 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1822 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1823
1824 memset( iv , 0, 16 );
1825 memset( prv, 0, 16 );
1826 memset( buf, 0, 16 );
1827
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1828 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1829 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1830 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1831 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832 }
1833 else
1834 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1835 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1836 aes_tests = aes_test_cbc_enc[u];
1837 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1838
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1839 /*
1840 * AES-192 is an optional feature that may be unavailable when
1841 * there is an alternative underlying implementation i.e. when
1842 * MBEDTLS_AES_ALT is defined.
1843 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1844 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1845 {
1846 mbedtls_printf( "skipped\n" );
1847 continue;
1848 }
1849 else if( ret != 0 )
1850 {
1851 goto exit;
1852 }
1853
1854 for( j = 0; j < 10000; j++ )
1855 {
1856 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857 {
1858 unsigned char tmp[16];
1859
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860 memcpy( tmp, prv, 16 );
1861 memcpy( prv, buf, 16 );
1862 memcpy( buf, tmp, 16 );
1863 }
1864
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1865 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1866 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1867 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1868
1869 }
1870
1871 if( memcmp( buf, aes_tests, 16 ) != 0 )
1872 {
1873 ret = 1;
1874 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1875 }
1876
1877 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1878 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1879 }
1880
1881 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1882 mbedtls_printf( "\n" );
1883#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1884
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1885#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886 /*
1887 * CFB128 mode
1888 */
1889 for( i = 0; i < 6; i++ )
1890 {
1891 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1892 keybits = 128 + u * 64;
1893 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1894
1895 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1896 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1897 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898
1899 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1900 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901
1902 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1903 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1904 /*
1905 * AES-192 is an optional feature that may be unavailable when
1906 * there is an alternative underlying implementation i.e. when
1907 * MBEDTLS_AES_ALT is defined.
1908 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1909 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1910 {
1911 mbedtls_printf( "skipped\n" );
1912 continue;
1913 }
1914 else if( ret != 0 )
1915 {
1916 goto exit;
1917 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1919 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1920 {
1921 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1922 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923 }
1924 else
1925 {
1926 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1927 aes_tests = aes_test_cfb128_ct[u];
1928 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1929
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1930 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1931 if( ret != 0 )
1932 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1933
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1934 if( memcmp( buf, aes_tests, 64 ) != 0 )
1935 {
1936 ret = 1;
1937 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1938 }
1939
1940 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1941 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1942 }
1943
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1944 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1945 mbedtls_printf( "\n" );
1946#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1947
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1948#if defined(MBEDTLS_CIPHER_MODE_OFB)
1949 /*
1950 * OFB mode
1951 */
1952 for( i = 0; i < 6; i++ )
1953 {
1954 u = i >> 1;
1955 keybits = 128 + u * 64;
1956 mode = i & 1;
1957
1958 if( verbose != 0 )
1959 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
1960 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1961
1962 memcpy( iv, aes_test_ofb_iv, 16 );
1963 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1964
1965 offset = 0;
1966 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1967 /*
1968 * AES-192 is an optional feature that may be unavailable when
1969 * there is an alternative underlying implementation i.e. when
1970 * MBEDTLS_AES_ALT is defined.
1971 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1972 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1973 {
1974 mbedtls_printf( "skipped\n" );
1975 continue;
1976 }
1977 else if( ret != 0 )
1978 {
1979 goto exit;
1980 }
1981
1982 if( mode == MBEDTLS_AES_DECRYPT )
1983 {
1984 memcpy( buf, aes_test_ofb_ct[u], 64 );
1985 aes_tests = aes_test_ofb_pt;
1986 }
1987 else
1988 {
1989 memcpy( buf, aes_test_ofb_pt, 64 );
1990 aes_tests = aes_test_ofb_ct[u];
1991 }
1992
1993 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1994 if( ret != 0 )
1995 goto exit;
1996
1997 if( memcmp( buf, aes_tests, 64 ) != 0 )
1998 {
1999 ret = 1;
2000 goto exit;
2001 }
2002
2003 if( verbose != 0 )
2004 mbedtls_printf( "passed\n" );
2005 }
2006
2007 if( verbose != 0 )
2008 mbedtls_printf( "\n" );
2009#endif /* MBEDTLS_CIPHER_MODE_OFB */
2010
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2011#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2012 /*
2013 * CTR mode
2014 */
2015 for( i = 0; i < 6; i++ )
2016 {
2017 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2018 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2019
2020 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2021 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2022 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2023
2024 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2025 memcpy( key, aes_test_ctr_key[u], 16 );
2026
2027 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2028 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2029 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2030
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2031 len = aes_test_ctr_len[u];
2032
2033 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2034 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2035 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2036 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2037 }
2038 else
2039 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2040 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2041 aes_tests = aes_test_ctr_ct[u];
2042 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2043
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2044 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2045 stream_block, buf, buf );
2046 if( ret != 0 )
2047 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2048
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2049 if( memcmp( buf, aes_tests, len ) != 0 )
2050 {
2051 ret = 1;
2052 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2053 }
2054
2055 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2056 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2057 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2058
2059 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2060 mbedtls_printf( "\n" );
2061#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2062
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2063#if defined(MBEDTLS_CIPHER_MODE_XTS)
2064 {
2065 static const int num_tests =
2066 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2067 mbedtls_aes_xts_context ctx_xts;
2068
2069 /*
2070 * XTS mode
2071 */
2072 mbedtls_aes_xts_init( &ctx_xts );
2073
2074 for( i = 0; i < num_tests << 1; i++ )
2075 {
2076 const unsigned char *data_unit;
2077 u = i >> 1;
2078 mode = i & 1;
2079
2080 if( verbose != 0 )
2081 mbedtls_printf( " AES-XTS-128 (%s): ",
2082 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2083
2084 memset( key, 0, sizeof( key ) );
2085 memcpy( key, aes_test_xts_key[u], 32 );
2086 data_unit = aes_test_xts_data_unit[u];
2087
2088 len = sizeof( *aes_test_xts_ct32 );
2089
2090 if( mode == MBEDTLS_AES_DECRYPT )
2091 {
2092 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2093 if( ret != 0)
2094 goto exit;
2095 memcpy( buf, aes_test_xts_ct32[u], len );
2096 aes_tests = aes_test_xts_pt32[u];
2097 }
2098 else
2099 {
2100 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2101 if( ret != 0)
2102 goto exit;
2103 memcpy( buf, aes_test_xts_pt32[u], len );
2104 aes_tests = aes_test_xts_ct32[u];
2105 }
2106
2107
2108 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2109 buf, buf );
2110 if( ret != 0 )
2111 goto exit;
2112
2113 if( memcmp( buf, aes_tests, len ) != 0 )
2114 {
2115 ret = 1;
2116 goto exit;
2117 }
2118
2119 if( verbose != 0 )
2120 mbedtls_printf( "passed\n" );
2121 }
2122
2123 if( verbose != 0 )
2124 mbedtls_printf( "\n" );
2125
2126 mbedtls_aes_xts_free( &ctx_xts );
2127 }
2128#endif /* MBEDTLS_CIPHER_MODE_XTS */
2129
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2130 ret = 0;
2131
2132exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2133 if( ret != 0 && verbose != 0 )
2134 mbedtls_printf( "failed\n" );
2135
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2136 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2137
2138 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2139}
2140
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2141#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2142
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2143#endif /* MBEDTLS_AES_C */