TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b2be92e2c7e9fd65895065cbf75cdaaec8bd81da / . / library / aes.c
blob: 76838480ba2d8cc6b6268131acb44c06f3dd351e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]225#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226/*
227 * Reverse S-box
228 */
229static const unsigned char RSb[256] =
230{
231 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
232 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
233 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
234 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
235 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
236 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
237 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
238 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
239 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
240 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
241 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
242 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
243 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
244 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
245 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
246 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
247 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
248 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
249 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
250 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
251 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
252 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
253 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
254 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
256 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
257 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
258 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
259 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
260 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
261 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
262 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
263};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]264#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]265
266/*
267 * Reverse tables
268 */
269#define RT \
270\
271 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
272 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
273 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
274 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
275 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
276 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
277 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
278 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
279 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
280 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
281 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
282 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
283 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
284 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
285 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
286 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
287 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
288 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
289 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
290 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
291 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
292 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
293 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
294 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
295 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
296 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
297 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
298 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
299 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
300 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
301 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
302 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
303 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
304 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
305 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
306 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
307 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
308 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
309 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
310 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
311 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
312 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
313 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
314 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
315 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
316 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
317 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
318 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
319 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
320 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
321 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
322 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
323 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
324 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
325 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
326 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
327 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
328 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
329 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
330 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
331 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
332 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
333 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
334 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
335
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]336#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]341#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]342
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345#undef V
346
347#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]348static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349#undef V
350
351#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]352static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353#undef V
354
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]355#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]356#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#undef RT
359
360/*
361 * Round constants
362 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364{
365 0x00000001, 0x00000002, 0x00000004, 0x00000008,
366 0x00000010, 0x00000020, 0x00000040, 0x00000080,
367 0x0000001B, 0x00000036
368};
369
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]370#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372/*
373 * Forward S-box & tables
374 */
375static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]376static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]377#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]378static uint32_t FT1[256];
379static uint32_t FT2[256];
380static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]381#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383/*
384 * Reverse S-box & tables
385 */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]386#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]389#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]390static uint32_t RT1[256];
391static uint32_t RT2[256];
392static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]393#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]394#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395
396/*
397 * Round constants
398 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]399static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]400
401/*
402 * Tables generation code
403 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]404#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
405#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]406#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]407
408static int aes_init_done = 0;
409
410static void aes_gen_tables( void )
411{
412 int i, x, y, z;
413 int pow[256];
414 int log[256];
415
416 /*
417 * compute pow and log tables over GF(2^8)
418 */
419 for( i = 0, x = 1; i < 256; i++ )
420 {
421 pow[i] = x;
422 log[x] = i;
423 x = ( x ^ XTIME( x ) ) & 0xFF;
424 }
425
426 /*
427 * calculate the round constants
428 */
429 for( i = 0, x = 1; i < 10; i++ )
430 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]431 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]432 x = XTIME( x ) & 0xFF;
433 }
434
435 /*
436 * generate the forward and reverse S-boxes
437 */
438 FSb[0x00] = 0x63;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]439#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 RSb[0x63] = 0x00;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]441#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442
443 for( i = 1; i < 256; i++ )
444 {
445 x = pow[255 - log[i]];
446
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]447 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
448 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
449 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
450 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451 x ^= y ^ 0x63;
452
453 FSb[i] = (unsigned char) x;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]454#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 RSb[x] = (unsigned char) i;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]456#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 }
458
459 /*
460 * generate the forward and reverse tables
461 */
462 for( i = 0; i < 256; i++ )
463 {
464 x = FSb[i];
465 y = XTIME( x ) & 0xFF;
466 z = ( y ^ x ) & 0xFF;
467
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]468 FT0[i] = ( (uint32_t) y ) ^
469 ( (uint32_t) x << 8 ) ^
470 ( (uint32_t) x << 16 ) ^
471 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]473#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 FT1[i] = ROTL8( FT0[i] );
475 FT2[i] = ROTL8( FT1[i] );
476 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]477#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]479#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480 x = RSb[i];
481
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]482 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
483 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
484 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
485 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]486
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]487#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]488 RT1[i] = ROTL8( RT0[i] );
489 RT2[i] = ROTL8( RT1[i] );
490 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]491#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]492#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493 }
494}
495
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]496#undef ROTL8
497
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]498#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]499
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]500#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]501
502#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
503#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
504#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) ROTL8( RT0[idx] )
508#define AES_RT2(idx) ROTL16( RT0[idx] )
509#define AES_RT3(idx) ROTL24( RT0[idx] )
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) ROTL8( FT0[idx] )
513#define AES_FT2(idx) ROTL16( FT0[idx] )
514#define AES_FT3(idx) ROTL24( FT0[idx] )
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
518#define AES_RT0(idx) RT0[idx]
519#define AES_RT1(idx) RT1[idx]
520#define AES_RT2(idx) RT2[idx]
521#define AES_RT3(idx) RT3[idx]
522
523#define AES_FT0(idx) FT0[idx]
524#define AES_FT1(idx) FT1[idx]
525#define AES_FT2(idx) FT2[idx]
526#define AES_FT3(idx) FT3[idx]
527
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]528#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]529
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]530#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
531/*
532 * SCA CM table position check
533 */
534#define SCA_CM_TBL_MATCH(tbl, n) ( tbl[0] == ( n ) || \
535 tbl[1] == ( n ) || \
536 tbl[2] == ( n ) )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]537
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]538/*
539 * SCA CM always true check
540 */
541#define SCA_CM_ALWAYS_TRUE(tbl, n) ( tbl[0] != ( n ) || \
542 tbl[1] != ( n ) || \
543 tbl[2] != tbl[0] )
544/*
545 * Number of SCA CM dummy rounds.
546 */
547#define SCA_CM_DUMMY_ROUND_COUNT 3
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]548
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]549#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
550
551#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
Arto Kinnunen45a475f2019-10-14 12:31:50 +0300[diff] [blame]552static void aes_sca_rand_tbl_fill( uint8_t *tbl, uint8_t tbl_len, uint8_t max_num )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]553{
554 int i, j, is_unique_number;
555 uint8_t *cur_num;
556 uint8_t num;
557
558 cur_num = tbl;
559
560 for ( i = 0; i < tbl_len; i++ )
561 {
562 do {
563 is_unique_number = 1;
564 num = mbedtls_platform_random_in_range( max_num + 1 );
565
566 for ( j = 0; j < i; j++ )
567 {
Arto Kinnunen45a475f2019-10-14 12:31:50 +0300[diff] [blame]568 if ( num == tbl[j] )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]569 {
570 is_unique_number = 0;
571 break;
572 }
573 }
574 } while ( is_unique_number == 0 );
575
576 *cur_num++ = num;
577 }
578}
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]579#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]582{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]583 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]584
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]585 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]586}
587
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]588void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]589{
590 if( ctx == NULL )
591 return;
592
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]593 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]594}
595
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]596#if defined(MBEDTLS_CIPHER_MODE_XTS)
597void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
598{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]599 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]600
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]601 mbedtls_aes_init( &ctx->crypt );
602 mbedtls_aes_init( &ctx->tweak );
603}
604
605void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
606{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]607 if( ctx == NULL )
608 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]609
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]610 mbedtls_aes_free( &ctx->crypt );
611 mbedtls_aes_free( &ctx->tweak );
612}
613#endif /* MBEDTLS_CIPHER_MODE_XTS */
614
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615/*
616 * AES key schedule (encryption)
617 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]618#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]619int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]620 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]621{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]622 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]623 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]625 AES_VALIDATE_RET( ctx != NULL );
626 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]628 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629 {
630 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]631#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632 case 192: ctx->nr = 12; break;
633 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]634#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]635 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]636 }
637
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]638#if !defined(MBEDTLS_AES_ROM_TABLES)
639 if( aes_init_done == 0 )
640 {
641 aes_gen_tables();
642 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]643 }
644#endif
645
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]646#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]647 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]648 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]649
650 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]651 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]652 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]654 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]655
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]656#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]657 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]658 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]659#endif
660
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]661 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]663 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664 }
665
666 switch( ctx->nr )
667 {
668 case 10:
669
670 for( i = 0; i < 10; i++, RK += 4 )
671 {
672 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]673 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
674 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
675 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
676 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]677
678 RK[5] = RK[1] ^ RK[4];
679 RK[6] = RK[2] ^ RK[5];
680 RK[7] = RK[3] ^ RK[6];
681 }
682 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]683#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684 case 12:
685
686 for( i = 0; i < 8; i++, RK += 6 )
687 {
688 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]689 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
690 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
691 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
692 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693
694 RK[7] = RK[1] ^ RK[6];
695 RK[8] = RK[2] ^ RK[7];
696 RK[9] = RK[3] ^ RK[8];
697 RK[10] = RK[4] ^ RK[9];
698 RK[11] = RK[5] ^ RK[10];
699 }
700 break;
701
702 case 14:
703
704 for( i = 0; i < 7; i++, RK += 8 )
705 {
706 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]707 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
708 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
709 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
710 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711
712 RK[9] = RK[1] ^ RK[8];
713 RK[10] = RK[2] ^ RK[9];
714 RK[11] = RK[3] ^ RK[10];
715
716 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]717 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
718 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
719 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
720 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]721
722 RK[13] = RK[5] ^ RK[12];
723 RK[14] = RK[6] ^ RK[13];
724 RK[15] = RK[7] ^ RK[14];
725 }
726 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]727#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]728 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]729
730 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]731}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]732#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]733
734/*
735 * AES key schedule (decryption)
736 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]737#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]738int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]739 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]740{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]741#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
742 (void) ctx;
743 (void) key;
744 (void) keybits;
745
746 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
747#else /* */
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]748 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]749 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]750 uint32_t *RK;
751 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]752
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]753 AES_VALIDATE_RET( ctx != NULL );
754 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]755
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]756 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]757
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]758#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]759 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]760 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]761
762 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]763 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]764 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]765#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]766 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]767
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]768 /* Also checks keybits */
769 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]770 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]771
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]772 ctx->nr = cty.nr;
773
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]774#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]775 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]776 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]777 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]778 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]779 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]780 }
781#endif
782
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]783 SK = cty.rk + cty.nr * 4;
784
785 *RK++ = *SK++;
786 *RK++ = *SK++;
787 *RK++ = *SK++;
788 *RK++ = *SK++;
789
790 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
791 {
792 for( j = 0; j < 4; j++, SK++ )
793 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]794 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
795 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
796 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
797 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]798 }
799 }
800
801 *RK++ = *SK++;
802 *RK++ = *SK++;
803 *RK++ = *SK++;
804 *RK++ = *SK++;
805
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]806exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]807 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]808
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]809 return( ret );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]810#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]811}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]812
813#if defined(MBEDTLS_CIPHER_MODE_XTS)
814static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
815 unsigned int keybits,
816 const unsigned char **key1,
817 unsigned int *key1bits,
818 const unsigned char **key2,
819 unsigned int *key2bits )
820{
821 const unsigned int half_keybits = keybits / 2;
822 const unsigned int half_keybytes = half_keybits / 8;
823
824 switch( keybits )
825 {
826 case 256: break;
827 case 512: break;
828 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
829 }
830
831 *key1bits = half_keybits;
832 *key2bits = half_keybits;
833 *key1 = &key[0];
834 *key2 = &key[half_keybytes];
835
836 return 0;
837}
838
839int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
840 const unsigned char *key,
841 unsigned int keybits)
842{
843 int ret;
844 const unsigned char *key1, *key2;
845 unsigned int key1bits, key2bits;
846
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]847 AES_VALIDATE_RET( ctx != NULL );
848 AES_VALIDATE_RET( key != NULL );
849
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]850 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
851 &key2, &key2bits );
852 if( ret != 0 )
853 return( ret );
854
855 /* Set the tweak key. Always set tweak key for the encryption mode. */
856 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
857 if( ret != 0 )
858 return( ret );
859
860 /* Set crypt key for encryption. */
861 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
862}
863
864int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
865 const unsigned char *key,
866 unsigned int keybits)
867{
868 int ret;
869 const unsigned char *key1, *key2;
870 unsigned int key1bits, key2bits;
871
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]872 AES_VALIDATE_RET( ctx != NULL );
873 AES_VALIDATE_RET( key != NULL );
874
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]875 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
876 &key2, &key2bits );
877 if( ret != 0 )
878 return( ret );
879
880 /* Set the tweak key. Always set tweak key for encryption. */
881 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
882 if( ret != 0 )
883 return( ret );
884
885 /* Set crypt key for decryption. */
886 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
887}
888#endif /* MBEDTLS_CIPHER_MODE_XTS */
889
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]890#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]891
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]892#define AES_FROUND(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
893 do \
894 { \
895 (X0) = *(R)++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
896 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
897 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
898 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
899 \
900 (X1) = *(R)++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
901 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
902 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
903 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
904 \
905 (X2) = *(R)++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
906 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
907 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
908 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
909 \
910 (X3) = *(R)++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
911 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
912 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
913 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]914 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]915
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]916#define AES_FROUND_F(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
917 do { \
918 (X0) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y0) ) & 0xFF ] ) ^ \
919 ( (uint32_t) FSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^ \
920 ( (uint32_t) FSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^ \
921 ( (uint32_t) FSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 ); \
922 \
923 (X1) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y1) ) & 0xFF ] ) ^ \
924 ( (uint32_t) FSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^ \
925 ( (uint32_t) FSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^ \
926 ( (uint32_t) FSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 ); \
927 \
928 (X2) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y2) ) & 0xFF ] ) ^ \
929 ( (uint32_t) FSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^ \
930 ( (uint32_t) FSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^ \
931 ( (uint32_t) FSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 ); \
932 \
933 (X3) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y3) ) & 0xFF ] ) ^ \
934 ( (uint32_t) FSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^ \
935 ( (uint32_t) FSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^ \
936 ( (uint32_t) FSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 ); \
937 } while ( 0 )
938
939#define AES_RROUND(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
940 do \
941 { \
942 (X0) = *(R)++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
943 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
944 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
945 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
946 \
947 (X1) = *(R)++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
948 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
949 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
950 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
951 \
952 (X2) = *(R)++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
953 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
954 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
955 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
956 \
957 (X3) = *(R)++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
958 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
959 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
960 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
961 } while( 0 )
962
963#define AES_RROUND_F(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
964 do \
965 { \
966 (X0) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y0) ) & 0xFF ] ) ^ \
967 ( (uint32_t) RSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^ \
968 ( (uint32_t) RSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^ \
969 ( (uint32_t) RSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 ); \
970 \
971 (X1) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y1) ) & 0xFF ] ) ^ \
972 ( (uint32_t) RSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^ \
973 ( (uint32_t) RSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^ \
974 ( (uint32_t) RSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 ); \
975 \
976 (X2) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y2) ) & 0xFF ] ) ^ \
977 ( (uint32_t) RSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^ \
978 ( (uint32_t) RSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^ \
979 ( (uint32_t) RSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 ); \
980 \
981 (X3) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y3) ) & 0xFF ] ) ^ \
982 ( (uint32_t) RSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^ \
983 ( (uint32_t) RSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^ \
984 ( (uint32_t) RSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 ); \
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]985 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]986
987/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]988 * AES-ECB block encryption
989 */
990#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]991int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
992 const unsigned char input[16],
993 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]994{
995 int i;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]996 uint32_t *RK, X0, X1, X2, X3, Y0 = 0, Y1 = 0, Y2 = 0, Y3 = 0;
997
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]998#ifdef MBEDTLS_AES_SCA_COUNTERMEASURES
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]999 uint32_t *RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA;
1000 uint8_t sca_cm_pos_tbl[SCA_CM_DUMMY_ROUND_COUNT]; // position for SCA countermeasure dummy rounds, not in any order
1001
Arto Kinnunen45a475f2019-10-14 12:31:50 +0300[diff] [blame]1002 aes_sca_rand_tbl_fill( sca_cm_pos_tbl, SCA_CM_DUMMY_ROUND_COUNT, ctx->nr );
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1003
1004 X0_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1005 X1_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1006 X2_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1007 X3_SCA = mbedtls_platform_random_in_range( 0xffffffff );
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1008#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1009
1010 RK = ctx->rk;
1011
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1012#ifdef MBEDTLS_AES_SCA_COUNTERMEASURES
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1013 RK_SCA = RK;
1014
1015 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, ctx->nr ) )
1016 {
1017 /* LE conversions to Xn, Xn_SCA randomized */
1018 GET_UINT32_LE( X0, input, 0 ); X0_SCA ^= *RK_SCA++;
1019 GET_UINT32_LE( X1, input, 4 ); X1_SCA ^= *RK_SCA++;
1020 GET_UINT32_LE( X2, input, 8 ); X2_SCA ^= *RK_SCA++;
1021 GET_UINT32_LE( X3, input, 12 ); X3_SCA ^= *RK_SCA++;
1022 }
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1023#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1024 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
1025 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
1026 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
1027 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
1028
1029 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
1030 {
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1031#ifdef MBEDTLS_AES_SCA_COUNTERMEASURES
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1032 // Would random delay before each round be necessary?
1033 //
1034 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, i * 2 ) )
1035 AES_FROUND( RK_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA,
1036 X0_SCA, X1_SCA, X2_SCA, X3_SCA );
1037
1038 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, i* 2 ) )
1039 AES_FROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1040
1041 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, i * 2 + 1 ) )
1042 AES_FROUND( RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA,
1043 Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA);
1044
1045 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, i * 2 + 1 ) )
1046 AES_FROUND( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1047#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1048 AES_FROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1049 AES_FROUND( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1050#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1051 }
1052
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1053#ifdef MBEDTLS_AES_SCA_COUNTERMEASURES
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1054 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, 1 ) )
1055 AES_FROUND( RK_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA,
1056 X0_SCA, X1_SCA, X2_SCA, X3_SCA );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1057
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1058 if ( SCA_CM_ALWAYS_TRUE ( sca_cm_pos_tbl, 1 ) )
1059 AES_FROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1060
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1061 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, 0 ) )
1062 AES_FROUND_F( RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA,
1063 Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1064
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1065 if ( SCA_CM_ALWAYS_TRUE ( sca_cm_pos_tbl, 0 ) )
1066 AES_FROUND_F( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1067
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1068#else
1069 AES_FROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1070 AES_FROUND_F( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
1071#endif
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1072
1073 PUT_UINT32_LE( X0, output, 0 );
1074 PUT_UINT32_LE( X1, output, 4 );
1075 PUT_UINT32_LE( X2, output, 8 );
1076 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1077
1078 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1079}
1080#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
1081
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1082#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1083void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
1084 const unsigned char input[16],
1085 unsigned char output[16] )
1086{
1087 mbedtls_internal_aes_encrypt( ctx, input, output );
1088}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1089#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1090
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1091/*
1092 * AES-ECB block decryption
1093 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1094
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1095#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1096#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1097int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
1098 const unsigned char input[16],
1099 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1100{
1101 int i;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1102 uint32_t *RK, X0, X1, X2, X3, Y0 = 0, Y1 = 0, Y2 = 0, Y3 = 0;
1103
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1104#ifdef MBEDTLS_AES_SCA_COUNTERMEASURES
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1105 uint32_t *RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA;
1106 uint8_t sca_cm_pos_tbl[SCA_CM_DUMMY_ROUND_COUNT]; // position for SCA countermeasure dummy rounds, not in any order
1107
Arto Kinnunen45a475f2019-10-14 12:31:50 +0300[diff] [blame]1108 aes_sca_rand_tbl_fill( sca_cm_pos_tbl, SCA_CM_DUMMY_ROUND_COUNT, ctx->nr );
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1109
1110 X0_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1111 X1_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1112 X2_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1113 X3_SCA = mbedtls_platform_random_in_range( 0xffffffff );
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1114#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1115
1116 RK = ctx->rk;
1117
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1118#ifdef MBEDTLS_AES_SCA_COUNTERMEASURES
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1119 RK_SCA = RK;
1120 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, ctx->nr ) )
1121 {
1122 GET_UINT32_LE( X0, input, 0 ); X0_SCA ^= *RK_SCA++;
1123 GET_UINT32_LE( X1, input, 4 ); X1_SCA ^= *RK_SCA++;
1124 GET_UINT32_LE( X2, input, 8 ); X2_SCA ^= *RK_SCA++;
1125 GET_UINT32_LE( X3, input, 12 ); X3_SCA ^= *RK_SCA++;
1126 }
1127
1128 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, ctx->nr ) )
1129 {
1130 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
1131 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
1132 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
1133 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
1134 }
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1135#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1136 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
1137 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
1138 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
1139 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1140#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1141
1142 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
1143 {
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1144#ifdef MBEDTLS_AES_SCA_COUNTERMEASURES
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1145 // Would random delay before each round be necessary?
1146 //
1147 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, i * 2 ) )
1148 AES_RROUND( RK_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA,
1149 X0_SCA, X1_SCA, X2_SCA, X3_SCA );
1150
1151 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, i* 2 ) )
1152 AES_RROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1153
1154 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, i * 2 + 1 ) )
1155 AES_RROUND( RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA,
1156 Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA);
1157
1158 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, i * 2 + 1 ) )
1159 AES_RROUND( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1160#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1161 AES_RROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1162 AES_RROUND( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1163#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1164 }
1165
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1166#ifdef MBEDTLS_AES_SCA_COUNTERMEASURES
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1167 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, 1 ) )
1168 AES_RROUND( RK_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA,
1169 X0_SCA, X1_SCA, X2_SCA, X3_SCA );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1170
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1171 if ( SCA_CM_ALWAYS_TRUE ( sca_cm_pos_tbl, 1 ) )
1172 AES_RROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1173
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1174 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, 0 ) )
1175 AES_RROUND_F( RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA,
1176 Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1177
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1178 if ( SCA_CM_ALWAYS_TRUE ( sca_cm_pos_tbl, 0 ) )
1179 AES_RROUND_F( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1180
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1181#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1182 AES_RROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1183 AES_RROUND_F( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
Arto Kinnunen430ac132019-10-14 10:42:28 +0300[diff] [blame]1184#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1185
1186 PUT_UINT32_LE( X0, output, 0 );
1187 PUT_UINT32_LE( X1, output, 4 );
1188 PUT_UINT32_LE( X2, output, 8 );
1189 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1190
1191 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1192}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1193#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1194#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1195
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1196#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1197void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1198 const unsigned char input[16],
1199 unsigned char output[16] )
1200{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1201#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1202 (void) ctx;
1203 (void) input;
1204 (void) output;
1205#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1206 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1207#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1208}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1209#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1210
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1211/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1212 * AES-ECB block encryption/decryption
1213 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1214int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1215 int mode,
1216 const unsigned char input[16],
1217 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1218{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1219 AES_VALIDATE_RET( ctx != NULL );
1220 AES_VALIDATE_RET( input != NULL );
1221 AES_VALIDATE_RET( output != NULL );
1222 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1223 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1224 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1226#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1227 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1228 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1229#endif
1230
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1231#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1232 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1233 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1234 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1235 return( 0 );
1236
1237 // If padlock data misaligned, we just fall back to
1238 // unaccelerated mode
1239 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1240 }
1241#endif
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1242#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1243 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1244#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1245
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1246 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1247 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1248 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1249 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1250#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251}
1252
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1253#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1254/*
1255 * AES-CBC buffer encryption/decryption
1256 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1257int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1259 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1260 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1261 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1262 unsigned char *output )
1263{
1264 int i;
1265 unsigned char temp[16];
1266
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1267 AES_VALIDATE_RET( ctx != NULL );
1268 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1269 mode == MBEDTLS_AES_DECRYPT );
1270 AES_VALIDATE_RET( iv != NULL );
1271 AES_VALIDATE_RET( input != NULL );
1272 AES_VALIDATE_RET( output != NULL );
1273
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1274 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1275 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1276
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1277#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1278 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1279 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1280 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1281 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1282
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1283 // If padlock data misaligned, we just fall back to
1284 // unaccelerated mode
1285 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1286 }
1287#endif
1288
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1289 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1290 {
1291 while( length > 0 )
1292 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1293 mbedtls_platform_memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1294 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1295
1296 for( i = 0; i < 16; i++ )
1297 output[i] = (unsigned char)( output[i] ^ iv[i] );
1298
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1299 mbedtls_platform_memcpy( iv, temp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1300
1301 input += 16;
1302 output += 16;
1303 length -= 16;
1304 }
1305 }
1306 else
1307 {
1308 while( length > 0 )
1309 {
1310 for( i = 0; i < 16; i++ )
1311 output[i] = (unsigned char)( input[i] ^ iv[i] );
1312
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1313 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1314 mbedtls_platform_memcpy( iv, output, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1315
1316 input += 16;
1317 output += 16;
1318 length -= 16;
1319 }
1320 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1321
1322 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1323}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1324#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1325
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1326#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1327
1328/* Endianess with 64 bits values */
1329#ifndef GET_UINT64_LE
1330#define GET_UINT64_LE(n,b,i) \
1331{ \
1332 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1333 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1334 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1335 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1336 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1337 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1338 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1339 | ( (uint64_t) (b)[(i) ] ); \
1340}
1341#endif
1342
1343#ifndef PUT_UINT64_LE
1344#define PUT_UINT64_LE(n,b,i) \
1345{ \
1346 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1347 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1348 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1349 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1350 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1351 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1352 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1353 (b)[(i) ] = (unsigned char) ( (n) ); \
1354}
1355#endif
1356
1357typedef unsigned char mbedtls_be128[16];
1358
1359/*
1360 * GF(2^128) multiplication function
1361 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1362 * This function multiplies a field element by x in the polynomial field
1363 * representation. It uses 64-bit word operations to gain speed but compensates
1364 * for machine endianess and hence works correctly on both big and little
1365 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1366 */
1367static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1368 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1369{
1370 uint64_t a, b, ra, rb;
1371
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1372 GET_UINT64_LE( a, x, 0 );
1373 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1374
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1375 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1376 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1377
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1378 PUT_UINT64_LE( ra, r, 0 );
1379 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1380}
1381
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1382/*
1383 * AES-XTS buffer encryption/decryption
1384 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1385int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1386 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1387 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1388 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1389 const unsigned char *input,
1390 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1391{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1392 int ret;
1393 size_t blocks = length / 16;
1394 size_t leftover = length % 16;
1395 unsigned char tweak[16];
1396 unsigned char prev_tweak[16];
1397 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1398
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1399 AES_VALIDATE_RET( ctx != NULL );
1400 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1401 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1402 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1403 AES_VALIDATE_RET( input != NULL );
1404 AES_VALIDATE_RET( output != NULL );
1405
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1406 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1407 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1408 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1409
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1410 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1411 if( length > ( 1 << 20 ) * 16 )
1412 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1413
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1414 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1415 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1416 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1417 if( ret != 0 )
1418 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1419
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1420 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1421 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1422 size_t i;
1423
1424 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1425 {
1426 /* We are on the last block in a decrypt operation that has
1427 * leftover bytes, so we need to use the next tweak for this block,
1428 * and this tweak for the lefover bytes. Save the current tweak for
1429 * the leftovers and then update the current tweak for use on this,
1430 * the last full block. */
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1431 mbedtls_platform_memcpy( prev_tweak, tweak, sizeof( tweak ) );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1432 mbedtls_gf128mul_x_ble( tweak, tweak );
1433 }
1434
1435 for( i = 0; i < 16; i++ )
1436 tmp[i] = input[i] ^ tweak[i];
1437
1438 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1439 if( ret != 0 )
1440 return( ret );
1441
1442 for( i = 0; i < 16; i++ )
1443 output[i] = tmp[i] ^ tweak[i];
1444
1445 /* Update the tweak for the next block. */
1446 mbedtls_gf128mul_x_ble( tweak, tweak );
1447
1448 output += 16;
1449 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1450 }
1451
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1452 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1453 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1454 /* If we are on the leftover bytes in a decrypt operation, we need to
1455 * use the previous tweak for these bytes (as saved in prev_tweak). */
1456 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1457
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1458 /* We are now on the final part of the data unit, which doesn't divide
1459 * evenly by 16. It's time for ciphertext stealing. */
1460 size_t i;
1461 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1462
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1463 /* Copy ciphertext bytes from the previous block to our output for each
1464 * byte of cyphertext we won't steal. At the same time, copy the
1465 * remainder of the input for this final round (since the loop bounds
1466 * are the same). */
1467 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1468 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1469 output[i] = prev_output[i];
1470 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1471 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1472
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1473 /* Copy ciphertext bytes from the previous block for input in this
1474 * round. */
1475 for( ; i < 16; i++ )
1476 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1477
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1478 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1479 if( ret != 0 )
1480 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1481
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1482 /* Write the result back to the previous block, overriding the previous
1483 * output we copied. */
1484 for( i = 0; i < 16; i++ )
1485 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1486 }
1487
1488 return( 0 );
1489}
1490#endif /* MBEDTLS_CIPHER_MODE_XTS */
1491
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1492#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1493/*
1494 * AES-CFB128 buffer encryption/decryption
1495 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1496int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1497 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1498 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1499 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1500 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1501 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1502 unsigned char *output )
1503{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1504 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1505 size_t n;
1506
1507 AES_VALIDATE_RET( ctx != NULL );
1508 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1509 mode == MBEDTLS_AES_DECRYPT );
1510 AES_VALIDATE_RET( iv_off != NULL );
1511 AES_VALIDATE_RET( iv != NULL );
1512 AES_VALIDATE_RET( input != NULL );
1513 AES_VALIDATE_RET( output != NULL );
1514
1515 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1516
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1517 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1518 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1520 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1521 {
1522 while( length-- )
1523 {
1524 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1525 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1526
1527 c = *input++;
1528 *output++ = (unsigned char)( c ^ iv[n] );
1529 iv[n] = (unsigned char) c;
1530
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1531 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1532 }
1533 }
1534 else
1535 {
1536 while( length-- )
1537 {
1538 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1539 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1540
1541 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1542
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1543 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544 }
1545 }
1546
1547 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1548
1549 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1550}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1551
1552/*
1553 * AES-CFB8 buffer encryption/decryption
1554 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1555int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1556 int mode,
1557 size_t length,
1558 unsigned char iv[16],
1559 const unsigned char *input,
1560 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1561{
1562 unsigned char c;
1563 unsigned char ov[17];
1564
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1565 AES_VALIDATE_RET( ctx != NULL );
1566 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1567 mode == MBEDTLS_AES_DECRYPT );
1568 AES_VALIDATE_RET( iv != NULL );
1569 AES_VALIDATE_RET( input != NULL );
1570 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1571 while( length-- )
1572 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1573 mbedtls_platform_memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1574 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1576 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1577 ov[16] = *input;
1578
1579 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1581 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1582 ov[16] = c;
1583
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1584 mbedtls_platform_memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1585 }
1586
1587 return( 0 );
1588}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1589#endif /* MBEDTLS_CIPHER_MODE_CFB */
1590
1591#if defined(MBEDTLS_CIPHER_MODE_OFB)
1592/*
1593 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1594 */
1595int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1596 size_t length,
1597 size_t *iv_off,
1598 unsigned char iv[16],
1599 const unsigned char *input,
1600 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1601{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1602 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1603 size_t n;
1604
1605 AES_VALIDATE_RET( ctx != NULL );
1606 AES_VALIDATE_RET( iv_off != NULL );
1607 AES_VALIDATE_RET( iv != NULL );
1608 AES_VALIDATE_RET( input != NULL );
1609 AES_VALIDATE_RET( output != NULL );
1610
1611 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1612
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1613 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1614 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1615
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1616 while( length-- )
1617 {
1618 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1619 {
1620 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1621 if( ret != 0 )
1622 goto exit;
1623 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1624 *output++ = *input++ ^ iv[n];
1625
1626 n = ( n + 1 ) & 0x0F;
1627 }
1628
1629 *iv_off = n;
1630
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1631exit:
1632 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1633}
1634#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1635
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1636#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1637/*
1638 * AES-CTR buffer encryption/decryption
1639 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1640int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1641 size_t length,
1642 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1643 unsigned char nonce_counter[16],
1644 unsigned char stream_block[16],
1645 const unsigned char *input,
1646 unsigned char *output )
1647{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1648 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1649 size_t n;
1650
1651 AES_VALIDATE_RET( ctx != NULL );
1652 AES_VALIDATE_RET( nc_off != NULL );
1653 AES_VALIDATE_RET( nonce_counter != NULL );
1654 AES_VALIDATE_RET( stream_block != NULL );
1655 AES_VALIDATE_RET( input != NULL );
1656 AES_VALIDATE_RET( output != NULL );
1657
1658 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1659
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1660 if ( n > 0x0F )
1661 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1662
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1663 while( length-- )
1664 {
1665 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1666 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1667
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1668 for( i = 16; i > 0; i-- )
1669 if( ++nonce_counter[i - 1] != 0 )
1670 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1671 }
1672 c = *input++;
1673 *output++ = (unsigned char)( c ^ stream_block[n] );
1674
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1675 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1676 }
1677
1678 *nc_off = n;
1679
1680 return( 0 );
1681}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1682#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1684#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1686#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1687/*
1688 * AES test vectors from:
1689 *
1690 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1691 */
1692static const unsigned char aes_test_ecb_dec[3][16] =
1693{
1694 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1695 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1696 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1697 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1698 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1699 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1700};
1701
1702static const unsigned char aes_test_ecb_enc[3][16] =
1703{
1704 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1705 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1706 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1707 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1708 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1709 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1710};
1711
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1712#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1713static const unsigned char aes_test_cbc_dec[3][16] =
1714{
1715 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1716 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1717 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1718 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1719 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1720 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1721};
1722
1723static const unsigned char aes_test_cbc_enc[3][16] =
1724{
1725 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1726 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1727 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1728 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1729 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1730 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1731};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1732#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1733
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1734#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1735/*
1736 * AES-CFB128 test vectors from:
1737 *
1738 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1739 */
1740static const unsigned char aes_test_cfb128_key[3][32] =
1741{
1742 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1743 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1744 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1745 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1746 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1747 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1748 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1749 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1750 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1751};
1752
1753static const unsigned char aes_test_cfb128_iv[16] =
1754{
1755 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1756 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1757};
1758
1759static const unsigned char aes_test_cfb128_pt[64] =
1760{
1761 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1762 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1763 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1764 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1765 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1766 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1767 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1768 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1769};
1770
1771static const unsigned char aes_test_cfb128_ct[3][64] =
1772{
1773 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1774 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1775 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1776 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1777 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1778 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1779 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1780 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1781 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1782 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1783 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1784 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1785 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1786 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1787 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1788 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1789 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1790 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1791 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1792 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1793 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1794 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1795 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1796 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1797};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1798#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1799
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1800#if defined(MBEDTLS_CIPHER_MODE_OFB)
1801/*
1802 * AES-OFB test vectors from:
1803 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1804 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1805 */
1806static const unsigned char aes_test_ofb_key[3][32] =
1807{
1808 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1809 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1810 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1811 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1812 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1813 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1814 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1815 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1816 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1817};
1818
1819static const unsigned char aes_test_ofb_iv[16] =
1820{
1821 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1822 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1823};
1824
1825static const unsigned char aes_test_ofb_pt[64] =
1826{
1827 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1828 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1829 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1830 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1831 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1832 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1833 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1834 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1835};
1836
1837static const unsigned char aes_test_ofb_ct[3][64] =
1838{
1839 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1840 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1841 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1842 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1843 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1844 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1845 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1846 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1847 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1848 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1849 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1850 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1851 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1852 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1853 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1854 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1855 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1856 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1857 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1858 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1859 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1860 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1861 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1862 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1863};
1864#endif /* MBEDTLS_CIPHER_MODE_OFB */
1865
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1866#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1867/*
1868 * AES-CTR test vectors from:
1869 *
1870 * http://www.faqs.org/rfcs/rfc3686.html
1871 */
1872
1873static const unsigned char aes_test_ctr_key[3][16] =
1874{
1875 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1876 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1877 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1878 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1879 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1880 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1881};
1882
1883static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1884{
1885 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1886 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1887 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1888 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1889 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1890 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1891};
1892
1893static const unsigned char aes_test_ctr_pt[3][48] =
1894{
1895 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1896 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1897
1898 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1899 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1900 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1901 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1902
1903 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1904 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1905 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1906 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1907 0x20, 0x21, 0x22, 0x23 }
1908};
1909
1910static const unsigned char aes_test_ctr_ct[3][48] =
1911{
1912 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1913 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1914 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1915 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1916 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1917 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1918 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1919 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1920 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1921 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1922 0x25, 0xB2, 0x07, 0x2F }
1923};
1924
1925static const int aes_test_ctr_len[3] =
1926 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1927#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1929#if defined(MBEDTLS_CIPHER_MODE_XTS)
1930/*
1931 * AES-XTS test vectors from:
1932 *
1933 * IEEE P1619/D16 Annex B
1934 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1935 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1936 */
1937static const unsigned char aes_test_xts_key[][32] =
1938{
1939 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1941 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1942 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1943 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1944 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1945 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1946 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1947 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1948 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1949 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1950 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1951};
1952
1953static const unsigned char aes_test_xts_pt32[][32] =
1954{
1955 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1956 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1957 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1958 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1959 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1960 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1961 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1962 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1963 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1964 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1965 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1966 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1967};
1968
1969static const unsigned char aes_test_xts_ct32[][32] =
1970{
1971 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1972 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1973 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1974 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1975 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1976 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1977 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1978 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1979 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1980 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1981 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1982 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1983};
1984
1985static const unsigned char aes_test_xts_data_unit[][16] =
1986{
1987 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1988 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1989 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1990 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1991 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1992 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1993};
1994
1995#endif /* MBEDTLS_CIPHER_MODE_XTS */
1996
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1997/*
1998 * Checkup routine
1999 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2000int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2001{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2002 int ret = 0, i, j, u, mode;
2003 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2004 unsigned char key[32];
2005 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2006 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2007#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2008 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2009#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2010#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]2011 unsigned char prv[16];
2012#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]2013#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
2014 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2015 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2016#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2017#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2018 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2019#endif
2020#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2021 unsigned char nonce_counter[16];
2022 unsigned char stream_block[16];
2023#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2024 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2025
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2026 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2027 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2028
2029 /*
2030 * ECB mode
2031 */
2032 for( i = 0; i < 6; i++ )
2033 {
2034 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2035 keybits = 128 + u * 64;
2036 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2037
2038 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2039 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
2040 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2041
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2042#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2043 if( keybits > 128 )
2044 {
2045 mbedtls_printf( "skipped\n" );
2046 continue;
2047 }
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2048#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
2049
2050#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2051 if( mode == MBEDTLS_AES_DECRYPT )
2052 {
2053 mbedtls_printf( "skipped\n" );
2054 continue;
2055 }
2056#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2057
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2058 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2059
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2060 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2061 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2062 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2063 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2064 }
2065 else
2066 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2067 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2068 aes_tests = aes_test_ecb_enc[u];
2069 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2070
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2071 /*
2072 * AES-192 is an optional feature that may be unavailable when
2073 * there is an alternative underlying implementation i.e. when
2074 * MBEDTLS_AES_ALT is defined.
2075 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2076 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2077 {
2078 mbedtls_printf( "skipped\n" );
2079 continue;
2080 }
2081 else if( ret != 0 )
2082 {
2083 goto exit;
2084 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2085
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2086 for( j = 0; j < 10000; j++ )
2087 {
2088 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
2089 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2090 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2091 }
2092
2093 if( memcmp( buf, aes_tests, 16 ) != 0 )
2094 {
2095 ret = 1;
2096 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2097 }
2098
2099 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2100 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2101 }
2102
2103 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2104 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2105
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2106#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2107 /*
2108 * CBC mode
2109 */
2110 for( i = 0; i < 6; i++ )
2111 {
2112 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2113 keybits = 128 + u * 64;
2114 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2115
2116 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2117 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
2118 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2119
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2120#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2121 if( keybits > 128 )
2122 {
2123 mbedtls_printf( "skipped\n" );
2124 continue;
2125 }
2126#endif
2127
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2128#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2129 if( mode == MBEDTLS_AES_DECRYPT )
2130 {
2131 mbedtls_printf( "skipped\n" );
2132 continue;
2133 }
2134#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2135
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2136 memset( iv , 0, 16 );
2137 memset( prv, 0, 16 );
2138 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2139
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2140 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2141 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2142 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2143 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2144 }
2145 else
2146 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2147 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2148 aes_tests = aes_test_cbc_enc[u];
2149 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2150
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2151 /*
2152 * AES-192 is an optional feature that may be unavailable when
2153 * there is an alternative underlying implementation i.e. when
2154 * MBEDTLS_AES_ALT is defined.
2155 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2156 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2157 {
2158 mbedtls_printf( "skipped\n" );
2159 continue;
2160 }
2161 else if( ret != 0 )
2162 {
2163 goto exit;
2164 }
2165
2166 for( j = 0; j < 10000; j++ )
2167 {
2168 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2169 {
2170 unsigned char tmp[16];
2171
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2172 memcpy( tmp, prv, 16 );
2173 memcpy( prv, buf, 16 );
2174 memcpy( buf, tmp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2175 }
2176
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2177 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
2178 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2179 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2180
2181 }
2182
2183 if( memcmp( buf, aes_tests, 16 ) != 0 )
2184 {
2185 ret = 1;
2186 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2187 }
2188
2189 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2190 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2191 }
2192
2193 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2194 mbedtls_printf( "\n" );
2195#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2196
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2197#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2198 /*
2199 * CFB128 mode
2200 */
2201 for( i = 0; i < 6; i++ )
2202 {
2203 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2204 keybits = 128 + u * 64;
2205 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2206
2207 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2208 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2209 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2210
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2211#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2212 if( keybits > 128 )
2213 {
2214 mbedtls_printf( "skipped\n" );
2215 continue;
2216 }
2217#endif
2218
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2219#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2220 if( mode == MBEDTLS_AES_DECRYPT )
2221 {
2222 mbedtls_printf( "skipped\n" );
2223 continue;
2224 }
2225#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2226
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2227 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2228 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2229
2230 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2231 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2232 /*
2233 * AES-192 is an optional feature that may be unavailable when
2234 * there is an alternative underlying implementation i.e. when
2235 * MBEDTLS_AES_ALT is defined.
2236 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2237 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2238 {
2239 mbedtls_printf( "skipped\n" );
2240 continue;
2241 }
2242 else if( ret != 0 )
2243 {
2244 goto exit;
2245 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2246
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2247 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2248 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2249 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2250 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2251 }
2252 else
2253 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2254 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2255 aes_tests = aes_test_cfb128_ct[u];
2256 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2258 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2259 if( ret != 0 )
2260 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2261
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2262 if( memcmp( buf, aes_tests, 64 ) != 0 )
2263 {
2264 ret = 1;
2265 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2266 }
2267
2268 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2269 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2270 }
2271
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2272 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2273 mbedtls_printf( "\n" );
2274#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2275
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2276#if defined(MBEDTLS_CIPHER_MODE_OFB)
2277 /*
2278 * OFB mode
2279 */
2280 for( i = 0; i < 6; i++ )
2281 {
2282 u = i >> 1;
2283 keybits = 128 + u * 64;
2284 mode = i & 1;
2285
2286 if( verbose != 0 )
2287 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2288 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2289
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2290#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2291 if( keybits > 128 )
2292 {
2293 mbedtls_printf( "skipped\n" );
2294 continue;
2295 }
2296#endif
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2297
2298#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2299 if( mode == MBEDTLS_AES_DECRYPT )
2300 {
2301 mbedtls_printf( "skipped\n" );
2302 continue;
2303 }
2304#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2305
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2306 memcpy( iv, aes_test_ofb_iv, 16 );
2307 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2308
2309 offset = 0;
2310 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2311 /*
2312 * AES-192 is an optional feature that may be unavailable when
2313 * there is an alternative underlying implementation i.e. when
2314 * MBEDTLS_AES_ALT is defined.
2315 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2316 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2317 {
2318 mbedtls_printf( "skipped\n" );
2319 continue;
2320 }
2321 else if( ret != 0 )
2322 {
2323 goto exit;
2324 }
2325
2326 if( mode == MBEDTLS_AES_DECRYPT )
2327 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2328 memcpy( buf, aes_test_ofb_ct[u], 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2329 aes_tests = aes_test_ofb_pt;
2330 }
2331 else
2332 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2333 memcpy( buf, aes_test_ofb_pt, 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2334 aes_tests = aes_test_ofb_ct[u];
2335 }
2336
2337 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2338 if( ret != 0 )
2339 goto exit;
2340
2341 if( memcmp( buf, aes_tests, 64 ) != 0 )
2342 {
2343 ret = 1;
2344 goto exit;
2345 }
2346
2347 if( verbose != 0 )
2348 mbedtls_printf( "passed\n" );
2349 }
2350
2351 if( verbose != 0 )
2352 mbedtls_printf( "\n" );
2353#endif /* MBEDTLS_CIPHER_MODE_OFB */
2354
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2355#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2356 /*
2357 * CTR mode
2358 */
2359 for( i = 0; i < 6; i++ )
2360 {
2361 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2362 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2363
2364 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2365 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2366 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2367
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2368#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2369 if( keybits > 128 )
2370 {
2371 mbedtls_printf( "skipped\n" );
2372 continue;
2373 }
2374#endif
2375
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2376#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2377 if( mode == MBEDTLS_AES_DECRYPT )
2378 {
2379 mbedtls_printf( "skipped\n" );
2380 continue;
2381 }
2382#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2383
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2384 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2385 memcpy( key, aes_test_ctr_key[u], 16 );
2386
2387 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2388 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2389 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2390
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2391 len = aes_test_ctr_len[u];
2392
2393 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2394 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2395 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2396 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2397 }
2398 else
2399 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2400 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2401 aes_tests = aes_test_ctr_ct[u];
2402 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2403
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2404 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2405 stream_block, buf, buf );
2406 if( ret != 0 )
2407 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2408
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2409 if( memcmp( buf, aes_tests, len ) != 0 )
2410 {
2411 ret = 1;
2412 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2413 }
2414
2415 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2416 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2417 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2418
2419 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2420 mbedtls_printf( "\n" );
2421#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2422
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2423#if defined(MBEDTLS_CIPHER_MODE_XTS)
2424 {
2425 static const int num_tests =
2426 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2427 mbedtls_aes_xts_context ctx_xts;
2428
2429 /*
2430 * XTS mode
2431 */
2432 mbedtls_aes_xts_init( &ctx_xts );
2433
2434 for( i = 0; i < num_tests << 1; i++ )
2435 {
2436 const unsigned char *data_unit;
2437 u = i >> 1;
2438 mode = i & 1;
2439
2440 if( verbose != 0 )
2441 mbedtls_printf( " AES-XTS-128 (%s): ",
2442 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2443
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2444#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2445 if( mode == MBEDTLS_AES_DECRYPT )
2446 {
2447 mbedtls_printf( "skipped\n" );
2448 continue;
2449 }
2450#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2451
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2452 memset( key, 0, sizeof( key ) );
2453 memcpy( key, aes_test_xts_key[u], 32 );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2454 data_unit = aes_test_xts_data_unit[u];
2455
2456 len = sizeof( *aes_test_xts_ct32 );
2457
2458 if( mode == MBEDTLS_AES_DECRYPT )
2459 {
2460 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2461 if( ret != 0)
2462 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2463 memcpy( buf, aes_test_xts_ct32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2464 aes_tests = aes_test_xts_pt32[u];
2465 }
2466 else
2467 {
2468 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2469 if( ret != 0)
2470 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2471 memcpy( buf, aes_test_xts_pt32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2472 aes_tests = aes_test_xts_ct32[u];
2473 }
2474
2475
2476 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2477 buf, buf );
2478 if( ret != 0 )
2479 goto exit;
2480
2481 if( memcmp( buf, aes_tests, len ) != 0 )
2482 {
2483 ret = 1;
2484 goto exit;
2485 }
2486
2487 if( verbose != 0 )
2488 mbedtls_printf( "passed\n" );
2489 }
2490
2491 if( verbose != 0 )
2492 mbedtls_printf( "\n" );
2493
2494 mbedtls_aes_xts_free( &ctx_xts );
2495 }
2496#endif /* MBEDTLS_CIPHER_MODE_XTS */
2497
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2498 ret = 0;
2499
2500exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2501 if( ret != 0 && verbose != 0 )
2502 mbedtls_printf( "failed\n" );
2503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2504 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2505
2506 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2507}
2508
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2509#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2511#endif /* MBEDTLS_AES_C */