TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / c0eabdc63657f784dee45167b010534cd3924cfa / . / library / aes.c
blob: 45b44484caf0227d227220af020e1178726e7aeb [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]30# include <string.h>
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]31
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]32# include "mbedtls/aes.h"
33# include "mbedtls/platform.h"
34# include "mbedtls/platform_util.h"
35# include "mbedtls/error.h"
36# if defined(MBEDTLS_PADLOCK_C)
37# include "padlock.h"
38# endif
39# if defined(MBEDTLS_AESNI_C)
40# include "aesni.h"
41# endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]43# if defined(MBEDTLS_SELF_TEST)
44# if defined(MBEDTLS_PLATFORM_C)
45# include "mbedtls/platform.h"
46# else
47# include <stdio.h>
48# define mbedtls_printf printf
49# endif /* MBEDTLS_PLATFORM_C */
50# endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]52# if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]55# define AES_VALIDATE_RET(cond) \
56 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA)
57# define AES_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE(cond)
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]58
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]59/*
60 * 32-bit integer manipulation macros (little endian)
61 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]62# ifndef GET_UINT32_LE
63# define GET_UINT32_LE(n, b, i) \
64 { \
65 (n) = ((uint32_t)(b)[(i)]) | \
66 ((uint32_t)(b)[(i) + 1] << 8) | \
67 ((uint32_t)(b)[(i) + 2] << 16) | \
68 ((uint32_t)(b)[(i) + 3] << 24); \
69 }
70# endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]71
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]72# ifndef PUT_UINT32_LE
73# define PUT_UINT32_LE(n, b, i) \
74 { \
75 (b)[(i)] = (unsigned char)(((n)) & 0xFF); \
76 (b)[(i) + 1] = (unsigned char)(((n) >> 8) & 0xFF); \
77 (b)[(i) + 2] = (unsigned char)(((n) >> 16) & 0xFF); \
78 (b)[(i) + 3] = (unsigned char)(((n) >> 24) & 0xFF); \
79 }
80# endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]81
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]82# if defined(MBEDTLS_PADLOCK_C) && \
83 (defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16))
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]84static int aes_padlock_ace = -1;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]85# endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]86
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]87# if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]88/*
89 * Forward S-box
90 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]91static const unsigned char FSb[256] = {
92 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
93 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
94 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
95 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
96 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
97 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
98 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
99 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
100 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
101 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
102 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
103 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
104 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
105 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
106 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
107 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
108 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
109 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
110 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
111 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
112 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
113 0xB0, 0x54, 0xBB, 0x16
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]114};
115
116/*
117 * Forward tables
118 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]119# define FT \
120 \
121 V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), \
122 V(8D, 7B, 7B, F6), V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), \
123 V(B1, 6F, 6F, DE), V(54, C5, C5, 91), V(50, 30, 30, 60), \
124 V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
125 V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), \
126 V(9A, 76, 76, EC), V(45, CA, CA, 8F), V(9D, 82, 82, 1F), \
127 V(40, C9, C9, 89), V(87, 7D, 7D, FA), V(15, FA, FA, EF), \
128 V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
129 V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), \
130 V(EA, AF, AF, 45), V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), \
131 V(96, 72, 72, E4), V(5B, C0, C0, 9B), V(C2, B7, B7, 75), \
132 V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
133 V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), \
134 V(4F, CC, CC, 83), V(5C, 34, 34, 68), V(F4, A5, A5, 51), \
135 V(34, E5, E5, D1), V(08, F1, F1, F9), V(93, 71, 71, E2), \
136 V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
137 V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), \
138 V(5E, C3, C3, 9D), V(28, 18, 18, 30), V(A1, 96, 96, 37), \
139 V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), V(09, 07, 07, 0E), \
140 V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
141 V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), \
142 V(9F, 75, 75, EA), V(1B, 09, 09, 12), V(9E, 83, 83, 1D), \
143 V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), V(2D, 1B, 1B, 36), \
144 V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
145 V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), \
146 V(CE, B3, B3, 7D), V(7B, 29, 29, 52), V(3E, E3, E3, DD), \
147 V(71, 2F, 2F, 5E), V(97, 84, 84, 13), V(F5, 53, 53, A6), \
148 V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
149 V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), \
150 V(ED, 5B, 5B, B6), V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), \
151 V(D9, BE, BE, 67), V(4B, 39, 39, 72), V(DE, 4A, 4A, 94), \
152 V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
153 V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), \
154 V(16, FB, FB, ED), V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), \
155 V(55, 33, 33, 66), V(94, 85, 85, 11), V(CF, 45, 45, 8A), \
156 V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
157 V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), \
158 V(E3, A8, A8, 4B), V(F3, 51, 51, A2), V(FE, A3, A3, 5D), \
159 V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), V(AD, 92, 92, 3F), \
160 V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
161 V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), \
162 V(63, 21, 21, 42), V(30, 10, 10, 20), V(1A, FF, FF, E5), \
163 V(0E, F3, F3, FD), V(6D, D2, D2, BF), V(4C, CD, CD, 81), \
164 V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
165 V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), \
166 V(39, 17, 17, 2E), V(57, C4, C4, 93), V(F2, A7, A7, 55), \
167 V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), V(AC, 64, 64, C8), \
168 V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
169 V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), \
170 V(7F, DC, DC, A3), V(66, 22, 22, 44), V(7E, 2A, 2A, 54), \
171 V(AB, 90, 90, 3B), V(83, 88, 88, 0B), V(CA, 46, 46, 8C), \
172 V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
173 V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), \
174 V(76, DB, DB, AD), V(3B, E0, E0, DB), V(56, 32, 32, 64), \
175 V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), V(DB, 49, 49, 92), \
176 V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
177 V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), \
178 V(A6, 62, 62, C4), V(A8, 91, 91, 39), V(A4, 95, 95, 31), \
179 V(37, E4, E4, D3), V(8B, 79, 79, F2), V(32, E7, E7, D5), \
180 V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
181 V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), \
182 V(E0, A9, A9, 49), V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), \
183 V(07, F4, F4, F3), V(25, EA, EA, CF), V(AF, 65, 65, CA), \
184 V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
185 V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), \
186 V(72, 2E, 2E, 5C), V(24, 1C, 1C, 38), V(F1, A6, A6, 57), \
187 V(C7, B4, B4, 73), V(51, C6, C6, 97), V(23, E8, E8, CB), \
188 V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
189 V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), \
190 V(85, 8A, 8A, 0F), V(90, 70, 70, E0), V(42, 3E, 3E, 7C), \
191 V(C4, B5, B5, 71), V(AA, 66, 66, CC), V(D8, 48, 48, 90), \
192 V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
193 V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), \
194 V(D0, B9, B9, 69), V(91, 86, 86, 17), V(58, C1, C1, 99), \
195 V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), V(38, E1, E1, D9), \
196 V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
197 V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), \
198 V(A7, 94, 94, 33), V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), \
199 V(92, 87, 87, 15), V(20, E9, E9, C9), V(49, CE, CE, 87), \
200 V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
201 V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), \
202 V(17, 0D, 0D, 1A), V(DA, BF, BF, 65), V(31, E6, E6, D7), \
203 V(C6, 42, 42, 84), V(B8, 68, 68, D0), V(C3, 41, 41, 82), \
204 V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
205 V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), \
206 V(3A, 16, 16, 2C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]207
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]208# define V(a, b, c, d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]209static const uint32_t FT0[256] = { FT };
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]210# undef V
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]212# if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]213
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]214# define V(a, b, c, d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]215static const uint32_t FT1[256] = { FT };
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]216# undef V
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]217
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]218# define V(a, b, c, d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT2[256] = { FT };
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]220# undef V
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]221
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]222# define V(a, b, c, d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]223static const uint32_t FT3[256] = { FT };
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]224# undef V
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]225
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]226# endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]227
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]228# undef FT
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]229
230/*
231 * Reverse S-box
232 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]233static const unsigned char RSb[256] = {
234 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
235 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
236 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
237 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
238 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
239 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
240 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
241 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
243 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
244 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
245 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
246 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
247 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
248 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
249 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
250 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
251 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
252 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
253 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
254 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
255 0x55, 0x21, 0x0C, 0x7D
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]256};
257
258/*
259 * Reverse tables
260 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]261# define RT \
262 \
263 V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), \
264 V(96, 5E, 27, 3A), V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), \
265 V(AB, 58, FA, AC), V(93, 03, E3, 4B), V(55, FA, 30, 20), \
266 V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
267 V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), \
268 V(8F, A3, 62, B5), V(49, 5A, B1, DE), V(67, 1B, BA, 25), \
269 V(98, 0E, EA, 45), V(E1, C0, FE, 5D), V(02, 75, 2F, C3), \
270 V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
271 V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), \
272 V(DA, 59, 52, 95), V(2D, 83, BE, D4), V(D3, 21, 74, 58), \
273 V(29, 69, E0, 49), V(44, C8, C9, 8E), V(6A, 89, C2, 75), \
274 V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
275 V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), \
276 V(B4, 3A, CE, 7D), V(18, 4A, DF, 63), V(82, 31, 1A, E5), \
277 V(60, 33, 51, 97), V(45, 7F, 53, 62), V(E0, 77, 64, B1), \
278 V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
279 V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), \
280 V(B7, F8, 7B, 52), V(23, D3, 73, AB), V(E2, 02, 4B, 72), \
281 V(57, 8F, 1F, E3), V(2A, AB, 55, 66), V(07, 28, EB, B2), \
282 V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
283 V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), \
284 V(5C, 82, 16, ED), V(2B, 1C, CF, 8A), V(92, B4, 79, A7), \
285 V(F0, F2, 07, F3), V(A1, E2, 69, 4E), V(CD, F4, DA, 65), \
286 V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
287 V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), \
288 V(75, EB, F6, A4), V(39, EC, 83, 0B), V(AA, EF, 60, 40), \
289 V(06, 9F, 71, 5E), V(51, 10, 6E, BD), V(F9, 8A, 21, 3E), \
290 V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
291 V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), \
292 V(FF, 15, 50, 60), V(24, FB, 98, 19), V(97, E9, BD, D6), \
293 V(CC, 43, 40, 89), V(77, 9E, D9, 67), V(BD, 42, E8, B0), \
294 V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
295 V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), \
296 V(00, 00, 00, 00), V(83, 86, 80, 09), V(48, ED, 2B, 32), \
297 V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), V(FB, FF, 0E, FD), \
298 V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
299 V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), \
300 V(3A, 2E, 36, 24), V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), \
301 V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), V(4F, C5, C0, 80), \
302 V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
303 V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), \
304 V(1D, 17, 1B, 12), V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), \
305 V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), V(85, 19, F1, 57), \
306 V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
307 V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), \
308 V(34, 7E, FB, 5B), V(76, 29, 43, 8B), V(DC, C6, 23, CB), \
309 V(68, FC, ED, B6), V(63, F1, E4, B8), V(CA, DC, 31, D7), \
310 V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
311 V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), \
312 V(6D, A1, 29, C7), V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), \
313 V(EC, 52, 86, 0D), V(D0, E3, C1, 77), V(6C, 16, B3, 2B), \
314 V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
315 V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), \
316 V(EF, 90, 33, 22), V(C7, 4E, 49, 87), V(C1, D1, 38, D9), \
317 V(FE, A2, CA, 8C), V(36, 0B, D4, 98), V(CF, 81, F5, A6), \
318 V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
319 V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), \
320 V(62, 46, 7E, 54), V(C2, 13, 8D, F6), V(E8, B8, D8, 90), \
321 V(5E, F7, 39, 2E), V(F5, AF, C3, 82), V(BE, 80, 5D, 9F), \
322 V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
323 V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), \
324 V(7B, BB, 3B, DB), V(09, 78, 26, CD), V(F4, 18, 59, 6E), \
325 V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), V(65, 6E, 95, E6), \
326 V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
327 V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), \
328 V(D6, 7C, B0, 29), V(AF, B2, A4, 31), V(31, 23, 3F, 2A), \
329 V(30, 94, A5, C6), V(C0, 66, A2, 35), V(37, BC, 4E, 74), \
330 V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
331 V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), \
332 V(2F, F6, 91, 17), V(8D, D6, 4D, 76), V(4D, B0, EF, 43), \
333 V(54, 4D, AA, CC), V(DF, 04, 96, E4), V(E3, B5, D1, 9E), \
334 V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
335 V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), \
336 V(2E, 41, 0B, FB), V(5A, 1D, 67, B3), V(52, D2, DB, 92), \
337 V(33, 56, 10, E9), V(13, 47, D6, 6D), V(8C, 61, D7, 9A), \
338 V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
339 V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), \
340 V(3C, B1, 47, 7A), V(59, DF, D2, 9C), V(3F, 73, F2, 55), \
341 V(79, CE, 14, 18), V(BF, 37, C7, 73), V(EA, CD, F7, 53), \
342 V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
343 V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), \
344 V(5F, 40, A3, C2), V(72, C3, 1D, 16), V(0C, 25, E2, BC), \
345 V(8B, 49, 3C, 28), V(41, 95, 0D, FF), V(71, 01, A8, 39), \
346 V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
347 V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), \
348 V(42, 57, B8, D0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]350# define V(a, b, c, d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]351static const uint32_t RT0[256] = { RT };
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]352# undef V
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]354# if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]355
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]356# define V(a, b, c, d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]357static const uint32_t RT1[256] = { RT };
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]358# undef V
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]360# define V(a, b, c, d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]361static const uint32_t RT2[256] = { RT };
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]362# undef V
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]363
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]364# define V(a, b, c, d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]365static const uint32_t RT3[256] = { RT };
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]366# undef V
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]368# endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]369
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]370# undef RT
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372/*
373 * Round constants
374 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]375static const uint32_t RCON[10] = { 0x00000001, 0x00000002, 0x00000004,
376 0x00000008, 0x00000010, 0x00000020,
377 0x00000040, 0x00000080, 0x0000001B,
378 0x00000036 };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]380# else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]381
382/*
383 * Forward S-box & tables
384 */
385static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]386static uint32_t FT0[256];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]387# if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]388static uint32_t FT1[256];
389static uint32_t FT2[256];
390static uint32_t FT3[256];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]391# endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392
393/*
394 * Reverse S-box & tables
395 */
396static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]397static uint32_t RT0[256];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]398# if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]399static uint32_t RT1[256];
400static uint32_t RT2[256];
401static uint32_t RT3[256];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]402# endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]403
404/*
405 * Round constants
406 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]407static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]408
409/*
410 * Tables generation code
411 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]412# define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
413# define XTIME(x) (((x) << 1) ^ (((x)&0x80) ? 0x1B : 0x00))
414# define MUL(x, y) \
415 (((x) && (y)) ? pow[(log[(x)] + log[(y)]) % 255] : 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]416
417static int aes_init_done = 0;
418
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]419static void aes_gen_tables(void)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]420{
421 int i, x, y, z;
422 int pow[256];
423 int log[256];
424
425 /*
426 * compute pow and log tables over GF(2^8)
427 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]428 for (i = 0, x = 1; i < 256; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]429 pow[i] = x;
430 log[x] = i;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]431 x = (x ^ XTIME(x)) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]432 }
433
434 /*
435 * calculate the round constants
436 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]437 for (i = 0, x = 1; i < 10; i++) {
438 RCON[i] = (uint32_t)x;
439 x = XTIME(x) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440 }
441
442 /*
443 * generate the forward and reverse S-boxes
444 */
445 FSb[0x00] = 0x63;
446 RSb[0x63] = 0x00;
447
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]448 for (i = 1; i < 256; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]449 x = pow[255 - log[i]];
450
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]451 y = x;
452 y = ((y << 1) | (y >> 7)) & 0xFF;
453 x ^= y;
454 y = ((y << 1) | (y >> 7)) & 0xFF;
455 x ^= y;
456 y = ((y << 1) | (y >> 7)) & 0xFF;
457 x ^= y;
458 y = ((y << 1) | (y >> 7)) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 x ^= y ^ 0x63;
460
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]461 FSb[i] = (unsigned char)x;
462 RSb[x] = (unsigned char)i;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463 }
464
465 /*
466 * generate the forward and reverse tables
467 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]468 for (i = 0; i < 256; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469 x = FSb[i];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]470 y = XTIME(x) & 0xFF;
471 z = (y ^ x) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]473 FT0[i] = ((uint32_t)y) ^ ((uint32_t)x << 8) ^ ((uint32_t)x << 16) ^
474 ((uint32_t)z << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]476# if !defined(MBEDTLS_AES_FEWER_TABLES)
477 FT1[i] = ROTL8(FT0[i]);
478 FT2[i] = ROTL8(FT1[i]);
479 FT3[i] = ROTL8(FT2[i]);
480# endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481
482 x = RSb[i];
483
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]484 RT0[i] = ((uint32_t)MUL(0x0E, x)) ^ ((uint32_t)MUL(0x09, x) << 8) ^
485 ((uint32_t)MUL(0x0D, x) << 16) ^
486 ((uint32_t)MUL(0x0B, x) << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]488# if !defined(MBEDTLS_AES_FEWER_TABLES)
489 RT1[i] = ROTL8(RT0[i]);
490 RT2[i] = ROTL8(RT1[i]);
491 RT3[i] = ROTL8(RT2[i]);
492# endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493 }
494}
495
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]496# undef ROTL8
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]497
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]498# endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]499
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]500# if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]501
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]502# define ROTL8(x) ((uint32_t)((x) << 8) + (uint32_t)((x) >> 24))
503# define ROTL16(x) ((uint32_t)((x) << 16) + (uint32_t)((x) >> 16))
504# define ROTL24(x) ((uint32_t)((x) << 24) + (uint32_t)((x) >> 8))
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]505
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]506# define AES_RT0(idx) RT0[idx]
507# define AES_RT1(idx) ROTL8(RT0[idx])
508# define AES_RT2(idx) ROTL16(RT0[idx])
509# define AES_RT3(idx) ROTL24(RT0[idx])
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]510
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]511# define AES_FT0(idx) FT0[idx]
512# define AES_FT1(idx) ROTL8(FT0[idx])
513# define AES_FT2(idx) ROTL16(FT0[idx])
514# define AES_FT3(idx) ROTL24(FT0[idx])
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]515
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]516# else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]518# define AES_RT0(idx) RT0[idx]
519# define AES_RT1(idx) RT1[idx]
520# define AES_RT2(idx) RT2[idx]
521# define AES_RT3(idx) RT3[idx]
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]522
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]523# define AES_FT0(idx) FT0[idx]
524# define AES_FT1(idx) FT1[idx]
525# define AES_FT2(idx) FT2[idx]
526# define AES_FT3(idx) FT3[idx]
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]527
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]528# endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]529
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]530void mbedtls_aes_init(mbedtls_aes_context *ctx)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531{
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]532 AES_VALIDATE(ctx != NULL);
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]533
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]534 memset(ctx, 0, sizeof(mbedtls_aes_context));
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]535}
536
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]537void mbedtls_aes_free(mbedtls_aes_context *ctx)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]538{
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]539 if (ctx == NULL)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]540 return;
541
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]542 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]543}
544
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]545# if defined(MBEDTLS_CIPHER_MODE_XTS)
546void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]547{
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]548 AES_VALIDATE(ctx != NULL);
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]549
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]550 mbedtls_aes_init(&ctx->crypt);
551 mbedtls_aes_init(&ctx->tweak);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]552}
553
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]554void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]555{
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]556 if (ctx == NULL)
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]557 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]558
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]559 mbedtls_aes_free(&ctx->crypt);
560 mbedtls_aes_free(&ctx->tweak);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]561}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]562# endif /* MBEDTLS_CIPHER_MODE_XTS */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]563
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564/*
565 * AES key schedule (encryption)
566 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]567# if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
568int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx,
569 const unsigned char *key,
570 unsigned int keybits)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]572 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]573 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]574
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]575 AES_VALIDATE_RET(ctx != NULL);
576 AES_VALIDATE_RET(key != NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]578 switch (keybits) {
579 case 128:
580 ctx->nr = 10;
581 break;
582 case 192:
583 ctx->nr = 12;
584 break;
585 case 256:
586 ctx->nr = 14;
587 break;
588 default:
589 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590 }
591
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]592# if !defined(MBEDTLS_AES_ROM_TABLES)
593 if (aes_init_done == 0) {
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]594 aes_gen_tables();
595 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]596 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]597# endif
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]598
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]599# if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
600 if (aes_padlock_ace == -1)
601 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]602
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]603 if (aes_padlock_ace)
604 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]605 else
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]606# endif
607 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]608
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]609# if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
610 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES))
611 return mbedtls_aesni_setkey_enc((unsigned char *)ctx->rk, key, keybits);
612# endif
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]613
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]614 for (i = 0; i < (keybits >> 5); i++) {
615 GET_UINT32_LE(RK[i], key, i << 2);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]616 }
617
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]618 switch (ctx->nr) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]619 case 10:
620
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]621 for (i = 0; i < 10; i++, RK += 4) {
622 RK[4] = RK[0] ^ RCON[i] ^ ((uint32_t)FSb[(RK[3] >> 8) & 0xFF]) ^
623 ((uint32_t)FSb[(RK[3] >> 16) & 0xFF] << 8) ^
624 ((uint32_t)FSb[(RK[3] >> 24) & 0xFF] << 16) ^
625 ((uint32_t)FSb[(RK[3]) & 0xFF] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]626
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]627 RK[5] = RK[1] ^ RK[4];
628 RK[6] = RK[2] ^ RK[5];
629 RK[7] = RK[3] ^ RK[6];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]630 }
631 break;
632
633 case 12:
634
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]635 for (i = 0; i < 8; i++, RK += 6) {
636 RK[6] = RK[0] ^ RCON[i] ^ ((uint32_t)FSb[(RK[5] >> 8) & 0xFF]) ^
637 ((uint32_t)FSb[(RK[5] >> 16) & 0xFF] << 8) ^
638 ((uint32_t)FSb[(RK[5] >> 24) & 0xFF] << 16) ^
639 ((uint32_t)FSb[(RK[5]) & 0xFF] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]640
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]641 RK[7] = RK[1] ^ RK[6];
642 RK[8] = RK[2] ^ RK[7];
643 RK[9] = RK[3] ^ RK[8];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]644 RK[10] = RK[4] ^ RK[9];
645 RK[11] = RK[5] ^ RK[10];
646 }
647 break;
648
649 case 14:
650
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]651 for (i = 0; i < 7; i++, RK += 8) {
652 RK[8] = RK[0] ^ RCON[i] ^ ((uint32_t)FSb[(RK[7] >> 8) & 0xFF]) ^
653 ((uint32_t)FSb[(RK[7] >> 16) & 0xFF] << 8) ^
654 ((uint32_t)FSb[(RK[7] >> 24) & 0xFF] << 16) ^
655 ((uint32_t)FSb[(RK[7]) & 0xFF] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]656
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]657 RK[9] = RK[1] ^ RK[8];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658 RK[10] = RK[2] ^ RK[9];
659 RK[11] = RK[3] ^ RK[10];
660
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]661 RK[12] = RK[4] ^ ((uint32_t)FSb[(RK[11]) & 0xFF]) ^
662 ((uint32_t)FSb[(RK[11] >> 8) & 0xFF] << 8) ^
663 ((uint32_t)FSb[(RK[11] >> 16) & 0xFF] << 16) ^
664 ((uint32_t)FSb[(RK[11] >> 24) & 0xFF] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665
666 RK[13] = RK[5] ^ RK[12];
667 RK[14] = RK[6] ^ RK[13];
668 RK[15] = RK[7] ^ RK[14];
669 }
670 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]672
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]673 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]675# endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]676
677/*
678 * AES key schedule (decryption)
679 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]680# if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
681int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx,
682 const unsigned char *key,
683 unsigned int keybits)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]685 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]687 uint32_t *RK;
688 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]689
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]690 AES_VALIDATE_RET(ctx != NULL);
691 AES_VALIDATE_RET(key != NULL);
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]692
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]693 mbedtls_aes_init(&cty);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]695# if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
696 if (aes_padlock_ace == -1)
697 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]698
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]699 if (aes_padlock_ace)
700 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]701 else
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]702# endif
703 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]704
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]705 /* Also checks keybits */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]706 if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]707 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]708
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]709 ctx->nr = cty.nr;
710
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]711# if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
712 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
713 mbedtls_aesni_inverse_key((unsigned char *)ctx->rk,
714 (const unsigned char *)cty.rk, ctx->nr);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]715 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]716 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]717# endif
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]718
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719 SK = cty.rk + cty.nr * 4;
720
721 *RK++ = *SK++;
722 *RK++ = *SK++;
723 *RK++ = *SK++;
724 *RK++ = *SK++;
725
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]726 for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) {
727 for (j = 0; j < 4; j++, SK++) {
728 *RK++ = AES_RT0(FSb[(*SK) & 0xFF]) ^
729 AES_RT1(FSb[(*SK >> 8) & 0xFF]) ^
730 AES_RT2(FSb[(*SK >> 16) & 0xFF]) ^
731 AES_RT3(FSb[(*SK >> 24) & 0xFF]);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732 }
733 }
734
735 *RK++ = *SK++;
736 *RK++ = *SK++;
737 *RK++ = *SK++;
738 *RK++ = *SK++;
739
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]740exit:
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]741 mbedtls_aes_free(&cty);
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]742
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]743 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]744}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]745# endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]746
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]747# if defined(MBEDTLS_CIPHER_MODE_XTS)
748static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
749 unsigned int keybits,
750 const unsigned char **key1,
751 unsigned int *key1bits,
752 const unsigned char **key2,
753 unsigned int *key2bits)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]754{
755 const unsigned int half_keybits = keybits / 2;
756 const unsigned int half_keybytes = half_keybits / 8;
757
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]758 switch (keybits) {
759 case 256:
760 break;
761 case 512:
762 break;
763 default:
764 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]765 }
766
767 *key1bits = half_keybits;
768 *key2bits = half_keybits;
769 *key1 = &key[0];
770 *key2 = &key[half_keybytes];
771
772 return 0;
773}
774
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]775int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
776 const unsigned char *key,
777 unsigned int keybits)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]778{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]779 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]780 const unsigned char *key1, *key2;
781 unsigned int key1bits, key2bits;
782
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]783 AES_VALIDATE_RET(ctx != NULL);
784 AES_VALIDATE_RET(key != NULL);
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]785
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]786 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, &key2,
787 &key2bits);
788 if (ret != 0)
789 return ret;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]790
791 /* Set the tweak key. Always set tweak key for the encryption mode. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]792 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
793 if (ret != 0)
794 return ret;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]795
796 /* Set crypt key for encryption. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]797 return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]798}
799
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]800int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
801 const unsigned char *key,
802 unsigned int keybits)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]803{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]804 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]805 const unsigned char *key1, *key2;
806 unsigned int key1bits, key2bits;
807
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]808 AES_VALIDATE_RET(ctx != NULL);
809 AES_VALIDATE_RET(key != NULL);
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]810
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]811 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, &key2,
812 &key2bits);
813 if (ret != 0)
814 return ret;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]815
816 /* Set the tweak key. Always set tweak key for encryption. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]817 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
818 if (ret != 0)
819 return ret;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]820
821 /* Set crypt key for decryption. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]822 return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]823}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]824# endif /* MBEDTLS_CIPHER_MODE_XTS */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]825
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]826# define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
827 do { \
828 (X0) = *RK++ ^ AES_FT0(((Y0)) & 0xFF) ^ \
829 AES_FT1(((Y1) >> 8) & 0xFF) ^ \
830 AES_FT2(((Y2) >> 16) & 0xFF) ^ \
831 AES_FT3(((Y3) >> 24) & 0xFF); \
832 \
833 (X1) = *RK++ ^ AES_FT0(((Y1)) & 0xFF) ^ \
834 AES_FT1(((Y2) >> 8) & 0xFF) ^ \
835 AES_FT2(((Y3) >> 16) & 0xFF) ^ \
836 AES_FT3(((Y0) >> 24) & 0xFF); \
837 \
838 (X2) = *RK++ ^ AES_FT0(((Y2)) & 0xFF) ^ \
839 AES_FT1(((Y3) >> 8) & 0xFF) ^ \
840 AES_FT2(((Y0) >> 16) & 0xFF) ^ \
841 AES_FT3(((Y1) >> 24) & 0xFF); \
842 \
843 (X3) = *RK++ ^ AES_FT0(((Y3)) & 0xFF) ^ \
844 AES_FT1(((Y0) >> 8) & 0xFF) ^ \
845 AES_FT2(((Y1) >> 16) & 0xFF) ^ \
846 AES_FT3(((Y2) >> 24) & 0xFF); \
847 } while (0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]848
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]849# define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
850 do { \
851 (X0) = *RK++ ^ AES_RT0(((Y0)) & 0xFF) ^ \
852 AES_RT1(((Y3) >> 8) & 0xFF) ^ \
853 AES_RT2(((Y2) >> 16) & 0xFF) ^ \
854 AES_RT3(((Y1) >> 24) & 0xFF); \
855 \
856 (X1) = *RK++ ^ AES_RT0(((Y1)) & 0xFF) ^ \
857 AES_RT1(((Y0) >> 8) & 0xFF) ^ \
858 AES_RT2(((Y3) >> 16) & 0xFF) ^ \
859 AES_RT3(((Y2) >> 24) & 0xFF); \
860 \
861 (X2) = *RK++ ^ AES_RT0(((Y2)) & 0xFF) ^ \
862 AES_RT1(((Y1) >> 8) & 0xFF) ^ \
863 AES_RT2(((Y0) >> 16) & 0xFF) ^ \
864 AES_RT3(((Y3) >> 24) & 0xFF); \
865 \
866 (X3) = *RK++ ^ AES_RT0(((Y3)) & 0xFF) ^ \
867 AES_RT1(((Y2) >> 8) & 0xFF) ^ \
868 AES_RT2(((Y1) >> 16) & 0xFF) ^ \
869 AES_RT3(((Y0) >> 24) & 0xFF); \
870 } while (0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]871
872/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]873 * AES-ECB block encryption
874 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]875# if !defined(MBEDTLS_AES_ENCRYPT_ALT)
876int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
877 const unsigned char input[16],
878 unsigned char output[16])
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]879{
880 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]881 uint32_t *RK = ctx->rk;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]882 struct {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]883 uint32_t X[4];
884 uint32_t Y[4];
885 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]886
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]887 GET_UINT32_LE(t.X[0], input, 0);
888 t.X[0] ^= *RK++;
889 GET_UINT32_LE(t.X[1], input, 4);
890 t.X[1] ^= *RK++;
891 GET_UINT32_LE(t.X[2], input, 8);
892 t.X[2] ^= *RK++;
893 GET_UINT32_LE(t.X[3], input, 12);
894 t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]895
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]896 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
897 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2],
898 t.X[3]);
899 AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2],
900 t.Y[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]901 }
902
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]903 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]904
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]905 t.X[0] = *RK++ ^ ((uint32_t)FSb[(t.Y[0]) & 0xFF]) ^
906 ((uint32_t)FSb[(t.Y[1] >> 8) & 0xFF] << 8) ^
907 ((uint32_t)FSb[(t.Y[2] >> 16) & 0xFF] << 16) ^
908 ((uint32_t)FSb[(t.Y[3] >> 24) & 0xFF] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]909
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]910 t.X[1] = *RK++ ^ ((uint32_t)FSb[(t.Y[1]) & 0xFF]) ^
911 ((uint32_t)FSb[(t.Y[2] >> 8) & 0xFF] << 8) ^
912 ((uint32_t)FSb[(t.Y[3] >> 16) & 0xFF] << 16) ^
913 ((uint32_t)FSb[(t.Y[0] >> 24) & 0xFF] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]914
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]915 t.X[2] = *RK++ ^ ((uint32_t)FSb[(t.Y[2]) & 0xFF]) ^
916 ((uint32_t)FSb[(t.Y[3] >> 8) & 0xFF] << 8) ^
917 ((uint32_t)FSb[(t.Y[0] >> 16) & 0xFF] << 16) ^
918 ((uint32_t)FSb[(t.Y[1] >> 24) & 0xFF] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]919
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]920 t.X[3] = *RK++ ^ ((uint32_t)FSb[(t.Y[3]) & 0xFF]) ^
921 ((uint32_t)FSb[(t.Y[0] >> 8) & 0xFF] << 8) ^
922 ((uint32_t)FSb[(t.Y[1] >> 16) & 0xFF] << 16) ^
923 ((uint32_t)FSb[(t.Y[2] >> 24) & 0xFF] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]924
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]925 PUT_UINT32_LE(t.X[0], output, 0);
926 PUT_UINT32_LE(t.X[1], output, 4);
927 PUT_UINT32_LE(t.X[2], output, 8);
928 PUT_UINT32_LE(t.X[3], output, 12);
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]929
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]930 mbedtls_platform_zeroize(&t, sizeof(t));
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]931
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]932 return 0;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]933}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]934# endif /* !MBEDTLS_AES_ENCRYPT_ALT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]935
936/*
937 * AES-ECB block decryption
938 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]939# if !defined(MBEDTLS_AES_DECRYPT_ALT)
940int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
941 const unsigned char input[16],
942 unsigned char output[16])
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]943{
944 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]945 uint32_t *RK = ctx->rk;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]946 struct {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]947 uint32_t X[4];
948 uint32_t Y[4];
949 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]950
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]951 GET_UINT32_LE(t.X[0], input, 0);
952 t.X[0] ^= *RK++;
953 GET_UINT32_LE(t.X[1], input, 4);
954 t.X[1] ^= *RK++;
955 GET_UINT32_LE(t.X[2], input, 8);
956 t.X[2] ^= *RK++;
957 GET_UINT32_LE(t.X[3], input, 12);
958 t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]959
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]960 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
961 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2],
962 t.X[3]);
963 AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2],
964 t.Y[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]965 }
966
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]967 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]968
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]969 t.X[0] = *RK++ ^ ((uint32_t)RSb[(t.Y[0]) & 0xFF]) ^
970 ((uint32_t)RSb[(t.Y[3] >> 8) & 0xFF] << 8) ^
971 ((uint32_t)RSb[(t.Y[2] >> 16) & 0xFF] << 16) ^
972 ((uint32_t)RSb[(t.Y[1] >> 24) & 0xFF] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]973
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]974 t.X[1] = *RK++ ^ ((uint32_t)RSb[(t.Y[1]) & 0xFF]) ^
975 ((uint32_t)RSb[(t.Y[0] >> 8) & 0xFF] << 8) ^
976 ((uint32_t)RSb[(t.Y[3] >> 16) & 0xFF] << 16) ^
977 ((uint32_t)RSb[(t.Y[2] >> 24) & 0xFF] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]978
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]979 t.X[2] = *RK++ ^ ((uint32_t)RSb[(t.Y[2]) & 0xFF]) ^
980 ((uint32_t)RSb[(t.Y[1] >> 8) & 0xFF] << 8) ^
981 ((uint32_t)RSb[(t.Y[0] >> 16) & 0xFF] << 16) ^
982 ((uint32_t)RSb[(t.Y[3] >> 24) & 0xFF] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]983
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]984 t.X[3] = *RK++ ^ ((uint32_t)RSb[(t.Y[3]) & 0xFF]) ^
985 ((uint32_t)RSb[(t.Y[2] >> 8) & 0xFF] << 8) ^
986 ((uint32_t)RSb[(t.Y[1] >> 16) & 0xFF] << 16) ^
987 ((uint32_t)RSb[(t.Y[0] >> 24) & 0xFF] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]988
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]989 PUT_UINT32_LE(t.X[0], output, 0);
990 PUT_UINT32_LE(t.X[1], output, 4);
991 PUT_UINT32_LE(t.X[2], output, 8);
992 PUT_UINT32_LE(t.X[3], output, 12);
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]993
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]994 mbedtls_platform_zeroize(&t, sizeof(t));
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]995
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]996 return 0;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]997}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]998# endif /* !MBEDTLS_AES_DECRYPT_ALT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]999
1000/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001 * AES-ECB block encryption/decryption
1002 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1003int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
1004 int mode,
1005 const unsigned char input[16],
1006 unsigned char output[16])
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007{
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1008 AES_VALIDATE_RET(ctx != NULL);
1009 AES_VALIDATE_RET(input != NULL);
1010 AES_VALIDATE_RET(output != NULL);
1011 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1012 mode == MBEDTLS_AES_DECRYPT);
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1013
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1014# if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
1015 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES))
1016 return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
1017# endif
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1018
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1019# if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1020 if (aes_padlock_ace > 0) {
1021 if (mbedtls_padlock_xcryptecb(ctx, mode, input, output) == 0)
1022 return 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1023
1024 // If padlock data misaligned, we just fall back to
1025 // unaccelerated mode
1026 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1027 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1028# endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1029
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1030 if (mode == MBEDTLS_AES_ENCRYPT)
1031 return mbedtls_internal_aes_encrypt(ctx, input, output);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1032 else
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1033 return mbedtls_internal_aes_decrypt(ctx, input, output);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1034}
1035
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1036# if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1037/*
1038 * AES-CBC buffer encryption/decryption
1039 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1040int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
1041 int mode,
1042 size_t length,
1043 unsigned char iv[16],
1044 const unsigned char *input,
1045 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1046{
1047 int i;
1048 unsigned char temp[16];
1049
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1050 AES_VALIDATE_RET(ctx != NULL);
1051 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1052 mode == MBEDTLS_AES_DECRYPT);
1053 AES_VALIDATE_RET(iv != NULL);
1054 AES_VALIDATE_RET(input != NULL);
1055 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1056
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1057 if (length % 16)
1058 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1059
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1060# if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1061 if (aes_padlock_ace > 0) {
1062 if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) ==
1063 0)
1064 return 0;
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1065
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1066 // If padlock data misaligned, we just fall back to
1067 // unaccelerated mode
1068 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1070# endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1071
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1072 if (mode == MBEDTLS_AES_DECRYPT) {
1073 while (length > 0) {
1074 memcpy(temp, input, 16);
1075 mbedtls_aes_crypt_ecb(ctx, mode, input, output);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1077 for (i = 0; i < 16; i++)
1078 output[i] = (unsigned char)(output[i] ^ iv[i]);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1079
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1080 memcpy(iv, temp, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1082 input += 16;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1083 output += 16;
1084 length -= 16;
1085 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1086 } else {
1087 while (length > 0) {
1088 for (i = 0; i < 16; i++)
1089 output[i] = (unsigned char)(input[i] ^ iv[i]);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1090
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1091 mbedtls_aes_crypt_ecb(ctx, mode, output, output);
1092 memcpy(iv, output, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1093
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1094 input += 16;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095 output += 16;
1096 length -= 16;
1097 }
1098 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1099
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1100 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1102# endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1103
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1104# if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1105
1106/* Endianess with 64 bits values */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1107# ifndef GET_UINT64_LE
1108# define GET_UINT64_LE(n, b, i) \
1109 { \
1110 (n) = ((uint64_t)(b)[(i) + 7] << 56) | \
1111 ((uint64_t)(b)[(i) + 6] << 48) | \
1112 ((uint64_t)(b)[(i) + 5] << 40) | \
1113 ((uint64_t)(b)[(i) + 4] << 32) | \
1114 ((uint64_t)(b)[(i) + 3] << 24) | \
1115 ((uint64_t)(b)[(i) + 2] << 16) | \
1116 ((uint64_t)(b)[(i) + 1] << 8) | \
1117 ((uint64_t)(b)[(i)]); \
1118 }
1119# endif
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1120
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1121# ifndef PUT_UINT64_LE
1122# define PUT_UINT64_LE(n, b, i) \
1123 { \
1124 (b)[(i) + 7] = (unsigned char)((n) >> 56); \
1125 (b)[(i) + 6] = (unsigned char)((n) >> 48); \
1126 (b)[(i) + 5] = (unsigned char)((n) >> 40); \
1127 (b)[(i) + 4] = (unsigned char)((n) >> 32); \
1128 (b)[(i) + 3] = (unsigned char)((n) >> 24); \
1129 (b)[(i) + 2] = (unsigned char)((n) >> 16); \
1130 (b)[(i) + 1] = (unsigned char)((n) >> 8); \
1131 (b)[(i)] = (unsigned char)((n)); \
1132 }
1133# endif
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1134
1135typedef unsigned char mbedtls_be128[16];
1136
1137/*
1138 * GF(2^128) multiplication function
1139 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1140 * This function multiplies a field element by x in the polynomial field
1141 * representation. It uses 64-bit word operations to gain speed but compensates
1142 * for machine endianess and hence works correctly on both big and little
1143 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1144 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1145static void mbedtls_gf128mul_x_ble(unsigned char r[16],
1146 const unsigned char x[16])
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1147{
1148 uint64_t a, b, ra, rb;
1149
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1150 GET_UINT64_LE(a, x, 0);
1151 GET_UINT64_LE(b, x, 8);
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1152
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1153 ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
1154 rb = (a >> 63) | (b << 1);
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1155
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1156 PUT_UINT64_LE(ra, r, 0);
1157 PUT_UINT64_LE(rb, r, 8);
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1158}
1159
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1160/*
1161 * AES-XTS buffer encryption/decryption
1162 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1163int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
1164 int mode,
1165 size_t length,
1166 const unsigned char data_unit[16],
1167 const unsigned char *input,
1168 unsigned char *output)
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1169{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1170 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1171 size_t blocks = length / 16;
1172 size_t leftover = length % 16;
1173 unsigned char tweak[16];
1174 unsigned char prev_tweak[16];
1175 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1176
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1177 AES_VALIDATE_RET(ctx != NULL);
1178 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1179 mode == MBEDTLS_AES_DECRYPT);
1180 AES_VALIDATE_RET(data_unit != NULL);
1181 AES_VALIDATE_RET(input != NULL);
1182 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1183
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1184 /* Data units must be at least 16 bytes long. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1185 if (length < 16)
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1186 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1187
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1188 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1189 if (length > (1 << 20) * 16)
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1190 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1191
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1192 /* Compute the tweak. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1193 ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT, data_unit,
1194 tweak);
1195 if (ret != 0)
1196 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1197
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1198 while (blocks--) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1199 size_t i;
1200
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1201 if (leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1202 /* We are on the last block in a decrypt operation that has
1203 * leftover bytes, so we need to use the next tweak for this block,
1204 * and this tweak for the lefover bytes. Save the current tweak for
1205 * the leftovers and then update the current tweak for use on this,
1206 * the last full block. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1207 memcpy(prev_tweak, tweak, sizeof(tweak));
1208 mbedtls_gf128mul_x_ble(tweak, tweak);
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1209 }
1210
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1211 for (i = 0; i < 16; i++)
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1212 tmp[i] = input[i] ^ tweak[i];
1213
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1214 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1215 if (ret != 0)
1216 return ret;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1217
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1218 for (i = 0; i < 16; i++)
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1219 output[i] = tmp[i] ^ tweak[i];
1220
1221 /* Update the tweak for the next block. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1222 mbedtls_gf128mul_x_ble(tweak, tweak);
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1223
1224 output += 16;
1225 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1226 }
1227
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1228 if (leftover) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1229 /* If we are on the leftover bytes in a decrypt operation, we need to
1230 * use the previous tweak for these bytes (as saved in prev_tweak). */
1231 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1232
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1233 /* We are now on the final part of the data unit, which doesn't divide
1234 * evenly by 16. It's time for ciphertext stealing. */
1235 size_t i;
1236 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1237
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1238 /* Copy ciphertext bytes from the previous block to our output for each
1239 * byte of cyphertext we won't steal. At the same time, copy the
1240 * remainder of the input for this final round (since the loop bounds
1241 * are the same). */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1242 for (i = 0; i < leftover; i++) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1243 output[i] = prev_output[i];
1244 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1245 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1246
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1247 /* Copy ciphertext bytes from the previous block for input in this
1248 * round. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1249 for (; i < 16; i++)
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1250 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1251
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1252 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1253 if (ret != 0)
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1254 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1255
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1256 /* Write the result back to the previous block, overriding the previous
1257 * output we copied. */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1258 for (i = 0; i < 16; i++)
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1259 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1260 }
1261
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1262 return 0;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1263}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1264# endif /* MBEDTLS_CIPHER_MODE_XTS */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1265
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1266# if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1267/*
1268 * AES-CFB128 buffer encryption/decryption
1269 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1270int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
1271 int mode,
1272 size_t length,
1273 size_t *iv_off,
1274 unsigned char iv[16],
1275 const unsigned char *input,
1276 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1277{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1278 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1279 size_t n;
1280
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1281 AES_VALIDATE_RET(ctx != NULL);
1282 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1283 mode == MBEDTLS_AES_DECRYPT);
1284 AES_VALIDATE_RET(iv_off != NULL);
1285 AES_VALIDATE_RET(iv != NULL);
1286 AES_VALIDATE_RET(input != NULL);
1287 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1288
1289 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1290
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1291 if (n > 15)
1292 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1293
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1294 if (mode == MBEDTLS_AES_DECRYPT) {
1295 while (length--) {
1296 if (n == 0)
1297 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1298
1299 c = *input++;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1300 *output++ = (unsigned char)(c ^ iv[n]);
1301 iv[n] = (unsigned char)c;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1303 n = (n + 1) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1305 } else {
1306 while (length--) {
1307 if (n == 0)
1308 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1309
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1310 iv[n] = *output++ = (unsigned char)(iv[n] ^ *input++);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1311
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1312 n = (n + 1) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313 }
1314 }
1315
1316 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1317
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1318 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1319}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1320
1321/*
1322 * AES-CFB8 buffer encryption/decryption
1323 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1324int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
1325 int mode,
1326 size_t length,
1327 unsigned char iv[16],
1328 const unsigned char *input,
1329 unsigned char *output)
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1330{
1331 unsigned char c;
1332 unsigned char ov[17];
1333
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1334 AES_VALIDATE_RET(ctx != NULL);
1335 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1336 mode == MBEDTLS_AES_DECRYPT);
1337 AES_VALIDATE_RET(iv != NULL);
1338 AES_VALIDATE_RET(input != NULL);
1339 AES_VALIDATE_RET(output != NULL);
1340 while (length--) {
1341 memcpy(ov, iv, 16);
1342 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1343
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1344 if (mode == MBEDTLS_AES_DECRYPT)
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1345 ov[16] = *input;
1346
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1347 c = *output++ = (unsigned char)(iv[0] ^ *input++);
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1348
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1349 if (mode == MBEDTLS_AES_ENCRYPT)
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1350 ov[16] = c;
1351
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1352 memcpy(iv, ov + 1, 16);
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1353 }
1354
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1355 return 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1356}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1357# endif /* MBEDTLS_CIPHER_MODE_CFB */
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1358
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1359# if defined(MBEDTLS_CIPHER_MODE_OFB)
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1360/*
1361 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1362 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1363int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
1364 size_t length,
1365 size_t *iv_off,
1366 unsigned char iv[16],
1367 const unsigned char *input,
1368 unsigned char *output)
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1369{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1370 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1371 size_t n;
1372
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1373 AES_VALIDATE_RET(ctx != NULL);
1374 AES_VALIDATE_RET(iv_off != NULL);
1375 AES_VALIDATE_RET(iv != NULL);
1376 AES_VALIDATE_RET(input != NULL);
1377 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1378
1379 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1380
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1381 if (n > 15)
1382 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1383
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1384 while (length--) {
1385 if (n == 0) {
1386 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1387 if (ret != 0)
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1388 goto exit;
1389 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1390 *output++ = *input++ ^ iv[n];
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1391
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1392 n = (n + 1) & 0x0F;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1393 }
1394
1395 *iv_off = n;
1396
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1397exit:
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1398 return ret;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1399}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1400# endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1401
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1402# if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1403/*
1404 * AES-CTR buffer encryption/decryption
1405 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1406int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
1407 size_t length,
1408 size_t *nc_off,
1409 unsigned char nonce_counter[16],
1410 unsigned char stream_block[16],
1411 const unsigned char *input,
1412 unsigned char *output)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1413{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1414 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1415 size_t n;
1416
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1417 AES_VALIDATE_RET(ctx != NULL);
1418 AES_VALIDATE_RET(nc_off != NULL);
1419 AES_VALIDATE_RET(nonce_counter != NULL);
1420 AES_VALIDATE_RET(stream_block != NULL);
1421 AES_VALIDATE_RET(input != NULL);
1422 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1423
1424 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1425
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1426 if (n > 0x0F)
1427 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1428
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1429 while (length--) {
1430 if (n == 0) {
1431 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter,
1432 stream_block);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1433
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1434 for (i = 16; i > 0; i--)
1435 if (++nonce_counter[i - 1] != 0)
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1436 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1437 }
1438 c = *input++;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1439 *output++ = (unsigned char)(c ^ stream_block[n]);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1440
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1441 n = (n + 1) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1442 }
1443
1444 *nc_off = n;
1445
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1446 return 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1447}
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1448# endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1449
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1450# endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1451
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1452# if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1453/*
1454 * AES test vectors from:
1455 *
1456 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1457 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1458static const unsigned char aes_test_ecb_dec[3][16] = {
1459 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 0x33, 0x03, 0x91, 0x7E,
1460 0x6B, 0xE9, 0xEB, 0xE0 },
1461 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 0x92, 0x29, 0x31, 0x9C,
1462 0x19, 0xF1, 0x5B, 0xA4 },
1463 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 0x1F, 0x6F, 0x56, 0x58,
1464 0x5D, 0x8A, 0x4A, 0xDE }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1465};
1466
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1467static const unsigned char aes_test_ecb_enc[3][16] = {
1468 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 0x45, 0x1A, 0xFE, 0x5F,
1469 0x03, 0xBE, 0x29, 0x7F },
1470 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 0x38, 0xF0, 0x41, 0x56,
1471 0x06, 0x31, 0xB1, 0x14 },
1472 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 0xFF, 0x30, 0xB4, 0xEA,
1473 0x21, 0x63, 0x6D, 0xA4 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1474};
1475
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1476# if defined(MBEDTLS_CIPHER_MODE_CBC)
1477static const unsigned char aes_test_cbc_dec[3][16] = {
1478 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 0xDF, 0x70, 0x6E, 0x73,
1479 0xF7, 0xC9, 0xAF, 0x86 },
1480 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 0xB6, 0x17, 0x68, 0xC6,
1481 0xAD, 0xEF, 0x7C, 0x7B },
1482 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 0x19, 0xA3, 0xE8, 0x8C,
1483 0x57, 0x31, 0x04, 0x13 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1484};
1485
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1486static const unsigned char aes_test_cbc_enc[3][16] = {
1487 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 0x8A, 0x08, 0xD3, 0x28,
1488 0xD3, 0x68, 0x8E, 0x3D },
1489 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 0x85, 0xD2, 0xAD, 0xFA,
1490 0xE8, 0x7B, 0xB1, 0x04 },
1491 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 0x6F, 0xCD, 0x88, 0xB2,
1492 0xCC, 0x89, 0x8F, 0xF0 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1493};
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1494# endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1495
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1496# if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1497/*
1498 * AES-CFB128 test vectors from:
1499 *
1500 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1501 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1502static const unsigned char aes_test_cfb128_key[3][32] = {
1503 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88,
1504 0x09, 0xCF, 0x4F, 0x3C },
1505 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 0xC8, 0x10, 0xF3, 0x2B,
1506 0x80, 0x90, 0x79, 0xE5, 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1507 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 0x2B, 0x73, 0xAE,
1508 0xF0, 0x85, 0x7D, 0x77, 0x81, 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61,
1509 0x08, 0xD7, 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1510};
1511
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1512static const unsigned char aes_test_cfb128_iv[16] = { 0x00, 0x01, 0x02, 0x03,
1513 0x04, 0x05, 0x06, 0x07,
1514 0x08, 0x09, 0x0A, 0x0B,
1515 0x0C, 0x0D, 0x0E, 0x0F };
1516
1517static const unsigned char aes_test_cfb128_pt[64] = {
1518 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E,
1519 0x11, 0x73, 0x93, 0x17, 0x2A, 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03,
1520 0xAC, 0x9C, 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 0x30,
1521 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 0xE5, 0xFB, 0xC1, 0x19,
1522 0x1A, 0x0A, 0x52, 0xEF, 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B,
1523 0x17, 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1524};
1525
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1526static const unsigned char aes_test_cfb128_ct[3][64] = {
1527 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49,
1528 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3,
1529 0xA9, 0x3F, 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 0x26,
1530 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 0xB1, 0x80, 0x8C, 0xF1,
1531 0x87, 0xA4, 0xF4, 0xDF, 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C,
1532 0x0E, 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1533 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 0x34, 0xC2, 0x59,
1534 0x09, 0xC9, 0x9A, 0x41, 0x74, 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17,
1535 0x36, 0x21, 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 0x2E,
1536 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 0xC8, 0xE6, 0x0F, 0xED,
1537 0x1E, 0xFA, 0xC4, 0xC9, 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F,
1538 0xA0, 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1539 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 0x7E, 0xCD, 0x84,
1540 0x86, 0x98, 0x5D, 0x38, 0x60, 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28,
1541 0xB1, 0xC8, 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 0xDF,
1542 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 0xA1, 0x3E, 0xD0, 0xA8,
1543 0x26, 0x7A, 0xE2, 0xF9, 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE,
1544 0xF8, 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1545};
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1546# endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1547
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1548# if defined(MBEDTLS_CIPHER_MODE_OFB)
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1549/*
1550 * AES-OFB test vectors from:
1551 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1552 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1553 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1554static const unsigned char aes_test_ofb_key[3][32] = {
1555 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88,
1556 0x09, 0xCF, 0x4F, 0x3C },
1557 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 0xC8, 0x10, 0xF3, 0x2B,
1558 0x80, 0x90, 0x79, 0xE5, 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1559 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 0x2B, 0x73, 0xAE,
1560 0xF0, 0x85, 0x7D, 0x77, 0x81, 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61,
1561 0x08, 0xD7, 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1562};
1563
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1564static const unsigned char aes_test_ofb_iv[16] = { 0x00, 0x01, 0x02, 0x03,
1565 0x04, 0x05, 0x06, 0x07,
1566 0x08, 0x09, 0x0A, 0x0B,
1567 0x0C, 0x0D, 0x0E, 0x0F };
1568
1569static const unsigned char aes_test_ofb_pt[64] = {
1570 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E,
1571 0x11, 0x73, 0x93, 0x17, 0x2A, 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03,
1572 0xAC, 0x9C, 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 0x30,
1573 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 0xE5, 0xFB, 0xC1, 0x19,
1574 0x1A, 0x0A, 0x52, 0xEF, 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B,
1575 0x17, 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1576};
1577
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1578static const unsigned char aes_test_ofb_ct[3][64] = {
1579 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 0x33, 0x34, 0x49,
1580 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91,
1581 0x8f, 0x03, 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 0x97,
1582 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 0x43, 0x44, 0xf7, 0xa8,
1583 0x22, 0x60, 0xed, 0xcc, 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7,
1584 0x78, 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1585 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 0x34, 0xC2, 0x59,
1586 0x09, 0xC9, 0x9A, 0x41, 0x74, 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63,
1587 0x83, 0x7c, 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 0x8d,
1588 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 0x55, 0x9c, 0x6d, 0x4d,
1589 0xaf, 0x59, 0xa5, 0xf2, 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c,
1590 0x3e, 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1591 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 0x7E, 0xCD, 0x84,
1592 0x86, 0x98, 0x5D, 0x38, 0x60, 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2,
1593 0x0b, 0x3a, 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 0x71,
1594 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 0xf3, 0x9d, 0x1c, 0x5b,
1595 0xba, 0x97, 0xc4, 0x08, 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b,
1596 0xe8, 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1597};
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1598# endif /* MBEDTLS_CIPHER_MODE_OFB */
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1599
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1600# if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1601/*
1602 * AES-CTR test vectors from:
1603 *
1604 * http://www.faqs.org/rfcs/rfc3686.html
1605 */
1606
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1607static const unsigned char aes_test_ctr_key[3][16] = {
1608 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 0x4B, 0xF7, 0xA5, 0x76,
1609 0x55, 0x77, 0xF3, 0x9E },
1610 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 0x43, 0xD6, 0xCE, 0x1F,
1611 0x32, 0x53, 0x91, 0x63 },
1612 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 0xAC, 0x6E, 0x61, 0x85,
1613 0x29, 0xF9, 0xA0, 0xDC }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1614};
1615
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1616static const unsigned char aes_test_ctr_nonce_counter[3][16] = {
1617 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1618 0x00, 0x00, 0x00, 0x01 },
1619 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 0xDA, 0x48, 0xD9, 0x0B,
1620 0x00, 0x00, 0x00, 0x01 },
1621 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 0x4A, 0x17, 0x86, 0xF0,
1622 0x00, 0x00, 0x00, 0x01 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1623};
1624
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1625static const unsigned char aes_test_ctr_pt[3][48] = {
1626 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 0x6C, 0x6F, 0x63, 0x6B,
1627 0x20, 0x6D, 0x73, 0x67 },
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1628
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1629 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
1630 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
1631 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1632
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1633 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B,
1634 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1635 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1636};
1637
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1638static const unsigned char aes_test_ctr_ct[3][48] = {
1639 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 0x2D, 0x61, 0x75, 0xA3,
1640 0x26, 0x13, 0x11, 0xB8 },
1641 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 0x79, 0x0D, 0x41,
1642 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA,
1643 0x57, 0xC8, 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1644 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 0xCF, 0x46, 0x52, 0xE9,
1645 0xEF, 0xDB, 0x72, 0xD7, 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1646 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 0x25, 0xB2, 0x07, 0x2F }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1647};
1648
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1649static const int aes_test_ctr_len[3] = { 16, 32, 36 };
1650# endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1651
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1652# if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1653/*
1654 * AES-XTS test vectors from:
1655 *
1656 * IEEE P1619/D16 Annex B
1657 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1658 * (Archived from original at
1659 * http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1660 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1661static const unsigned char aes_test_xts_key[][32] = {
1662 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1663 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1664 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1665 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1666 0x11, 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1667 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1668 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 0xf7, 0xf6, 0xf5,
1669 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1670 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1671};
1672
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1673static const unsigned char aes_test_xts_pt32[][32] = {
1674 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1675 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1676 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1677 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1678 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1679 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1680 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1681 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1682 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1683};
1684
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1685static const unsigned char aes_test_xts_ct32[][32] = {
1686 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, 0x9b, 0x9f, 0xe9,
1687 0xa3, 0xea, 0xdd, 0xa6, 0x92, 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98,
1688 0xed, 0x85, 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1689 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, 0x39, 0x33, 0x40,
1690 0x38, 0xac, 0xef, 0x83, 0x8b, 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80,
1691 0xad, 0xc4, 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1692 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, 0x90, 0x0b, 0x2e,
1693 0xb2, 0x1e, 0xc9, 0x49, 0xd2, 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b,
1694 0x21, 0x53, 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1695};
1696
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1697static const unsigned char aes_test_xts_data_unit[][16] = {
1698 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1699 0x00, 0x00, 0x00, 0x00 },
1700 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1701 0x00, 0x00, 0x00, 0x00 },
1702 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1703 0x00, 0x00, 0x00, 0x00 },
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1704};
1705
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1706# endif /* MBEDTLS_CIPHER_MODE_XTS */
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1707
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1708/*
1709 * Checkup routine
1710 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1711int mbedtls_aes_self_test(int verbose)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1712{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1713 int ret = 0, i, j, u, mode;
1714 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1715 unsigned char key[32];
1716 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1717 const unsigned char *aes_tests;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1718# if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1719 unsigned char iv[16];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1720# endif
1721# if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1722 unsigned char prv[16];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1723# endif
1724# if defined(MBEDTLS_CIPHER_MODE_CTR) || \
1725 defined(MBEDTLS_CIPHER_MODE_CFB) || \
1726 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1727 size_t offset;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1728# endif
1729# if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1730 int len;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1731# endif
1732# if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1733 unsigned char nonce_counter[16];
1734 unsigned char stream_block[16];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1735# endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1736 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1737
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1738 memset(key, 0, 32);
1739 mbedtls_aes_init(&ctx);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1740
1741 /*
1742 * ECB mode
1743 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1744 for (i = 0; i < 6; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1745 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1746 keybits = 128 + u * 64;
1747 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1748
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1749 if (verbose != 0)
1750 mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
1751 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1752
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1753 memset(buf, 0, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1754
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1755 if (mode == MBEDTLS_AES_DECRYPT) {
1756 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1757 aes_tests = aes_test_ecb_dec[u];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1758 } else {
1759 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1760 aes_tests = aes_test_ecb_enc[u];
1761 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1762
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1763 /*
1764 * AES-192 is an optional feature that may be unavailable when
1765 * there is an alternative underlying implementation i.e. when
1766 * MBEDTLS_AES_ALT is defined.
1767 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1768 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1769 mbedtls_printf("skipped\n");
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1770 continue;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1771 } else if (ret != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1772 goto exit;
1773 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1774
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1775 for (j = 0; j < 10000; j++) {
1776 ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
1777 if (ret != 0)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1778 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1779 }
1780
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1781 if (memcmp(buf, aes_tests, 16) != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1782 ret = 1;
1783 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1784 }
1785
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1786 if (verbose != 0)
1787 mbedtls_printf("passed\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788 }
1789
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1790 if (verbose != 0)
1791 mbedtls_printf("\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1792
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1793# if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1794 /*
1795 * CBC mode
1796 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1797 for (i = 0; i < 6; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1799 keybits = 128 + u * 64;
1800 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1801
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1802 if (verbose != 0)
1803 mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
1804 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1805
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1806 memset(iv, 0, 16);
1807 memset(prv, 0, 16);
1808 memset(buf, 0, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1810 if (mode == MBEDTLS_AES_DECRYPT) {
1811 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1812 aes_tests = aes_test_cbc_dec[u];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1813 } else {
1814 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1815 aes_tests = aes_test_cbc_enc[u];
1816 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1818 /*
1819 * AES-192 is an optional feature that may be unavailable when
1820 * there is an alternative underlying implementation i.e. when
1821 * MBEDTLS_AES_ALT is defined.
1822 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1823 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1824 mbedtls_printf("skipped\n");
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1825 continue;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1826 } else if (ret != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1827 goto exit;
1828 }
1829
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1830 for (j = 0; j < 10000; j++) {
1831 if (mode == MBEDTLS_AES_ENCRYPT) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1832 unsigned char tmp[16];
1833
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1834 memcpy(tmp, prv, 16);
1835 memcpy(prv, buf, 16);
1836 memcpy(buf, tmp, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1837 }
1838
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1839 ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
1840 if (ret != 0)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1841 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1842 }
1843
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1844 if (memcmp(buf, aes_tests, 16) != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1845 ret = 1;
1846 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1847 }
1848
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1849 if (verbose != 0)
1850 mbedtls_printf("passed\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1851 }
1852
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1853 if (verbose != 0)
1854 mbedtls_printf("\n");
1855# endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1856
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1857# if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1858 /*
1859 * CFB128 mode
1860 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1861 for (i = 0; i < 6; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1862 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1863 keybits = 128 + u * 64;
1864 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1866 if (verbose != 0)
1867 mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
1868 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1869
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1870 memcpy(iv, aes_test_cfb128_iv, 16);
1871 memcpy(key, aes_test_cfb128_key[u], keybits / 8);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1872
1873 offset = 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1874 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1875 /*
1876 * AES-192 is an optional feature that may be unavailable when
1877 * there is an alternative underlying implementation i.e. when
1878 * MBEDTLS_AES_ALT is defined.
1879 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1880 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1881 mbedtls_printf("skipped\n");
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1882 continue;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1883 } else if (ret != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1884 goto exit;
1885 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1887 if (mode == MBEDTLS_AES_DECRYPT) {
1888 memcpy(buf, aes_test_cfb128_ct[u], 64);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1889 aes_tests = aes_test_cfb128_pt;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1890 } else {
1891 memcpy(buf, aes_test_cfb128_pt, 64);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1892 aes_tests = aes_test_cfb128_ct[u];
1893 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1894
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1895 ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
1896 if (ret != 0)
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1897 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1898
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1899 if (memcmp(buf, aes_tests, 64) != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1900 ret = 1;
1901 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1902 }
1903
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1904 if (verbose != 0)
1905 mbedtls_printf("passed\n");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1906 }
1907
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1908 if (verbose != 0)
1909 mbedtls_printf("\n");
1910# endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1911
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1912# if defined(MBEDTLS_CIPHER_MODE_OFB)
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1913 /*
1914 * OFB mode
1915 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1916 for (i = 0; i < 6; i++) {
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1917 u = i >> 1;
1918 keybits = 128 + u * 64;
1919 mode = i & 1;
1920
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1921 if (verbose != 0)
1922 mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
1923 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1924
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1925 memcpy(iv, aes_test_ofb_iv, 16);
1926 memcpy(key, aes_test_ofb_key[u], keybits / 8);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1927
1928 offset = 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1929 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1930 /*
1931 * AES-192 is an optional feature that may be unavailable when
1932 * there is an alternative underlying implementation i.e. when
1933 * MBEDTLS_AES_ALT is defined.
1934 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1935 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1936 mbedtls_printf("skipped\n");
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1937 continue;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1938 } else if (ret != 0) {
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1939 goto exit;
1940 }
1941
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1942 if (mode == MBEDTLS_AES_DECRYPT) {
1943 memcpy(buf, aes_test_ofb_ct[u], 64);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1944 aes_tests = aes_test_ofb_pt;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1945 } else {
1946 memcpy(buf, aes_test_ofb_pt, 64);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1947 aes_tests = aes_test_ofb_ct[u];
1948 }
1949
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1950 ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
1951 if (ret != 0)
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1952 goto exit;
1953
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1954 if (memcmp(buf, aes_tests, 64) != 0) {
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1955 ret = 1;
1956 goto exit;
1957 }
1958
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1959 if (verbose != 0)
1960 mbedtls_printf("passed\n");
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1961 }
1962
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1963 if (verbose != 0)
1964 mbedtls_printf("\n");
1965# endif /* MBEDTLS_CIPHER_MODE_OFB */
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1966
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1967# if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1968 /*
1969 * CTR mode
1970 */
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1971 for (i = 0; i < 6; i++) {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1972 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1973 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1974
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1975 if (verbose != 0)
1976 mbedtls_printf(" AES-CTR-128 (%s): ",
1977 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1978
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1979 memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
1980 memcpy(key, aes_test_ctr_key[u], 16);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1981
1982 offset = 0;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1983 if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0)
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1984 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1985
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1986 len = aes_test_ctr_len[u];
1987
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1988 if (mode == MBEDTLS_AES_DECRYPT) {
1989 memcpy(buf, aes_test_ctr_ct[u], len);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1990 aes_tests = aes_test_ctr_pt[u];
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1991 } else {
1992 memcpy(buf, aes_test_ctr_pt[u], len);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1993 aes_tests = aes_test_ctr_ct[u];
1994 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1995
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]1996 ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
1997 stream_block, buf, buf);
1998 if (ret != 0)
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1999 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2000
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2001 if (memcmp(buf, aes_tests, len) != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2002 ret = 1;
2003 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2004 }
2005
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2006 if (verbose != 0)
2007 mbedtls_printf("passed\n");
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2008 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2010 if (verbose != 0)
2011 mbedtls_printf("\n");
2012# endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2013
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2014# if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2015 {
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2016 static const int num_tests =
2017 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2018 mbedtls_aes_xts_context ctx_xts;
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2019
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2020 /*
2021 * XTS mode
2022 */
2023 mbedtls_aes_xts_init(&ctx_xts);
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2024
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2025 for (i = 0; i < num_tests << 1; i++) {
2026 const unsigned char *data_unit;
2027 u = i >> 1;
2028 mode = i & 1;
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2029
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2030 if (verbose != 0)
2031 mbedtls_printf(" AES-XTS-128 (%s): ",
2032 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2033
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2034 memset(key, 0, sizeof(key));
2035 memcpy(key, aes_test_xts_key[u], 32);
2036 data_unit = aes_test_xts_data_unit[u];
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2037
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2038 len = sizeof(*aes_test_xts_ct32);
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2039
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2040 if (mode == MBEDTLS_AES_DECRYPT) {
2041 ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
2042 if (ret != 0)
2043 goto exit;
2044 memcpy(buf, aes_test_xts_ct32[u], len);
2045 aes_tests = aes_test_xts_pt32[u];
2046 } else {
2047 ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
2048 if (ret != 0)
2049 goto exit;
2050 memcpy(buf, aes_test_xts_pt32[u], len);
2051 aes_tests = aes_test_xts_ct32[u];
2052 }
2053
2054 ret =
2055 mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit, buf, buf);
2056 if (ret != 0)
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2057 goto exit;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2058
2059 if (memcmp(buf, aes_tests, len) != 0) {
2060 ret = 1;
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2061 goto exit;
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2062 }
2063
2064 if (verbose != 0)
2065 mbedtls_printf("passed\n");
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2066 }
2067
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2068 if (verbose != 0)
2069 mbedtls_printf("\n");
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2070
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2071 mbedtls_aes_xts_free(&ctx_xts);
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2072 }
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2073# endif /* MBEDTLS_CIPHER_MODE_XTS */
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2074
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2075 ret = 0;
2076
2077exit:
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2078 if (ret != 0 && verbose != 0)
2079 mbedtls_printf("failed\n");
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2080
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2081 mbedtls_aes_free(&ctx);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2082
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2083 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2084}
2085
Mateusz Starzykc0eabdc2021-08-03 14:09:02 +0200[diff] [blame^]2086# endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2087
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2088#endif /* MBEDTLS_AES_C */