TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 172836a28153b0d72a6a38c1463b7111ab9f2398 / . / library / aes.c
blob: 4dacd6417b7a49107c7cbd186f1b7ac29733c6da [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]88/*
89 * Data structure for AES round data
90 */
91typedef struct _aes_r_data_s {
92 uint32_t *rk_ptr; /* Round Key */
93 uint32_t xy_values[8]; /* X0, X1, X2, X3, Y0, U1, Y2, Y3 */
94} aes_r_data_t;
95
96#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
97/* Number of additional AES calculation rounds added for SCA CM */
98#define AES_SCA_CM_ROUNDS 3
99#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
100#define AES_SCA_CM_ROUNDS 0
101#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]103#if defined(MBEDTLS_PADLOCK_C) && \
104 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]105static int aes_padlock_ace = -1;
106#endif
107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]108#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109/*
110 * Forward S-box
111 */
112static const unsigned char FSb[256] =
113{
114 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
115 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
116 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
117 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
118 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
119 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
120 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
121 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
122 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
123 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
124 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
125 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
126 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
127 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
128 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
129 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
130 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
131 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
132 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
133 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
134 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
135 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
136 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
137 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
138 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
139 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
140 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
141 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
142 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
143 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
144 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
145 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
146};
147
148/*
149 * Forward tables
150 */
151#define FT \
152\
153 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
154 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
155 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
156 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
157 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
158 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
159 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
160 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
161 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
162 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
163 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
164 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
165 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
166 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
167 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
168 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
169 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
170 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
171 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
172 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
173 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
174 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
175 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
176 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
177 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
178 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
179 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
180 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
181 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
182 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
183 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
184 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
185 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
186 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
187 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
188 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
189 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
190 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
191 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
192 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
193 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
194 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
195 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
196 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
197 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
198 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
199 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
200 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
201 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
202 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
203 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
204 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
205 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
206 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
207 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
208 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
209 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
210 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
211 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
212 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
213 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
214 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
215 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
216 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
217
218#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef V
221
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]222#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]225static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226#undef V
227
228#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
232#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]233static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#undef V
235
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]236#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]237
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238#undef FT
239
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]240#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]241/*
242 * Reverse S-box
243 */
244static const unsigned char RSb[256] =
245{
246 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
247 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
248 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
249 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
250 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
251 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
252 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
253 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
254 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
255 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
256 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
257 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
258 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
259 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
260 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
261 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
262 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
263 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
264 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
265 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
266 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
267 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
268 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
269 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
270 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
271 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
272 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
273 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
274 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
275 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
276 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
277 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
278};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]279#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280
281/*
282 * Reverse tables
283 */
284#define RT \
285\
286 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
287 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
288 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
289 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
290 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
291 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
292 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
293 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
294 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
295 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
296 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
297 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
298 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
299 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
300 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
301 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
302 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
303 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
304 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
305 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
306 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
307 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
308 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
309 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
310 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
311 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
312 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
313 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
314 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
315 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
316 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
317 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
318 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
319 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
320 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
321 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
322 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
323 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
324 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
325 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
326 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
327 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
328 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
329 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
330 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
331 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
332 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
333 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
334 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
335 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
336 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
337 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
338 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
339 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
340 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
341 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
342 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
343 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
344 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
345 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
346 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
347 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
348 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
349 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
350
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]351#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]352#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef V
355
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]356#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360#undef V
361
362#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364#undef V
365
366#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]367static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368#undef V
369
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]371#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]372
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373#undef RT
374
375/*
376 * Round constants
377 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379{
380 0x00000001, 0x00000002, 0x00000004, 0x00000008,
381 0x00000010, 0x00000020, 0x00000040, 0x00000080,
382 0x0000001B, 0x00000036
383};
384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]385#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387/*
388 * Forward S-box & tables
389 */
390static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]391static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]392#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]393static uint32_t FT1[256];
394static uint32_t FT2[256];
395static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]396#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397
398/*
399 * Reverse S-box & tables
400 */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]401#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]403static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]404#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]405static uint32_t RT1[256];
406static uint32_t RT2[256];
407static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]408#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]409#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]410
411/*
412 * Round constants
413 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]414static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415
416/*
417 * Tables generation code
418 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]419#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
420#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]421#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]422
423static int aes_init_done = 0;
424
425static void aes_gen_tables( void )
426{
427 int i, x, y, z;
428 int pow[256];
429 int log[256];
430
431 /*
432 * compute pow and log tables over GF(2^8)
433 */
434 for( i = 0, x = 1; i < 256; i++ )
435 {
436 pow[i] = x;
437 log[x] = i;
438 x = ( x ^ XTIME( x ) ) & 0xFF;
439 }
440
441 /*
442 * calculate the round constants
443 */
444 for( i = 0, x = 1; i < 10; i++ )
445 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]446 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 x = XTIME( x ) & 0xFF;
448 }
449
450 /*
451 * generate the forward and reverse S-boxes
452 */
453 FSb[0x00] = 0x63;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]454#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 RSb[0x63] = 0x00;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]456#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
458 for( i = 1; i < 256; i++ )
459 {
460 x = pow[255 - log[i]];
461
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]462 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
463 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
464 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 x ^= y ^ 0x63;
467
468 FSb[i] = (unsigned char) x;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]469#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RSb[x] = (unsigned char) i;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]471#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]494#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]495 x = RSb[i];
496
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]497 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
498 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
499 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
500 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]502#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]503 RT1[i] = ROTL8( RT0[i] );
504 RT2[i] = ROTL8( RT1[i] );
505 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]506#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]507#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 }
509}
510
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]511#undef ROTL8
512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]515/**
516 * Randomize positions when to use AES SCA countermeasures.
517 * Each byte indicates one AES round as follows:
518 * first ( tbl_len - 2 ) bytes are reserved for AES rounds
519 * -4 high bit = table to use 0x10 for SCA CM data, 0 otherwise
520 * -4 low bits = offset based on order, 4 for even position, 0 otherwise
521 * Last 2 bytes for first/final round calculation
522 * -4 high bit = table to use, 0x10 for SCA CM data, otherwise real data
523 * -4 low bits = not used
524 *
525 */
526static void aes_sca_cm_data_randomize( uint8_t *tbl, uint8_t tbl_len )
527{
528 int i, is_even_pos;
529#if AES_SCA_CM_ROUNDS != 0
530 int is_unique_number;
531 int num;
532#endif
533
534 memset( tbl, 0, tbl_len );
535
536#if AES_SCA_CM_ROUNDS != 0
537 // Randomize SCA CM positions to tbl
538 for ( i = 0; i < AES_SCA_CM_ROUNDS; i++ )
539 {
540 do {
541 is_unique_number = 1;
542/* TODO - Use proper random. This is now ONLY FOR TESTING as mbedtls_platform_random_in_range is alwyays returning 0 */
543 num = /* mbedtls_platform_random_in_range( tbl_len - 1 ) */rand() % (tbl_len - 2);
544
545 if ( tbl[num] == 0 )
546 {
547 is_unique_number = 0;
548 tbl[num] = 0x10;
549 }
550 } while ( is_unique_number == 1 );
551 }
552
553 // Fill start/final round control data
554 if ( AES_SCA_CM_ROUNDS != 0 )
555 {
556 num = /* mbedtls_platform_random_in_range( tbl_len - 1 ) */rand() % 0xff;
557 if ( ( num % 2 ) == 0 )
558 {
559 tbl[tbl_len - 2] = 0x10;
560 tbl[tbl_len - 1] = 0x0;
561 }
562 else
563 {
564 tbl[tbl_len - 2] = 0x00;
565 tbl[tbl_len - 1] = 0x10;
566 }
567 }
568#endif /* AES_SCA_CM_ROUNDS != 0 */
569
570 // Fill real AES round data to the remaining places
571 is_even_pos = 1;
572 for ( i = 0; i < tbl_len - 2; i++ )
573 {
574 if ( tbl[i] == 0 )
575 {
576 if ( is_even_pos == 1 )
577 {
578 tbl[i] = 0x04; // real data, offset 0
579 is_even_pos = 0;
580 }
581 else
582 {
583 tbl[i] = 0x00; // real data, offset 0
584 is_even_pos = 1;
585 }
586 }
587 }
588}
589
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]590#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]591
592#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
593#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
594#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
595
596#define AES_RT0(idx) RT0[idx]
597#define AES_RT1(idx) ROTL8( RT0[idx] )
598#define AES_RT2(idx) ROTL16( RT0[idx] )
599#define AES_RT3(idx) ROTL24( RT0[idx] )
600
601#define AES_FT0(idx) FT0[idx]
602#define AES_FT1(idx) ROTL8( FT0[idx] )
603#define AES_FT2(idx) ROTL16( FT0[idx] )
604#define AES_FT3(idx) ROTL24( FT0[idx] )
605
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]606#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]607
608#define AES_RT0(idx) RT0[idx]
609#define AES_RT1(idx) RT1[idx]
610#define AES_RT2(idx) RT2[idx]
611#define AES_RT3(idx) RT3[idx]
612
613#define AES_FT0(idx) FT0[idx]
614#define AES_FT1(idx) FT1[idx]
615#define AES_FT2(idx) FT2[idx]
616#define AES_FT3(idx) FT3[idx]
617
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]618#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]619
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]620void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]621{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]622 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]623
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]624 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]625}
626
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]627void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]628{
629 if( ctx == NULL )
630 return;
631
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]632 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]633}
634
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]635#if defined(MBEDTLS_CIPHER_MODE_XTS)
636void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
637{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]638 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]639
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]640 mbedtls_aes_init( &ctx->crypt );
641 mbedtls_aes_init( &ctx->tweak );
642}
643
644void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
645{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]646 if( ctx == NULL )
647 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]648
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]649 mbedtls_aes_free( &ctx->crypt );
650 mbedtls_aes_free( &ctx->tweak );
651}
652#endif /* MBEDTLS_CIPHER_MODE_XTS */
653
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]654/*
655 * AES key schedule (encryption)
656 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]657#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]658int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]659 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]661 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]662 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]664 AES_VALIDATE_RET( ctx != NULL );
665 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]667 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668 {
669 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]670#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671 case 192: ctx->nr = 12; break;
672 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]673#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]674 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675 }
676
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]677#if !defined(MBEDTLS_AES_ROM_TABLES)
678 if( aes_init_done == 0 )
679 {
680 aes_gen_tables();
681 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]682 }
683#endif
684
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688
689 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]691 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]693 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]695#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]696 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]697 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]698#endif
699
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]700 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]702 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]703 }
704
705 switch( ctx->nr )
706 {
707 case 10:
708
709 for( i = 0; i < 10; i++, RK += 4 )
710 {
711 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]712 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
713 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
714 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
715 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716
717 RK[5] = RK[1] ^ RK[4];
718 RK[6] = RK[2] ^ RK[5];
719 RK[7] = RK[3] ^ RK[6];
720 }
721 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]722#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]723 case 12:
724
725 for( i = 0; i < 8; i++, RK += 6 )
726 {
727 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]728 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
729 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
730 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
731 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732
733 RK[7] = RK[1] ^ RK[6];
734 RK[8] = RK[2] ^ RK[7];
735 RK[9] = RK[3] ^ RK[8];
736 RK[10] = RK[4] ^ RK[9];
737 RK[11] = RK[5] ^ RK[10];
738 }
739 break;
740
741 case 14:
742
743 for( i = 0; i < 7; i++, RK += 8 )
744 {
745 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]746 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
747 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
748 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
749 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750
751 RK[9] = RK[1] ^ RK[8];
752 RK[10] = RK[2] ^ RK[9];
753 RK[11] = RK[3] ^ RK[10];
754
755 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]756 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
757 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
758 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
759 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760
761 RK[13] = RK[5] ^ RK[12];
762 RK[14] = RK[6] ^ RK[13];
763 RK[15] = RK[7] ^ RK[14];
764 }
765 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]766#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]767 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]768
769 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]770}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]771#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]772
773/*
774 * AES key schedule (decryption)
775 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]776#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]777int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]778 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]779{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]780#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
781 (void) ctx;
782 (void) key;
783 (void) keybits;
784
785 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
786#else /* */
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]787 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]788 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]789 uint32_t *RK;
790 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]791
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]792 AES_VALIDATE_RET( ctx != NULL );
793 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]794
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]795 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]796
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]797#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]798 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]799 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]800
801 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]802 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]803 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]805 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]807 /* Also checks keybits */
808 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]809 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]810
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]811 ctx->nr = cty.nr;
812
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]813#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]814 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]815 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]816 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]817 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]818 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]819 }
820#endif
821
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]822 SK = cty.rk + cty.nr * 4;
823
824 *RK++ = *SK++;
825 *RK++ = *SK++;
826 *RK++ = *SK++;
827 *RK++ = *SK++;
828
829 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
830 {
831 for( j = 0; j < 4; j++, SK++ )
832 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]833 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
834 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
835 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
836 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]837 }
838 }
839
840 *RK++ = *SK++;
841 *RK++ = *SK++;
842 *RK++ = *SK++;
843 *RK++ = *SK++;
844
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]845exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]846 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]847
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]848 return( ret );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]849#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]850}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]851
852#if defined(MBEDTLS_CIPHER_MODE_XTS)
853static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
854 unsigned int keybits,
855 const unsigned char **key1,
856 unsigned int *key1bits,
857 const unsigned char **key2,
858 unsigned int *key2bits )
859{
860 const unsigned int half_keybits = keybits / 2;
861 const unsigned int half_keybytes = half_keybits / 8;
862
863 switch( keybits )
864 {
865 case 256: break;
866 case 512: break;
867 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
868 }
869
870 *key1bits = half_keybits;
871 *key2bits = half_keybits;
872 *key1 = &key[0];
873 *key2 = &key[half_keybytes];
874
875 return 0;
876}
877
878int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
879 const unsigned char *key,
880 unsigned int keybits)
881{
882 int ret;
883 const unsigned char *key1, *key2;
884 unsigned int key1bits, key2bits;
885
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]886 AES_VALIDATE_RET( ctx != NULL );
887 AES_VALIDATE_RET( key != NULL );
888
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]889 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
890 &key2, &key2bits );
891 if( ret != 0 )
892 return( ret );
893
894 /* Set the tweak key. Always set tweak key for the encryption mode. */
895 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
896 if( ret != 0 )
897 return( ret );
898
899 /* Set crypt key for encryption. */
900 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
901}
902
903int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
904 const unsigned char *key,
905 unsigned int keybits)
906{
907 int ret;
908 const unsigned char *key1, *key2;
909 unsigned int key1bits, key2bits;
910
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]911 AES_VALIDATE_RET( ctx != NULL );
912 AES_VALIDATE_RET( key != NULL );
913
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]914 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
915 &key2, &key2bits );
916 if( ret != 0 )
917 return( ret );
918
919 /* Set the tweak key. Always set tweak key for encryption. */
920 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
921 if( ret != 0 )
922 return( ret );
923
924 /* Set crypt key for decryption. */
925 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
926}
927#endif /* MBEDTLS_CIPHER_MODE_XTS */
928
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]929#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]930
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]931#define AES_FROUND(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
932 do \
933 { \
934 (X0) = *(R)++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
935 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
936 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
937 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
938 \
939 (X1) = *(R)++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
940 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
941 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
942 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
943 \
944 (X2) = *(R)++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
945 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
946 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
947 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
948 \
949 (X3) = *(R)++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
950 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
951 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
952 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]953 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]954
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]955#define AES_FROUND_F(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
956 do { \
957 (X0) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y0) ) & 0xFF ] ) ^ \
958 ( (uint32_t) FSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^ \
959 ( (uint32_t) FSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^ \
960 ( (uint32_t) FSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 ); \
961 \
962 (X1) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y1) ) & 0xFF ] ) ^ \
963 ( (uint32_t) FSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^ \
964 ( (uint32_t) FSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^ \
965 ( (uint32_t) FSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 ); \
966 \
967 (X2) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y2) ) & 0xFF ] ) ^ \
968 ( (uint32_t) FSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^ \
969 ( (uint32_t) FSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^ \
970 ( (uint32_t) FSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 ); \
971 \
972 (X3) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y3) ) & 0xFF ] ) ^ \
973 ( (uint32_t) FSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^ \
974 ( (uint32_t) FSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^ \
975 ( (uint32_t) FSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 ); \
976 } while ( 0 )
977
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]978
979#define AES_RROUND(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
980 do \
981 { \
982 (X0) = *(R)++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
983 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
984 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
985 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
986 \
987 (X1) = *(R)++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
988 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
989 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
990 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
991 \
992 (X2) = *(R)++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
993 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
994 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
995 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
996 \
997 (X3) = *(R)++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
998 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
999 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
1000 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1001 } while( 0 )
1002
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1003#define AES_RROUND_F(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
1004 do \
1005 { \
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1006 (X0) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y0) ) & 0xFF ] ) ^ \
1007 ( (uint32_t) RSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^ \
1008 ( (uint32_t) RSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^ \
1009 ( (uint32_t) RSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 ); \
1010 \
1011 (X1) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y1) ) & 0xFF ] ) ^ \
1012 ( (uint32_t) RSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^ \
1013 ( (uint32_t) RSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^ \
1014 ( (uint32_t) RSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 ); \
1015 \
1016 (X2) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y2) ) & 0xFF ] ) ^ \
1017 ( (uint32_t) RSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^ \
1018 ( (uint32_t) RSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^ \
1019 ( (uint32_t) RSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 ); \
1020 \
1021 (X3) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y3) ) & 0xFF ] ) ^ \
1022 ( (uint32_t) RSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^ \
1023 ( (uint32_t) RSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^ \
1024 ( (uint32_t) RSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 ); \
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]1025 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1026
1027/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1028 * AES-ECB block encryption
1029 */
1030#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1031int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
1032 const unsigned char input[16],
1033 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1034{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1035 int i, j, offset, start_fin_loops = 1;
1036 aes_r_data_t aes_data_real; // real data
1037#if AES_SCA_CM_ROUNDS != 0
1038 aes_r_data_t aes_data_fake; // fake data
1039#endif /* AES_SCA_CM_ROUNDS != 0 */
1040 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
1041 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
1042 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2;
1043 // control bytes for AES rounds, reserve based on max ctx->nr
1044 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 ];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1045
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1046 aes_data_real.rk_ptr = ctx->rk;
1047 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1048
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1049#if AES_SCA_CM_ROUNDS != 0
1050 aes_data_table[1] = &aes_data_fake;
1051 aes_data_fake.rk_ptr = ctx->rk;
1052 start_fin_loops = 2;
1053 for (i = 0; i < 4; i++ )
1054 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1055#endif
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1056
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1057 // Get randomized AES calculation control bytes
1058 aes_sca_cm_data_randomize( round_ctrl_table, round_ctrl_table_len );
1059
1060 for (i = 0; i < 4; i++ )
1061 {
1062 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
1063 for (j = 0; j < start_fin_loops; j++ )
1064 {
1065 aes_data_ptr = aes_data_table[round_ctrl_table[ round_ctrl_table_len - 2 + j ] >> 4];
1066 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
1067 }
1068 }
1069
1070 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
1071 {
1072 // Read AES control data
1073 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1074 offset = round_ctrl_table[i] & 0x0f;
1075
1076 AES_FROUND( aes_data_ptr->rk_ptr,
1077 aes_data_ptr->xy_values[0 + offset],
1078 aes_data_ptr->xy_values[1 + offset],
1079 aes_data_ptr->xy_values[2 + offset],
1080 aes_data_ptr->xy_values[3 + offset],
1081 aes_data_ptr->xy_values[4 - offset],
1082 aes_data_ptr->xy_values[5 - offset],
1083 aes_data_ptr->xy_values[6 - offset],
1084 aes_data_ptr->xy_values[7 - offset] );
1085 }
1086
1087 for ( j = 0; j < start_fin_loops; j++ )
1088 {
1089 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
1090 AES_FROUND_F( aes_data_ptr->rk_ptr,
1091 aes_data_ptr->xy_values[0],
1092 aes_data_ptr->xy_values[1],
1093 aes_data_ptr->xy_values[2],
1094 aes_data_ptr->xy_values[3],
1095 aes_data_ptr->xy_values[4],
1096 aes_data_ptr->xy_values[5],
1097 aes_data_ptr->xy_values[6],
1098 aes_data_ptr->xy_values[7] );
1099 }
1100
1101 for ( i = 0; i < 4; i++ )
1102 {
1103 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
1104 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1105
1106 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1107}
1108#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
1109
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1110#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1111void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
1112 const unsigned char input[16],
1113 unsigned char output[16] )
1114{
1115 mbedtls_internal_aes_encrypt( ctx, input, output );
1116}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1117#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1118
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1119/*
1120 * AES-ECB block decryption
1121 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1122
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1123#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1124#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1125int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
1126 const unsigned char input[16],
1127 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1128{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1129 int i, j, offset, start_fin_loops = 1;
1130 aes_r_data_t aes_data_real; // real data
1131#if AES_SCA_CM_ROUNDS != 0
1132 aes_r_data_t aes_data_fake; // fake data
1133#endif /* AES_SCA_CM_ROUNDS != 0 */
1134 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
1135 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
1136 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2;
1137 // control bytes for AES rounds, reserve based on max ctx->nr
1138 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 ];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1139
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1140 aes_data_real.rk_ptr = ctx->rk;
1141 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1142
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1143#if AES_SCA_CM_ROUNDS != 0
1144 aes_data_table[1] = &aes_data_fake;
1145 aes_data_fake.rk_ptr = ctx->rk;
1146 start_fin_loops = 2;
1147 for (i = 0; i < 4; i++ )
1148 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
1149#endif
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1150
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1151 // Get randomized AES calculation control bytes
1152 aes_sca_cm_data_randomize( round_ctrl_table, round_ctrl_table_len );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1153
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1154 for (i = 0; i < 4; i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1155 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1156 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
1157 for (j = 0; j < start_fin_loops; j++ )
1158 {
1159 aes_data_ptr = aes_data_table[round_ctrl_table[ round_ctrl_table_len - 2 + j ] >> 4];
1160 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
1161 }
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1162 }
1163
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1164 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1165 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1166 // Read AES control data
1167 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1168 offset = round_ctrl_table[i] & 0x0f;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1169
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1170 AES_RROUND( aes_data_ptr->rk_ptr,
1171 aes_data_ptr->xy_values[0 + offset],
1172 aes_data_ptr->xy_values[1 + offset],
1173 aes_data_ptr->xy_values[2 + offset],
1174 aes_data_ptr->xy_values[3 + offset],
1175 aes_data_ptr->xy_values[4 - offset],
1176 aes_data_ptr->xy_values[5 - offset],
1177 aes_data_ptr->xy_values[6 - offset],
1178 aes_data_ptr->xy_values[7 - offset] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1179 }
1180
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1181 for ( j = 0; j < start_fin_loops; j++ )
1182 {
1183 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
1184 AES_RROUND_F( aes_data_ptr->rk_ptr,
1185 aes_data_ptr->xy_values[0],
1186 aes_data_ptr->xy_values[1],
1187 aes_data_ptr->xy_values[2],
1188 aes_data_ptr->xy_values[3],
1189 aes_data_ptr->xy_values[4],
1190 aes_data_ptr->xy_values[5],
1191 aes_data_ptr->xy_values[6],
1192 aes_data_ptr->xy_values[7] );
1193 }
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1194
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame^]1195 for ( i = 0; i < 4; i++ )
1196 {
1197 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
1198 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1199
1200 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1201}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1202#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1203#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1204
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1205#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1206void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1207 const unsigned char input[16],
1208 unsigned char output[16] )
1209{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1210#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1211 (void) ctx;
1212 (void) input;
1213 (void) output;
1214#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1215 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1216#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1217}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1218#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1219
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1220/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1221 * AES-ECB block encryption/decryption
1222 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1223int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1224 int mode,
1225 const unsigned char input[16],
1226 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1227{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1228 AES_VALIDATE_RET( ctx != NULL );
1229 AES_VALIDATE_RET( input != NULL );
1230 AES_VALIDATE_RET( output != NULL );
1231 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1232 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1233 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1234
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1235#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1236 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1237 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1238#endif
1239
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1240#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1241 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1242 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1243 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1244 return( 0 );
1245
1246 // If padlock data misaligned, we just fall back to
1247 // unaccelerated mode
1248 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1249 }
1250#endif
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1251#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1252 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1253#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1254
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1255 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1256 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1257 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1258 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1259#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1260}
1261
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1262#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1263/*
1264 * AES-CBC buffer encryption/decryption
1265 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1266int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1267 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1268 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1270 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1271 unsigned char *output )
1272{
1273 int i;
1274 unsigned char temp[16];
1275
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1276 AES_VALIDATE_RET( ctx != NULL );
1277 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1278 mode == MBEDTLS_AES_DECRYPT );
1279 AES_VALIDATE_RET( iv != NULL );
1280 AES_VALIDATE_RET( input != NULL );
1281 AES_VALIDATE_RET( output != NULL );
1282
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1283 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1284 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1285
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1286#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1287 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1288 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1289 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1290 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1291
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1292 // If padlock data misaligned, we just fall back to
1293 // unaccelerated mode
1294 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1295 }
1296#endif
1297
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1298 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1299 {
1300 while( length > 0 )
1301 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1302 mbedtls_platform_memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1303 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304
1305 for( i = 0; i < 16; i++ )
1306 output[i] = (unsigned char)( output[i] ^ iv[i] );
1307
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1308 mbedtls_platform_memcpy( iv, temp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1309
1310 input += 16;
1311 output += 16;
1312 length -= 16;
1313 }
1314 }
1315 else
1316 {
1317 while( length > 0 )
1318 {
1319 for( i = 0; i < 16; i++ )
1320 output[i] = (unsigned char)( input[i] ^ iv[i] );
1321
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1322 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1323 mbedtls_platform_memcpy( iv, output, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1324
1325 input += 16;
1326 output += 16;
1327 length -= 16;
1328 }
1329 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1330
1331 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1333#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1334
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1335#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1336
1337/* Endianess with 64 bits values */
1338#ifndef GET_UINT64_LE
1339#define GET_UINT64_LE(n,b,i) \
1340{ \
1341 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1342 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1343 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1344 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1345 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1346 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1347 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1348 | ( (uint64_t) (b)[(i) ] ); \
1349}
1350#endif
1351
1352#ifndef PUT_UINT64_LE
1353#define PUT_UINT64_LE(n,b,i) \
1354{ \
1355 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1356 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1357 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1358 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1359 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1360 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1361 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1362 (b)[(i) ] = (unsigned char) ( (n) ); \
1363}
1364#endif
1365
1366typedef unsigned char mbedtls_be128[16];
1367
1368/*
1369 * GF(2^128) multiplication function
1370 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1371 * This function multiplies a field element by x in the polynomial field
1372 * representation. It uses 64-bit word operations to gain speed but compensates
1373 * for machine endianess and hence works correctly on both big and little
1374 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1375 */
1376static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1377 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1378{
1379 uint64_t a, b, ra, rb;
1380
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1381 GET_UINT64_LE( a, x, 0 );
1382 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1383
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1384 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1385 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1386
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1387 PUT_UINT64_LE( ra, r, 0 );
1388 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1389}
1390
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1391/*
1392 * AES-XTS buffer encryption/decryption
1393 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1394int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1395 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1396 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1397 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1398 const unsigned char *input,
1399 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1400{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1401 int ret;
1402 size_t blocks = length / 16;
1403 size_t leftover = length % 16;
1404 unsigned char tweak[16];
1405 unsigned char prev_tweak[16];
1406 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1407
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1408 AES_VALIDATE_RET( ctx != NULL );
1409 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1410 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1411 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1412 AES_VALIDATE_RET( input != NULL );
1413 AES_VALIDATE_RET( output != NULL );
1414
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1415 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1416 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1417 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1418
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1419 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1420 if( length > ( 1 << 20 ) * 16 )
1421 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1422
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1423 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1424 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1425 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1426 if( ret != 0 )
1427 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1428
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1429 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1430 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1431 size_t i;
1432
1433 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1434 {
1435 /* We are on the last block in a decrypt operation that has
1436 * leftover bytes, so we need to use the next tweak for this block,
1437 * and this tweak for the lefover bytes. Save the current tweak for
1438 * the leftovers and then update the current tweak for use on this,
1439 * the last full block. */
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1440 mbedtls_platform_memcpy( prev_tweak, tweak, sizeof( tweak ) );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1441 mbedtls_gf128mul_x_ble( tweak, tweak );
1442 }
1443
1444 for( i = 0; i < 16; i++ )
1445 tmp[i] = input[i] ^ tweak[i];
1446
1447 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1448 if( ret != 0 )
1449 return( ret );
1450
1451 for( i = 0; i < 16; i++ )
1452 output[i] = tmp[i] ^ tweak[i];
1453
1454 /* Update the tweak for the next block. */
1455 mbedtls_gf128mul_x_ble( tweak, tweak );
1456
1457 output += 16;
1458 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1459 }
1460
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1461 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1462 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1463 /* If we are on the leftover bytes in a decrypt operation, we need to
1464 * use the previous tweak for these bytes (as saved in prev_tweak). */
1465 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1466
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1467 /* We are now on the final part of the data unit, which doesn't divide
1468 * evenly by 16. It's time for ciphertext stealing. */
1469 size_t i;
1470 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1471
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1472 /* Copy ciphertext bytes from the previous block to our output for each
1473 * byte of cyphertext we won't steal. At the same time, copy the
1474 * remainder of the input for this final round (since the loop bounds
1475 * are the same). */
1476 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1477 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1478 output[i] = prev_output[i];
1479 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1480 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1481
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1482 /* Copy ciphertext bytes from the previous block for input in this
1483 * round. */
1484 for( ; i < 16; i++ )
1485 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1486
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1487 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1488 if( ret != 0 )
1489 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1490
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1491 /* Write the result back to the previous block, overriding the previous
1492 * output we copied. */
1493 for( i = 0; i < 16; i++ )
1494 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1495 }
1496
1497 return( 0 );
1498}
1499#endif /* MBEDTLS_CIPHER_MODE_XTS */
1500
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1501#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1502/*
1503 * AES-CFB128 buffer encryption/decryption
1504 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1505int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1506 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1507 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1508 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1509 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1510 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1511 unsigned char *output )
1512{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1513 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1514 size_t n;
1515
1516 AES_VALIDATE_RET( ctx != NULL );
1517 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1518 mode == MBEDTLS_AES_DECRYPT );
1519 AES_VALIDATE_RET( iv_off != NULL );
1520 AES_VALIDATE_RET( iv != NULL );
1521 AES_VALIDATE_RET( input != NULL );
1522 AES_VALIDATE_RET( output != NULL );
1523
1524 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1525
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1526 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1527 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1528
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1529 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1530 {
1531 while( length-- )
1532 {
1533 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1534 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1535
1536 c = *input++;
1537 *output++ = (unsigned char)( c ^ iv[n] );
1538 iv[n] = (unsigned char) c;
1539
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1540 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1541 }
1542 }
1543 else
1544 {
1545 while( length-- )
1546 {
1547 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1548 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1549
1550 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1551
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1552 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1553 }
1554 }
1555
1556 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1557
1558 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1559}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1560
1561/*
1562 * AES-CFB8 buffer encryption/decryption
1563 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1564int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1565 int mode,
1566 size_t length,
1567 unsigned char iv[16],
1568 const unsigned char *input,
1569 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1570{
1571 unsigned char c;
1572 unsigned char ov[17];
1573
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1574 AES_VALIDATE_RET( ctx != NULL );
1575 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1576 mode == MBEDTLS_AES_DECRYPT );
1577 AES_VALIDATE_RET( iv != NULL );
1578 AES_VALIDATE_RET( input != NULL );
1579 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1580 while( length-- )
1581 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1582 mbedtls_platform_memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1583 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1584
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1585 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1586 ov[16] = *input;
1587
1588 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1589
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1590 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1591 ov[16] = c;
1592
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1593 mbedtls_platform_memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1594 }
1595
1596 return( 0 );
1597}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1598#endif /* MBEDTLS_CIPHER_MODE_CFB */
1599
1600#if defined(MBEDTLS_CIPHER_MODE_OFB)
1601/*
1602 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1603 */
1604int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1605 size_t length,
1606 size_t *iv_off,
1607 unsigned char iv[16],
1608 const unsigned char *input,
1609 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1610{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1611 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1612 size_t n;
1613
1614 AES_VALIDATE_RET( ctx != NULL );
1615 AES_VALIDATE_RET( iv_off != NULL );
1616 AES_VALIDATE_RET( iv != NULL );
1617 AES_VALIDATE_RET( input != NULL );
1618 AES_VALIDATE_RET( output != NULL );
1619
1620 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1621
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1622 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1623 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1624
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1625 while( length-- )
1626 {
1627 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1628 {
1629 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1630 if( ret != 0 )
1631 goto exit;
1632 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1633 *output++ = *input++ ^ iv[n];
1634
1635 n = ( n + 1 ) & 0x0F;
1636 }
1637
1638 *iv_off = n;
1639
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1640exit:
1641 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1642}
1643#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1644
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1645#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1646/*
1647 * AES-CTR buffer encryption/decryption
1648 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1649int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1650 size_t length,
1651 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1652 unsigned char nonce_counter[16],
1653 unsigned char stream_block[16],
1654 const unsigned char *input,
1655 unsigned char *output )
1656{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1657 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1658 size_t n;
1659
1660 AES_VALIDATE_RET( ctx != NULL );
1661 AES_VALIDATE_RET( nc_off != NULL );
1662 AES_VALIDATE_RET( nonce_counter != NULL );
1663 AES_VALIDATE_RET( stream_block != NULL );
1664 AES_VALIDATE_RET( input != NULL );
1665 AES_VALIDATE_RET( output != NULL );
1666
1667 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1668
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1669 if ( n > 0x0F )
1670 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1671
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1672 while( length-- )
1673 {
1674 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1675 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1676
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1677 for( i = 16; i > 0; i-- )
1678 if( ++nonce_counter[i - 1] != 0 )
1679 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1680 }
1681 c = *input++;
1682 *output++ = (unsigned char)( c ^ stream_block[n] );
1683
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1684 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1685 }
1686
1687 *nc_off = n;
1688
1689 return( 0 );
1690}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1691#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1692
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1693#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1694
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1695#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1696/*
1697 * AES test vectors from:
1698 *
1699 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1700 */
1701static const unsigned char aes_test_ecb_dec[3][16] =
1702{
1703 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1704 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1705 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1706 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1707 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1708 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1709};
1710
1711static const unsigned char aes_test_ecb_enc[3][16] =
1712{
1713 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1714 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1715 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1716 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1717 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1718 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1719};
1720
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1721#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1722static const unsigned char aes_test_cbc_dec[3][16] =
1723{
1724 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1725 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1726 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1727 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1728 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1729 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1730};
1731
1732static const unsigned char aes_test_cbc_enc[3][16] =
1733{
1734 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1735 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1736 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1737 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1738 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1739 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1740};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1741#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1742
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1743#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744/*
1745 * AES-CFB128 test vectors from:
1746 *
1747 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1748 */
1749static const unsigned char aes_test_cfb128_key[3][32] =
1750{
1751 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1752 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1753 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1754 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1755 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1756 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1757 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1758 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1759 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1760};
1761
1762static const unsigned char aes_test_cfb128_iv[16] =
1763{
1764 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1765 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1766};
1767
1768static const unsigned char aes_test_cfb128_pt[64] =
1769{
1770 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1771 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1772 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1773 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1774 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1775 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1776 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1777 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1778};
1779
1780static const unsigned char aes_test_cfb128_ct[3][64] =
1781{
1782 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1783 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1784 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1785 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1786 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1787 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1788 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1789 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1790 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1791 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1792 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1793 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1794 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1795 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1796 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1797 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1798 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1799 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1800 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1801 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1802 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1803 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1804 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1805 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1806};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1807#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1808
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1809#if defined(MBEDTLS_CIPHER_MODE_OFB)
1810/*
1811 * AES-OFB test vectors from:
1812 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1813 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1814 */
1815static const unsigned char aes_test_ofb_key[3][32] =
1816{
1817 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1818 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1819 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1820 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1821 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1822 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1823 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1824 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1825 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1826};
1827
1828static const unsigned char aes_test_ofb_iv[16] =
1829{
1830 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1831 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1832};
1833
1834static const unsigned char aes_test_ofb_pt[64] =
1835{
1836 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1837 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1838 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1839 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1840 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1841 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1842 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1843 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1844};
1845
1846static const unsigned char aes_test_ofb_ct[3][64] =
1847{
1848 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1849 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1850 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1851 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1852 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1853 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1854 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1855 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1856 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1857 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1858 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1859 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1860 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1861 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1862 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1863 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1864 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1865 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1866 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1867 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1868 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1869 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1870 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1871 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1872};
1873#endif /* MBEDTLS_CIPHER_MODE_OFB */
1874
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1875#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1876/*
1877 * AES-CTR test vectors from:
1878 *
1879 * http://www.faqs.org/rfcs/rfc3686.html
1880 */
1881
1882static const unsigned char aes_test_ctr_key[3][16] =
1883{
1884 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1885 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1886 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1887 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1888 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1889 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1890};
1891
1892static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1893{
1894 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1895 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1896 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1897 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1898 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1899 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1900};
1901
1902static const unsigned char aes_test_ctr_pt[3][48] =
1903{
1904 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1905 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1906
1907 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1908 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1909 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1910 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1911
1912 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1913 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1914 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1915 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1916 0x20, 0x21, 0x22, 0x23 }
1917};
1918
1919static const unsigned char aes_test_ctr_ct[3][48] =
1920{
1921 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1922 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1923 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1924 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1925 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1926 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1927 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1928 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1929 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1930 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1931 0x25, 0xB2, 0x07, 0x2F }
1932};
1933
1934static const int aes_test_ctr_len[3] =
1935 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1936#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1937
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1938#if defined(MBEDTLS_CIPHER_MODE_XTS)
1939/*
1940 * AES-XTS test vectors from:
1941 *
1942 * IEEE P1619/D16 Annex B
1943 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1944 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1945 */
1946static const unsigned char aes_test_xts_key[][32] =
1947{
1948 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1949 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1950 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1951 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1952 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1953 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1954 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1955 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1956 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1957 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1958 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1959 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1960};
1961
1962static const unsigned char aes_test_xts_pt32[][32] =
1963{
1964 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1965 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1966 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1967 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1968 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1969 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1970 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1971 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1972 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1973 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1974 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1975 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1976};
1977
1978static const unsigned char aes_test_xts_ct32[][32] =
1979{
1980 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1981 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1982 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1983 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1984 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1985 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1986 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1987 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1988 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1989 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1990 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1991 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1992};
1993
1994static const unsigned char aes_test_xts_data_unit[][16] =
1995{
1996 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1997 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1998 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1999 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2000 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2001 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2002};
2003
2004#endif /* MBEDTLS_CIPHER_MODE_XTS */
2005
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2006/*
2007 * Checkup routine
2008 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2009int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2011 int ret = 0, i, j, u, mode;
2012 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2013 unsigned char key[32];
2014 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2015 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2016#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2017 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2018#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2019#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]2020 unsigned char prv[16];
2021#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]2022#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
2023 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2024 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2025#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2026#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2027 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2028#endif
2029#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2030 unsigned char nonce_counter[16];
2031 unsigned char stream_block[16];
2032#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2033 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2034
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2035 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2036 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2037
2038 /*
2039 * ECB mode
2040 */
2041 for( i = 0; i < 6; i++ )
2042 {
2043 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2044 keybits = 128 + u * 64;
2045 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2046
2047 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2048 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
2049 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2050
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2051#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2052 if( keybits > 128 )
2053 {
2054 mbedtls_printf( "skipped\n" );
2055 continue;
2056 }
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2057#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
2058
2059#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2060 if( mode == MBEDTLS_AES_DECRYPT )
2061 {
2062 mbedtls_printf( "skipped\n" );
2063 continue;
2064 }
2065#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2066
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2067 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2068
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2069 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2070 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2071 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2072 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2073 }
2074 else
2075 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2076 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2077 aes_tests = aes_test_ecb_enc[u];
2078 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2079
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2080 /*
2081 * AES-192 is an optional feature that may be unavailable when
2082 * there is an alternative underlying implementation i.e. when
2083 * MBEDTLS_AES_ALT is defined.
2084 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2085 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2086 {
2087 mbedtls_printf( "skipped\n" );
2088 continue;
2089 }
2090 else if( ret != 0 )
2091 {
2092 goto exit;
2093 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2094
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2095 for( j = 0; j < 10000; j++ )
2096 {
2097 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
2098 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2099 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2100 }
2101
2102 if( memcmp( buf, aes_tests, 16 ) != 0 )
2103 {
2104 ret = 1;
2105 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2106 }
2107
2108 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2109 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2110 }
2111
2112 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2113 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2115#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2116 /*
2117 * CBC mode
2118 */
2119 for( i = 0; i < 6; i++ )
2120 {
2121 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2122 keybits = 128 + u * 64;
2123 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2124
2125 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2126 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
2127 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2128
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2129#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2130 if( keybits > 128 )
2131 {
2132 mbedtls_printf( "skipped\n" );
2133 continue;
2134 }
2135#endif
2136
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2137#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2138 if( mode == MBEDTLS_AES_DECRYPT )
2139 {
2140 mbedtls_printf( "skipped\n" );
2141 continue;
2142 }
2143#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2144
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2145 memset( iv , 0, 16 );
2146 memset( prv, 0, 16 );
2147 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2148
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2149 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2150 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2151 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2152 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2153 }
2154 else
2155 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2156 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2157 aes_tests = aes_test_cbc_enc[u];
2158 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2159
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2160 /*
2161 * AES-192 is an optional feature that may be unavailable when
2162 * there is an alternative underlying implementation i.e. when
2163 * MBEDTLS_AES_ALT is defined.
2164 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2165 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2166 {
2167 mbedtls_printf( "skipped\n" );
2168 continue;
2169 }
2170 else if( ret != 0 )
2171 {
2172 goto exit;
2173 }
2174
2175 for( j = 0; j < 10000; j++ )
2176 {
2177 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2178 {
2179 unsigned char tmp[16];
2180
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2181 memcpy( tmp, prv, 16 );
2182 memcpy( prv, buf, 16 );
2183 memcpy( buf, tmp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2184 }
2185
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2186 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
2187 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2188 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2189
2190 }
2191
2192 if( memcmp( buf, aes_tests, 16 ) != 0 )
2193 {
2194 ret = 1;
2195 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2196 }
2197
2198 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2199 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2200 }
2201
2202 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2203 mbedtls_printf( "\n" );
2204#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2206#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2207 /*
2208 * CFB128 mode
2209 */
2210 for( i = 0; i < 6; i++ )
2211 {
2212 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2213 keybits = 128 + u * 64;
2214 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2215
2216 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2217 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2218 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2219
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2220#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2221 if( keybits > 128 )
2222 {
2223 mbedtls_printf( "skipped\n" );
2224 continue;
2225 }
2226#endif
2227
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2228#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2229 if( mode == MBEDTLS_AES_DECRYPT )
2230 {
2231 mbedtls_printf( "skipped\n" );
2232 continue;
2233 }
2234#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2235
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2236 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2237 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2238
2239 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2240 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2241 /*
2242 * AES-192 is an optional feature that may be unavailable when
2243 * there is an alternative underlying implementation i.e. when
2244 * MBEDTLS_AES_ALT is defined.
2245 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2246 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2247 {
2248 mbedtls_printf( "skipped\n" );
2249 continue;
2250 }
2251 else if( ret != 0 )
2252 {
2253 goto exit;
2254 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2255
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2256 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2257 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2258 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2259 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260 }
2261 else
2262 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2263 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2264 aes_tests = aes_test_cfb128_ct[u];
2265 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2266
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2267 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2268 if( ret != 0 )
2269 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2270
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2271 if( memcmp( buf, aes_tests, 64 ) != 0 )
2272 {
2273 ret = 1;
2274 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2275 }
2276
2277 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2278 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2279 }
2280
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2281 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2282 mbedtls_printf( "\n" );
2283#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2284
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2285#if defined(MBEDTLS_CIPHER_MODE_OFB)
2286 /*
2287 * OFB mode
2288 */
2289 for( i = 0; i < 6; i++ )
2290 {
2291 u = i >> 1;
2292 keybits = 128 + u * 64;
2293 mode = i & 1;
2294
2295 if( verbose != 0 )
2296 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2297 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2298
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2299#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2300 if( keybits > 128 )
2301 {
2302 mbedtls_printf( "skipped\n" );
2303 continue;
2304 }
2305#endif
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2306
2307#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2308 if( mode == MBEDTLS_AES_DECRYPT )
2309 {
2310 mbedtls_printf( "skipped\n" );
2311 continue;
2312 }
2313#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2314
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2315 memcpy( iv, aes_test_ofb_iv, 16 );
2316 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2317
2318 offset = 0;
2319 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2320 /*
2321 * AES-192 is an optional feature that may be unavailable when
2322 * there is an alternative underlying implementation i.e. when
2323 * MBEDTLS_AES_ALT is defined.
2324 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2325 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2326 {
2327 mbedtls_printf( "skipped\n" );
2328 continue;
2329 }
2330 else if( ret != 0 )
2331 {
2332 goto exit;
2333 }
2334
2335 if( mode == MBEDTLS_AES_DECRYPT )
2336 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2337 memcpy( buf, aes_test_ofb_ct[u], 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2338 aes_tests = aes_test_ofb_pt;
2339 }
2340 else
2341 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2342 memcpy( buf, aes_test_ofb_pt, 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2343 aes_tests = aes_test_ofb_ct[u];
2344 }
2345
2346 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2347 if( ret != 0 )
2348 goto exit;
2349
2350 if( memcmp( buf, aes_tests, 64 ) != 0 )
2351 {
2352 ret = 1;
2353 goto exit;
2354 }
2355
2356 if( verbose != 0 )
2357 mbedtls_printf( "passed\n" );
2358 }
2359
2360 if( verbose != 0 )
2361 mbedtls_printf( "\n" );
2362#endif /* MBEDTLS_CIPHER_MODE_OFB */
2363
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2364#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2365 /*
2366 * CTR mode
2367 */
2368 for( i = 0; i < 6; i++ )
2369 {
2370 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2371 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2372
2373 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2374 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2375 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2376
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2377#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2378 if( keybits > 128 )
2379 {
2380 mbedtls_printf( "skipped\n" );
2381 continue;
2382 }
2383#endif
2384
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2385#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2386 if( mode == MBEDTLS_AES_DECRYPT )
2387 {
2388 mbedtls_printf( "skipped\n" );
2389 continue;
2390 }
2391#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2392
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2393 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2394 memcpy( key, aes_test_ctr_key[u], 16 );
2395
2396 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2397 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2398 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2399
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2400 len = aes_test_ctr_len[u];
2401
2402 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2403 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2404 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2405 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2406 }
2407 else
2408 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2409 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2410 aes_tests = aes_test_ctr_ct[u];
2411 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2412
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2413 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2414 stream_block, buf, buf );
2415 if( ret != 0 )
2416 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2417
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2418 if( memcmp( buf, aes_tests, len ) != 0 )
2419 {
2420 ret = 1;
2421 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2422 }
2423
2424 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2425 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2426 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2427
2428 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2429 mbedtls_printf( "\n" );
2430#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2431
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2432#if defined(MBEDTLS_CIPHER_MODE_XTS)
2433 {
2434 static const int num_tests =
2435 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2436 mbedtls_aes_xts_context ctx_xts;
2437
2438 /*
2439 * XTS mode
2440 */
2441 mbedtls_aes_xts_init( &ctx_xts );
2442
2443 for( i = 0; i < num_tests << 1; i++ )
2444 {
2445 const unsigned char *data_unit;
2446 u = i >> 1;
2447 mode = i & 1;
2448
2449 if( verbose != 0 )
2450 mbedtls_printf( " AES-XTS-128 (%s): ",
2451 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2452
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2453#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2454 if( mode == MBEDTLS_AES_DECRYPT )
2455 {
2456 mbedtls_printf( "skipped\n" );
2457 continue;
2458 }
2459#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2460
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2461 memset( key, 0, sizeof( key ) );
2462 memcpy( key, aes_test_xts_key[u], 32 );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2463 data_unit = aes_test_xts_data_unit[u];
2464
2465 len = sizeof( *aes_test_xts_ct32 );
2466
2467 if( mode == MBEDTLS_AES_DECRYPT )
2468 {
2469 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2470 if( ret != 0)
2471 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2472 memcpy( buf, aes_test_xts_ct32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2473 aes_tests = aes_test_xts_pt32[u];
2474 }
2475 else
2476 {
2477 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2478 if( ret != 0)
2479 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2480 memcpy( buf, aes_test_xts_pt32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2481 aes_tests = aes_test_xts_ct32[u];
2482 }
2483
2484
2485 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2486 buf, buf );
2487 if( ret != 0 )
2488 goto exit;
2489
2490 if( memcmp( buf, aes_tests, len ) != 0 )
2491 {
2492 ret = 1;
2493 goto exit;
2494 }
2495
2496 if( verbose != 0 )
2497 mbedtls_printf( "passed\n" );
2498 }
2499
2500 if( verbose != 0 )
2501 mbedtls_printf( "\n" );
2502
2503 mbedtls_aes_xts_free( &ctx_xts );
2504 }
2505#endif /* MBEDTLS_CIPHER_MODE_XTS */
2506
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2507 ret = 0;
2508
2509exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2510 if( ret != 0 && verbose != 0 )
2511 mbedtls_printf( "failed\n" );
2512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2513 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2514
2515 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2516}
2517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2518#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2520#endif /* MBEDTLS_AES_C */