TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / c3532c233906d956ca56affd75c19d65df7a2350 / . / library / aes.c
blob: 9c5c1697a56da3a5b8db1075eb3d712fcf94bd0d [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]88/*
89 * Data structure for AES round data
90 */
91typedef struct _aes_r_data_s {
92 uint32_t *rk_ptr; /* Round Key */
93 uint32_t xy_values[8]; /* X0, X1, X2, X3, Y0, U1, Y2, Y3 */
94} aes_r_data_t;
95
96#if defined(MBEDTLS_AES_SCA_COUNTERMEASURES)
97/* Number of additional AES calculation rounds added for SCA CM */
98#define AES_SCA_CM_ROUNDS 3
99#else /* MBEDTLS_AES_SCA_COUNTERMEASURES */
100#define AES_SCA_CM_ROUNDS 0
101#endif /* MBEDTLS_AES_SCA_COUNTERMEASURES */
102
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]103#if defined(MBEDTLS_PADLOCK_C) && \
104 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]105static int aes_padlock_ace = -1;
106#endif
107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]108#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]109/*
110 * Forward S-box
111 */
112static const unsigned char FSb[256] =
113{
114 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
115 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
116 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
117 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
118 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
119 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
120 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
121 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
122 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
123 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
124 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
125 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
126 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
127 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
128 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
129 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
130 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
131 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
132 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
133 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
134 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
135 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
136 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
137 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
138 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
139 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
140 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
141 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
142 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
143 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
144 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
145 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
146};
147
148/*
149 * Forward tables
150 */
151#define FT \
152\
153 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
154 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
155 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
156 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
157 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
158 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
159 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
160 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
161 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
162 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
163 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
164 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
165 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
166 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
167 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
168 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
169 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
170 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
171 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
172 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
173 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
174 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
175 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
176 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
177 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
178 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
179 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
180 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
181 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
182 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
183 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
184 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
185 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
186 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
187 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
188 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
189 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
190 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
191 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
192 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
193 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
194 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
195 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
196 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
197 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
198 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
199 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
200 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
201 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
202 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
203 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
204 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
205 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
206 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
207 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
208 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
209 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
210 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
211 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
212 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
213 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
214 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
215 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
216 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
217
218#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef V
221
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]222#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]225static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226#undef V
227
228#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
232#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]233static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#undef V
235
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]236#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]237
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]238#undef FT
239
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]240#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]241/*
242 * Reverse S-box
243 */
244static const unsigned char RSb[256] =
245{
246 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
247 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
248 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
249 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
250 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
251 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
252 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
253 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
254 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
255 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
256 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
257 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
258 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
259 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
260 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
261 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
262 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
263 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
264 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
265 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
266 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
267 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
268 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
269 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
270 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
271 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
272 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
273 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
274 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
275 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
276 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
277 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
278};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]279#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]280
281/*
282 * Reverse tables
283 */
284#define RT \
285\
286 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
287 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
288 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
289 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
290 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
291 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
292 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
293 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
294 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
295 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
296 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
297 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
298 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
299 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
300 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
301 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
302 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
303 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
304 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
305 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
306 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
307 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
308 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
309 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
310 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
311 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
312 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
313 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
314 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
315 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
316 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
317 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
318 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
319 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
320 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
321 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
322 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
323 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
324 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
325 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
326 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
327 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
328 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
329 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
330 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
331 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
332 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
333 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
334 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
335 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
336 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
337 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
338 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
339 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
340 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
341 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
342 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
343 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
344 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
345 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
346 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
347 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
348 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
349 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
350
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]351#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]352#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]353static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef V
355
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]356#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360#undef V
361
362#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364#undef V
365
366#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]367static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368#undef V
369
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]371#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]372
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373#undef RT
374
375/*
376 * Round constants
377 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379{
380 0x00000001, 0x00000002, 0x00000004, 0x00000008,
381 0x00000010, 0x00000020, 0x00000040, 0x00000080,
382 0x0000001B, 0x00000036
383};
384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]385#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]386
387/*
388 * Forward S-box & tables
389 */
390static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]391static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]392#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]393static uint32_t FT1[256];
394static uint32_t FT2[256];
395static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]396#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]397
398/*
399 * Reverse S-box & tables
400 */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]401#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]403static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]404#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]405static uint32_t RT1[256];
406static uint32_t RT2[256];
407static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]408#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]409#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]410
411/*
412 * Round constants
413 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]414static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415
416/*
417 * Tables generation code
418 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]419#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
420#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]421#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]422
423static int aes_init_done = 0;
424
425static void aes_gen_tables( void )
426{
427 int i, x, y, z;
428 int pow[256];
429 int log[256];
430
431 /*
432 * compute pow and log tables over GF(2^8)
433 */
434 for( i = 0, x = 1; i < 256; i++ )
435 {
436 pow[i] = x;
437 log[x] = i;
438 x = ( x ^ XTIME( x ) ) & 0xFF;
439 }
440
441 /*
442 * calculate the round constants
443 */
444 for( i = 0, x = 1; i < 10; i++ )
445 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]446 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447 x = XTIME( x ) & 0xFF;
448 }
449
450 /*
451 * generate the forward and reverse S-boxes
452 */
453 FSb[0x00] = 0x63;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]454#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455 RSb[0x63] = 0x00;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]456#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
458 for( i = 1; i < 256; i++ )
459 {
460 x = pow[255 - log[i]];
461
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]462 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
463 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
464 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]466 x ^= y ^ 0x63;
467
468 FSb[i] = (unsigned char) x;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]469#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RSb[x] = (unsigned char) i;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]471#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]494#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]495 x = RSb[i];
496
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]497 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
498 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
499 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
500 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]501
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]502#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]503 RT1[i] = ROTL8( RT0[i] );
504 RT2[i] = ROTL8( RT1[i] );
505 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]506#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]507#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]508 }
509}
510
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]511#undef ROTL8
512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]514
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]515/**
516 * Randomize positions when to use AES SCA countermeasures.
517 * Each byte indicates one AES round as follows:
518 * first ( tbl_len - 2 ) bytes are reserved for AES rounds
519 * -4 high bit = table to use 0x10 for SCA CM data, 0 otherwise
520 * -4 low bits = offset based on order, 4 for even position, 0 otherwise
521 * Last 2 bytes for first/final round calculation
522 * -4 high bit = table to use, 0x10 for SCA CM data, otherwise real data
523 * -4 low bits = not used
524 *
525 */
526static void aes_sca_cm_data_randomize( uint8_t *tbl, uint8_t tbl_len )
527{
528 int i, is_even_pos;
529#if AES_SCA_CM_ROUNDS != 0
530 int is_unique_number;
531 int num;
532#endif
533
534 memset( tbl, 0, tbl_len );
535
536#if AES_SCA_CM_ROUNDS != 0
537 // Randomize SCA CM positions to tbl
538 for ( i = 0; i < AES_SCA_CM_ROUNDS; i++ )
539 {
540 do {
541 is_unique_number = 1;
542/* TODO - Use proper random. This is now ONLY FOR TESTING as mbedtls_platform_random_in_range is alwyays returning 0 */
543 num = /* mbedtls_platform_random_in_range( tbl_len - 1 ) */rand() % (tbl_len - 2);
544
545 if ( tbl[num] == 0 )
546 {
547 is_unique_number = 0;
548 tbl[num] = 0x10;
549 }
550 } while ( is_unique_number == 1 );
551 }
552
553 // Fill start/final round control data
554 if ( AES_SCA_CM_ROUNDS != 0 )
555 {
556 num = /* mbedtls_platform_random_in_range( tbl_len - 1 ) */rand() % 0xff;
557 if ( ( num % 2 ) == 0 )
558 {
559 tbl[tbl_len - 2] = 0x10;
560 tbl[tbl_len - 1] = 0x0;
561 }
562 else
563 {
564 tbl[tbl_len - 2] = 0x00;
565 tbl[tbl_len - 1] = 0x10;
566 }
567 }
568#endif /* AES_SCA_CM_ROUNDS != 0 */
569
570 // Fill real AES round data to the remaining places
571 is_even_pos = 1;
572 for ( i = 0; i < tbl_len - 2; i++ )
573 {
574 if ( tbl[i] == 0 )
575 {
576 if ( is_even_pos == 1 )
577 {
578 tbl[i] = 0x04; // real data, offset 0
579 is_even_pos = 0;
580 }
581 else
582 {
583 tbl[i] = 0x00; // real data, offset 0
584 is_even_pos = 1;
585 }
586 }
587 }
588}
589
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]590#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]591
592#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
593#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
594#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
595
596#define AES_RT0(idx) RT0[idx]
597#define AES_RT1(idx) ROTL8( RT0[idx] )
598#define AES_RT2(idx) ROTL16( RT0[idx] )
599#define AES_RT3(idx) ROTL24( RT0[idx] )
600
601#define AES_FT0(idx) FT0[idx]
602#define AES_FT1(idx) ROTL8( FT0[idx] )
603#define AES_FT2(idx) ROTL16( FT0[idx] )
604#define AES_FT3(idx) ROTL24( FT0[idx] )
605
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]606#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]607
608#define AES_RT0(idx) RT0[idx]
609#define AES_RT1(idx) RT1[idx]
610#define AES_RT2(idx) RT2[idx]
611#define AES_RT3(idx) RT3[idx]
612
613#define AES_FT0(idx) FT0[idx]
614#define AES_FT1(idx) FT1[idx]
615#define AES_FT2(idx) FT2[idx]
616#define AES_FT3(idx) FT3[idx]
617
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]618#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]619
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]620void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]621{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]622 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]623
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]624 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]625}
626
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]627void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]628{
629 if( ctx == NULL )
630 return;
631
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]632 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]633}
634
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]635#if defined(MBEDTLS_CIPHER_MODE_XTS)
636void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
637{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]638 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]639
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]640 mbedtls_aes_init( &ctx->crypt );
641 mbedtls_aes_init( &ctx->tweak );
642}
643
644void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
645{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]646 if( ctx == NULL )
647 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]648
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]649 mbedtls_aes_free( &ctx->crypt );
650 mbedtls_aes_free( &ctx->tweak );
651}
652#endif /* MBEDTLS_CIPHER_MODE_XTS */
653
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]654/*
655 * AES key schedule (encryption)
656 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]657#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]658int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]659 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]661 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]662 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]664 AES_VALIDATE_RET( ctx != NULL );
665 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]667 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668 {
669 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]670#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671 case 192: ctx->nr = 12; break;
672 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]673#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]674 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675 }
676
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]677#if !defined(MBEDTLS_AES_ROM_TABLES)
678 if( aes_init_done == 0 )
679 {
680 aes_gen_tables();
681 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]682 }
683#endif
684
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688
689 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]691 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]693 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]695#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]696 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]697 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]698#endif
699
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]700 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]701 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]702 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]703 }
704
705 switch( ctx->nr )
706 {
707 case 10:
708
709 for( i = 0; i < 10; i++, RK += 4 )
710 {
711 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]712 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
713 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
714 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
715 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]716
717 RK[5] = RK[1] ^ RK[4];
718 RK[6] = RK[2] ^ RK[5];
719 RK[7] = RK[3] ^ RK[6];
720 }
721 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]722#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]723 case 12:
724
725 for( i = 0; i < 8; i++, RK += 6 )
726 {
727 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]728 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
729 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
730 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
731 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732
733 RK[7] = RK[1] ^ RK[6];
734 RK[8] = RK[2] ^ RK[7];
735 RK[9] = RK[3] ^ RK[8];
736 RK[10] = RK[4] ^ RK[9];
737 RK[11] = RK[5] ^ RK[10];
738 }
739 break;
740
741 case 14:
742
743 for( i = 0; i < 7; i++, RK += 8 )
744 {
745 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]746 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
747 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
748 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
749 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750
751 RK[9] = RK[1] ^ RK[8];
752 RK[10] = RK[2] ^ RK[9];
753 RK[11] = RK[3] ^ RK[10];
754
755 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]756 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
757 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
758 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
759 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760
761 RK[13] = RK[5] ^ RK[12];
762 RK[14] = RK[6] ^ RK[13];
763 RK[15] = RK[7] ^ RK[14];
764 }
765 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]766#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]767 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]768
769 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]770}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]771#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]772
773/*
774 * AES key schedule (decryption)
775 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]776#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]777int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]778 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]779{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]780#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
781 (void) ctx;
782 (void) key;
783 (void) keybits;
784
785 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
786#else /* */
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]787 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]788 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]789 uint32_t *RK;
790 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]791
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]792 AES_VALIDATE_RET( ctx != NULL );
793 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]794
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]795 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]796
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]797#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]798 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]799 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]800
801 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]802 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]803 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]804#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]805 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]807 /* Also checks keybits */
808 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]809 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]810
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]811 ctx->nr = cty.nr;
812
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]813#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]814 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]815 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]816 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]817 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]818 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]819 }
820#endif
821
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]822 SK = cty.rk + cty.nr * 4;
823
824 *RK++ = *SK++;
825 *RK++ = *SK++;
826 *RK++ = *SK++;
827 *RK++ = *SK++;
828
829 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
830 {
831 for( j = 0; j < 4; j++, SK++ )
832 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]833 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
834 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
835 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
836 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]837 }
838 }
839
840 *RK++ = *SK++;
841 *RK++ = *SK++;
842 *RK++ = *SK++;
843 *RK++ = *SK++;
844
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]845exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]846 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]847
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]848 return( ret );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]849#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]850}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]851
852#if defined(MBEDTLS_CIPHER_MODE_XTS)
853static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
854 unsigned int keybits,
855 const unsigned char **key1,
856 unsigned int *key1bits,
857 const unsigned char **key2,
858 unsigned int *key2bits )
859{
860 const unsigned int half_keybits = keybits / 2;
861 const unsigned int half_keybytes = half_keybits / 8;
862
863 switch( keybits )
864 {
865 case 256: break;
866 case 512: break;
867 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
868 }
869
870 *key1bits = half_keybits;
871 *key2bits = half_keybits;
872 *key1 = &key[0];
873 *key2 = &key[half_keybytes];
874
875 return 0;
876}
877
878int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
879 const unsigned char *key,
880 unsigned int keybits)
881{
882 int ret;
883 const unsigned char *key1, *key2;
884 unsigned int key1bits, key2bits;
885
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]886 AES_VALIDATE_RET( ctx != NULL );
887 AES_VALIDATE_RET( key != NULL );
888
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]889 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
890 &key2, &key2bits );
891 if( ret != 0 )
892 return( ret );
893
894 /* Set the tweak key. Always set tweak key for the encryption mode. */
895 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
896 if( ret != 0 )
897 return( ret );
898
899 /* Set crypt key for encryption. */
900 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
901}
902
903int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
904 const unsigned char *key,
905 unsigned int keybits)
906{
907 int ret;
908 const unsigned char *key1, *key2;
909 unsigned int key1bits, key2bits;
910
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]911 AES_VALIDATE_RET( ctx != NULL );
912 AES_VALIDATE_RET( key != NULL );
913
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]914 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
915 &key2, &key2bits );
916 if( ret != 0 )
917 return( ret );
918
919 /* Set the tweak key. Always set tweak key for encryption. */
920 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
921 if( ret != 0 )
922 return( ret );
923
924 /* Set crypt key for decryption. */
925 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
926}
927#endif /* MBEDTLS_CIPHER_MODE_XTS */
928
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]929#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]930
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]931/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]932 * AES-ECB block encryption
933 */
934#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame^]935
936static uint32_t *aes_fround( uint32_t *R,
937 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
938 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
939{
940 *X0 = *R++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^
941 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^
942 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^
943 AES_FT3( ( Y3 >> 24 ) & 0xFF );
944
945 *X1 = *R++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^
946 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^
947 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^
948 AES_FT3( ( Y0 >> 24 ) & 0xFF );
949
950 *X2 = *R++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^
951 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^
952 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^
953 AES_FT3( ( Y1 >> 24 ) & 0xFF );
954
955 *X3 = *R++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^
956 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^
957 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^
958 AES_FT3( ( Y2 >> 24 ) & 0xFF );
959
960 return R;
961}
962
963static void aes_fround_final( uint32_t *R,
964 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
965 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
966{
967 *X0 = *R++ ^ ( (uint32_t) FSb[ ( (Y0) ) & 0xFF ] ) ^
968 ( (uint32_t) FSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
969 ( (uint32_t) FSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
970 ( (uint32_t) FSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
971
972 *X1 = *R++ ^ ( (uint32_t) FSb[ ( (Y1) ) & 0xFF ] ) ^
973 ( (uint32_t) FSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
974 ( (uint32_t) FSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
975 ( (uint32_t) FSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
976
977 *X2 = *R++ ^ ( (uint32_t) FSb[ ( (Y2) ) & 0xFF ] ) ^
978 ( (uint32_t) FSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
979 ( (uint32_t) FSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
980 ( (uint32_t) FSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
981
982 *X3 = *R++ ^ ( (uint32_t) FSb[ ( (Y3) ) & 0xFF ] ) ^
983 ( (uint32_t) FSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
984 ( (uint32_t) FSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
985 ( (uint32_t) FSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
986}
987
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]988int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
989 const unsigned char input[16],
990 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]991{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]992 int i, j, offset, start_fin_loops = 1;
993 aes_r_data_t aes_data_real; // real data
994#if AES_SCA_CM_ROUNDS != 0
995 aes_r_data_t aes_data_fake; // fake data
996#endif /* AES_SCA_CM_ROUNDS != 0 */
997 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
998 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
999 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2;
1000 // control bytes for AES rounds, reserve based on max ctx->nr
1001 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 ];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1002
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1003 aes_data_real.rk_ptr = ctx->rk;
1004 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1005
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1006#if AES_SCA_CM_ROUNDS != 0
1007 aes_data_table[1] = &aes_data_fake;
1008 aes_data_fake.rk_ptr = ctx->rk;
1009 start_fin_loops = 2;
1010 for (i = 0; i < 4; i++ )
1011 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1012#endif
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1013
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1014 // Get randomized AES calculation control bytes
1015 aes_sca_cm_data_randomize( round_ctrl_table, round_ctrl_table_len );
1016
1017 for (i = 0; i < 4; i++ )
1018 {
1019 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
1020 for (j = 0; j < start_fin_loops; j++ )
1021 {
1022 aes_data_ptr = aes_data_table[round_ctrl_table[ round_ctrl_table_len - 2 + j ] >> 4];
1023 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
1024 }
1025 }
1026
1027 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
1028 {
1029 // Read AES control data
1030 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1031 offset = round_ctrl_table[i] & 0x0f;
1032
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame^]1033 aes_data_ptr->rk_ptr = aes_fround( aes_data_ptr->rk_ptr,
1034 &aes_data_ptr->xy_values[0 + offset],
1035 &aes_data_ptr->xy_values[1 + offset],
1036 &aes_data_ptr->xy_values[2 + offset],
1037 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1038 aes_data_ptr->xy_values[4 - offset],
1039 aes_data_ptr->xy_values[5 - offset],
1040 aes_data_ptr->xy_values[6 - offset],
1041 aes_data_ptr->xy_values[7 - offset] );
1042 }
1043
1044 for ( j = 0; j < start_fin_loops; j++ )
1045 {
1046 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame^]1047 aes_fround_final( aes_data_ptr->rk_ptr,
1048 &aes_data_ptr->xy_values[0],
1049 &aes_data_ptr->xy_values[1],
1050 &aes_data_ptr->xy_values[2],
1051 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1052 aes_data_ptr->xy_values[4],
1053 aes_data_ptr->xy_values[5],
1054 aes_data_ptr->xy_values[6],
1055 aes_data_ptr->xy_values[7] );
1056 }
1057
1058 for ( i = 0; i < 4; i++ )
1059 {
1060 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
1061 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1062
1063 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1064}
1065#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
1066
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1067#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1068void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
1069 const unsigned char input[16],
1070 unsigned char output[16] )
1071{
1072 mbedtls_internal_aes_encrypt( ctx, input, output );
1073}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1074#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1075
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1076/*
1077 * AES-ECB block decryption
1078 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1079
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1080#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1081#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame^]1082
1083static uint32_t *aes_rround( uint32_t *R,
1084 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1085 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1086{
1087 *X0 = *R++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^
1088 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^
1089 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^
1090 AES_RT3( ( Y1 >> 24 ) & 0xFF );
1091
1092 *X1 = *R++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^
1093 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^
1094 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^
1095 AES_RT3( ( Y2 >> 24 ) & 0xFF );
1096
1097 *X2 = *R++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^
1098 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^
1099 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^
1100 AES_RT3( ( Y3 >> 24 ) & 0xFF );
1101
1102 *X3 = *R++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^
1103 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^
1104 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^
1105 AES_RT3( ( Y0 >> 24 ) & 0xFF );
1106 return R;
1107}
1108
1109static void aes_rround_final( uint32_t *R,
1110 uint32_t *X0, uint32_t *X1, uint32_t *X2, uint32_t *X3,
1111 uint32_t Y0, uint32_t Y1, uint32_t Y2, uint32_t Y3 )
1112{
1113 *X0 = *R++ ^ ( (uint32_t) RSb[ ( (Y0) ) & 0xFF ] ) ^
1114 ( (uint32_t) RSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^
1115 ( (uint32_t) RSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^
1116 ( (uint32_t) RSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 );
1117
1118 *X1 = *R++ ^ ( (uint32_t) RSb[ ( (Y1) ) & 0xFF ] ) ^
1119 ( (uint32_t) RSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^
1120 ( (uint32_t) RSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^
1121 ( (uint32_t) RSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 );
1122
1123 *X2 = *R++ ^ ( (uint32_t) RSb[ ( (Y2) ) & 0xFF ] ) ^
1124 ( (uint32_t) RSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^
1125 ( (uint32_t) RSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^
1126 ( (uint32_t) RSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 );
1127
1128 *X3 = *R++ ^ ( (uint32_t) RSb[ ( (Y3) ) & 0xFF ] ) ^
1129 ( (uint32_t) RSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^
1130 ( (uint32_t) RSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^
1131 ( (uint32_t) RSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 );
1132}
1133
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1134int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
1135 const unsigned char input[16],
1136 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1137{
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1138 int i, j, offset, start_fin_loops = 1;
1139 aes_r_data_t aes_data_real; // real data
1140#if AES_SCA_CM_ROUNDS != 0
1141 aes_r_data_t aes_data_fake; // fake data
1142#endif /* AES_SCA_CM_ROUNDS != 0 */
1143 aes_r_data_t *aes_data_ptr; // pointer to aes_data_real or aes_data_fake
1144 aes_r_data_t *aes_data_table[2]; // pointers to real and fake data
1145 int round_ctrl_table_len = ctx->nr - 1 + AES_SCA_CM_ROUNDS + 2;
1146 // control bytes for AES rounds, reserve based on max ctx->nr
1147 uint8_t round_ctrl_table[ 14 - 1 + AES_SCA_CM_ROUNDS + 2 ];
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1148
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1149 aes_data_real.rk_ptr = ctx->rk;
1150 aes_data_table[0] = &aes_data_real;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1151
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1152#if AES_SCA_CM_ROUNDS != 0
1153 aes_data_table[1] = &aes_data_fake;
1154 aes_data_fake.rk_ptr = ctx->rk;
1155 start_fin_loops = 2;
1156 for (i = 0; i < 4; i++ )
1157 aes_data_fake.xy_values[i] = mbedtls_platform_random_in_range( 0xffffffff );
1158#endif
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1159
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1160 // Get randomized AES calculation control bytes
1161 aes_sca_cm_data_randomize( round_ctrl_table, round_ctrl_table_len );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1162
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1163 for (i = 0; i < 4; i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1164 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1165 GET_UINT32_LE( aes_data_real.xy_values[i], input, ( i * 4 ) );
1166 for (j = 0; j < start_fin_loops; j++ )
1167 {
1168 aes_data_ptr = aes_data_table[round_ctrl_table[ round_ctrl_table_len - 2 + j ] >> 4];
1169 aes_data_ptr->xy_values[i] ^= *aes_data_ptr->rk_ptr++;
1170 }
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1171 }
1172
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1173 for( i = 0; i < ( ctx->nr - 1 + AES_SCA_CM_ROUNDS ); i++ )
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame]1174 {
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1175 // Read AES control data
1176 aes_data_ptr = aes_data_table[round_ctrl_table[i] >> 4];
1177 offset = round_ctrl_table[i] & 0x0f;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1178
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame^]1179 aes_data_ptr->rk_ptr = aes_rround( aes_data_ptr->rk_ptr,
1180 &aes_data_ptr->xy_values[0 + offset],
1181 &aes_data_ptr->xy_values[1 + offset],
1182 &aes_data_ptr->xy_values[2 + offset],
1183 &aes_data_ptr->xy_values[3 + offset],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1184 aes_data_ptr->xy_values[4 - offset],
1185 aes_data_ptr->xy_values[5 - offset],
1186 aes_data_ptr->xy_values[6 - offset],
1187 aes_data_ptr->xy_values[7 - offset] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1188 }
1189
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1190 for ( j = 0; j < start_fin_loops; j++ )
1191 {
1192 aes_data_ptr = aes_data_table[round_ctrl_table[ i + j ] >> 4];
Arto Kinnunenc3532c22019-11-29 15:07:11 +0200[diff] [blame^]1193 aes_rround_final( aes_data_ptr->rk_ptr,
1194 &aes_data_ptr->xy_values[0],
1195 &aes_data_ptr->xy_values[1],
1196 &aes_data_ptr->xy_values[2],
1197 &aes_data_ptr->xy_values[3],
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1198 aes_data_ptr->xy_values[4],
1199 aes_data_ptr->xy_values[5],
1200 aes_data_ptr->xy_values[6],
1201 aes_data_ptr->xy_values[7] );
1202 }
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1203
Arto Kinnunen172836a2019-11-28 13:34:13 +0200[diff] [blame]1204 for ( i = 0; i < 4; i++ )
1205 {
1206 PUT_UINT32_LE( aes_data_real.xy_values[i], output, ( i * 4 ) );
1207 }
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1208
1209 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1210}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1211#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1212#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1213
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1214#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1215void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1216 const unsigned char input[16],
1217 unsigned char output[16] )
1218{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1219#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1220 (void) ctx;
1221 (void) input;
1222 (void) output;
1223#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1224 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1225#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1226}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1227#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1228
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1229/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1230 * AES-ECB block encryption/decryption
1231 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1232int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1233 int mode,
1234 const unsigned char input[16],
1235 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1236{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1237 AES_VALIDATE_RET( ctx != NULL );
1238 AES_VALIDATE_RET( input != NULL );
1239 AES_VALIDATE_RET( output != NULL );
1240 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1241 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1242 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1243
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1244#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1245 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1246 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1247#endif
1248
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1249#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1250 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1251 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1252 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1253 return( 0 );
1254
1255 // If padlock data misaligned, we just fall back to
1256 // unaccelerated mode
1257 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1258 }
1259#endif
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1260#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1261 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1262#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1263
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1264 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1265 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1266 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1267 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1268#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269}
1270
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1271#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1272/*
1273 * AES-CBC buffer encryption/decryption
1274 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1275int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1276 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1277 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1278 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1279 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1280 unsigned char *output )
1281{
1282 int i;
1283 unsigned char temp[16];
1284
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1285 AES_VALIDATE_RET( ctx != NULL );
1286 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1287 mode == MBEDTLS_AES_DECRYPT );
1288 AES_VALIDATE_RET( iv != NULL );
1289 AES_VALIDATE_RET( input != NULL );
1290 AES_VALIDATE_RET( output != NULL );
1291
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1292 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1293 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1294
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1295#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1296 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1297 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1298 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1299 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1300
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1301 // If padlock data misaligned, we just fall back to
1302 // unaccelerated mode
1303 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304 }
1305#endif
1306
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1307 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1308 {
1309 while( length > 0 )
1310 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1311 mbedtls_platform_memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1312 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313
1314 for( i = 0; i < 16; i++ )
1315 output[i] = (unsigned char)( output[i] ^ iv[i] );
1316
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1317 mbedtls_platform_memcpy( iv, temp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318
1319 input += 16;
1320 output += 16;
1321 length -= 16;
1322 }
1323 }
1324 else
1325 {
1326 while( length > 0 )
1327 {
1328 for( i = 0; i < 16; i++ )
1329 output[i] = (unsigned char)( input[i] ^ iv[i] );
1330
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1331 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1332 mbedtls_platform_memcpy( iv, output, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1333
1334 input += 16;
1335 output += 16;
1336 length -= 16;
1337 }
1338 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1339
1340 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1341}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1342#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1343
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1344#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1345
1346/* Endianess with 64 bits values */
1347#ifndef GET_UINT64_LE
1348#define GET_UINT64_LE(n,b,i) \
1349{ \
1350 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1351 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1352 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1353 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1354 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1355 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1356 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1357 | ( (uint64_t) (b)[(i) ] ); \
1358}
1359#endif
1360
1361#ifndef PUT_UINT64_LE
1362#define PUT_UINT64_LE(n,b,i) \
1363{ \
1364 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1365 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1366 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1367 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1368 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1369 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1370 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1371 (b)[(i) ] = (unsigned char) ( (n) ); \
1372}
1373#endif
1374
1375typedef unsigned char mbedtls_be128[16];
1376
1377/*
1378 * GF(2^128) multiplication function
1379 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1380 * This function multiplies a field element by x in the polynomial field
1381 * representation. It uses 64-bit word operations to gain speed but compensates
1382 * for machine endianess and hence works correctly on both big and little
1383 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1384 */
1385static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1386 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1387{
1388 uint64_t a, b, ra, rb;
1389
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1390 GET_UINT64_LE( a, x, 0 );
1391 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1392
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1393 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1394 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1395
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1396 PUT_UINT64_LE( ra, r, 0 );
1397 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1398}
1399
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1400/*
1401 * AES-XTS buffer encryption/decryption
1402 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1403int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1404 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1405 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1406 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1407 const unsigned char *input,
1408 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1409{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1410 int ret;
1411 size_t blocks = length / 16;
1412 size_t leftover = length % 16;
1413 unsigned char tweak[16];
1414 unsigned char prev_tweak[16];
1415 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1416
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1417 AES_VALIDATE_RET( ctx != NULL );
1418 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1419 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1420 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1421 AES_VALIDATE_RET( input != NULL );
1422 AES_VALIDATE_RET( output != NULL );
1423
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1424 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1425 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1426 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1427
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1428 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1429 if( length > ( 1 << 20 ) * 16 )
1430 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1431
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1432 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1433 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1434 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1435 if( ret != 0 )
1436 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1437
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1438 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1439 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1440 size_t i;
1441
1442 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1443 {
1444 /* We are on the last block in a decrypt operation that has
1445 * leftover bytes, so we need to use the next tweak for this block,
1446 * and this tweak for the lefover bytes. Save the current tweak for
1447 * the leftovers and then update the current tweak for use on this,
1448 * the last full block. */
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1449 mbedtls_platform_memcpy( prev_tweak, tweak, sizeof( tweak ) );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1450 mbedtls_gf128mul_x_ble( tweak, tweak );
1451 }
1452
1453 for( i = 0; i < 16; i++ )
1454 tmp[i] = input[i] ^ tweak[i];
1455
1456 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1457 if( ret != 0 )
1458 return( ret );
1459
1460 for( i = 0; i < 16; i++ )
1461 output[i] = tmp[i] ^ tweak[i];
1462
1463 /* Update the tweak for the next block. */
1464 mbedtls_gf128mul_x_ble( tweak, tweak );
1465
1466 output += 16;
1467 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1468 }
1469
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1470 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1471 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1472 /* If we are on the leftover bytes in a decrypt operation, we need to
1473 * use the previous tweak for these bytes (as saved in prev_tweak). */
1474 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1475
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1476 /* We are now on the final part of the data unit, which doesn't divide
1477 * evenly by 16. It's time for ciphertext stealing. */
1478 size_t i;
1479 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1480
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1481 /* Copy ciphertext bytes from the previous block to our output for each
1482 * byte of cyphertext we won't steal. At the same time, copy the
1483 * remainder of the input for this final round (since the loop bounds
1484 * are the same). */
1485 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1486 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1487 output[i] = prev_output[i];
1488 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1489 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1490
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1491 /* Copy ciphertext bytes from the previous block for input in this
1492 * round. */
1493 for( ; i < 16; i++ )
1494 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1495
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1496 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1497 if( ret != 0 )
1498 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1499
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1500 /* Write the result back to the previous block, overriding the previous
1501 * output we copied. */
1502 for( i = 0; i < 16; i++ )
1503 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1504 }
1505
1506 return( 0 );
1507}
1508#endif /* MBEDTLS_CIPHER_MODE_XTS */
1509
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1510#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1511/*
1512 * AES-CFB128 buffer encryption/decryption
1513 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1514int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1515 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1516 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1517 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1518 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1519 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1520 unsigned char *output )
1521{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1522 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1523 size_t n;
1524
1525 AES_VALIDATE_RET( ctx != NULL );
1526 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1527 mode == MBEDTLS_AES_DECRYPT );
1528 AES_VALIDATE_RET( iv_off != NULL );
1529 AES_VALIDATE_RET( iv != NULL );
1530 AES_VALIDATE_RET( input != NULL );
1531 AES_VALIDATE_RET( output != NULL );
1532
1533 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1534
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1535 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1536 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1537
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1538 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1539 {
1540 while( length-- )
1541 {
1542 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544
1545 c = *input++;
1546 *output++ = (unsigned char)( c ^ iv[n] );
1547 iv[n] = (unsigned char) c;
1548
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1549 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1550 }
1551 }
1552 else
1553 {
1554 while( length-- )
1555 {
1556 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1557 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1558
1559 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1560
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1561 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1562 }
1563 }
1564
1565 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1566
1567 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1568}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1569
1570/*
1571 * AES-CFB8 buffer encryption/decryption
1572 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1573int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1574 int mode,
1575 size_t length,
1576 unsigned char iv[16],
1577 const unsigned char *input,
1578 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1579{
1580 unsigned char c;
1581 unsigned char ov[17];
1582
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1583 AES_VALIDATE_RET( ctx != NULL );
1584 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1585 mode == MBEDTLS_AES_DECRYPT );
1586 AES_VALIDATE_RET( iv != NULL );
1587 AES_VALIDATE_RET( input != NULL );
1588 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1589 while( length-- )
1590 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1591 mbedtls_platform_memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1592 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1593
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1594 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1595 ov[16] = *input;
1596
1597 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1598
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1599 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1600 ov[16] = c;
1601
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1602 mbedtls_platform_memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1603 }
1604
1605 return( 0 );
1606}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1607#endif /* MBEDTLS_CIPHER_MODE_CFB */
1608
1609#if defined(MBEDTLS_CIPHER_MODE_OFB)
1610/*
1611 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1612 */
1613int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1614 size_t length,
1615 size_t *iv_off,
1616 unsigned char iv[16],
1617 const unsigned char *input,
1618 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1619{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1620 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1621 size_t n;
1622
1623 AES_VALIDATE_RET( ctx != NULL );
1624 AES_VALIDATE_RET( iv_off != NULL );
1625 AES_VALIDATE_RET( iv != NULL );
1626 AES_VALIDATE_RET( input != NULL );
1627 AES_VALIDATE_RET( output != NULL );
1628
1629 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1630
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1631 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1632 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1633
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1634 while( length-- )
1635 {
1636 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1637 {
1638 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1639 if( ret != 0 )
1640 goto exit;
1641 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1642 *output++ = *input++ ^ iv[n];
1643
1644 n = ( n + 1 ) & 0x0F;
1645 }
1646
1647 *iv_off = n;
1648
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1649exit:
1650 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1651}
1652#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1653
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1654#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1655/*
1656 * AES-CTR buffer encryption/decryption
1657 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1658int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1659 size_t length,
1660 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1661 unsigned char nonce_counter[16],
1662 unsigned char stream_block[16],
1663 const unsigned char *input,
1664 unsigned char *output )
1665{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1666 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1667 size_t n;
1668
1669 AES_VALIDATE_RET( ctx != NULL );
1670 AES_VALIDATE_RET( nc_off != NULL );
1671 AES_VALIDATE_RET( nonce_counter != NULL );
1672 AES_VALIDATE_RET( stream_block != NULL );
1673 AES_VALIDATE_RET( input != NULL );
1674 AES_VALIDATE_RET( output != NULL );
1675
1676 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1677
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1678 if ( n > 0x0F )
1679 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1680
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1681 while( length-- )
1682 {
1683 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1684 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1685
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1686 for( i = 16; i > 0; i-- )
1687 if( ++nonce_counter[i - 1] != 0 )
1688 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1689 }
1690 c = *input++;
1691 *output++ = (unsigned char)( c ^ stream_block[n] );
1692
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1693 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1694 }
1695
1696 *nc_off = n;
1697
1698 return( 0 );
1699}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1700#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1702#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1703
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1704#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1705/*
1706 * AES test vectors from:
1707 *
1708 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1709 */
1710static const unsigned char aes_test_ecb_dec[3][16] =
1711{
1712 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1713 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1714 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1715 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1716 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1717 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1718};
1719
1720static const unsigned char aes_test_ecb_enc[3][16] =
1721{
1722 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1723 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1724 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1725 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1726 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1727 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1728};
1729
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1730#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1731static const unsigned char aes_test_cbc_dec[3][16] =
1732{
1733 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1734 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1735 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1736 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1737 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1738 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1739};
1740
1741static const unsigned char aes_test_cbc_enc[3][16] =
1742{
1743 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1744 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1745 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1746 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1747 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1748 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1749};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1750#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1751
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1752#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1753/*
1754 * AES-CFB128 test vectors from:
1755 *
1756 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1757 */
1758static const unsigned char aes_test_cfb128_key[3][32] =
1759{
1760 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1761 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1762 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1763 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1764 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1765 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1766 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1767 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1768 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1769};
1770
1771static const unsigned char aes_test_cfb128_iv[16] =
1772{
1773 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1774 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1775};
1776
1777static const unsigned char aes_test_cfb128_pt[64] =
1778{
1779 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1780 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1781 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1782 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1783 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1784 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1785 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1786 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1787};
1788
1789static const unsigned char aes_test_cfb128_ct[3][64] =
1790{
1791 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1792 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1793 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1794 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1795 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1796 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1797 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1798 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1799 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1800 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1801 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1802 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1803 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1804 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1805 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1806 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1807 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1808 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1809 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1810 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1811 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1812 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1813 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1814 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1815};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1816#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1817
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1818#if defined(MBEDTLS_CIPHER_MODE_OFB)
1819/*
1820 * AES-OFB test vectors from:
1821 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1822 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1823 */
1824static const unsigned char aes_test_ofb_key[3][32] =
1825{
1826 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1827 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1828 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1829 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1830 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1831 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1832 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1833 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1834 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1835};
1836
1837static const unsigned char aes_test_ofb_iv[16] =
1838{
1839 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1840 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1841};
1842
1843static const unsigned char aes_test_ofb_pt[64] =
1844{
1845 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1846 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1847 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1848 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1849 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1850 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1851 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1852 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1853};
1854
1855static const unsigned char aes_test_ofb_ct[3][64] =
1856{
1857 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1858 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1859 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1860 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1861 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1862 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1863 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1864 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1865 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1866 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1867 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1868 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1869 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1870 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1871 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1872 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1873 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1874 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1875 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1876 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1877 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1878 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1879 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1880 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1881};
1882#endif /* MBEDTLS_CIPHER_MODE_OFB */
1883
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1884#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1885/*
1886 * AES-CTR test vectors from:
1887 *
1888 * http://www.faqs.org/rfcs/rfc3686.html
1889 */
1890
1891static const unsigned char aes_test_ctr_key[3][16] =
1892{
1893 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1894 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1895 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1896 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1897 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1898 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1899};
1900
1901static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1902{
1903 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1904 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1905 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1906 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1907 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1908 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1909};
1910
1911static const unsigned char aes_test_ctr_pt[3][48] =
1912{
1913 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1914 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1915
1916 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1917 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1918 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1919 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1920
1921 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1922 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1923 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1924 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1925 0x20, 0x21, 0x22, 0x23 }
1926};
1927
1928static const unsigned char aes_test_ctr_ct[3][48] =
1929{
1930 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1931 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1932 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1933 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1934 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1935 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1936 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1937 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1938 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1939 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1940 0x25, 0xB2, 0x07, 0x2F }
1941};
1942
1943static const int aes_test_ctr_len[3] =
1944 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1945#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1946
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1947#if defined(MBEDTLS_CIPHER_MODE_XTS)
1948/*
1949 * AES-XTS test vectors from:
1950 *
1951 * IEEE P1619/D16 Annex B
1952 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1953 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1954 */
1955static const unsigned char aes_test_xts_key[][32] =
1956{
1957 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1958 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1959 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1960 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1961 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1962 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1963 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1964 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1965 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1966 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1967 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1968 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1969};
1970
1971static const unsigned char aes_test_xts_pt32[][32] =
1972{
1973 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1974 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1975 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1976 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1977 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1978 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1979 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1980 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1981 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1982 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1983 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1984 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1985};
1986
1987static const unsigned char aes_test_xts_ct32[][32] =
1988{
1989 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1990 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1991 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1992 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1993 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1994 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1995 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1996 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1997 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1998 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1999 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
2000 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
2001};
2002
2003static const unsigned char aes_test_xts_data_unit[][16] =
2004{
2005 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2006 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2007 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2008 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2009 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
2010 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
2011};
2012
2013#endif /* MBEDTLS_CIPHER_MODE_XTS */
2014
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2015/*
2016 * Checkup routine
2017 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2018int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2020 int ret = 0, i, j, u, mode;
2021 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2022 unsigned char key[32];
2023 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2024 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2025#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2026 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2027#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2028#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]2029 unsigned char prv[16];
2030#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]2031#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
2032 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2033 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2034#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2035#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2036 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2037#endif
2038#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2039 unsigned char nonce_counter[16];
2040 unsigned char stream_block[16];
2041#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2042 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2043
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2044 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2045 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2046
2047 /*
2048 * ECB mode
2049 */
2050 for( i = 0; i < 6; i++ )
2051 {
2052 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2053 keybits = 128 + u * 64;
2054 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2055
2056 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2057 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
2058 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2059
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2060#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2061 if( keybits > 128 )
2062 {
2063 mbedtls_printf( "skipped\n" );
2064 continue;
2065 }
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2066#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
2067
2068#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2069 if( mode == MBEDTLS_AES_DECRYPT )
2070 {
2071 mbedtls_printf( "skipped\n" );
2072 continue;
2073 }
2074#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2075
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2076 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2077
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2078 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2079 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2080 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2081 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2082 }
2083 else
2084 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2085 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2086 aes_tests = aes_test_ecb_enc[u];
2087 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2088
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2089 /*
2090 * AES-192 is an optional feature that may be unavailable when
2091 * there is an alternative underlying implementation i.e. when
2092 * MBEDTLS_AES_ALT is defined.
2093 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2094 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2095 {
2096 mbedtls_printf( "skipped\n" );
2097 continue;
2098 }
2099 else if( ret != 0 )
2100 {
2101 goto exit;
2102 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2103
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2104 for( j = 0; j < 10000; j++ )
2105 {
2106 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
2107 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2108 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2109 }
2110
2111 if( memcmp( buf, aes_tests, 16 ) != 0 )
2112 {
2113 ret = 1;
2114 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2115 }
2116
2117 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2118 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2119 }
2120
2121 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2122 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2124#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2125 /*
2126 * CBC mode
2127 */
2128 for( i = 0; i < 6; i++ )
2129 {
2130 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2131 keybits = 128 + u * 64;
2132 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2133
2134 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2135 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
2136 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2137
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2138#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2139 if( keybits > 128 )
2140 {
2141 mbedtls_printf( "skipped\n" );
2142 continue;
2143 }
2144#endif
2145
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2146#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2147 if( mode == MBEDTLS_AES_DECRYPT )
2148 {
2149 mbedtls_printf( "skipped\n" );
2150 continue;
2151 }
2152#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2153
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2154 memset( iv , 0, 16 );
2155 memset( prv, 0, 16 );
2156 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2157
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2158 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2159 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2160 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2161 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2162 }
2163 else
2164 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2165 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2166 aes_tests = aes_test_cbc_enc[u];
2167 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2168
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2169 /*
2170 * AES-192 is an optional feature that may be unavailable when
2171 * there is an alternative underlying implementation i.e. when
2172 * MBEDTLS_AES_ALT is defined.
2173 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2174 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2175 {
2176 mbedtls_printf( "skipped\n" );
2177 continue;
2178 }
2179 else if( ret != 0 )
2180 {
2181 goto exit;
2182 }
2183
2184 for( j = 0; j < 10000; j++ )
2185 {
2186 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2187 {
2188 unsigned char tmp[16];
2189
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2190 memcpy( tmp, prv, 16 );
2191 memcpy( prv, buf, 16 );
2192 memcpy( buf, tmp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2193 }
2194
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2195 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
2196 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2197 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2198
2199 }
2200
2201 if( memcmp( buf, aes_tests, 16 ) != 0 )
2202 {
2203 ret = 1;
2204 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2205 }
2206
2207 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2208 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2209 }
2210
2211 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2212 mbedtls_printf( "\n" );
2213#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2214
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2215#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2216 /*
2217 * CFB128 mode
2218 */
2219 for( i = 0; i < 6; i++ )
2220 {
2221 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2222 keybits = 128 + u * 64;
2223 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2224
2225 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2226 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2227 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2228
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2229#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2230 if( keybits > 128 )
2231 {
2232 mbedtls_printf( "skipped\n" );
2233 continue;
2234 }
2235#endif
2236
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2237#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2238 if( mode == MBEDTLS_AES_DECRYPT )
2239 {
2240 mbedtls_printf( "skipped\n" );
2241 continue;
2242 }
2243#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2244
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2245 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2246 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2247
2248 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2249 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2250 /*
2251 * AES-192 is an optional feature that may be unavailable when
2252 * there is an alternative underlying implementation i.e. when
2253 * MBEDTLS_AES_ALT is defined.
2254 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2255 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2256 {
2257 mbedtls_printf( "skipped\n" );
2258 continue;
2259 }
2260 else if( ret != 0 )
2261 {
2262 goto exit;
2263 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2264
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2265 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2266 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2267 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2268 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2269 }
2270 else
2271 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2272 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2273 aes_tests = aes_test_cfb128_ct[u];
2274 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2275
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2276 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2277 if( ret != 0 )
2278 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2279
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2280 if( memcmp( buf, aes_tests, 64 ) != 0 )
2281 {
2282 ret = 1;
2283 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2284 }
2285
2286 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2287 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2288 }
2289
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2290 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2291 mbedtls_printf( "\n" );
2292#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2293
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2294#if defined(MBEDTLS_CIPHER_MODE_OFB)
2295 /*
2296 * OFB mode
2297 */
2298 for( i = 0; i < 6; i++ )
2299 {
2300 u = i >> 1;
2301 keybits = 128 + u * 64;
2302 mode = i & 1;
2303
2304 if( verbose != 0 )
2305 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2306 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2307
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2308#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2309 if( keybits > 128 )
2310 {
2311 mbedtls_printf( "skipped\n" );
2312 continue;
2313 }
2314#endif
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2315
2316#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2317 if( mode == MBEDTLS_AES_DECRYPT )
2318 {
2319 mbedtls_printf( "skipped\n" );
2320 continue;
2321 }
2322#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2323
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2324 memcpy( iv, aes_test_ofb_iv, 16 );
2325 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2326
2327 offset = 0;
2328 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2329 /*
2330 * AES-192 is an optional feature that may be unavailable when
2331 * there is an alternative underlying implementation i.e. when
2332 * MBEDTLS_AES_ALT is defined.
2333 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2334 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2335 {
2336 mbedtls_printf( "skipped\n" );
2337 continue;
2338 }
2339 else if( ret != 0 )
2340 {
2341 goto exit;
2342 }
2343
2344 if( mode == MBEDTLS_AES_DECRYPT )
2345 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2346 memcpy( buf, aes_test_ofb_ct[u], 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2347 aes_tests = aes_test_ofb_pt;
2348 }
2349 else
2350 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2351 memcpy( buf, aes_test_ofb_pt, 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2352 aes_tests = aes_test_ofb_ct[u];
2353 }
2354
2355 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2356 if( ret != 0 )
2357 goto exit;
2358
2359 if( memcmp( buf, aes_tests, 64 ) != 0 )
2360 {
2361 ret = 1;
2362 goto exit;
2363 }
2364
2365 if( verbose != 0 )
2366 mbedtls_printf( "passed\n" );
2367 }
2368
2369 if( verbose != 0 )
2370 mbedtls_printf( "\n" );
2371#endif /* MBEDTLS_CIPHER_MODE_OFB */
2372
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2373#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2374 /*
2375 * CTR mode
2376 */
2377 for( i = 0; i < 6; i++ )
2378 {
2379 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2380 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2381
2382 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2383 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2384 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2385
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2386#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2387 if( keybits > 128 )
2388 {
2389 mbedtls_printf( "skipped\n" );
2390 continue;
2391 }
2392#endif
2393
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2394#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2395 if( mode == MBEDTLS_AES_DECRYPT )
2396 {
2397 mbedtls_printf( "skipped\n" );
2398 continue;
2399 }
2400#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2401
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2402 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2403 memcpy( key, aes_test_ctr_key[u], 16 );
2404
2405 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2406 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2407 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2408
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2409 len = aes_test_ctr_len[u];
2410
2411 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2412 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2413 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2414 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2415 }
2416 else
2417 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2418 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2419 aes_tests = aes_test_ctr_ct[u];
2420 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2421
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2422 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2423 stream_block, buf, buf );
2424 if( ret != 0 )
2425 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2426
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2427 if( memcmp( buf, aes_tests, len ) != 0 )
2428 {
2429 ret = 1;
2430 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2431 }
2432
2433 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2434 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2435 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2436
2437 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2438 mbedtls_printf( "\n" );
2439#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2440
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2441#if defined(MBEDTLS_CIPHER_MODE_XTS)
2442 {
2443 static const int num_tests =
2444 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2445 mbedtls_aes_xts_context ctx_xts;
2446
2447 /*
2448 * XTS mode
2449 */
2450 mbedtls_aes_xts_init( &ctx_xts );
2451
2452 for( i = 0; i < num_tests << 1; i++ )
2453 {
2454 const unsigned char *data_unit;
2455 u = i >> 1;
2456 mode = i & 1;
2457
2458 if( verbose != 0 )
2459 mbedtls_printf( " AES-XTS-128 (%s): ",
2460 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2461
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2462#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2463 if( mode == MBEDTLS_AES_DECRYPT )
2464 {
2465 mbedtls_printf( "skipped\n" );
2466 continue;
2467 }
2468#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2469
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2470 memset( key, 0, sizeof( key ) );
2471 memcpy( key, aes_test_xts_key[u], 32 );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2472 data_unit = aes_test_xts_data_unit[u];
2473
2474 len = sizeof( *aes_test_xts_ct32 );
2475
2476 if( mode == MBEDTLS_AES_DECRYPT )
2477 {
2478 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2479 if( ret != 0)
2480 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2481 memcpy( buf, aes_test_xts_ct32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2482 aes_tests = aes_test_xts_pt32[u];
2483 }
2484 else
2485 {
2486 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2487 if( ret != 0)
2488 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2489 memcpy( buf, aes_test_xts_pt32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2490 aes_tests = aes_test_xts_ct32[u];
2491 }
2492
2493
2494 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2495 buf, buf );
2496 if( ret != 0 )
2497 goto exit;
2498
2499 if( memcmp( buf, aes_tests, len ) != 0 )
2500 {
2501 ret = 1;
2502 goto exit;
2503 }
2504
2505 if( verbose != 0 )
2506 mbedtls_printf( "passed\n" );
2507 }
2508
2509 if( verbose != 0 )
2510 mbedtls_printf( "\n" );
2511
2512 mbedtls_aes_xts_free( &ctx_xts );
2513 }
2514#endif /* MBEDTLS_CIPHER_MODE_XTS */
2515
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2516 ret = 0;
2517
2518exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2519 if( ret != 0 && verbose != 0 )
2520 mbedtls_printf( "failed\n" );
2521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2522 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2523
2524 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2525}
2526
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2527#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2528
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2529#endif /* MBEDTLS_AES_C */