TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / cac11d7797295ac9cab7085e5fd9a19af393c5ec / . / library / aes.c
blob: 9ad12a61510002e9affd3f8b302fe7a8a0551e97 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Chris Jones16dbaeb2021-03-09 17:47:55 +0000[diff] [blame]37#include "padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Chris Jones187782f2021-03-09 17:28:35 +0000[diff] [blame]40#include "aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
55#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]57#define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]60#if defined(MBEDTLS_PADLOCK_C) && \
61 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]62static int aes_padlock_ace = -1;
63#endif
64
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]65#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66/*
67 * Forward S-box
68 */
69static const unsigned char FSb[256] =
70{
71 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
72 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
73 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
74 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
75 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
76 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
77 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
78 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
79 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
80 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
81 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
82 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
83 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
84 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
85 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
86 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
87 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
88 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
89 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
90 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
91 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
92 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
93 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
94 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
95 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
96 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
97 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
98 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
99 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
100 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
101 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
102 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
103};
104
105/*
106 * Forward tables
107 */
108#define FT \
109\
110 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
111 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
112 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
113 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
114 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
115 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
116 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
117 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
118 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
119 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
120 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
121 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
122 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
123 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
124 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
125 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
126 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
127 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
128 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
129 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
130 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
131 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
132 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
133 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
134 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
135 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
136 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
137 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
138 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
139 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
140 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
141 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
142 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
143 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
144 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
145 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
146 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
147 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
148 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
149 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
150 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
151 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
152 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
153 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
154 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
155 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
156 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
157 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
158 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
159 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
160 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
161 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
162 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
163 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
164 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
165 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
166 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
167 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
168 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
169 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
170 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
171 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
172 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
173 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
174
175#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]176static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]177#undef V
178
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]179#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]180
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]181#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]182static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]183#undef V
184
185#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]186static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]187#undef V
188
189#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]190static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]191#undef V
192
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]193#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]194
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]195#undef FT
196
197/*
198 * Reverse S-box
199 */
200static const unsigned char RSb[256] =
201{
202 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
203 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
204 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
205 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
206 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
207 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
208 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
209 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
210 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
211 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
212 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
213 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
214 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
215 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
216 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
217 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
218 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
219 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
220 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
221 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
222 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
223 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
224 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
225 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
226 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
227 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
228 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
229 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
230 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
231 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
232 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
233 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
234};
235
236/*
237 * Reverse tables
238 */
239#define RT \
240\
241 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
242 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
243 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
244 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
245 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
246 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
247 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
248 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
249 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
250 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
251 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
252 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
253 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
254 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
255 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
256 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
257 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
258 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
259 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
260 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
261 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
262 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
263 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
264 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
265 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
266 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
267 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
268 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
269 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
270 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
271 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
272 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
273 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
274 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
275 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
276 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
277 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
278 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
279 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
280 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
281 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
282 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
283 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
284 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
285 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
286 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
287 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
288 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
289 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
290 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
291 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
292 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
293 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
294 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
295 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
296 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
297 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
298 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
299 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
300 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
301 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
302 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
303 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
304 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
305
306#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]307static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]308#undef V
309
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]310#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]311
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]312#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]313static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]314#undef V
315
316#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]317static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]318#undef V
319
320#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]321static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]322#undef V
323
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]324#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]325
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326#undef RT
327
328/*
329 * Round constants
330 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]331static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]332{
333 0x00000001, 0x00000002, 0x00000004, 0x00000008,
334 0x00000010, 0x00000020, 0x00000040, 0x00000080,
335 0x0000001B, 0x00000036
336};
337
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]338#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339
340/*
341 * Forward S-box & tables
342 */
343static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]344static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]345#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]346static uint32_t FT1[256];
347static uint32_t FT2[256];
348static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]349#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350
351/*
352 * Reverse S-box & tables
353 */
354static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]355static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]356#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]357static uint32_t RT1[256];
358static uint32_t RT2[256];
359static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]360#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361
362/*
363 * Round constants
364 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]365static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366
367/*
368 * Tables generation code
369 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]370#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
371#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]372#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374static int aes_init_done = 0;
375
376static void aes_gen_tables( void )
377{
378 int i, x, y, z;
379 int pow[256];
380 int log[256];
381
382 /*
383 * compute pow and log tables over GF(2^8)
384 */
385 for( i = 0, x = 1; i < 256; i++ )
386 {
387 pow[i] = x;
388 log[x] = i;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]389 x = MBEDTLS_BYTE_0( x ^ XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390 }
391
392 /*
393 * calculate the round constants
394 */
395 for( i = 0, x = 1; i < 10; i++ )
396 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]397 RCON[i] = (uint32_t) x;
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]398 x = MBEDTLS_BYTE_0( XTIME( x ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]399 }
400
401 /*
402 * generate the forward and reverse S-boxes
403 */
404 FSb[0x00] = 0x63;
405 RSb[0x63] = 0x00;
406
407 for( i = 1; i < 256; i++ )
408 {
409 x = pow[255 - log[i]];
410
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]411 y = x; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
412 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
413 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
414 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415 x ^= y ^ 0x63;
416
417 FSb[i] = (unsigned char) x;
418 RSb[x] = (unsigned char) i;
419 }
420
421 /*
422 * generate the forward and reverse tables
423 */
424 for( i = 0; i < 256; i++ )
425 {
426 x = FSb[i];
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]427 y = MBEDTLS_BYTE_0( XTIME( x ) );
428 z = MBEDTLS_BYTE_0( y ^ x );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]429
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]430 FT0[i] = ( (uint32_t) y ) ^
431 ( (uint32_t) x << 8 ) ^
432 ( (uint32_t) x << 16 ) ^
433 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]434
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]435#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 FT1[i] = ROTL8( FT0[i] );
437 FT2[i] = ROTL8( FT1[i] );
438 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]439#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]440
441 x = RSb[i];
442
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]443 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
444 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
445 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
446 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]447
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]448#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]449 RT1[i] = ROTL8( RT0[i] );
450 RT2[i] = ROTL8( RT1[i] );
451 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]452#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]453 }
454}
455
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]456#undef ROTL8
457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]458#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]460#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]461
462#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
463#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
464#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
465
466#define AES_RT0(idx) RT0[idx]
467#define AES_RT1(idx) ROTL8( RT0[idx] )
468#define AES_RT2(idx) ROTL16( RT0[idx] )
469#define AES_RT3(idx) ROTL24( RT0[idx] )
470
471#define AES_FT0(idx) FT0[idx]
472#define AES_FT1(idx) ROTL8( FT0[idx] )
473#define AES_FT2(idx) ROTL16( FT0[idx] )
474#define AES_FT3(idx) ROTL24( FT0[idx] )
475
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]476#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]477
478#define AES_RT0(idx) RT0[idx]
479#define AES_RT1(idx) RT1[idx]
480#define AES_RT2(idx) RT2[idx]
481#define AES_RT3(idx) RT3[idx]
482
483#define AES_FT0(idx) FT0[idx]
484#define AES_FT1(idx) FT1[idx]
485#define AES_FT2(idx) FT2[idx]
486#define AES_FT3(idx) FT3[idx]
487
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]488#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]490void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]491{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]492 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]493}
494
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]495void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]496{
497 if( ctx == NULL )
498 return;
499
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]500 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]501}
502
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]503#if defined(MBEDTLS_CIPHER_MODE_XTS)
504void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
505{
506 mbedtls_aes_init( &ctx->crypt );
507 mbedtls_aes_init( &ctx->tweak );
508}
509
510void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
511{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]512 if( ctx == NULL )
513 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]514
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]515 mbedtls_aes_free( &ctx->crypt );
516 mbedtls_aes_free( &ctx->tweak );
517}
518#endif /* MBEDTLS_CIPHER_MODE_XTS */
519
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]520/*
521 * AES key schedule (encryption)
522 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]523#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]524int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]525 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]526{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]527 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]528 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]529
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]530 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]531 {
532 case 128: ctx->nr = 10; break;
533 case 192: ctx->nr = 12; break;
534 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]535 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]536 }
537
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]538#if !defined(MBEDTLS_AES_ROM_TABLES)
539 if( aes_init_done == 0 )
540 {
541 aes_gen_tables();
542 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]543 }
544#endif
545
Werner Lewis7656a372022-06-13 12:28:20 +0100[diff] [blame]546 ctx->rk_offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]547#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]548 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]549 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]550
551 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]552 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]554 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]555
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]557 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]558 return( mbedtls_aesni_setkey_enc( (unsigned char *) RK, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]559#endif
560
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]561 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562 {
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]563 RK[i] = MBEDTLS_GET_UINT32_LE( key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564 }
565
566 switch( ctx->nr )
567 {
568 case 10:
569
570 for( i = 0; i < 10; i++, RK += 4 )
571 {
572 RK[4] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]573 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[3] ) ] ) ^
574 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[3] ) ] << 8 ) ^
575 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[3] ) ] << 16 ) ^
576 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[3] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577
578 RK[5] = RK[1] ^ RK[4];
579 RK[6] = RK[2] ^ RK[5];
580 RK[7] = RK[3] ^ RK[6];
581 }
582 break;
583
584 case 12:
585
586 for( i = 0; i < 8; i++, RK += 6 )
587 {
588 RK[6] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]589 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[5] ) ] ) ^
590 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[5] ) ] << 8 ) ^
591 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[5] ) ] << 16 ) ^
592 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[5] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]593
594 RK[7] = RK[1] ^ RK[6];
595 RK[8] = RK[2] ^ RK[7];
596 RK[9] = RK[3] ^ RK[8];
597 RK[10] = RK[4] ^ RK[9];
598 RK[11] = RK[5] ^ RK[10];
599 }
600 break;
601
602 case 14:
603
604 for( i = 0; i < 7; i++, RK += 8 )
605 {
606 RK[8] = RK[0] ^ RCON[i] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]607 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[7] ) ] ) ^
608 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[7] ) ] << 8 ) ^
609 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[7] ) ] << 16 ) ^
610 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[7] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]611
612 RK[9] = RK[1] ^ RK[8];
613 RK[10] = RK[2] ^ RK[9];
614 RK[11] = RK[3] ^ RK[10];
615
616 RK[12] = RK[4] ^
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]617 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[11] ) ] ) ^
618 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[11] ) ] << 8 ) ^
619 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[11] ) ] << 16 ) ^
620 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[11] ) ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]621
622 RK[13] = RK[5] ^ RK[12];
623 RK[14] = RK[6] ^ RK[13];
624 RK[15] = RK[7] ^ RK[14];
625 }
626 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]628
629 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]630}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]631#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632
633/*
634 * AES key schedule (decryption)
635 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]636#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]637int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]638 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]639{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]640 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]641 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]642 uint32_t *RK;
643 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]644
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]645 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646
Werner Lewis7656a372022-06-13 12:28:20 +0100[diff] [blame]647 ctx->rk_offset = 0;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]648#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]649 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]650 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]651
652 if( aes_padlock_ace )
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]653 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]654#endif
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]655 RK = ctx->buf + ctx->rk_offset;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]656
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]657 /* Also checks keybits */
658 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]659 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]660
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]661 ctx->nr = cty.nr;
662
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]663#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]664 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]665 {
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]666 mbedtls_aesni_inverse_key( (unsigned char *) RK,
667 (const unsigned char *) ( cty.buf + cty.rk_offset ), ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]668 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]669 }
670#endif
671
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]672 SK = cty.buf + cty.rk_offset + cty.nr * 4;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]673
674 *RK++ = *SK++;
675 *RK++ = *SK++;
676 *RK++ = *SK++;
677 *RK++ = *SK++;
678
679 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
680 {
681 for( j = 0; j < 4; j++, SK++ )
682 {
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]683 *RK++ = AES_RT0( FSb[ MBEDTLS_BYTE_0( *SK ) ] ) ^
684 AES_RT1( FSb[ MBEDTLS_BYTE_1( *SK ) ] ) ^
685 AES_RT2( FSb[ MBEDTLS_BYTE_2( *SK ) ] ) ^
686 AES_RT3( FSb[ MBEDTLS_BYTE_3( *SK ) ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 }
688 }
689
690 *RK++ = *SK++;
691 *RK++ = *SK++;
692 *RK++ = *SK++;
693 *RK++ = *SK++;
694
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]695exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]696 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]697
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]698 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]700#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]701
702#if defined(MBEDTLS_CIPHER_MODE_XTS)
703static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
704 unsigned int keybits,
705 const unsigned char **key1,
706 unsigned int *key1bits,
707 const unsigned char **key2,
708 unsigned int *key2bits )
709{
710 const unsigned int half_keybits = keybits / 2;
711 const unsigned int half_keybytes = half_keybits / 8;
712
713 switch( keybits )
714 {
715 case 256: break;
716 case 512: break;
717 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
718 }
719
720 *key1bits = half_keybits;
721 *key2bits = half_keybits;
722 *key1 = &key[0];
723 *key2 = &key[half_keybytes];
724
725 return 0;
726}
727
728int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
729 const unsigned char *key,
730 unsigned int keybits)
731{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]732 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]733 const unsigned char *key1, *key2;
734 unsigned int key1bits, key2bits;
735
736 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
737 &key2, &key2bits );
738 if( ret != 0 )
739 return( ret );
740
741 /* Set the tweak key. Always set tweak key for the encryption mode. */
742 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
743 if( ret != 0 )
744 return( ret );
745
746 /* Set crypt key for encryption. */
747 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
748}
749
750int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
751 const unsigned char *key,
752 unsigned int keybits)
753{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]754 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]755 const unsigned char *key1, *key2;
756 unsigned int key1bits, key2bits;
757
758 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
759 &key2, &key2bits );
760 if( ret != 0 )
761 return( ret );
762
763 /* Set the tweak key. Always set tweak key for encryption. */
764 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
765 if( ret != 0 )
766 return( ret );
767
768 /* Set crypt key for decryption. */
769 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
770}
771#endif /* MBEDTLS_CIPHER_MODE_XTS */
772
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]773#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
774 do \
775 { \
776 (X0) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
777 AES_FT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
778 AES_FT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
779 AES_FT3( MBEDTLS_BYTE_3( Y3 ) ); \
780 \
781 (X1) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
782 AES_FT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
783 AES_FT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
784 AES_FT3( MBEDTLS_BYTE_3( Y0 ) ); \
785 \
786 (X2) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
787 AES_FT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
788 AES_FT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
789 AES_FT3( MBEDTLS_BYTE_3( Y1 ) ); \
790 \
791 (X3) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
792 AES_FT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
793 AES_FT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
794 AES_FT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]795 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]796
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]797#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
798 do \
799 { \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]800 (X0) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
801 AES_RT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
802 AES_RT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
803 AES_RT3( MBEDTLS_BYTE_3( Y1 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]804 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]805 (X1) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
806 AES_RT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
807 AES_RT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
808 AES_RT3( MBEDTLS_BYTE_3( Y2 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]809 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]810 (X2) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
811 AES_RT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
812 AES_RT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
813 AES_RT3( MBEDTLS_BYTE_3( Y3 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]814 \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]815 (X3) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
816 AES_RT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
817 AES_RT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
818 AES_RT3( MBEDTLS_BYTE_3( Y0 ) ); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]819 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]820
821/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]822 * AES-ECB block encryption
823 */
824#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]825int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
826 const unsigned char input[16],
827 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]828{
829 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]830 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]831 struct
832 {
833 uint32_t X[4];
834 uint32_t Y[4];
835 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]836
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]837 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
838 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
839 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
840 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]841
842 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
843 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]844 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
845 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]846 }
847
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]848 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]849
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]850 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]851 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
852 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
853 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
854 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]855
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]856 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]857 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
858 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
859 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
860 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]861
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]862 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]863 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
864 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
865 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
866 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]867
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]868 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]869 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
870 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
871 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
872 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]873
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]874 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
875 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
876 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
877 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]878
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]879 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]880
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]881 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]882}
883#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
884
885/*
886 * AES-ECB block decryption
887 */
888#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]889int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
890 const unsigned char input[16],
891 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]892{
893 int i;
Werner Lewisdd76ef32022-05-30 12:00:21 +0100[diff] [blame]894 uint32_t *RK = ctx->buf + ctx->rk_offset;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]895 struct
896 {
897 uint32_t X[4];
898 uint32_t Y[4];
899 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]900
Joe Subbiani6a506312021-07-07 16:56:29 +0100[diff] [blame]901 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
902 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
903 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
904 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]905
906 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
907 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]908 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
909 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]910 }
911
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]912 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]913
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]914 t.X[0] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]915 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
916 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
917 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
918 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]919
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]920 t.X[1] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]921 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
922 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
923 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
924 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]925
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]926 t.X[2] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]927 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
928 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
929 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
930 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]931
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]932 t.X[3] = *RK++ ^ \
Joe Subbianicd84d762021-07-08 14:59:52 +0100[diff] [blame]933 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
934 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
935 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
936 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]937
Joe Subbiani5ecac212021-06-24 13:00:03 +0100[diff] [blame]938 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
939 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
940 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
941 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]942
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]943 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]944
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]945 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]946}
947#endif /* !MBEDTLS_AES_DECRYPT_ALT */
948
949/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]950 * AES-ECB block encryption/decryption
951 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]952int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]953 int mode,
954 const unsigned char input[16],
955 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]956{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]957 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
958 mode == MBEDTLS_AES_DECRYPT );
959
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]960#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]961 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]962 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]963#endif
964
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]965#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]966 if( aes_padlock_ace > 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]967 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]968 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]969 return( 0 );
970
971 // If padlock data misaligned, we just fall back to
972 // unaccelerated mode
973 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]974 }
975#endif
976
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]977 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]978 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]979 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]980 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]981}
982
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]983#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]984/*
985 * AES-CBC buffer encryption/decryption
986 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]987int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]988 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]989 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]990 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]991 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]992 unsigned char *output )
993{
994 int i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]995 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]996 unsigned char temp[16];
997
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]998 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
999 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1000
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1001 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1003
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1004#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]1005 if( aes_padlock_ace > 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1006 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1007 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1008 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1009
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1010 // If padlock data misaligned, we just fall back to
1011 // unaccelerated mode
1012 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1013 }
1014#endif
1015
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1016 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1017 {
1018 while( length > 0 )
1019 {
1020 memcpy( temp, input, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1021 ret = mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1022 if( ret != 0 )
1023 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1024
1025 for( i = 0; i < 16; i++ )
1026 output[i] = (unsigned char)( output[i] ^ iv[i] );
1027
1028 memcpy( iv, temp, 16 );
1029
1030 input += 16;
1031 output += 16;
1032 length -= 16;
1033 }
1034 }
1035 else
1036 {
1037 while( length > 0 )
1038 {
1039 for( i = 0; i < 16; i++ )
1040 output[i] = (unsigned char)( input[i] ^ iv[i] );
1041
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1042 ret = mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1043 if( ret != 0 )
1044 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045 memcpy( iv, output, 16 );
1046
1047 input += 16;
1048 output += 16;
1049 length -= 16;
1050 }
1051 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1052 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1053
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1054exit:
1055 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1056}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1057#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1058
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1059#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1060
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1061typedef unsigned char mbedtls_be128[16];
1062
1063/*
1064 * GF(2^128) multiplication function
1065 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1066 * This function multiplies a field element by x in the polynomial field
1067 * representation. It uses 64-bit word operations to gain speed but compensates
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1068 * for machine endianness and hence works correctly on both big and little
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1069 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1070 */
1071static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1072 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1073{
1074 uint64_t a, b, ra, rb;
1075
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1076 a = MBEDTLS_GET_UINT64_LE( x, 0 );
1077 b = MBEDTLS_GET_UINT64_LE( x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1078
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1079 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1080 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1081
Joe Subbiani99edd6c2021-07-16 12:29:49 +0100[diff] [blame]1082 MBEDTLS_PUT_UINT64_LE( ra, r, 0 );
1083 MBEDTLS_PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1084}
1085
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1086/*
1087 * AES-XTS buffer encryption/decryption
1088 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1089int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1090 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1091 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1092 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1093 const unsigned char *input,
1094 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1095{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1096 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1097 size_t blocks = length / 16;
1098 size_t leftover = length % 16;
1099 unsigned char tweak[16];
1100 unsigned char prev_tweak[16];
1101 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1102
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1103 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1104 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1105
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1106 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1107 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1108 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1109
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1110 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1111 if( length > ( 1 << 20 ) * 16 )
1112 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1113
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1114 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1115 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1116 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1117 if( ret != 0 )
1118 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1119
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1120 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1121 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1122 size_t i;
1123
1124 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1125 {
1126 /* We are on the last block in a decrypt operation that has
1127 * leftover bytes, so we need to use the next tweak for this block,
1128 * and this tweak for the lefover bytes. Save the current tweak for
1129 * the leftovers and then update the current tweak for use on this,
1130 * the last full block. */
1131 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1132 mbedtls_gf128mul_x_ble( tweak, tweak );
1133 }
1134
1135 for( i = 0; i < 16; i++ )
1136 tmp[i] = input[i] ^ tweak[i];
1137
1138 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1139 if( ret != 0 )
1140 return( ret );
1141
1142 for( i = 0; i < 16; i++ )
1143 output[i] = tmp[i] ^ tweak[i];
1144
1145 /* Update the tweak for the next block. */
1146 mbedtls_gf128mul_x_ble( tweak, tweak );
1147
1148 output += 16;
1149 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1150 }
1151
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1152 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1153 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1154 /* If we are on the leftover bytes in a decrypt operation, we need to
1155 * use the previous tweak for these bytes (as saved in prev_tweak). */
1156 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1157
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1158 /* We are now on the final part of the data unit, which doesn't divide
1159 * evenly by 16. It's time for ciphertext stealing. */
1160 size_t i;
1161 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1162
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1163 /* Copy ciphertext bytes from the previous block to our output for each
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1164 * byte of ciphertext we won't steal. At the same time, copy the
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1165 * remainder of the input for this final round (since the loop bounds
1166 * are the same). */
1167 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1168 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1169 output[i] = prev_output[i];
1170 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1171 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1172
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1173 /* Copy ciphertext bytes from the previous block for input in this
1174 * round. */
1175 for( ; i < 16; i++ )
1176 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1177
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1178 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1179 if( ret != 0 )
1180 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1181
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1182 /* Write the result back to the previous block, overriding the previous
1183 * output we copied. */
1184 for( i = 0; i < 16; i++ )
1185 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1186 }
1187
1188 return( 0 );
1189}
1190#endif /* MBEDTLS_CIPHER_MODE_XTS */
1191
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1192#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1193/*
1194 * AES-CFB128 buffer encryption/decryption
1195 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1196int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1197 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1198 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1199 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1200 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1201 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1202 unsigned char *output )
1203{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1204 int c;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1205 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1206 size_t n;
1207
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1208 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1209 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1210
1211 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1212
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1213 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1214 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1215
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1216 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1217 {
1218 while( length-- )
1219 {
1220 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1221 {
1222 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1223 if( ret != 0 )
1224 goto exit;
1225 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1226
1227 c = *input++;
1228 *output++ = (unsigned char)( c ^ iv[n] );
1229 iv[n] = (unsigned char) c;
1230
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1231 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1232 }
1233 }
1234 else
1235 {
1236 while( length-- )
1237 {
1238 if( n == 0 )
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1239 {
1240 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1241 if( ret != 0 )
1242 goto exit;
1243 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1244
1245 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1246
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1247 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1248 }
1249 }
1250
1251 *iv_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1252 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1253
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1254exit:
1255 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1256}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1257
1258/*
1259 * AES-CFB8 buffer encryption/decryption
1260 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1261int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1262 int mode,
1263 size_t length,
1264 unsigned char iv[16],
1265 const unsigned char *input,
1266 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1267{
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1268 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1269 unsigned char c;
1270 unsigned char ov[17];
1271
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1272 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1273 mode == MBEDTLS_AES_DECRYPT );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1274 while( length-- )
1275 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1276 memcpy( ov, iv, 16 );
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1277 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1278 if( ret != 0 )
1279 goto exit;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1280
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1281 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1282 ov[16] = *input;
1283
1284 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1285
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1286 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1287 ov[16] = c;
1288
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1289 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1290 }
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1291 ret = 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1292
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1293exit:
1294 return( ret );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1295}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1296#endif /* MBEDTLS_CIPHER_MODE_CFB */
1297
1298#if defined(MBEDTLS_CIPHER_MODE_OFB)
1299/*
1300 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1301 */
1302int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1303 size_t length,
1304 size_t *iv_off,
1305 unsigned char iv[16],
1306 const unsigned char *input,
1307 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1308{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1309 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1310 size_t n;
1311
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1312 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1313
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1314 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1315 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1316
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1317 while( length-- )
1318 {
1319 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1320 {
1321 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1322 if( ret != 0 )
1323 goto exit;
1324 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1325 *output++ = *input++ ^ iv[n];
1326
1327 n = ( n + 1 ) & 0x0F;
1328 }
1329
1330 *iv_off = n;
1331
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1332exit:
1333 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1334}
1335#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1336
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1337#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1338/*
1339 * AES-CTR buffer encryption/decryption
1340 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1341int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1342 size_t length,
1343 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1344 unsigned char nonce_counter[16],
1345 unsigned char stream_block[16],
1346 const unsigned char *input,
1347 unsigned char *output )
1348{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1349 int c, i;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1350 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1351 size_t n;
1352
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1353 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1354
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1355 if ( n > 0x0F )
1356 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1357
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1358 while( length-- )
1359 {
1360 if( n == 0 ) {
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1361 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1362 if( ret != 0 )
1363 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1364
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1365 for( i = 16; i > 0; i-- )
1366 if( ++nonce_counter[i - 1] != 0 )
1367 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1368 }
1369 c = *input++;
1370 *output++ = (unsigned char)( c ^ stream_block[n] );
1371
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1372 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1373 }
1374
1375 *nc_off = n;
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1376 ret = 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1377
Gilles Peskine7820a572021-07-07 21:08:28 +0200[diff] [blame]1378exit:
1379 return( ret );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1380}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1382
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1383#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1384
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1385#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1386/*
1387 * AES test vectors from:
1388 *
1389 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1390 */
1391static const unsigned char aes_test_ecb_dec[3][16] =
1392{
1393 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1394 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1395 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1396 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1397 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1398 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1399};
1400
1401static const unsigned char aes_test_ecb_enc[3][16] =
1402{
1403 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1404 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1405 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1406 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1407 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1408 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1409};
1410
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1411#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1412static const unsigned char aes_test_cbc_dec[3][16] =
1413{
1414 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1415 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1416 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1417 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1418 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1419 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1420};
1421
1422static const unsigned char aes_test_cbc_enc[3][16] =
1423{
1424 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1425 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1426 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1427 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1428 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1429 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1430};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1431#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1432
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1433#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1434/*
1435 * AES-CFB128 test vectors from:
1436 *
1437 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1438 */
1439static const unsigned char aes_test_cfb128_key[3][32] =
1440{
1441 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1442 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1443 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1444 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1445 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1446 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1447 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1448 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1449 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1450};
1451
1452static const unsigned char aes_test_cfb128_iv[16] =
1453{
1454 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1455 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1456};
1457
1458static const unsigned char aes_test_cfb128_pt[64] =
1459{
1460 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1461 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1462 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1463 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1464 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1465 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1466 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1467 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1468};
1469
1470static const unsigned char aes_test_cfb128_ct[3][64] =
1471{
1472 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1473 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1474 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1475 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1476 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1477 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1478 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1479 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1480 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1481 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1482 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1483 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1484 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1485 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1486 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1487 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1488 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1489 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1490 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1491 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1492 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1493 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1494 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1495 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1496};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1497#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1498
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1499#if defined(MBEDTLS_CIPHER_MODE_OFB)
1500/*
1501 * AES-OFB test vectors from:
1502 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1503 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1504 */
1505static const unsigned char aes_test_ofb_key[3][32] =
1506{
1507 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1508 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1509 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1510 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1511 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1512 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1513 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1514 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1515 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1516};
1517
1518static const unsigned char aes_test_ofb_iv[16] =
1519{
1520 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1521 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1522};
1523
1524static const unsigned char aes_test_ofb_pt[64] =
1525{
1526 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1527 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1528 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1529 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1530 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1531 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1532 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1533 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1534};
1535
1536static const unsigned char aes_test_ofb_ct[3][64] =
1537{
1538 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1539 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1540 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1541 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1542 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1543 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1544 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1545 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1546 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1547 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1548 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1549 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1550 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1551 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1552 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1553 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1554 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1555 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1556 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1557 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1558 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1559 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1560 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1561 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1562};
1563#endif /* MBEDTLS_CIPHER_MODE_OFB */
1564
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1565#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1566/*
1567 * AES-CTR test vectors from:
1568 *
1569 * http://www.faqs.org/rfcs/rfc3686.html
1570 */
1571
1572static const unsigned char aes_test_ctr_key[3][16] =
1573{
1574 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1575 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1576 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1577 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1578 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1579 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1580};
1581
1582static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1583{
1584 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1585 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1586 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1587 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1588 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1589 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1590};
1591
1592static const unsigned char aes_test_ctr_pt[3][48] =
1593{
1594 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1595 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1596
1597 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1598 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1599 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1600 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1601
1602 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1603 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1604 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1605 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1606 0x20, 0x21, 0x22, 0x23 }
1607};
1608
1609static const unsigned char aes_test_ctr_ct[3][48] =
1610{
1611 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1612 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1613 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1614 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1615 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1616 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1617 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1618 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1619 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1620 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1621 0x25, 0xB2, 0x07, 0x2F }
1622};
1623
1624static const int aes_test_ctr_len[3] =
1625 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1626#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1627
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1628#if defined(MBEDTLS_CIPHER_MODE_XTS)
1629/*
1630 * AES-XTS test vectors from:
1631 *
1632 * IEEE P1619/D16 Annex B
1633 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1634 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1635 */
1636static const unsigned char aes_test_xts_key[][32] =
1637{
1638 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1640 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1641 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1642 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1643 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1644 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1645 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1646 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1647 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1648 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1649 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1650};
1651
1652static const unsigned char aes_test_xts_pt32[][32] =
1653{
1654 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1658 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1659 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1660 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1661 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1662 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1663 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1664 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1665 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1666};
1667
1668static const unsigned char aes_test_xts_ct32[][32] =
1669{
1670 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1671 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1672 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1673 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1674 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1675 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1676 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1677 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1678 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1679 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1680 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1681 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1682};
1683
1684static const unsigned char aes_test_xts_data_unit[][16] =
1685{
1686 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1687 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1688 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1690 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1692};
1693
1694#endif /* MBEDTLS_CIPHER_MODE_XTS */
1695
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1696/*
1697 * Checkup routine
1698 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1699int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1700{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1701 int ret = 0, i, j, u, mode;
1702 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1703 unsigned char key[32];
1704 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1705 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1706#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1707 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1708#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1709#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1710 unsigned char prv[16];
1711#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1712#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1713 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1714 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1715#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1716#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1717 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1718#endif
1719#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1720 unsigned char nonce_counter[16];
1721 unsigned char stream_block[16];
1722#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1723 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1724
1725 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1726 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1727
1728 /*
1729 * ECB mode
1730 */
1731 for( i = 0; i < 6; i++ )
1732 {
1733 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1734 keybits = 128 + u * 64;
1735 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1736
1737 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1738 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1739 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1740
1741 memset( buf, 0, 16 );
1742
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1743 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1744 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1745 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1746 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1747 }
1748 else
1749 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1750 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1751 aes_tests = aes_test_ecb_enc[u];
1752 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1753
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1754 /*
1755 * AES-192 is an optional feature that may be unavailable when
1756 * there is an alternative underlying implementation i.e. when
1757 * MBEDTLS_AES_ALT is defined.
1758 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1759 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1760 {
1761 mbedtls_printf( "skipped\n" );
1762 continue;
1763 }
1764 else if( ret != 0 )
1765 {
1766 goto exit;
1767 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1768
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1769 for( j = 0; j < 10000; j++ )
1770 {
1771 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1772 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1773 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1774 }
1775
1776 if( memcmp( buf, aes_tests, 16 ) != 0 )
1777 {
1778 ret = 1;
1779 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1780 }
1781
1782 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1783 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1784 }
1785
1786 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1787 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1789#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1790 /*
1791 * CBC mode
1792 */
1793 for( i = 0; i < 6; i++ )
1794 {
1795 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1796 keybits = 128 + u * 64;
1797 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1798
1799 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1800 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1801 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1802
1803 memset( iv , 0, 16 );
1804 memset( prv, 0, 16 );
1805 memset( buf, 0, 16 );
1806
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1807 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1808 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1809 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1810 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811 }
1812 else
1813 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1814 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1815 aes_tests = aes_test_cbc_enc[u];
1816 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1818 /*
1819 * AES-192 is an optional feature that may be unavailable when
1820 * there is an alternative underlying implementation i.e. when
1821 * MBEDTLS_AES_ALT is defined.
1822 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1823 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1824 {
1825 mbedtls_printf( "skipped\n" );
1826 continue;
1827 }
1828 else if( ret != 0 )
1829 {
1830 goto exit;
1831 }
1832
1833 for( j = 0; j < 10000; j++ )
1834 {
1835 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836 {
1837 unsigned char tmp[16];
1838
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839 memcpy( tmp, prv, 16 );
1840 memcpy( prv, buf, 16 );
1841 memcpy( buf, tmp, 16 );
1842 }
1843
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1844 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1845 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1846 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1847
1848 }
1849
1850 if( memcmp( buf, aes_tests, 16 ) != 0 )
1851 {
1852 ret = 1;
1853 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1854 }
1855
1856 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1857 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1858 }
1859
1860 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1861 mbedtls_printf( "\n" );
1862#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1863
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1864#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865 /*
1866 * CFB128 mode
1867 */
1868 for( i = 0; i < 6; i++ )
1869 {
1870 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1871 keybits = 128 + u * 64;
1872 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1873
1874 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1875 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1876 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1877
1878 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1879 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1880
1881 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1882 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1883 /*
1884 * AES-192 is an optional feature that may be unavailable when
1885 * there is an alternative underlying implementation i.e. when
1886 * MBEDTLS_AES_ALT is defined.
1887 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1888 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1889 {
1890 mbedtls_printf( "skipped\n" );
1891 continue;
1892 }
1893 else if( ret != 0 )
1894 {
1895 goto exit;
1896 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1897
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1898 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1899 {
1900 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1901 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1902 }
1903 else
1904 {
1905 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1906 aes_tests = aes_test_cfb128_ct[u];
1907 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1908
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1909 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1910 if( ret != 0 )
1911 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1913 if( memcmp( buf, aes_tests, 64 ) != 0 )
1914 {
1915 ret = 1;
1916 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1917 }
1918
1919 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1920 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1921 }
1922
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1923 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1924 mbedtls_printf( "\n" );
1925#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1926
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1927#if defined(MBEDTLS_CIPHER_MODE_OFB)
1928 /*
1929 * OFB mode
1930 */
1931 for( i = 0; i < 6; i++ )
1932 {
1933 u = i >> 1;
1934 keybits = 128 + u * 64;
1935 mode = i & 1;
1936
1937 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1938 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1939 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1940
1941 memcpy( iv, aes_test_ofb_iv, 16 );
1942 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1943
1944 offset = 0;
1945 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1946 /*
1947 * AES-192 is an optional feature that may be unavailable when
1948 * there is an alternative underlying implementation i.e. when
1949 * MBEDTLS_AES_ALT is defined.
1950 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1951 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1952 {
1953 mbedtls_printf( "skipped\n" );
1954 continue;
1955 }
1956 else if( ret != 0 )
1957 {
1958 goto exit;
1959 }
1960
1961 if( mode == MBEDTLS_AES_DECRYPT )
1962 {
1963 memcpy( buf, aes_test_ofb_ct[u], 64 );
1964 aes_tests = aes_test_ofb_pt;
1965 }
1966 else
1967 {
1968 memcpy( buf, aes_test_ofb_pt, 64 );
1969 aes_tests = aes_test_ofb_ct[u];
1970 }
1971
1972 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1973 if( ret != 0 )
1974 goto exit;
1975
1976 if( memcmp( buf, aes_tests, 64 ) != 0 )
1977 {
1978 ret = 1;
1979 goto exit;
1980 }
1981
1982 if( verbose != 0 )
1983 mbedtls_printf( "passed\n" );
1984 }
1985
1986 if( verbose != 0 )
1987 mbedtls_printf( "\n" );
1988#endif /* MBEDTLS_CIPHER_MODE_OFB */
1989
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1990#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1991 /*
1992 * CTR mode
1993 */
1994 for( i = 0; i < 6; i++ )
1995 {
1996 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1997 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1998
1999 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2000 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2001 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2002
2003 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2004 memcpy( key, aes_test_ctr_key[u], 16 );
2005
2006 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2007 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2008 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2009
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2010 len = aes_test_ctr_len[u];
2011
2012 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2013 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2014 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2015 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2016 }
2017 else
2018 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2019 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2020 aes_tests = aes_test_ctr_ct[u];
2021 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2022
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2023 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2024 stream_block, buf, buf );
2025 if( ret != 0 )
2026 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2027
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2028 if( memcmp( buf, aes_tests, len ) != 0 )
2029 {
2030 ret = 1;
2031 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2032 }
2033
2034 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2035 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2036 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2037
2038 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2039 mbedtls_printf( "\n" );
2040#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2041
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2042#if defined(MBEDTLS_CIPHER_MODE_XTS)
2043 {
2044 static const int num_tests =
2045 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2046 mbedtls_aes_xts_context ctx_xts;
2047
2048 /*
2049 * XTS mode
2050 */
2051 mbedtls_aes_xts_init( &ctx_xts );
2052
2053 for( i = 0; i < num_tests << 1; i++ )
2054 {
2055 const unsigned char *data_unit;
2056 u = i >> 1;
2057 mode = i & 1;
2058
2059 if( verbose != 0 )
2060 mbedtls_printf( " AES-XTS-128 (%s): ",
2061 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2062
2063 memset( key, 0, sizeof( key ) );
2064 memcpy( key, aes_test_xts_key[u], 32 );
2065 data_unit = aes_test_xts_data_unit[u];
2066
2067 len = sizeof( *aes_test_xts_ct32 );
2068
2069 if( mode == MBEDTLS_AES_DECRYPT )
2070 {
2071 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2072 if( ret != 0)
2073 goto exit;
2074 memcpy( buf, aes_test_xts_ct32[u], len );
2075 aes_tests = aes_test_xts_pt32[u];
2076 }
2077 else
2078 {
2079 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2080 if( ret != 0)
2081 goto exit;
2082 memcpy( buf, aes_test_xts_pt32[u], len );
2083 aes_tests = aes_test_xts_ct32[u];
2084 }
2085
2086
2087 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2088 buf, buf );
2089 if( ret != 0 )
2090 goto exit;
2091
2092 if( memcmp( buf, aes_tests, len ) != 0 )
2093 {
2094 ret = 1;
2095 goto exit;
2096 }
2097
2098 if( verbose != 0 )
2099 mbedtls_printf( "passed\n" );
2100 }
2101
2102 if( verbose != 0 )
2103 mbedtls_printf( "\n" );
2104
2105 mbedtls_aes_xts_free( &ctx_xts );
2106 }
2107#endif /* MBEDTLS_CIPHER_MODE_XTS */
2108
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2109 ret = 0;
2110
2111exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2112 if( ret != 0 && verbose != 0 )
2113 mbedtls_printf( "failed\n" );
2114
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2115 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2116
2117 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2118}
2119
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2120#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2121
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2122#endif /* MBEDTLS_AES_C */