TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ceeaeb9439f93bebab2c031e113f763f7e5ab9bc / . / library / aes.c
blob: bcdf3c782bce3ec854254820058f1dedd8b9fa37 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]44
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]46
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]47/* Parameter validation macros based on platform_util.h */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]48#define AES_VALIDATE_RET(cond) \
49 MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA)
50#define AES_VALIDATE(cond) \
51 MBEDTLS_INTERNAL_VALIDATE(cond)
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if defined(MBEDTLS_PADLOCK_C) && \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]54 (defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16))
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]55static int aes_padlock_ace = -1;
56#endif
57
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]59/*
60 * Forward S-box
61 */
62static const unsigned char FSb[256] =
63{
64 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
65 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
66 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
67 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
68 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
69 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
70 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
71 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
72 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
73 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
74 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
75 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
76 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
77 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
78 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
79 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
80 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
81 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
82 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
83 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
84 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
85 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
86 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
87 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
88 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
89 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
90 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
91 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
92 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
93 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
94 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
95 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
96};
97
98/*
99 * Forward tables
100 */
101#define FT \
102\
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]103 V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \
104 V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \
105 V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
106 V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \
107 V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
108 V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
109 V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \
110 V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \
111 V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
112 V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
113 V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \
114 V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
115 V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \
116 V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \
117 V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
118 V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \
119 V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \
120 V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
121 V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \
122 V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
123 V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
124 V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \
125 V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \
126 V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
127 V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
128 V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \
129 V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
130 V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \
131 V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \
132 V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
133 V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
134 V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \
135 V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
136 V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \
137 V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
138 V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
139 V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \
140 V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \
141 V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
142 V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
143 V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \
144 V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
145 V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \
146 V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \
147 V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
148 V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \
149 V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \
150 V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
151 V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \
152 V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
153 V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
154 V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \
155 V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \
156 V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
157 V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
158 V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
159 V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
160 V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \
161 V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \
162 V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
163 V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \
164 V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \
165 V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
166 V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]167
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]168#define V(a, b, c, d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]169static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]170#undef V
171
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]172#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]173
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]174#define V(a, b, c, d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]175static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]176#undef V
177
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]178#define V(a, b, c, d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]179static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]180#undef V
181
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]182#define V(a, b, c, d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]183static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]184#undef V
185
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]186#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]187
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]188#undef FT
189
190/*
191 * Reverse S-box
192 */
193static const unsigned char RSb[256] =
194{
195 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
196 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
197 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
198 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
199 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
200 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
201 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
202 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
203 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
204 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
205 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
206 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
207 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
208 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
209 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
210 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
211 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
212 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
213 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
214 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
215 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
216 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
217 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
218 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
219 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
220 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
221 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
222 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
223 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
224 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
225 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
226 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
227};
228
229/*
230 * Reverse tables
231 */
232#define RT \
233\
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]234 V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \
235 V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \
236 V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
237 V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \
238 V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
239 V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
240 V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \
241 V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \
242 V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
243 V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
244 V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \
245 V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
246 V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \
247 V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \
248 V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
249 V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
250 V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \
251 V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
252 V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \
253 V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
254 V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
255 V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \
256 V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \
257 V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
258 V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
259 V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \
260 V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
261 V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \
262 V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \
263 V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
264 V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \
265 V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \
266 V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
267 V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \
268 V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
269 V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
270 V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \
271 V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
272 V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
273 V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
274 V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
275 V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
276 V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \
277 V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \
278 V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
279 V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \
280 V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \
281 V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
282 V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \
283 V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
284 V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
285 V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \
286 V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \
287 V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
288 V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
289 V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \
290 V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
291 V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \
292 V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \
293 V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
294 V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \
295 V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
296 V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
297 V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]298
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]299#define V(a, b, c, d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]300static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]301#undef V
302
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]303#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]304
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]305#define V(a, b, c, d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]306static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]307#undef V
308
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]309#define V(a, b, c, d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]310static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]311#undef V
312
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]313#define V(a, b, c, d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]314static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]315#undef V
316
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]317#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]318
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]319#undef RT
320
321/*
322 * Round constants
323 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]324static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]325{
326 0x00000001, 0x00000002, 0x00000004, 0x00000008,
327 0x00000010, 0x00000020, 0x00000040, 0x00000080,
328 0x0000001B, 0x00000036
329};
330
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]331#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]332
333/*
334 * Forward S-box & tables
335 */
336static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]337static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]338#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]339static uint32_t FT1[256];
340static uint32_t FT2[256];
341static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]342#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343
344/*
345 * Reverse S-box & tables
346 */
347static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]348static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]349#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]350static uint32_t RT1[256];
351static uint32_t RT2[256];
352static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]353#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354
355/*
356 * Round constants
357 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]358static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359
360/*
361 * Tables generation code
362 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]363#define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
364#define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
365#define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]366
367static int aes_init_done = 0;
368
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]369static void aes_gen_tables(void)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]370{
371 int i, x, y, z;
372 int pow[256];
373 int log[256];
374
375 /*
376 * compute pow and log tables over GF(2^8)
377 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]378 for (i = 0, x = 1; i < 256; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379 pow[i] = x;
380 log[x] = i;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]381 x = MBEDTLS_BYTE_0(x ^ XTIME(x));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382 }
383
384 /*
385 * calculate the round constants
386 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]387 for (i = 0, x = 1; i < 10; i++) {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388 RCON[i] = (uint32_t) x;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]389 x = MBEDTLS_BYTE_0(XTIME(x));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390 }
391
392 /*
393 * generate the forward and reverse S-boxes
394 */
395 FSb[0x00] = 0x63;
396 RSb[0x63] = 0x00;
397
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]398 for (i = 1; i < 256; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]399 x = pow[255 - log[i]];
400
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]401 y = x; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
402 x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
403 x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
404 x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]405 x ^= y ^ 0x63;
406
407 FSb[i] = (unsigned char) x;
408 RSb[x] = (unsigned char) i;
409 }
410
411 /*
412 * generate the forward and reverse tables
413 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]414 for (i = 0; i < 256; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]415 x = FSb[i];
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]416 y = MBEDTLS_BYTE_0(XTIME(x));
417 z = MBEDTLS_BYTE_0(y ^ x);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]418
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]419 FT0[i] = ((uint32_t) y) ^
420 ((uint32_t) x << 8) ^
421 ((uint32_t) x << 16) ^
422 ((uint32_t) z << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]423
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]424#if !defined(MBEDTLS_AES_FEWER_TABLES)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]425 FT1[i] = ROTL8(FT0[i]);
426 FT2[i] = ROTL8(FT1[i]);
427 FT3[i] = ROTL8(FT2[i]);
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]428#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]429
430 x = RSb[i];
431
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]432 RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
433 ((uint32_t) MUL(0x09, x) << 8) ^
434 ((uint32_t) MUL(0x0D, x) << 16) ^
435 ((uint32_t) MUL(0x0B, x) << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]437#if !defined(MBEDTLS_AES_FEWER_TABLES)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]438 RT1[i] = ROTL8(RT0[i]);
439 RT2[i] = ROTL8(RT1[i]);
440 RT3[i] = ROTL8(RT2[i]);
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]441#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]442 }
443}
444
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]445#undef ROTL8
446
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]447#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]448
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]449#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]450
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]451#define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24))
452#define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
453#define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8))
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]454
455#define AES_RT0(idx) RT0[idx]
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]456#define AES_RT1(idx) ROTL8(RT0[idx])
457#define AES_RT2(idx) ROTL16(RT0[idx])
458#define AES_RT3(idx) ROTL24(RT0[idx])
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]459
460#define AES_FT0(idx) FT0[idx]
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]461#define AES_FT1(idx) ROTL8(FT0[idx])
462#define AES_FT2(idx) ROTL16(FT0[idx])
463#define AES_FT3(idx) ROTL24(FT0[idx])
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]464
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]465#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]466
467#define AES_RT0(idx) RT0[idx]
468#define AES_RT1(idx) RT1[idx]
469#define AES_RT2(idx) RT2[idx]
470#define AES_RT3(idx) RT3[idx]
471
472#define AES_FT0(idx) FT0[idx]
473#define AES_FT1(idx) FT1[idx]
474#define AES_FT2(idx) FT2[idx]
475#define AES_FT3(idx) FT3[idx]
476
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]477#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]478
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]479void mbedtls_aes_init(mbedtls_aes_context *ctx)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]480{
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]481 AES_VALIDATE(ctx != NULL);
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]482
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]483 memset(ctx, 0, sizeof(mbedtls_aes_context));
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]484}
485
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]486void mbedtls_aes_free(mbedtls_aes_context *ctx)
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]487{
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]488 if (ctx == NULL) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]489 return;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]490 }
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]491
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]492 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]493}
494
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]495#if defined(MBEDTLS_CIPHER_MODE_XTS)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]496void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]497{
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]498 AES_VALIDATE(ctx != NULL);
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]499
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]500 mbedtls_aes_init(&ctx->crypt);
501 mbedtls_aes_init(&ctx->tweak);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]502}
503
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]504void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]505{
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]506 if (ctx == NULL) {
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]507 return;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]508 }
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]509
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]510 mbedtls_aes_free(&ctx->crypt);
511 mbedtls_aes_free(&ctx->tweak);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]512}
513#endif /* MBEDTLS_CIPHER_MODE_XTS */
514
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]515/*
516 * AES key schedule (encryption)
517 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]518#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]519int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
520 unsigned int keybits)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]521{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]522 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]523 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]524
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]525 AES_VALIDATE_RET(ctx != NULL);
526 AES_VALIDATE_RET(key != NULL);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]527
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]528 switch (keybits) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]529 case 128: ctx->nr = 10; break;
530 case 192: ctx->nr = 12; break;
531 case 256: ctx->nr = 14; break;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]532 default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]533 }
534
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]535#if !defined(MBEDTLS_AES_ROM_TABLES)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]536 if (aes_init_done == 0) {
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537 aes_gen_tables();
538 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]539 }
540#endif
541
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]542#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]543 if (aes_padlock_ace == -1) {
544 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
545 }
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]546
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]547 if (aes_padlock_ace) {
548 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
549 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]550#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]551 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]553#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]554 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
555 return mbedtls_aesni_setkey_enc((unsigned char *) ctx->rk, key, keybits);
556 }
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]557#endif
558
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]559 for (i = 0; i < (keybits >> 5); i++) {
560 RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 }
562
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]563 switch (ctx->nr) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564 case 10:
565
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]566 for (i = 0; i < 10; i++, RK += 4) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567 RK[4] = RK[0] ^ RCON[i] ^
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]568 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
569 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^
570 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^
571 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572
573 RK[5] = RK[1] ^ RK[4];
574 RK[6] = RK[2] ^ RK[5];
575 RK[7] = RK[3] ^ RK[6];
576 }
577 break;
578
579 case 12:
580
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]581 for (i = 0; i < 8; i++, RK += 6) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]582 RK[6] = RK[0] ^ RCON[i] ^
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]583 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
584 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^
585 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^
586 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]587
588 RK[7] = RK[1] ^ RK[6];
589 RK[8] = RK[2] ^ RK[7];
590 RK[9] = RK[3] ^ RK[8];
591 RK[10] = RK[4] ^ RK[9];
592 RK[11] = RK[5] ^ RK[10];
593 }
594 break;
595
596 case 14:
597
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]598 for (i = 0; i < 7; i++, RK += 8) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599 RK[8] = RK[0] ^ RCON[i] ^
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]600 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
601 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^
602 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^
603 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]604
605 RK[9] = RK[1] ^ RK[8];
606 RK[10] = RK[2] ^ RK[9];
607 RK[11] = RK[3] ^ RK[10];
608
609 RK[12] = RK[4] ^
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]610 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^
611 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^
612 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^
613 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614
615 RK[13] = RK[5] ^ RK[12];
616 RK[14] = RK[6] ^ RK[13];
617 RK[15] = RK[7] ^ RK[14];
618 }
619 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]620 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]621
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]622 return 0;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]624#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]625
626/*
627 * AES key schedule (decryption)
628 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]629#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]630int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
631 unsigned int keybits)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]633 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]634 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]635 uint32_t *RK;
636 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]637
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]638 AES_VALIDATE_RET(ctx != NULL);
639 AES_VALIDATE_RET(key != NULL);
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]640
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]641 mbedtls_aes_init(&cty);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]643#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]644 if (aes_padlock_ace == -1) {
645 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
646 }
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]647
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]648 if (aes_padlock_ace) {
649 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
650 } else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]652 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]654 /* Also checks keybits */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]655 if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]656 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]657 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]658
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]659 ctx->nr = cty.nr;
660
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]661#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]662 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
663 mbedtls_aesni_inverse_key((unsigned char *) ctx->rk,
664 (const unsigned char *) cty.rk, ctx->nr);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]665 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]666 }
667#endif
668
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669 SK = cty.rk + cty.nr * 4;
670
671 *RK++ = *SK++;
672 *RK++ = *SK++;
673 *RK++ = *SK++;
674 *RK++ = *SK++;
675
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]676 for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) {
677 for (j = 0; j < 4; j++, SK++) {
678 *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
679 AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
680 AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
681 AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]682 }
683 }
684
685 *RK++ = *SK++;
686 *RK++ = *SK++;
687 *RK++ = *SK++;
688 *RK++ = *SK++;
689
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]690exit:
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]691 mbedtls_aes_free(&cty);
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]692
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]693 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]695#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]696
697#if defined(MBEDTLS_CIPHER_MODE_XTS)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]698static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
699 unsigned int keybits,
700 const unsigned char **key1,
701 unsigned int *key1bits,
702 const unsigned char **key2,
703 unsigned int *key2bits)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]704{
705 const unsigned int half_keybits = keybits / 2;
706 const unsigned int half_keybytes = half_keybits / 8;
707
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]708 switch (keybits) {
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]709 case 256: break;
710 case 512: break;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]711 default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]712 }
713
714 *key1bits = half_keybits;
715 *key2bits = half_keybits;
716 *key1 = &key[0];
717 *key2 = &key[half_keybytes];
718
719 return 0;
720}
721
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]722int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
723 const unsigned char *key,
724 unsigned int keybits)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]725{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]726 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]727 const unsigned char *key1, *key2;
728 unsigned int key1bits, key2bits;
729
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]730 AES_VALIDATE_RET(ctx != NULL);
731 AES_VALIDATE_RET(key != NULL);
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]732
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]733 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
734 &key2, &key2bits);
735 if (ret != 0) {
736 return ret;
737 }
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]738
739 /* Set the tweak key. Always set tweak key for the encryption mode. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]740 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
741 if (ret != 0) {
742 return ret;
743 }
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]744
745 /* Set crypt key for encryption. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]746 return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]747}
748
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]749int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
750 const unsigned char *key,
751 unsigned int keybits)
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]752{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]753 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]754 const unsigned char *key1, *key2;
755 unsigned int key1bits, key2bits;
756
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]757 AES_VALIDATE_RET(ctx != NULL);
758 AES_VALIDATE_RET(key != NULL);
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]759
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]760 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
761 &key2, &key2bits);
762 if (ret != 0) {
763 return ret;
764 }
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]765
766 /* Set the tweak key. Always set tweak key for encryption. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]767 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
768 if (ret != 0) {
769 return ret;
770 }
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]771
772 /* Set crypt key for decryption. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]773 return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]774}
775#endif /* MBEDTLS_CIPHER_MODE_XTS */
776
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]777#define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame]778 do \
779 { \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]780 (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \
781 AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \
782 AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \
783 AES_FT3(MBEDTLS_BYTE_3(Y3)); \
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame]784 \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]785 (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \
786 AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \
787 AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \
788 AES_FT3(MBEDTLS_BYTE_3(Y0)); \
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame]789 \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]790 (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \
791 AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \
792 AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \
793 AES_FT3(MBEDTLS_BYTE_3(Y1)); \
Joe Subbiani6b897c92021-07-08 14:59:52 +0100[diff] [blame]794 \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]795 (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \
796 AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \
797 AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \
798 AES_FT3(MBEDTLS_BYTE_3(Y2)); \
799 } while (0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]800
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]801#define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]802 do \
803 { \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]804 (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \
805 AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \
806 AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \
807 AES_RT3(MBEDTLS_BYTE_3(Y1)); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]808 \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]809 (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \
810 AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \
811 AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \
812 AES_RT3(MBEDTLS_BYTE_3(Y2)); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]813 \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]814 (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \
815 AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \
816 AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \
817 AES_RT3(MBEDTLS_BYTE_3(Y3)); \
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]818 \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]819 (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \
820 AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \
821 AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \
822 AES_RT3(MBEDTLS_BYTE_3(Y0)); \
823 } while (0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]824
825/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]826 * AES-ECB block encryption
827 */
828#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]829int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
830 const unsigned char input[16],
831 unsigned char output[16])
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]832{
833 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]834 uint32_t *RK = ctx->rk;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]835 struct {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]836 uint32_t X[4];
837 uint32_t Y[4];
838 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]839
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]840 t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
841 t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
842 t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
843 t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]844
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]845 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
846 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
847 AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]848 }
849
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]850 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]851
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]852 t.X[0] = *RK++ ^ \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]853 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
854 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
855 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
856 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]857
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]858 t.X[1] = *RK++ ^ \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]859 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
860 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
861 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
862 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]863
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]864 t.X[2] = *RK++ ^ \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]865 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
866 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
867 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
868 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]869
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]870 t.X[3] = *RK++ ^ \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]871 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
872 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
873 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
874 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]875
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]876 MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
877 MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
878 MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
879 MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]880
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]881 mbedtls_platform_zeroize(&t, sizeof(t));
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]882
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]883 return 0;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]884}
885#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
886
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]887#if !defined(MBEDTLS_DEPRECATED_REMOVED)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]888void mbedtls_aes_encrypt(mbedtls_aes_context *ctx,
889 const unsigned char input[16],
890 unsigned char output[16])
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]891{
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]892 MBEDTLS_IGNORE_RETURN(mbedtls_internal_aes_encrypt(ctx, input, output));
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]893}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]894#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]895
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]896/*
897 * AES-ECB block decryption
898 */
899#if !defined(MBEDTLS_AES_DECRYPT_ALT)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]900int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
901 const unsigned char input[16],
902 unsigned char output[16])
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]903{
904 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]905 uint32_t *RK = ctx->rk;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]906 struct {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]907 uint32_t X[4];
908 uint32_t Y[4];
909 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]910
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]911 t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
912 t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
913 t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
914 t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]915
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]916 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
917 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
918 AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]919 }
920
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]921 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]922
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]923 t.X[0] = *RK++ ^ \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]924 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
925 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
926 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
927 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]928
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]929 t.X[1] = *RK++ ^ \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]930 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
931 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
932 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
933 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]934
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]935 t.X[2] = *RK++ ^ \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]936 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
937 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
938 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
939 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]940
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]941 t.X[3] = *RK++ ^ \
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]942 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
943 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
944 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
945 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]946
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]947 MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
948 MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
949 MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
950 MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]951
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]952 mbedtls_platform_zeroize(&t, sizeof(t));
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]953
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]954 return 0;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]955}
956#endif /* !MBEDTLS_AES_DECRYPT_ALT */
957
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]958#if !defined(MBEDTLS_DEPRECATED_REMOVED)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]959void mbedtls_aes_decrypt(mbedtls_aes_context *ctx,
960 const unsigned char input[16],
961 unsigned char output[16])
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]962{
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]963 MBEDTLS_IGNORE_RETURN(mbedtls_internal_aes_decrypt(ctx, input, output));
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]964}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]965#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]966
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]967/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]968 * AES-ECB block encryption/decryption
969 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]970int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
971 int mode,
972 const unsigned char input[16],
973 unsigned char output[16])
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]974{
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]975 AES_VALIDATE_RET(ctx != NULL);
976 AES_VALIDATE_RET(input != NULL);
977 AES_VALIDATE_RET(output != NULL);
978 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
979 mode == MBEDTLS_AES_DECRYPT);
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]980
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]981#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]982 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
983 return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
984 }
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]985#endif
986
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]987#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]988 if (aes_padlock_ace) {
989 if (mbedtls_padlock_xcryptecb(ctx, mode, input, output) == 0) {
990 return 0;
991 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]992
993 // If padlock data misaligned, we just fall back to
994 // unaccelerated mode
995 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]996 }
997#endif
998
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]999 if (mode == MBEDTLS_AES_ENCRYPT) {
1000 return mbedtls_internal_aes_encrypt(ctx, input, output);
1001 } else {
1002 return mbedtls_internal_aes_decrypt(ctx, input, output);
1003 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1004}
1005
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1006#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007/*
1008 * AES-CBC buffer encryption/decryption
1009 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1010int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
1011 int mode,
1012 size_t length,
1013 unsigned char iv[16],
1014 const unsigned char *input,
1015 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1016{
1017 int i;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1018 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1019 unsigned char temp[16];
1020
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1021 AES_VALIDATE_RET(ctx != NULL);
1022 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1023 mode == MBEDTLS_AES_DECRYPT);
1024 AES_VALIDATE_RET(iv != NULL);
1025 AES_VALIDATE_RET(input != NULL);
1026 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1027
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1028 if (length % 16) {
1029 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1030 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1031
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1032#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1033 if (aes_padlock_ace) {
1034 if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
1035 return 0;
1036 }
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1037
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1038 // If padlock data misaligned, we just fall back to
1039 // unaccelerated mode
1040 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1041 }
1042#endif
1043
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1044 if (mode == MBEDTLS_AES_DECRYPT) {
1045 while (length > 0) {
1046 memcpy(temp, input, 16);
1047 ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output);
1048 if (ret != 0) {
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1049 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1050 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1051
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1052 for (i = 0; i < 16; i++) {
1053 output[i] = (unsigned char) (output[i] ^ iv[i]);
1054 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1055
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1056 memcpy(iv, temp, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1057
1058 input += 16;
1059 output += 16;
1060 length -= 16;
1061 }
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1062 } else {
1063 while (length > 0) {
1064 for (i = 0; i < 16; i++) {
1065 output[i] = (unsigned char) (input[i] ^ iv[i]);
1066 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1067
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1068 ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
1069 if (ret != 0) {
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1070 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1071 }
1072 memcpy(iv, output, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1073
1074 input += 16;
1075 output += 16;
1076 length -= 16;
1077 }
1078 }
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1079 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1080
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1081exit:
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1082 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1083}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1084#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1085
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1086#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1087
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1088typedef unsigned char mbedtls_be128[16];
1089
1090/*
1091 * GF(2^128) multiplication function
1092 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1093 * This function multiplies a field element by x in the polynomial field
1094 * representation. It uses 64-bit word operations to gain speed but compensates
Shaun Case0e7791f2021-12-20 21:14:10 -0800[diff] [blame]1095 * for machine endianness and hence works correctly on both big and little
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1096 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1097 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1098static void mbedtls_gf128mul_x_ble(unsigned char r[16],
1099 const unsigned char x[16])
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1100{
1101 uint64_t a, b, ra, rb;
1102
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1103 a = MBEDTLS_GET_UINT64_LE(x, 0);
1104 b = MBEDTLS_GET_UINT64_LE(x, 8);
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1105
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1106 ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
1107 rb = (a >> 63) | (b << 1);
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1108
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1109 MBEDTLS_PUT_UINT64_LE(ra, r, 0);
1110 MBEDTLS_PUT_UINT64_LE(rb, r, 8);
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1111}
1112
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1113/*
1114 * AES-XTS buffer encryption/decryption
1115 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1116int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
1117 int mode,
1118 size_t length,
1119 const unsigned char data_unit[16],
1120 const unsigned char *input,
1121 unsigned char *output)
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1122{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1123 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1124 size_t blocks = length / 16;
1125 size_t leftover = length % 16;
1126 unsigned char tweak[16];
1127 unsigned char prev_tweak[16];
1128 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1129
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1130 AES_VALIDATE_RET(ctx != NULL);
1131 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1132 mode == MBEDTLS_AES_DECRYPT);
1133 AES_VALIDATE_RET(data_unit != NULL);
1134 AES_VALIDATE_RET(input != NULL);
1135 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1136
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1137 /* Data units must be at least 16 bytes long. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1138 if (length < 16) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1139 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1140 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1141
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1142 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1143 if (length > (1 << 20) * 16) {
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1144 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1145 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1146
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1147 /* Compute the tweak. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1148 ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
1149 data_unit, tweak);
1150 if (ret != 0) {
1151 return ret;
1152 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1153
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1154 while (blocks--) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1155 size_t i;
1156
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1157 if (leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1158 /* We are on the last block in a decrypt operation that has
1159 * leftover bytes, so we need to use the next tweak for this block,
Tom Cosgrove49f99bc2022-12-04 16:44:21 +0000[diff] [blame]1160 * and this tweak for the leftover bytes. Save the current tweak for
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1161 * the leftovers and then update the current tweak for use on this,
1162 * the last full block. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1163 memcpy(prev_tweak, tweak, sizeof(tweak));
1164 mbedtls_gf128mul_x_ble(tweak, tweak);
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1165 }
1166
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1167 for (i = 0; i < 16; i++) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1168 tmp[i] = input[i] ^ tweak[i];
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1169 }
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1170
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1171 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1172 if (ret != 0) {
1173 return ret;
1174 }
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1175
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1176 for (i = 0; i < 16; i++) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1177 output[i] = tmp[i] ^ tweak[i];
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1178 }
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1179
1180 /* Update the tweak for the next block. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1181 mbedtls_gf128mul_x_ble(tweak, tweak);
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1182
1183 output += 16;
1184 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1185 }
1186
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1187 if (leftover) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1188 /* If we are on the leftover bytes in a decrypt operation, we need to
1189 * use the previous tweak for these bytes (as saved in prev_tweak). */
1190 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1191
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1192 /* We are now on the final part of the data unit, which doesn't divide
1193 * evenly by 16. It's time for ciphertext stealing. */
1194 size_t i;
1195 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1196
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1197 /* Copy ciphertext bytes from the previous block to our output for each
Shaun Case0e7791f2021-12-20 21:14:10 -0800[diff] [blame]1198 * byte of ciphertext we won't steal. At the same time, copy the
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1199 * remainder of the input for this final round (since the loop bounds
1200 * are the same). */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1201 for (i = 0; i < leftover; i++) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1202 output[i] = prev_output[i];
1203 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1204 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1205
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1206 /* Copy ciphertext bytes from the previous block for input in this
1207 * round. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1208 for (; i < 16; i++) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1209 tmp[i] = prev_output[i] ^ t[i];
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1210 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1211
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1212 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1213 if (ret != 0) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1214 return ret;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1215 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1216
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1217 /* Write the result back to the previous block, overriding the previous
1218 * output we copied. */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1219 for (i = 0; i < 16; i++) {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1220 prev_output[i] = tmp[i] ^ t[i];
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1221 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1222 }
1223
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1224 return 0;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1225}
1226#endif /* MBEDTLS_CIPHER_MODE_XTS */
1227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1228#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1229/*
1230 * AES-CFB128 buffer encryption/decryption
1231 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1232int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
1233 int mode,
1234 size_t length,
1235 size_t *iv_off,
1236 unsigned char iv[16],
1237 const unsigned char *input,
1238 unsigned char *output)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1239{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1240 int c;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1241 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1242 size_t n;
1243
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1244 AES_VALIDATE_RET(ctx != NULL);
1245 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1246 mode == MBEDTLS_AES_DECRYPT);
1247 AES_VALIDATE_RET(iv_off != NULL);
1248 AES_VALIDATE_RET(iv != NULL);
1249 AES_VALIDATE_RET(input != NULL);
1250 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1251
1252 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1253
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1254 if (n > 15) {
1255 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1256 }
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1257
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1258 if (mode == MBEDTLS_AES_DECRYPT) {
1259 while (length--) {
1260 if (n == 0) {
1261 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1262 if (ret != 0) {
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1263 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1264 }
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1265 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1266
1267 c = *input++;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1268 *output++ = (unsigned char) (c ^ iv[n]);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269 iv[n] = (unsigned char) c;
1270
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1271 n = (n + 1) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1272 }
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1273 } else {
1274 while (length--) {
1275 if (n == 0) {
1276 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1277 if (ret != 0) {
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1278 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1279 }
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1280 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1281
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1282 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1283
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1284 n = (n + 1) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1285 }
1286 }
1287
1288 *iv_off = n;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1289 ret = 0;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1290
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1291exit:
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1292 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1294
1295/*
1296 * AES-CFB8 buffer encryption/decryption
1297 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1298int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
1299 int mode,
1300 size_t length,
1301 unsigned char iv[16],
1302 const unsigned char *input,
1303 unsigned char *output)
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1304{
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1305 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1306 unsigned char c;
1307 unsigned char ov[17];
1308
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1309 AES_VALIDATE_RET(ctx != NULL);
1310 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1311 mode == MBEDTLS_AES_DECRYPT);
1312 AES_VALIDATE_RET(iv != NULL);
1313 AES_VALIDATE_RET(input != NULL);
1314 AES_VALIDATE_RET(output != NULL);
1315 while (length--) {
1316 memcpy(ov, iv, 16);
1317 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1318 if (ret != 0) {
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1319 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1320 }
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1321
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1322 if (mode == MBEDTLS_AES_DECRYPT) {
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1323 ov[16] = *input;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1324 }
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1325
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1326 c = *output++ = (unsigned char) (iv[0] ^ *input++);
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1327
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1328 if (mode == MBEDTLS_AES_ENCRYPT) {
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1329 ov[16] = c;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1330 }
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1331
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1332 memcpy(iv, ov + 1, 16);
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1333 }
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1334 ret = 0;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1335
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1336exit:
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1337 return ret;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1338}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1339#endif /* MBEDTLS_CIPHER_MODE_CFB */
1340
1341#if defined(MBEDTLS_CIPHER_MODE_OFB)
1342/*
1343 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1344 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1345int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
1346 size_t length,
1347 size_t *iv_off,
1348 unsigned char iv[16],
1349 const unsigned char *input,
1350 unsigned char *output)
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1351{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1352 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1353 size_t n;
1354
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1355 AES_VALIDATE_RET(ctx != NULL);
1356 AES_VALIDATE_RET(iv_off != NULL);
1357 AES_VALIDATE_RET(iv != NULL);
1358 AES_VALIDATE_RET(input != NULL);
1359 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1360
1361 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1362
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1363 if (n > 15) {
1364 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1365 }
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1366
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1367 while (length--) {
1368 if (n == 0) {
1369 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1370 if (ret != 0) {
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1371 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1372 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1373 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1374 *output++ = *input++ ^ iv[n];
1375
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1376 n = (n + 1) & 0x0F;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1377 }
1378
1379 *iv_off = n;
1380
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1381exit:
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1382 return ret;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1383}
1384#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1385
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1386#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1387/*
1388 * AES-CTR buffer encryption/decryption
1389 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1390int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
1391 size_t length,
1392 size_t *nc_off,
1393 unsigned char nonce_counter[16],
1394 unsigned char stream_block[16],
1395 const unsigned char *input,
1396 unsigned char *output)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1397{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1398 int c, i;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1399 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1400 size_t n;
1401
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1402 AES_VALIDATE_RET(ctx != NULL);
1403 AES_VALIDATE_RET(nc_off != NULL);
1404 AES_VALIDATE_RET(nonce_counter != NULL);
1405 AES_VALIDATE_RET(stream_block != NULL);
1406 AES_VALIDATE_RET(input != NULL);
1407 AES_VALIDATE_RET(output != NULL);
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1408
1409 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1410
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1411 if (n > 0x0F) {
1412 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1413 }
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1414
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1415 while (length--) {
1416 if (n == 0) {
1417 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
1418 if (ret != 0) {
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1419 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1420 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1421
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1422 for (i = 16; i > 0; i--) {
1423 if (++nonce_counter[i - 1] != 0) {
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1424 break;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1425 }
1426 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1427 }
1428 c = *input++;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1429 *output++ = (unsigned char) (c ^ stream_block[n]);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1430
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1431 n = (n + 1) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1432 }
1433
1434 *nc_off = n;
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1435 ret = 0;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1436
Gilles Peskine377a3102021-07-07 21:08:28 +0200[diff] [blame]1437exit:
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1438 return ret;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1439}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1440#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1441
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1442#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1443
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1444#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1445/*
1446 * AES test vectors from:
1447 *
1448 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1449 */
1450static const unsigned char aes_test_ecb_dec[3][16] =
1451{
1452 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1453 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1454 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1455 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1456 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1457 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1458};
1459
1460static const unsigned char aes_test_ecb_enc[3][16] =
1461{
1462 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1463 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1464 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1465 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1466 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1467 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1468};
1469
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1470#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1471static const unsigned char aes_test_cbc_dec[3][16] =
1472{
1473 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1474 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1475 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1476 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1477 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1478 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1479};
1480
1481static const unsigned char aes_test_cbc_enc[3][16] =
1482{
1483 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1484 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1485 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1486 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1487 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1488 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1489};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1490#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1491
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1492#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1493/*
1494 * AES-CFB128 test vectors from:
1495 *
1496 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1497 */
1498static const unsigned char aes_test_cfb128_key[3][32] =
1499{
1500 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1501 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1502 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1503 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1504 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1505 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1506 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1507 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1508 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1509};
1510
1511static const unsigned char aes_test_cfb128_iv[16] =
1512{
1513 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1514 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1515};
1516
1517static const unsigned char aes_test_cfb128_pt[64] =
1518{
1519 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1520 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1521 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1522 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1523 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1524 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1525 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1526 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1527};
1528
1529static const unsigned char aes_test_cfb128_ct[3][64] =
1530{
1531 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1532 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1533 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1534 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1535 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1536 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1537 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1538 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1539 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1540 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1541 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1542 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1543 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1544 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1545 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1546 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1547 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1548 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1549 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1550 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1551 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1552 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1553 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1554 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1555};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1556#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1557
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1558#if defined(MBEDTLS_CIPHER_MODE_OFB)
1559/*
1560 * AES-OFB test vectors from:
1561 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1562 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1563 */
1564static const unsigned char aes_test_ofb_key[3][32] =
1565{
1566 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1567 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1568 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1569 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1570 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1571 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1572 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1573 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1574 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1575};
1576
1577static const unsigned char aes_test_ofb_iv[16] =
1578{
1579 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1580 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1581};
1582
1583static const unsigned char aes_test_ofb_pt[64] =
1584{
1585 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1586 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1587 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1588 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1589 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1590 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1591 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1592 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1593};
1594
1595static const unsigned char aes_test_ofb_ct[3][64] =
1596{
1597 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1598 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1599 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1600 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1601 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1602 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1603 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1604 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1605 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1606 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1607 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1608 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1609 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1610 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1611 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1612 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1613 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1614 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1615 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1616 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1617 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1618 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1619 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1620 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1621};
1622#endif /* MBEDTLS_CIPHER_MODE_OFB */
1623
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1624#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1625/*
1626 * AES-CTR test vectors from:
1627 *
1628 * http://www.faqs.org/rfcs/rfc3686.html
1629 */
1630
1631static const unsigned char aes_test_ctr_key[3][16] =
1632{
1633 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1634 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1635 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1636 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1637 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1638 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1639};
1640
1641static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1642{
1643 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1644 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1645 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1646 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1647 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1648 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1649};
1650
1651static const unsigned char aes_test_ctr_pt[3][48] =
1652{
1653 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1654 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1655
1656 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1657 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1658 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1659 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1660
1661 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1662 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1663 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1664 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1665 0x20, 0x21, 0x22, 0x23 }
1666};
1667
1668static const unsigned char aes_test_ctr_ct[3][48] =
1669{
1670 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1671 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1672 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1673 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1674 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1675 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1676 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1677 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1678 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1679 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1680 0x25, 0xB2, 0x07, 0x2F }
1681};
1682
1683static const int aes_test_ctr_len[3] =
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1684{ 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1685#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1686
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1687#if defined(MBEDTLS_CIPHER_MODE_XTS)
1688/*
1689 * AES-XTS test vectors from:
1690 *
1691 * IEEE P1619/D16 Annex B
1692 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1693 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1694 */
1695static const unsigned char aes_test_xts_key[][32] =
1696{
1697 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1699 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1700 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1701 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1702 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1703 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1704 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1705 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1706 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1707 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1708 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1709};
1710
1711static const unsigned char aes_test_xts_pt32[][32] =
1712{
1713 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1714 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1715 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1716 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1717 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1718 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1719 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1720 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1721 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1722 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1723 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1724 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1725};
1726
1727static const unsigned char aes_test_xts_ct32[][32] =
1728{
1729 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1730 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1731 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1732 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1733 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1734 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1735 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1736 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1737 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1738 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1739 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1740 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1741};
1742
1743static const unsigned char aes_test_xts_data_unit[][16] =
1744{
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1745 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1747 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1749 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1750 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1751};
1752
1753#endif /* MBEDTLS_CIPHER_MODE_XTS */
1754
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1755/*
1756 * Checkup routine
1757 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1758int mbedtls_aes_self_test(int verbose)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1759{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1760 int ret = 0, i, j, u, mode;
1761 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1762 unsigned char key[32];
1763 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1764 const unsigned char *aes_tests;
Andrzej Kurek8ffd8a62022-09-27 07:54:16 -0400[diff] [blame]1765#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1766 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1767 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1768#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1769#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1770 unsigned char prv[16];
1771#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1772#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1773 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1774 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1775#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1776#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1777 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1778#endif
1779#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1780 unsigned char nonce_counter[16];
1781 unsigned char stream_block[16];
1782#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1783 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1784
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1785 memset(key, 0, 32);
1786 mbedtls_aes_init(&ctx);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787
1788 /*
1789 * ECB mode
1790 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1791 for (i = 0; i < 6; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1792 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1793 keybits = 128 + u * 64;
1794 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1795
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1796 if (verbose != 0) {
1797 mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
1798 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1799 }
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1800
1801 memset(buf, 0, 16);
1802
1803 if (mode == MBEDTLS_AES_DECRYPT) {
1804 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1805 aes_tests = aes_test_ecb_dec[u];
1806 } else {
1807 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1808 aes_tests = aes_test_ecb_enc[u];
1809 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1810
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1811 /*
1812 * AES-192 is an optional feature that may be unavailable when
1813 * there is an alternative underlying implementation i.e. when
1814 * MBEDTLS_AES_ALT is defined.
1815 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1816 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1817 mbedtls_printf("skipped\n");
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1818 continue;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1819 } else if (ret != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1820 goto exit;
1821 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1822
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1823 for (j = 0; j < 10000; j++) {
1824 ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
1825 if (ret != 0) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1826 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1827 }
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1828 }
1829
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1830 if (memcmp(buf, aes_tests, 16) != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1831 ret = 1;
1832 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833 }
1834
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1835 if (verbose != 0) {
1836 mbedtls_printf("passed\n");
1837 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1838 }
1839
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1840 if (verbose != 0) {
1841 mbedtls_printf("\n");
1842 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1843
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1844#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845 /*
1846 * CBC mode
1847 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1848 for (i = 0; i < 6; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1849 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1850 keybits = 128 + u * 64;
1851 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1853 if (verbose != 0) {
1854 mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
1855 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1856 }
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1857
1858 memset(iv, 0, 16);
1859 memset(prv, 0, 16);
1860 memset(buf, 0, 16);
1861
1862 if (mode == MBEDTLS_AES_DECRYPT) {
1863 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1864 aes_tests = aes_test_cbc_dec[u];
1865 } else {
1866 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1867 aes_tests = aes_test_cbc_enc[u];
1868 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1869
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1870 /*
1871 * AES-192 is an optional feature that may be unavailable when
1872 * there is an alternative underlying implementation i.e. when
1873 * MBEDTLS_AES_ALT is defined.
1874 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1875 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1876 mbedtls_printf("skipped\n");
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1877 continue;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1878 } else if (ret != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1879 goto exit;
1880 }
1881
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1882 for (j = 0; j < 10000; j++) {
1883 if (mode == MBEDTLS_AES_ENCRYPT) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1884 unsigned char tmp[16];
1885
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1886 memcpy(tmp, prv, 16);
1887 memcpy(prv, buf, 16);
1888 memcpy(buf, tmp, 16);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889 }
1890
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1891 ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
1892 if (ret != 0) {
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1893 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1894 }
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1895
1896 }
1897
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1898 if (memcmp(buf, aes_tests, 16) != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1899 ret = 1;
1900 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901 }
1902
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1903 if (verbose != 0) {
1904 mbedtls_printf("passed\n");
1905 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1906 }
1907
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1908 if (verbose != 0) {
1909 mbedtls_printf("\n");
1910 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1911#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1913#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1914 /*
1915 * CFB128 mode
1916 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1917 for (i = 0; i < 6; i++) {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1918 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1919 keybits = 128 + u * 64;
1920 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1921
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1922 if (verbose != 0) {
1923 mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
1924 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1925 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1926
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1927 memcpy(iv, aes_test_cfb128_iv, 16);
1928 memcpy(key, aes_test_cfb128_key[u], keybits / 8);
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1929
1930 offset = 0;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1931 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1932 /*
1933 * AES-192 is an optional feature that may be unavailable when
1934 * there is an alternative underlying implementation i.e. when
1935 * MBEDTLS_AES_ALT is defined.
1936 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1937 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1938 mbedtls_printf("skipped\n");
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1939 continue;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1940 } else if (ret != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1941 goto exit;
1942 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1943
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1944 if (mode == MBEDTLS_AES_DECRYPT) {
1945 memcpy(buf, aes_test_cfb128_ct[u], 64);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1946 aes_tests = aes_test_cfb128_pt;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1947 } else {
1948 memcpy(buf, aes_test_cfb128_pt, 64);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1949 aes_tests = aes_test_cfb128_ct[u];
1950 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1952 ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
1953 if (ret != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1954 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1955 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1956
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1957 if (memcmp(buf, aes_tests, 64) != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1958 ret = 1;
1959 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1960 }
1961
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1962 if (verbose != 0) {
1963 mbedtls_printf("passed\n");
1964 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1965 }
1966
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1967 if (verbose != 0) {
1968 mbedtls_printf("\n");
1969 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1970#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1971
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1972#if defined(MBEDTLS_CIPHER_MODE_OFB)
1973 /*
1974 * OFB mode
1975 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1976 for (i = 0; i < 6; i++) {
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1977 u = i >> 1;
1978 keybits = 128 + u * 64;
1979 mode = i & 1;
1980
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1981 if (verbose != 0) {
1982 mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
1983 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1984 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1985
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1986 memcpy(iv, aes_test_ofb_iv, 16);
1987 memcpy(key, aes_test_ofb_key[u], keybits / 8);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1988
1989 offset = 0;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1990 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1991 /*
1992 * AES-192 is an optional feature that may be unavailable when
1993 * there is an alternative underlying implementation i.e. when
1994 * MBEDTLS_AES_ALT is defined.
1995 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1996 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1997 mbedtls_printf("skipped\n");
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1998 continue;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]1999 } else if (ret != 0) {
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2000 goto exit;
2001 }
2002
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2003 if (mode == MBEDTLS_AES_DECRYPT) {
2004 memcpy(buf, aes_test_ofb_ct[u], 64);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2005 aes_tests = aes_test_ofb_pt;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2006 } else {
2007 memcpy(buf, aes_test_ofb_pt, 64);
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2008 aes_tests = aes_test_ofb_ct[u];
2009 }
2010
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2011 ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
2012 if (ret != 0) {
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2013 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2014 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2015
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2016 if (memcmp(buf, aes_tests, 64) != 0) {
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2017 ret = 1;
2018 goto exit;
2019 }
2020
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2021 if (verbose != 0) {
2022 mbedtls_printf("passed\n");
2023 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2024 }
2025
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2026 if (verbose != 0) {
2027 mbedtls_printf("\n");
2028 }
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2029#endif /* MBEDTLS_CIPHER_MODE_OFB */
2030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2031#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2032 /*
2033 * CTR mode
2034 */
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2035 for (i = 0; i < 6; i++) {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2036 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2037 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2038
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2039 if (verbose != 0) {
2040 mbedtls_printf(" AES-CTR-128 (%s): ",
2041 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2042 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2043
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2044 memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
2045 memcpy(key, aes_test_ctr_key[u], 16);
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2046
2047 offset = 0;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2048 if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2049 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2050 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2051
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2052 len = aes_test_ctr_len[u];
2053
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2054 if (mode == MBEDTLS_AES_DECRYPT) {
2055 memcpy(buf, aes_test_ctr_ct[u], len);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2056 aes_tests = aes_test_ctr_pt[u];
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2057 } else {
2058 memcpy(buf, aes_test_ctr_pt[u], len);
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2059 aes_tests = aes_test_ctr_ct[u];
2060 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2061
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2062 ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
2063 stream_block, buf, buf);
2064 if (ret != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2065 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2066 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2067
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2068 if (memcmp(buf, aes_tests, len) != 0) {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2069 ret = 1;
2070 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2071 }
2072
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2073 if (verbose != 0) {
2074 mbedtls_printf("passed\n");
2075 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2076 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2077
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2078 if (verbose != 0) {
2079 mbedtls_printf("\n");
2080 }
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2081#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2082
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2083#if defined(MBEDTLS_CIPHER_MODE_XTS)
2084 {
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2085 static const int num_tests =
2086 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2087 mbedtls_aes_xts_context ctx_xts;
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2088
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2089 /*
2090 * XTS mode
2091 */
2092 mbedtls_aes_xts_init(&ctx_xts);
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2093
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2094 for (i = 0; i < num_tests << 1; i++) {
2095 const unsigned char *data_unit;
2096 u = i >> 1;
2097 mode = i & 1;
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2098
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2099 if (verbose != 0) {
2100 mbedtls_printf(" AES-XTS-128 (%s): ",
2101 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2102 }
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2103
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2104 memset(key, 0, sizeof(key));
2105 memcpy(key, aes_test_xts_key[u], 32);
2106 data_unit = aes_test_xts_data_unit[u];
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2107
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2108 len = sizeof(*aes_test_xts_ct32);
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2109
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2110 if (mode == MBEDTLS_AES_DECRYPT) {
2111 ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
2112 if (ret != 0) {
2113 goto exit;
2114 }
2115 memcpy(buf, aes_test_xts_ct32[u], len);
2116 aes_tests = aes_test_xts_pt32[u];
2117 } else {
2118 ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
2119 if (ret != 0) {
2120 goto exit;
2121 }
2122 memcpy(buf, aes_test_xts_pt32[u], len);
2123 aes_tests = aes_test_xts_ct32[u];
2124 }
2125
2126
2127 ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
2128 buf, buf);
2129 if (ret != 0) {
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2130 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2131 }
2132
2133 if (memcmp(buf, aes_tests, len) != 0) {
2134 ret = 1;
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2135 goto exit;
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2136 }
2137
2138 if (verbose != 0) {
2139 mbedtls_printf("passed\n");
2140 }
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2141 }
2142
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2143 if (verbose != 0) {
2144 mbedtls_printf("\n");
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2145 }
2146
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2147 mbedtls_aes_xts_free(&ctx_xts);
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2148 }
2149#endif /* MBEDTLS_CIPHER_MODE_XTS */
2150
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2151 ret = 0;
2152
2153exit:
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2154 if (ret != 0 && verbose != 0) {
2155 mbedtls_printf("failed\n");
2156 }
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2157
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2158 mbedtls_aes_free(&ctx);
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2159
David Horstmannceeaeb92023-01-05 15:44:23 +0000[diff] [blame^]2160 return ret;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2161}
2162
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2163#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2164
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2165#endif /* MBEDTLS_AES_C */