TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / e8bd0f2ed0a3d61a78781e34a328383cf8d0e38a / . / library / aes.c
blob: d18278e92723e4a5b936cb36fc7966f1ef76370f [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Chris Jones16dbaeb2021-03-09 17:47:55 +0000[diff] [blame]37#include "padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Chris Jones187782f2021-03-09 17:28:35 +0000[diff] [blame]40#include "aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
55#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]57#define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60/*
61 * 32-bit integer manipulation macros (little endian)
62 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]63#ifndef GET_UINT32_LE
64#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]66 (n) = ( (uint32_t) (b)[(i) ] ) \
67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70}
71#endif
72
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]73#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]74#define PUT_UINT32_LE(n,b,i) \
75{ \
76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80}
81#endif
82
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]83#if defined(MBEDTLS_PADLOCK_C) && \
84 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]85static int aes_padlock_ace = -1;
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]89/*
90 * Forward S-box
91 */
92static const unsigned char FSb[256] =
93{
94 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
95 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
96 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
97 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
98 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
99 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
100 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
101 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
102 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
103 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
104 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
105 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
106 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
107 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
108 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
109 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
110 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
111 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
112 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
113 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
114 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
115 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
116 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
117 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
118 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
119 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
120 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
121 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
122 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
123 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
124 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
125 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
126};
127
128/*
129 * Forward tables
130 */
131#define FT \
132\
133 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
134 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
135 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
136 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
137 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
138 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
139 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
140 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
141 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
142 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
143 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
144 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
145 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
146 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
147 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
148 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
149 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
150 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
151 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
152 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
153 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
154 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
155 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
156 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
157 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
158 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
159 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
160 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
161 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
162 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
163 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
164 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
165 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
166 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
167 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
168 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
169 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
170 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
171 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
172 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
173 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
174 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
175 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
176 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
177 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
178 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
179 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
180 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
181 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
182 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
183 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
184 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
185 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
186 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
187 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
188 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
189 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
190 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
191 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
192 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
193 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
194 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
195 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
196 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
197
198#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]202#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]203
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
208#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]209static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#undef V
211
212#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]213static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]214#undef V
215
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]216#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]217
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]218#undef FT
219
220/*
221 * Reverse S-box
222 */
223static const unsigned char RSb[256] =
224{
225 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
226 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
227 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
228 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
229 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
230 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
232 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
233 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
234 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
235 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
236 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
237 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
238 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
239 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
240 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
241 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
242 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
243 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
244 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
245 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
246 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
247 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
248 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
249 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
250 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
251 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
252 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
253 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
254 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
255 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
256 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
257};
258
259/*
260 * Reverse tables
261 */
262#define RT \
263\
264 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
265 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
266 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
267 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
268 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
269 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
270 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
271 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
272 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
273 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
274 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
275 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
276 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
277 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
278 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
279 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
280 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
281 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
282 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
283 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
284 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
285 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
286 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
287 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
288 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
289 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
290 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
291 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
292 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
293 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
294 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
295 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
296 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
297 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
298 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
299 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
300 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
301 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
302 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
303 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
304 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
305 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
306 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
307 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
308 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
309 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
310 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
311 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
312 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
313 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
314 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
315 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
316 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
317 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
318 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
319 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
320 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
321 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
322 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
323 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
324 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
325 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
326 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
327 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
328
329#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]333#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]334
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
339#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]340static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#undef V
342
343#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345#undef V
346
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]347#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]348
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349#undef RT
350
351/*
352 * Round constants
353 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355{
356 0x00000001, 0x00000002, 0x00000004, 0x00000008,
357 0x00000010, 0x00000020, 0x00000040, 0x00000080,
358 0x0000001B, 0x00000036
359};
360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]361#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362
363/*
364 * Forward S-box & tables
365 */
366static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]368#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]369static uint32_t FT1[256];
370static uint32_t FT2[256];
371static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]372#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374/*
375 * Reverse S-box & tables
376 */
377static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]379#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]380static uint32_t RT1[256];
381static uint32_t RT2[256];
382static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]383#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384
385/*
386 * Round constants
387 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Tables generation code
392 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]393#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
394#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]395#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]396
397static int aes_init_done = 0;
398
399static void aes_gen_tables( void )
400{
401 int i, x, y, z;
402 int pow[256];
403 int log[256];
404
405 /*
406 * compute pow and log tables over GF(2^8)
407 */
408 for( i = 0, x = 1; i < 256; i++ )
409 {
410 pow[i] = x;
411 log[x] = i;
412 x = ( x ^ XTIME( x ) ) & 0xFF;
413 }
414
415 /*
416 * calculate the round constants
417 */
418 for( i = 0, x = 1; i < 10; i++ )
419 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]420 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421 x = XTIME( x ) & 0xFF;
422 }
423
424 /*
425 * generate the forward and reverse S-boxes
426 */
427 FSb[0x00] = 0x63;
428 RSb[0x63] = 0x00;
429
430 for( i = 1; i < 256; i++ )
431 {
432 x = pow[255 - log[i]];
433
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]434 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
436 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438 x ^= y ^ 0x63;
439
440 FSb[i] = (unsigned char) x;
441 RSb[x] = (unsigned char) i;
442 }
443
444 /*
445 * generate the forward and reverse tables
446 */
447 for( i = 0; i < 256; i++ )
448 {
449 x = FSb[i];
450 y = XTIME( x ) & 0xFF;
451 z = ( y ^ x ) & 0xFF;
452
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]453 FT0[i] = ( (uint32_t) y ) ^
454 ( (uint32_t) x << 8 ) ^
455 ( (uint32_t) x << 16 ) ^
456 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]458#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 FT1[i] = ROTL8( FT0[i] );
460 FT2[i] = ROTL8( FT1[i] );
461 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]462#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463
464 x = RSb[i];
465
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]466 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
467 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
468 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
469 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]471#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 RT1[i] = ROTL8( RT0[i] );
473 RT2[i] = ROTL8( RT1[i] );
474 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]475#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477}
478
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]479#undef ROTL8
480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]481#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]483#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484
485#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
486#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
487#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
488
489#define AES_RT0(idx) RT0[idx]
490#define AES_RT1(idx) ROTL8( RT0[idx] )
491#define AES_RT2(idx) ROTL16( RT0[idx] )
492#define AES_RT3(idx) ROTL24( RT0[idx] )
493
494#define AES_FT0(idx) FT0[idx]
495#define AES_FT1(idx) ROTL8( FT0[idx] )
496#define AES_FT2(idx) ROTL16( FT0[idx] )
497#define AES_FT3(idx) ROTL24( FT0[idx] )
498
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]499#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]500
501#define AES_RT0(idx) RT0[idx]
502#define AES_RT1(idx) RT1[idx]
503#define AES_RT2(idx) RT2[idx]
504#define AES_RT3(idx) RT3[idx]
505
506#define AES_FT0(idx) FT0[idx]
507#define AES_FT1(idx) FT1[idx]
508#define AES_FT2(idx) FT2[idx]
509#define AES_FT3(idx) FT3[idx]
510
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]511#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]515 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]518}
519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]520void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]521{
522 if( ctx == NULL )
523 return;
524
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]525 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526}
527
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]528#if defined(MBEDTLS_CIPHER_MODE_XTS)
529void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
530{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]531 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533 mbedtls_aes_init( &ctx->crypt );
534 mbedtls_aes_init( &ctx->tweak );
535}
536
537void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
538{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]539 if( ctx == NULL )
540 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]541
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]542 mbedtls_aes_free( &ctx->crypt );
543 mbedtls_aes_free( &ctx->tweak );
544}
545#endif /* MBEDTLS_CIPHER_MODE_XTS */
546
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547/*
548 * AES key schedule (encryption)
549 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]550#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]552 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]554 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]555 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]557 AES_VALIDATE_RET( ctx != NULL );
558 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]560 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 {
562 case 128: ctx->nr = 10; break;
563 case 192: ctx->nr = 12; break;
564 case 256: ctx->nr = 14; break;
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]565 default : return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 }
567
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]568#if !defined(MBEDTLS_AES_ROM_TABLES)
569 if( aes_init_done == 0 )
570 {
571 aes_gen_tables();
572 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573 }
574#endif
575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]576#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]577 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]578 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]579
580 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]587 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]588 return mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) ;
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]589#endif
590
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]591 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]593 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 }
595
596 switch( ctx->nr )
597 {
598 case 10:
599
600 for( i = 0; i < 10; i++, RK += 4 )
601 {
602 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]603 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
604 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
605 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
606 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607
608 RK[5] = RK[1] ^ RK[4];
609 RK[6] = RK[2] ^ RK[5];
610 RK[7] = RK[3] ^ RK[6];
611 }
612 break;
613
614 case 12:
615
616 for( i = 0; i < 8; i++, RK += 6 )
617 {
618 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]619 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
620 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
621 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
622 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623
624 RK[7] = RK[1] ^ RK[6];
625 RK[8] = RK[2] ^ RK[7];
626 RK[9] = RK[3] ^ RK[8];
627 RK[10] = RK[4] ^ RK[9];
628 RK[11] = RK[5] ^ RK[10];
629 }
630 break;
631
632 case 14:
633
634 for( i = 0; i < 7; i++, RK += 8 )
635 {
636 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]637 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
638 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
639 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
640 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641
642 RK[9] = RK[1] ^ RK[8];
643 RK[10] = RK[2] ^ RK[9];
644 RK[11] = RK[3] ^ RK[10];
645
646 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]647 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
648 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
649 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
650 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
652 RK[13] = RK[5] ^ RK[12];
653 RK[14] = RK[6] ^ RK[13];
654 RK[15] = RK[7] ^ RK[14];
655 }
656 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]658
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]659 return 0 ;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]661#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
663/*
664 * AES key schedule (decryption)
665 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]667int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]668 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]670 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]672 uint32_t *RK;
673 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]674
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]675 AES_VALIDATE_RET( ctx != NULL );
676 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]678 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]681 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]682 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]683
684 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]690 /* Also checks keybits */
691 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]692 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]693
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]694 ctx->nr = cty.nr;
695
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]696#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]697 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]698 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]700 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]701 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]702 }
703#endif
704
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705 SK = cty.rk + cty.nr * 4;
706
707 *RK++ = *SK++;
708 *RK++ = *SK++;
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711
712 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
713 {
714 for( j = 0; j < 4; j++, SK++ )
715 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]716 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
717 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
718 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
719 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720 }
721 }
722
723 *RK++ = *SK++;
724 *RK++ = *SK++;
725 *RK++ = *SK++;
726 *RK++ = *SK++;
727
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]728exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]730
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]731 return ret ;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732}
gabor-mezei-arm95db3012020-10-26 11:35:23 +0100[diff] [blame]733#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]734
735#if defined(MBEDTLS_CIPHER_MODE_XTS)
736static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
737 unsigned int keybits,
738 const unsigned char **key1,
739 unsigned int *key1bits,
740 const unsigned char **key2,
741 unsigned int *key2bits )
742{
743 const unsigned int half_keybits = keybits / 2;
744 const unsigned int half_keybytes = half_keybits / 8;
745
746 switch( keybits )
747 {
748 case 256: break;
749 case 512: break;
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]750 default : return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]751 }
752
753 *key1bits = half_keybits;
754 *key2bits = half_keybits;
755 *key1 = &key[0];
756 *key2 = &key[half_keybytes];
757
758 return 0;
759}
760
761int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
762 const unsigned char *key,
763 unsigned int keybits)
764{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]765 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]766 const unsigned char *key1, *key2;
767 unsigned int key1bits, key2bits;
768
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]769 AES_VALIDATE_RET( ctx != NULL );
770 AES_VALIDATE_RET( key != NULL );
771
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]772 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
773 &key2, &key2bits );
774 if( ret != 0 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]775 return ret ;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]776
777 /* Set the tweak key. Always set tweak key for the encryption mode. */
778 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
779 if( ret != 0 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]780 return ret ;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]781
782 /* Set crypt key for encryption. */
783 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
784}
785
786int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
787 const unsigned char *key,
788 unsigned int keybits)
789{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]790 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]791 const unsigned char *key1, *key2;
792 unsigned int key1bits, key2bits;
793
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]794 AES_VALIDATE_RET( ctx != NULL );
795 AES_VALIDATE_RET( key != NULL );
796
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]797 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
798 &key2, &key2bits );
799 if( ret != 0 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]800 return ret ;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]801
802 /* Set the tweak key. Always set tweak key for encryption. */
803 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
804 if( ret != 0 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]805 return ret ;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]806
807 /* Set crypt key for decryption. */
808 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
809}
810#endif /* MBEDTLS_CIPHER_MODE_XTS */
811
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]812#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
813 do \
814 { \
815 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
816 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
817 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
818 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
819 \
820 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
821 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
822 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
823 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
824 \
825 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
826 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
827 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
828 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
829 \
830 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
831 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
832 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
833 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
834 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]835
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]836#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
837 do \
838 { \
839 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
840 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
841 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
842 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
843 \
844 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
845 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
846 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
847 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
848 \
849 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
850 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
851 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
852 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
853 \
854 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
855 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
856 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
857 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
858 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]859
860/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]861 * AES-ECB block encryption
862 */
863#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]864int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
865 const unsigned char input[16],
866 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]867{
868 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]869 uint32_t *RK = ctx->rk;
870 struct
871 {
872 uint32_t X[4];
873 uint32_t Y[4];
874 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]875
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]876 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
877 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
878 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
879 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]880
881 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
882 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]883 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
884 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]885 }
886
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]887 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]888
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]889 t.X[0] = *RK++ ^ \
890 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
891 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
892 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
893 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]894
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]895 t.X[1] = *RK++ ^ \
896 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
897 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
898 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
899 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]900
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]901 t.X[2] = *RK++ ^ \
902 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
903 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
904 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
905 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]906
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]907 t.X[3] = *RK++ ^ \
908 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
909 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
910 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
911 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]912
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]913 PUT_UINT32_LE( t.X[0], output, 0 );
914 PUT_UINT32_LE( t.X[1], output, 4 );
915 PUT_UINT32_LE( t.X[2], output, 8 );
916 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]917
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]918 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]919
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]920 return 0 ;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]921}
922#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
923
924/*
925 * AES-ECB block decryption
926 */
927#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]928int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
929 const unsigned char input[16],
930 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]931{
932 int i;
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]933 uint32_t *RK = ctx->rk;
934 struct
935 {
936 uint32_t X[4];
937 uint32_t Y[4];
938 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]939
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]940 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
941 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
942 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
943 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]944
945 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
946 {
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]947 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
948 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]949 }
950
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]951 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]952
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]953 t.X[0] = *RK++ ^ \
954 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
955 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
956 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
957 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]958
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]959 t.X[1] = *RK++ ^ \
960 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
961 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
962 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
963 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]964
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]965 t.X[2] = *RK++ ^ \
966 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
967 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
968 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
969 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]970
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]971 t.X[3] = *RK++ ^ \
972 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
973 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
974 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
975 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]976
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]977 PUT_UINT32_LE( t.X[0], output, 0 );
978 PUT_UINT32_LE( t.X[1], output, 4 );
979 PUT_UINT32_LE( t.X[2], output, 8 );
980 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]981
Gilles Peskine5197c662020-08-26 17:03:24 +0200[diff] [blame]982 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]983
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]984 return 0 ;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]985}
986#endif /* !MBEDTLS_AES_DECRYPT_ALT */
987
988/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]989 * AES-ECB block encryption/decryption
990 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]991int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]992 int mode,
993 const unsigned char input[16],
994 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]995{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]996 AES_VALIDATE_RET( ctx != NULL );
997 AES_VALIDATE_RET( input != NULL );
998 AES_VALIDATE_RET( output != NULL );
999 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1000 mode == MBEDTLS_AES_DECRYPT );
1001
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1002#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1003 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1004 return mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ;
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1005#endif
1006
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1007#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]1008 if( aes_padlock_ace > 0)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1009 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1010 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1011 return 0 ;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1012
1013 // If padlock data misaligned, we just fall back to
1014 // unaccelerated mode
1015 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1016 }
1017#endif
1018
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1019 if( mode == MBEDTLS_AES_ENCRYPT )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1020 return mbedtls_internal_aes_encrypt( ctx, input, output ) ;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1021 else
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1022 return mbedtls_internal_aes_decrypt( ctx, input, output ) ;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1023}
1024
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1025#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1026/*
1027 * AES-CBC buffer encryption/decryption
1028 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1030 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1031 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1032 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1033 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1034 unsigned char *output )
1035{
1036 int i;
1037 unsigned char temp[16];
1038
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1039 AES_VALIDATE_RET( ctx != NULL );
1040 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1041 mode == MBEDTLS_AES_DECRYPT );
1042 AES_VALIDATE_RET( iv != NULL );
1043 AES_VALIDATE_RET( input != NULL );
1044 AES_VALIDATE_RET( output != NULL );
1045
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1046 if( length % 16 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1047 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1048
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1049#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Xiang Xiao12e18362021-05-07 00:55:52 -0700[diff] [blame]1050 if( aes_padlock_ace > 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1051 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1053 return 0 ;
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1054
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1055 // If padlock data misaligned, we just fall back to
1056 // unaccelerated mode
1057 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1058 }
1059#endif
1060
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1061 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1062 {
1063 while( length > 0 )
1064 {
1065 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1067
1068 for( i = 0; i < 16; i++ )
1069 output[i] = (unsigned char)( output[i] ^ iv[i] );
1070
1071 memcpy( iv, temp, 16 );
1072
1073 input += 16;
1074 output += 16;
1075 length -= 16;
1076 }
1077 }
1078 else
1079 {
1080 while( length > 0 )
1081 {
1082 for( i = 0; i < 16; i++ )
1083 output[i] = (unsigned char)( input[i] ^ iv[i] );
1084
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1086 memcpy( iv, output, 16 );
1087
1088 input += 16;
1089 output += 16;
1090 length -= 16;
1091 }
1092 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1093
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1094 return 0 ;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1096#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1097
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1098#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1099
1100/* Endianess with 64 bits values */
1101#ifndef GET_UINT64_LE
1102#define GET_UINT64_LE(n,b,i) \
1103{ \
1104 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1105 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1106 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1107 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1108 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1109 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1110 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1111 | ( (uint64_t) (b)[(i) ] ); \
1112}
1113#endif
1114
1115#ifndef PUT_UINT64_LE
1116#define PUT_UINT64_LE(n,b,i) \
1117{ \
1118 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1119 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1120 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1121 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1122 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1123 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1124 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1125 (b)[(i) ] = (unsigned char) ( (n) ); \
1126}
1127#endif
1128
1129typedef unsigned char mbedtls_be128[16];
1130
1131/*
1132 * GF(2^128) multiplication function
1133 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1134 * This function multiplies a field element by x in the polynomial field
1135 * representation. It uses 64-bit word operations to gain speed but compensates
1136 * for machine endianess and hence works correctly on both big and little
1137 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1138 */
1139static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1140 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1141{
1142 uint64_t a, b, ra, rb;
1143
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1144 GET_UINT64_LE( a, x, 0 );
1145 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1146
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1147 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1148 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1149
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1150 PUT_UINT64_LE( ra, r, 0 );
1151 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1152}
1153
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1154/*
1155 * AES-XTS buffer encryption/decryption
1156 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1157int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1158 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1159 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1160 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1161 const unsigned char *input,
1162 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1163{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1164 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1165 size_t blocks = length / 16;
1166 size_t leftover = length % 16;
1167 unsigned char tweak[16];
1168 unsigned char prev_tweak[16];
1169 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1170
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1171 AES_VALIDATE_RET( ctx != NULL );
1172 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1173 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1174 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1175 AES_VALIDATE_RET( input != NULL );
1176 AES_VALIDATE_RET( output != NULL );
1177
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1178 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1179 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1180 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1181
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1182 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1183 if( length > ( 1 << 20 ) * 16 )
1184 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1185
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1186 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1187 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1188 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1189 if( ret != 0 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1190 return ret ;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1191
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1192 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1193 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1194 size_t i;
1195
1196 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1197 {
1198 /* We are on the last block in a decrypt operation that has
1199 * leftover bytes, so we need to use the next tweak for this block,
1200 * and this tweak for the lefover bytes. Save the current tweak for
1201 * the leftovers and then update the current tweak for use on this,
1202 * the last full block. */
1203 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1204 mbedtls_gf128mul_x_ble( tweak, tweak );
1205 }
1206
1207 for( i = 0; i < 16; i++ )
1208 tmp[i] = input[i] ^ tweak[i];
1209
1210 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1211 if( ret != 0 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1212 return ret ;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1213
1214 for( i = 0; i < 16; i++ )
1215 output[i] = tmp[i] ^ tweak[i];
1216
1217 /* Update the tweak for the next block. */
1218 mbedtls_gf128mul_x_ble( tweak, tweak );
1219
1220 output += 16;
1221 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1222 }
1223
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1224 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1225 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1226 /* If we are on the leftover bytes in a decrypt operation, we need to
1227 * use the previous tweak for these bytes (as saved in prev_tweak). */
1228 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1229
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1230 /* We are now on the final part of the data unit, which doesn't divide
1231 * evenly by 16. It's time for ciphertext stealing. */
1232 size_t i;
1233 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1234
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1235 /* Copy ciphertext bytes from the previous block to our output for each
1236 * byte of cyphertext we won't steal. At the same time, copy the
1237 * remainder of the input for this final round (since the loop bounds
1238 * are the same). */
1239 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1240 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1241 output[i] = prev_output[i];
1242 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1243 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1244
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1245 /* Copy ciphertext bytes from the previous block for input in this
1246 * round. */
1247 for( ; i < 16; i++ )
1248 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1249
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1250 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1251 if( ret != 0 )
1252 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1253
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1254 /* Write the result back to the previous block, overriding the previous
1255 * output we copied. */
1256 for( i = 0; i < 16; i++ )
1257 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1258 }
1259
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1260 return 0 ;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1261}
1262#endif /* MBEDTLS_CIPHER_MODE_XTS */
1263
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1264#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1265/*
1266 * AES-CFB128 buffer encryption/decryption
1267 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1268int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1269 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1270 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1271 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1272 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1273 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1274 unsigned char *output )
1275{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1276 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1277 size_t n;
1278
1279 AES_VALIDATE_RET( ctx != NULL );
1280 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1281 mode == MBEDTLS_AES_DECRYPT );
1282 AES_VALIDATE_RET( iv_off != NULL );
1283 AES_VALIDATE_RET( iv != NULL );
1284 AES_VALIDATE_RET( input != NULL );
1285 AES_VALIDATE_RET( output != NULL );
1286
1287 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1288
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1289 if( n > 15 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1290 return MBEDTLS_ERR_AES_BAD_INPUT_DATA ;
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1291
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1292 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293 {
1294 while( length-- )
1295 {
1296 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1297 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1298
1299 c = *input++;
1300 *output++ = (unsigned char)( c ^ iv[n] );
1301 iv[n] = (unsigned char) c;
1302
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1303 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304 }
1305 }
1306 else
1307 {
1308 while( length-- )
1309 {
1310 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1311 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312
1313 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1314
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1315 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1316 }
1317 }
1318
1319 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1320
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1321 return 0 ;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1322}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1323
1324/*
1325 * AES-CFB8 buffer encryption/decryption
1326 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1328 int mode,
1329 size_t length,
1330 unsigned char iv[16],
1331 const unsigned char *input,
1332 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1333{
1334 unsigned char c;
1335 unsigned char ov[17];
1336
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1337 AES_VALIDATE_RET( ctx != NULL );
1338 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1339 mode == MBEDTLS_AES_DECRYPT );
1340 AES_VALIDATE_RET( iv != NULL );
1341 AES_VALIDATE_RET( input != NULL );
1342 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1343 while( length-- )
1344 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1345 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1346 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1347
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1348 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1349 ov[16] = *input;
1350
1351 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1352
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1353 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1354 ov[16] = c;
1355
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1356 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1357 }
1358
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1359 return 0 ;
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1360}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1361#endif /* MBEDTLS_CIPHER_MODE_CFB */
1362
1363#if defined(MBEDTLS_CIPHER_MODE_OFB)
1364/*
1365 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1366 */
1367int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1368 size_t length,
1369 size_t *iv_off,
1370 unsigned char iv[16],
1371 const unsigned char *input,
1372 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1373{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1374 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1375 size_t n;
1376
1377 AES_VALIDATE_RET( ctx != NULL );
1378 AES_VALIDATE_RET( iv_off != NULL );
1379 AES_VALIDATE_RET( iv != NULL );
1380 AES_VALIDATE_RET( input != NULL );
1381 AES_VALIDATE_RET( output != NULL );
1382
1383 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1384
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1385 if( n > 15 )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1386 return MBEDTLS_ERR_AES_BAD_INPUT_DATA ;
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1387
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1388 while( length-- )
1389 {
1390 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1391 {
1392 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1393 if( ret != 0 )
1394 goto exit;
1395 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1396 *output++ = *input++ ^ iv[n];
1397
1398 n = ( n + 1 ) & 0x0F;
1399 }
1400
1401 *iv_off = n;
1402
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1403exit:
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1404 return ret ;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1405}
1406#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1407
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1408#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1409/*
1410 * AES-CTR buffer encryption/decryption
1411 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1412int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1413 size_t length,
1414 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1415 unsigned char nonce_counter[16],
1416 unsigned char stream_block[16],
1417 const unsigned char *input,
1418 unsigned char *output )
1419{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1420 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1421 size_t n;
1422
1423 AES_VALIDATE_RET( ctx != NULL );
1424 AES_VALIDATE_RET( nc_off != NULL );
1425 AES_VALIDATE_RET( nonce_counter != NULL );
1426 AES_VALIDATE_RET( stream_block != NULL );
1427 AES_VALIDATE_RET( input != NULL );
1428 AES_VALIDATE_RET( output != NULL );
1429
1430 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1431
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1432 if ( n > 0x0F )
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1433 return MBEDTLS_ERR_AES_BAD_INPUT_DATA ;
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1434
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1435 while( length-- )
1436 {
1437 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1438 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1439
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1440 for( i = 16; i > 0; i-- )
1441 if( ++nonce_counter[i - 1] != 0 )
1442 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1443 }
1444 c = *input++;
1445 *output++ = (unsigned char)( c ^ stream_block[n] );
1446
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1447 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1448 }
1449
1450 *nc_off = n;
1451
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]1452 return 0 ;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1453}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1454#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1455
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1456#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1458#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1459/*
1460 * AES test vectors from:
1461 *
1462 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1463 */
1464static const unsigned char aes_test_ecb_dec[3][16] =
1465{
1466 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1467 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1468 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1469 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1470 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1471 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1472};
1473
1474static const unsigned char aes_test_ecb_enc[3][16] =
1475{
1476 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1477 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1478 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1479 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1480 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1481 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1482};
1483
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1484#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1485static const unsigned char aes_test_cbc_dec[3][16] =
1486{
1487 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1488 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1489 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1490 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1491 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1492 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1493};
1494
1495static const unsigned char aes_test_cbc_enc[3][16] =
1496{
1497 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1498 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1499 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1500 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1501 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1502 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1503};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1504#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1505
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1506#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1507/*
1508 * AES-CFB128 test vectors from:
1509 *
1510 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1511 */
1512static const unsigned char aes_test_cfb128_key[3][32] =
1513{
1514 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1515 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1516 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1517 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1518 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1519 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1520 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1521 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1522 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1523};
1524
1525static const unsigned char aes_test_cfb128_iv[16] =
1526{
1527 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1528 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1529};
1530
1531static const unsigned char aes_test_cfb128_pt[64] =
1532{
1533 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1534 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1535 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1536 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1537 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1538 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1539 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1540 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1541};
1542
1543static const unsigned char aes_test_cfb128_ct[3][64] =
1544{
1545 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1546 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1547 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1548 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1549 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1550 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1551 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1552 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1553 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1554 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1555 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1556 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1557 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1558 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1559 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1560 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1561 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1562 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1563 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1564 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1565 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1566 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1567 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1568 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1569};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1570#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1571
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1572#if defined(MBEDTLS_CIPHER_MODE_OFB)
1573/*
1574 * AES-OFB test vectors from:
1575 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1576 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1577 */
1578static const unsigned char aes_test_ofb_key[3][32] =
1579{
1580 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1581 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1582 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1583 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1584 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1585 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1586 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1587 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1588 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1589};
1590
1591static const unsigned char aes_test_ofb_iv[16] =
1592{
1593 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1594 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1595};
1596
1597static const unsigned char aes_test_ofb_pt[64] =
1598{
1599 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1600 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1601 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1602 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1603 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1604 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1605 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1606 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1607};
1608
1609static const unsigned char aes_test_ofb_ct[3][64] =
1610{
1611 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1612 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1613 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1614 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1615 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1616 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1617 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1618 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1619 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1620 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1621 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1622 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1623 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1624 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1625 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1626 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1627 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1628 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1629 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1630 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1631 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1632 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1633 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1634 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1635};
1636#endif /* MBEDTLS_CIPHER_MODE_OFB */
1637
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1638#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1639/*
1640 * AES-CTR test vectors from:
1641 *
1642 * http://www.faqs.org/rfcs/rfc3686.html
1643 */
1644
1645static const unsigned char aes_test_ctr_key[3][16] =
1646{
1647 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1648 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1649 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1650 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1651 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1652 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1653};
1654
1655static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1656{
1657 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1659 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1660 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1661 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1662 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1663};
1664
1665static const unsigned char aes_test_ctr_pt[3][48] =
1666{
1667 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1668 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1669
1670 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1671 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1672 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1673 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1674
1675 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1676 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1677 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1678 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1679 0x20, 0x21, 0x22, 0x23 }
1680};
1681
1682static const unsigned char aes_test_ctr_ct[3][48] =
1683{
1684 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1685 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1686 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1687 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1688 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1689 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1690 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1691 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1692 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1693 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1694 0x25, 0xB2, 0x07, 0x2F }
1695};
1696
1697static const int aes_test_ctr_len[3] =
1698 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1699#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1700
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1701#if defined(MBEDTLS_CIPHER_MODE_XTS)
1702/*
1703 * AES-XTS test vectors from:
1704 *
1705 * IEEE P1619/D16 Annex B
1706 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1707 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1708 */
1709static const unsigned char aes_test_xts_key[][32] =
1710{
1711 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1712 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1713 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1714 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1715 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1716 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1717 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1718 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1719 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1720 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1721 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1722 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1723};
1724
1725static const unsigned char aes_test_xts_pt32[][32] =
1726{
1727 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1731 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1732 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1733 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1734 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1735 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1736 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1737 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1738 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1739};
1740
1741static const unsigned char aes_test_xts_ct32[][32] =
1742{
1743 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1744 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1745 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1746 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1747 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1748 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1749 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1750 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1751 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1752 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1753 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1754 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1755};
1756
1757static const unsigned char aes_test_xts_data_unit[][16] =
1758{
1759 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1760 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1761 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1763 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1765};
1766
1767#endif /* MBEDTLS_CIPHER_MODE_XTS */
1768
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1769/*
1770 * Checkup routine
1771 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1772int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1773{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1774 int ret = 0, i, j, u, mode;
1775 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1776 unsigned char key[32];
1777 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1778 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1779#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1780 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1781#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1782#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1783 unsigned char prv[16];
1784#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1785#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1786 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1787 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1788#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1789#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1790 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1791#endif
1792#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1793 unsigned char nonce_counter[16];
1794 unsigned char stream_block[16];
1795#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1796 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1797
1798 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1799 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1800
1801 /*
1802 * ECB mode
1803 */
1804 for( i = 0; i < 6; i++ )
1805 {
1806 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1807 keybits = 128 + u * 64;
1808 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809
1810 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1811 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1812 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1813
1814 memset( buf, 0, 16 );
1815
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1816 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1818 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1819 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820 }
1821 else
1822 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1823 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1824 aes_tests = aes_test_ecb_enc[u];
1825 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1826
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1827 /*
1828 * AES-192 is an optional feature that may be unavailable when
1829 * there is an alternative underlying implementation i.e. when
1830 * MBEDTLS_AES_ALT is defined.
1831 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1832 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1833 {
1834 mbedtls_printf( "skipped\n" );
1835 continue;
1836 }
1837 else if( ret != 0 )
1838 {
1839 goto exit;
1840 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1841
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1842 for( j = 0; j < 10000; j++ )
1843 {
1844 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1845 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1846 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1847 }
1848
1849 if( memcmp( buf, aes_tests, 16 ) != 0 )
1850 {
1851 ret = 1;
1852 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853 }
1854
1855 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1856 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857 }
1858
1859 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1860 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1861
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1862#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1863 /*
1864 * CBC mode
1865 */
1866 for( i = 0; i < 6; i++ )
1867 {
1868 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1869 keybits = 128 + u * 64;
1870 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1871
1872 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1873 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1874 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1875
1876 memset( iv , 0, 16 );
1877 memset( prv, 0, 16 );
1878 memset( buf, 0, 16 );
1879
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1880 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1881 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1882 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1883 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1884 }
1885 else
1886 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1887 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1888 aes_tests = aes_test_cbc_enc[u];
1889 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1891 /*
1892 * AES-192 is an optional feature that may be unavailable when
1893 * there is an alternative underlying implementation i.e. when
1894 * MBEDTLS_AES_ALT is defined.
1895 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1896 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1897 {
1898 mbedtls_printf( "skipped\n" );
1899 continue;
1900 }
1901 else if( ret != 0 )
1902 {
1903 goto exit;
1904 }
1905
1906 for( j = 0; j < 10000; j++ )
1907 {
1908 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909 {
1910 unsigned char tmp[16];
1911
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1912 memcpy( tmp, prv, 16 );
1913 memcpy( prv, buf, 16 );
1914 memcpy( buf, tmp, 16 );
1915 }
1916
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1917 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1918 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1919 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1920
1921 }
1922
1923 if( memcmp( buf, aes_tests, 16 ) != 0 )
1924 {
1925 ret = 1;
1926 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1927 }
1928
1929 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1930 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1931 }
1932
1933 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1934 mbedtls_printf( "\n" );
1935#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1936
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1937#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1938 /*
1939 * CFB128 mode
1940 */
1941 for( i = 0; i < 6; i++ )
1942 {
1943 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1944 keybits = 128 + u * 64;
1945 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1946
1947 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1948 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1949 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1950
1951 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1952 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953
1954 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1955 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1956 /*
1957 * AES-192 is an optional feature that may be unavailable when
1958 * there is an alternative underlying implementation i.e. when
1959 * MBEDTLS_AES_ALT is defined.
1960 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1961 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1962 {
1963 mbedtls_printf( "skipped\n" );
1964 continue;
1965 }
1966 else if( ret != 0 )
1967 {
1968 goto exit;
1969 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1970
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1971 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1972 {
1973 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1974 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975 }
1976 else
1977 {
1978 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1979 aes_tests = aes_test_cfb128_ct[u];
1980 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1981
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1982 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1983 if( ret != 0 )
1984 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1985
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1986 if( memcmp( buf, aes_tests, 64 ) != 0 )
1987 {
1988 ret = 1;
1989 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1990 }
1991
1992 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1993 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1994 }
1995
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1996 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1997 mbedtls_printf( "\n" );
1998#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1999
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2000#if defined(MBEDTLS_CIPHER_MODE_OFB)
2001 /*
2002 * OFB mode
2003 */
2004 for( i = 0; i < 6; i++ )
2005 {
2006 u = i >> 1;
2007 keybits = 128 + u * 64;
2008 mode = i & 1;
2009
2010 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]2011 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2012 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2013
2014 memcpy( iv, aes_test_ofb_iv, 16 );
2015 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2016
2017 offset = 0;
2018 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2019 /*
2020 * AES-192 is an optional feature that may be unavailable when
2021 * there is an alternative underlying implementation i.e. when
2022 * MBEDTLS_AES_ALT is defined.
2023 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2024 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2025 {
2026 mbedtls_printf( "skipped\n" );
2027 continue;
2028 }
2029 else if( ret != 0 )
2030 {
2031 goto exit;
2032 }
2033
2034 if( mode == MBEDTLS_AES_DECRYPT )
2035 {
2036 memcpy( buf, aes_test_ofb_ct[u], 64 );
2037 aes_tests = aes_test_ofb_pt;
2038 }
2039 else
2040 {
2041 memcpy( buf, aes_test_ofb_pt, 64 );
2042 aes_tests = aes_test_ofb_ct[u];
2043 }
2044
2045 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2046 if( ret != 0 )
2047 goto exit;
2048
2049 if( memcmp( buf, aes_tests, 64 ) != 0 )
2050 {
2051 ret = 1;
2052 goto exit;
2053 }
2054
2055 if( verbose != 0 )
2056 mbedtls_printf( "passed\n" );
2057 }
2058
2059 if( verbose != 0 )
2060 mbedtls_printf( "\n" );
2061#endif /* MBEDTLS_CIPHER_MODE_OFB */
2062
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2063#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2064 /*
2065 * CTR mode
2066 */
2067 for( i = 0; i < 6; i++ )
2068 {
2069 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2070 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2071
2072 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2073 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2074 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2075
2076 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2077 memcpy( key, aes_test_ctr_key[u], 16 );
2078
2079 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2080 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2081 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2082
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2083 len = aes_test_ctr_len[u];
2084
2085 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2086 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2087 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2088 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2089 }
2090 else
2091 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2092 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2093 aes_tests = aes_test_ctr_ct[u];
2094 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2095
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2096 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2097 stream_block, buf, buf );
2098 if( ret != 0 )
2099 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2100
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2101 if( memcmp( buf, aes_tests, len ) != 0 )
2102 {
2103 ret = 1;
2104 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2105 }
2106
2107 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2108 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2109 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2110
2111 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2112 mbedtls_printf( "\n" );
2113#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2114
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2115#if defined(MBEDTLS_CIPHER_MODE_XTS)
2116 {
2117 static const int num_tests =
2118 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2119 mbedtls_aes_xts_context ctx_xts;
2120
2121 /*
2122 * XTS mode
2123 */
2124 mbedtls_aes_xts_init( &ctx_xts );
2125
2126 for( i = 0; i < num_tests << 1; i++ )
2127 {
2128 const unsigned char *data_unit;
2129 u = i >> 1;
2130 mode = i & 1;
2131
2132 if( verbose != 0 )
2133 mbedtls_printf( " AES-XTS-128 (%s): ",
2134 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2135
2136 memset( key, 0, sizeof( key ) );
2137 memcpy( key, aes_test_xts_key[u], 32 );
2138 data_unit = aes_test_xts_data_unit[u];
2139
2140 len = sizeof( *aes_test_xts_ct32 );
2141
2142 if( mode == MBEDTLS_AES_DECRYPT )
2143 {
2144 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2145 if( ret != 0)
2146 goto exit;
2147 memcpy( buf, aes_test_xts_ct32[u], len );
2148 aes_tests = aes_test_xts_pt32[u];
2149 }
2150 else
2151 {
2152 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2153 if( ret != 0)
2154 goto exit;
2155 memcpy( buf, aes_test_xts_pt32[u], len );
2156 aes_tests = aes_test_xts_ct32[u];
2157 }
2158
2159
2160 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2161 buf, buf );
2162 if( ret != 0 )
2163 goto exit;
2164
2165 if( memcmp( buf, aes_tests, len ) != 0 )
2166 {
2167 ret = 1;
2168 goto exit;
2169 }
2170
2171 if( verbose != 0 )
2172 mbedtls_printf( "passed\n" );
2173 }
2174
2175 if( verbose != 0 )
2176 mbedtls_printf( "\n" );
2177
2178 mbedtls_aes_xts_free( &ctx_xts );
2179 }
2180#endif /* MBEDTLS_CIPHER_MODE_XTS */
2181
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2182 ret = 0;
2183
2184exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2185 if( ret != 0 && verbose != 0 )
2186 mbedtls_printf( "failed\n" );
2187
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2188 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2189
Mateusz Starzyke36f5b12021-07-22 16:43:35 +0200[diff] [blame]2190 return ret ;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2191}
2192
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2193#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2195#endif /* MBEDTLS_AES_C */