TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ab6b9758d6b1431e4adc4bc8852540c5515e72af / . / library / aes.c
blob: 818c5991b47c9e99d29f66a6309c16fc1cd193f7 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
225/*
226 * Reverse S-box
227 */
228static const unsigned char RSb[256] =
229{
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262};
263
264/*
265 * Reverse tables
266 */
267#define RT \
268\
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
333
334#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]335static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336#undef V
337
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]338#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]339
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]341static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342#undef V
343
344#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346#undef V
347
348#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350#undef V
351
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]352#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]353
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef RT
355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360{
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
364};
365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368/*
369 * Forward S-box & tables
370 */
371static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]372static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]373#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]374static uint32_t FT1[256];
375static uint32_t FT2[256];
376static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378
379/*
380 * Reverse S-box & tables
381 */
382static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]383static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]384#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]385static uint32_t RT1[256];
386static uint32_t RT2[256];
387static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]388#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Round constants
392 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]393static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394
395/*
396 * Tables generation code
397 */
398#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
399#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
400#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
401
402static int aes_init_done = 0;
403
404static void aes_gen_tables( void )
405{
406 int i, x, y, z;
407 int pow[256];
408 int log[256];
409
410 /*
411 * compute pow and log tables over GF(2^8)
412 */
413 for( i = 0, x = 1; i < 256; i++ )
414 {
415 pow[i] = x;
416 log[x] = i;
417 x = ( x ^ XTIME( x ) ) & 0xFF;
418 }
419
420 /*
421 * calculate the round constants
422 */
423 for( i = 0, x = 1; i < 10; i++ )
424 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]425 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426 x = XTIME( x ) & 0xFF;
427 }
428
429 /*
430 * generate the forward and reverse S-boxes
431 */
432 FSb[0x00] = 0x63;
433 RSb[0x63] = 0x00;
434
435 for( i = 1; i < 256; i++ )
436 {
437 x = pow[255 - log[i]];
438
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 x ^= y ^ 0x63;
444
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
447 }
448
449 /*
450 * generate the forward and reverse tables
451 */
452 for( i = 0; i < 256; i++ )
453 {
454 x = FSb[i];
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
457
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]463#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]467#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469 x = RSb[i];
470
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]476#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]480#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 }
482}
483
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484#undef ROTL8
485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
490#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
493
494#define AES_RT0(idx) RT0[idx]
495#define AES_RT1(idx) ROTL8( RT0[idx] )
496#define AES_RT2(idx) ROTL16( RT0[idx] )
497#define AES_RT3(idx) ROTL24( RT0[idx] )
498
499#define AES_FT0(idx) FT0[idx]
500#define AES_FT1(idx) ROTL8( FT0[idx] )
501#define AES_FT2(idx) ROTL16( FT0[idx] )
502#define AES_FT3(idx) ROTL24( FT0[idx] )
503
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]504#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) RT1[idx]
508#define AES_RT2(idx) RT2[idx]
509#define AES_RT3(idx) RT3[idx]
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) FT1[idx]
513#define AES_FT2(idx) FT2[idx]
514#define AES_FT3(idx) FT3[idx]
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]518void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]519{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]520 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523}
524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526{
527 if( ctx == NULL )
528 return;
529
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531}
532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533#if defined(MBEDTLS_CIPHER_MODE_XTS)
534void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
535{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]536 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
540}
541
542void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
543{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]544 if( ctx == NULL )
545 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]547 mbedtls_aes_free( &ctx->crypt );
548 mbedtls_aes_free( &ctx->tweak );
549}
550#endif /* MBEDTLS_CIPHER_MODE_XTS */
551
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552/*
553 * AES key schedule (encryption)
554 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]555#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]557 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]559 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]560 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]562 AES_VALIDATE_RET( ctx != NULL );
563 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]565 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 {
567 case 128: ctx->nr = 10; break;
568 case 192: ctx->nr = 12; break;
569 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 }
572
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573#if !defined(MBEDTLS_AES_ROM_TABLES)
574 if( aes_init_done == 0 )
575 {
576 aes_gen_tables();
577 aes_init_done = 1;
578
579 }
580#endif
581
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]582#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]583 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]584 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585
586 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]587 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]588 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]590 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]592#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]593 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]594 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]595#endif
596
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]597 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]599 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600 }
601
602 switch( ctx->nr )
603 {
604 case 10:
605
606 for( i = 0; i < 10; i++, RK += 4 )
607 {
608 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]609 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
611 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
612 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613
614 RK[5] = RK[1] ^ RK[4];
615 RK[6] = RK[2] ^ RK[5];
616 RK[7] = RK[3] ^ RK[6];
617 }
618 break;
619
620 case 12:
621
622 for( i = 0; i < 8; i++, RK += 6 )
623 {
624 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]625 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
627 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
628 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629
630 RK[7] = RK[1] ^ RK[6];
631 RK[8] = RK[2] ^ RK[7];
632 RK[9] = RK[3] ^ RK[8];
633 RK[10] = RK[4] ^ RK[9];
634 RK[11] = RK[5] ^ RK[10];
635 }
636 break;
637
638 case 14:
639
640 for( i = 0; i < 7; i++, RK += 8 )
641 {
642 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]643 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
645 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
646 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]647
648 RK[9] = RK[1] ^ RK[8];
649 RK[10] = RK[2] ^ RK[9];
650 RK[11] = RK[3] ^ RK[10];
651
652 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]653 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
656 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657
658 RK[13] = RK[5] ^ RK[12];
659 RK[14] = RK[6] ^ RK[13];
660 RK[15] = RK[7] ^ RK[14];
661 }
662 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]664
665 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]667#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668
669/*
670 * AES key schedule (decryption)
671 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]672#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]674 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]676 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]677 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]678 uint32_t *RK;
679 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]680
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]681 AES_VALIDATE_RET( ctx != NULL );
682 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]684 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]687 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]688 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]689
690 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]692 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]694 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]696 /* Also checks keybits */
697 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]698 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]699
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]700 ctx->nr = cty.nr;
701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]703 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]704 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]705 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]706 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]707 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]708 }
709#endif
710
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711 SK = cty.rk + cty.nr * 4;
712
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716 *RK++ = *SK++;
717
718 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
719 {
720 for( j = 0; j < 4; j++, SK++ )
721 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]722 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
723 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
724 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
725 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726 }
727 }
728
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732 *RK++ = *SK++;
733
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]734exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]735 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]736
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]737 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]738}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]739
740#if defined(MBEDTLS_CIPHER_MODE_XTS)
741static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
742 unsigned int keybits,
743 const unsigned char **key1,
744 unsigned int *key1bits,
745 const unsigned char **key2,
746 unsigned int *key2bits )
747{
748 const unsigned int half_keybits = keybits / 2;
749 const unsigned int half_keybytes = half_keybits / 8;
750
751 switch( keybits )
752 {
753 case 256: break;
754 case 512: break;
755 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
756 }
757
758 *key1bits = half_keybits;
759 *key2bits = half_keybits;
760 *key1 = &key[0];
761 *key2 = &key[half_keybytes];
762
763 return 0;
764}
765
766int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
767 const unsigned char *key,
768 unsigned int keybits)
769{
770 int ret;
771 const unsigned char *key1, *key2;
772 unsigned int key1bits, key2bits;
773
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]774 AES_VALIDATE_RET( ctx != NULL );
775 AES_VALIDATE_RET( key != NULL );
776
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]777 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
778 &key2, &key2bits );
779 if( ret != 0 )
780 return( ret );
781
782 /* Set the tweak key. Always set tweak key for the encryption mode. */
783 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
784 if( ret != 0 )
785 return( ret );
786
787 /* Set crypt key for encryption. */
788 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
789}
790
791int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
792 const unsigned char *key,
793 unsigned int keybits)
794{
795 int ret;
796 const unsigned char *key1, *key2;
797 unsigned int key1bits, key2bits;
798
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]799 AES_VALIDATE_RET( ctx != NULL );
800 AES_VALIDATE_RET( key != NULL );
801
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
803 &key2, &key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set the tweak key. Always set tweak key for encryption. */
808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
809 if( ret != 0 )
810 return( ret );
811
812 /* Set crypt key for decryption. */
813 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
814}
815#endif /* MBEDTLS_CIPHER_MODE_XTS */
816
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]817#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]819#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
820{ \
821 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
822 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
823 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
824 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
825 \
826 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
827 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
828 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
829 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
830 \
831 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
832 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
833 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
834 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
835 \
836 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
837 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
838 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
839 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]840}
841
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]842#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
843{ \
844 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
845 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
846 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
847 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
848 \
849 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
850 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
851 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
852 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
853 \
854 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
855 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
856 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
857 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
858 \
859 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
860 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
861 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
862 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]863}
864
865/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]866 * AES-ECB block encryption
867 */
868#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]869int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
870 const unsigned char input[16],
871 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]872{
873 int i;
874 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
875
876 RK = ctx->rk;
877
878 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
879 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
880 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
881 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
882
883 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
884 {
885 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
886 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
887 }
888
889 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
890
891 X0 = *RK++ ^ \
892 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
893 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
894 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
895 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
896
897 X1 = *RK++ ^ \
898 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
899 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
900 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
901 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
902
903 X2 = *RK++ ^ \
904 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
905 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
906 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
907 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
908
909 X3 = *RK++ ^ \
910 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
911 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
912 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
913 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
914
915 PUT_UINT32_LE( X0, output, 0 );
916 PUT_UINT32_LE( X1, output, 4 );
917 PUT_UINT32_LE( X2, output, 8 );
918 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]919
920 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]921}
922#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
923
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]924#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]925void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
926 const unsigned char input[16],
927 unsigned char output[16] )
928{
929 mbedtls_internal_aes_encrypt( ctx, input, output );
930}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]931#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]932
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]933/*
934 * AES-ECB block decryption
935 */
936#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]937int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
938 const unsigned char input[16],
939 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]940{
941 int i;
942 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
943
944 RK = ctx->rk;
945
946 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
947 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
948 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
949 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
950
951 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
952 {
953 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
954 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
955 }
956
957 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
958
959 X0 = *RK++ ^ \
960 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
961 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
962 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
963 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
964
965 X1 = *RK++ ^ \
966 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
967 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
968 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
969 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
970
971 X2 = *RK++ ^ \
972 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
973 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
974 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
975 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
976
977 X3 = *RK++ ^ \
978 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
979 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
980 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
981 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
982
983 PUT_UINT32_LE( X0, output, 0 );
984 PUT_UINT32_LE( X1, output, 4 );
985 PUT_UINT32_LE( X2, output, 8 );
986 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]987
988 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]989}
990#endif /* !MBEDTLS_AES_DECRYPT_ALT */
991
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]992#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]993void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
994 const unsigned char input[16],
995 unsigned char output[16] )
996{
997 mbedtls_internal_aes_decrypt( ctx, input, output );
998}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]999#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1000
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1001/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1002 * AES-ECB block encryption/decryption
1003 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1004int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1006 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1007 unsigned char output[16] )
1008{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1009 AES_VALIDATE_RET( ctx != NULL );
1010 AES_VALIDATE_RET( input != NULL );
1011 AES_VALIDATE_RET( output != NULL );
1012 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1013 mode == MBEDTLS_AES_DECRYPT );
1014
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1015#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1016 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1017 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1018#endif
1019
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1020#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1021 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1022 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1023 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1024 return( 0 );
1025
1026 // If padlock data misaligned, we just fall back to
1027 // unaccelerated mode
1028 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1029 }
1030#endif
1031
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1032 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1033 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1034 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1035 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1036}
1037
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1038#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1039/*
1040 * AES-CBC buffer encryption/decryption
1041 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1042int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1043 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1044 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1045 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1046 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1047 unsigned char *output )
1048{
1049 int i;
1050 unsigned char temp[16];
1051
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1052 AES_VALIDATE_RET( ctx != NULL );
1053 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1054 mode == MBEDTLS_AES_DECRYPT );
1055 AES_VALIDATE_RET( iv != NULL );
1056 AES_VALIDATE_RET( input != NULL );
1057 AES_VALIDATE_RET( output != NULL );
1058
1059
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1060 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1061 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1062
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1063#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1064 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1065 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1066 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1067 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1068
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1069 // If padlock data misaligned, we just fall back to
1070 // unaccelerated mode
1071 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072 }
1073#endif
1074
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1075 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076 {
1077 while( length > 0 )
1078 {
1079 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1080 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1081
1082 for( i = 0; i < 16; i++ )
1083 output[i] = (unsigned char)( output[i] ^ iv[i] );
1084
1085 memcpy( iv, temp, 16 );
1086
1087 input += 16;
1088 output += 16;
1089 length -= 16;
1090 }
1091 }
1092 else
1093 {
1094 while( length > 0 )
1095 {
1096 for( i = 0; i < 16; i++ )
1097 output[i] = (unsigned char)( input[i] ^ iv[i] );
1098
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1099 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100 memcpy( iv, output, 16 );
1101
1102 input += 16;
1103 output += 16;
1104 length -= 16;
1105 }
1106 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1107
1108 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1109}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1110#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1111
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1112#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1113
1114/* Endianess with 64 bits values */
1115#ifndef GET_UINT64_LE
1116#define GET_UINT64_LE(n,b,i) \
1117{ \
1118 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1119 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1120 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1121 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1122 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1123 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1124 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1125 | ( (uint64_t) (b)[(i) ] ); \
1126}
1127#endif
1128
1129#ifndef PUT_UINT64_LE
1130#define PUT_UINT64_LE(n,b,i) \
1131{ \
1132 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1133 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1134 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1135 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1136 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1137 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1138 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1139 (b)[(i) ] = (unsigned char) ( (n) ); \
1140}
1141#endif
1142
1143typedef unsigned char mbedtls_be128[16];
1144
1145/*
1146 * GF(2^128) multiplication function
1147 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1148 * This function multiplies a field element by x in the polynomial field
1149 * representation. It uses 64-bit word operations to gain speed but compensates
1150 * for machine endianess and hence works correctly on both big and little
1151 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1152 */
1153static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1154 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1155{
1156 uint64_t a, b, ra, rb;
1157
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1158 GET_UINT64_LE( a, x, 0 );
1159 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1160
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1161 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1162 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1163
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1164 PUT_UINT64_LE( ra, r, 0 );
1165 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1166}
1167
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1168/*
1169 * AES-XTS buffer encryption/decryption
1170 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1171int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1172 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1173 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1174 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1175 const unsigned char *input,
1176 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1177{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1178 int ret;
1179 size_t blocks = length / 16;
1180 size_t leftover = length % 16;
1181 unsigned char tweak[16];
1182 unsigned char prev_tweak[16];
1183 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1184
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1185 AES_VALIDATE_RET( ctx != NULL );
1186 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1187 mode == MBEDTLS_AES_DECRYPT );
1188 AES_VALIDATE_RET( input != NULL );
1189 AES_VALIDATE_RET( output != NULL );
1190
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1191 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1192 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1193 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1194
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1195 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1196 if( length > ( 1 << 20 ) * 16 )
1197 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1198
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1199 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1200 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1201 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1202 if( ret != 0 )
1203 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1204
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1205 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1206 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1207 size_t i;
1208
1209 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1210 {
1211 /* We are on the last block in a decrypt operation that has
1212 * leftover bytes, so we need to use the next tweak for this block,
1213 * and this tweak for the lefover bytes. Save the current tweak for
1214 * the leftovers and then update the current tweak for use on this,
1215 * the last full block. */
1216 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1217 mbedtls_gf128mul_x_ble( tweak, tweak );
1218 }
1219
1220 for( i = 0; i < 16; i++ )
1221 tmp[i] = input[i] ^ tweak[i];
1222
1223 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1224 if( ret != 0 )
1225 return( ret );
1226
1227 for( i = 0; i < 16; i++ )
1228 output[i] = tmp[i] ^ tweak[i];
1229
1230 /* Update the tweak for the next block. */
1231 mbedtls_gf128mul_x_ble( tweak, tweak );
1232
1233 output += 16;
1234 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1235 }
1236
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1237 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1238 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1239 /* If we are on the leftover bytes in a decrypt operation, we need to
1240 * use the previous tweak for these bytes (as saved in prev_tweak). */
1241 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1242
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1243 /* We are now on the final part of the data unit, which doesn't divide
1244 * evenly by 16. It's time for ciphertext stealing. */
1245 size_t i;
1246 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1247
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1248 /* Copy ciphertext bytes from the previous block to our output for each
1249 * byte of cyphertext we won't steal. At the same time, copy the
1250 * remainder of the input for this final round (since the loop bounds
1251 * are the same). */
1252 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1253 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1254 output[i] = prev_output[i];
1255 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1256 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1257
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1258 /* Copy ciphertext bytes from the previous block for input in this
1259 * round. */
1260 for( ; i < 16; i++ )
1261 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1262
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1263 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1264 if( ret != 0 )
1265 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1266
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1267 /* Write the result back to the previous block, overriding the previous
1268 * output we copied. */
1269 for( i = 0; i < 16; i++ )
1270 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1271 }
1272
1273 return( 0 );
1274}
1275#endif /* MBEDTLS_CIPHER_MODE_XTS */
1276
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1277#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1278/*
1279 * AES-CFB128 buffer encryption/decryption
1280 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1281int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1282 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1283 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1284 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1285 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1286 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1287 unsigned char *output )
1288{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1289 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1290 size_t n;
1291
1292 AES_VALIDATE_RET( ctx != NULL );
1293 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1294 mode == MBEDTLS_AES_DECRYPT );
1295 AES_VALIDATE_RET( iv_off != NULL );
1296 AES_VALIDATE_RET( iv != NULL );
1297 AES_VALIDATE_RET( input != NULL );
1298 AES_VALIDATE_RET( output != NULL );
1299
1300 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1301
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1302 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303 {
1304 while( length-- )
1305 {
1306 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1307 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1308
1309 c = *input++;
1310 *output++ = (unsigned char)( c ^ iv[n] );
1311 iv[n] = (unsigned char) c;
1312
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1313 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1314 }
1315 }
1316 else
1317 {
1318 while( length-- )
1319 {
1320 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1321 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1322
1323 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1324
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1325 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326 }
1327 }
1328
1329 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1330
1331 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1333
1334/*
1335 * AES-CFB8 buffer encryption/decryption
1336 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1337int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1338 int mode,
1339 size_t length,
1340 unsigned char iv[16],
1341 const unsigned char *input,
1342 unsigned char *output )
1343{
1344 unsigned char c;
1345 unsigned char ov[17];
1346
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1347 AES_VALIDATE_RET( ctx != NULL );
1348 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1349 mode == MBEDTLS_AES_DECRYPT );
1350 AES_VALIDATE_RET( iv != NULL );
1351 AES_VALIDATE_RET( input != NULL );
1352 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1353 while( length-- )
1354 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1355 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1356 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1358 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1359 ov[16] = *input;
1360
1361 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1362
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1363 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1364 ov[16] = c;
1365
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1366 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1367 }
1368
1369 return( 0 );
1370}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1371#endif /* MBEDTLS_CIPHER_MODE_CFB */
1372
1373#if defined(MBEDTLS_CIPHER_MODE_OFB)
1374/*
1375 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1376 */
1377int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1378 size_t length,
1379 size_t *iv_off,
1380 unsigned char iv[16],
1381 const unsigned char *input,
1382 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1383{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1384 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1385 size_t n;
1386
1387 AES_VALIDATE_RET( ctx != NULL );
1388 AES_VALIDATE_RET( iv_off != NULL );
1389 AES_VALIDATE_RET( iv != NULL );
1390 AES_VALIDATE_RET( input != NULL );
1391 AES_VALIDATE_RET( output != NULL );
1392
1393 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1394
1395 while( length-- )
1396 {
1397 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1398 {
1399 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1400 if( ret != 0 )
1401 goto exit;
1402 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1403 *output++ = *input++ ^ iv[n];
1404
1405 n = ( n + 1 ) & 0x0F;
1406 }
1407
1408 *iv_off = n;
1409
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1410exit:
1411 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1412}
1413#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1414
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1415#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1416/*
1417 * AES-CTR buffer encryption/decryption
1418 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1419int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1420 size_t length,
1421 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1422 unsigned char nonce_counter[16],
1423 unsigned char stream_block[16],
1424 const unsigned char *input,
1425 unsigned char *output )
1426{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1427 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1428 size_t n;
1429
1430 AES_VALIDATE_RET( ctx != NULL );
1431 AES_VALIDATE_RET( nc_off != NULL );
1432 AES_VALIDATE_RET( nonce_counter != NULL );
1433 AES_VALIDATE_RET( stream_block != NULL );
1434 AES_VALIDATE_RET( input != NULL );
1435 AES_VALIDATE_RET( output != NULL );
1436
1437 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1438
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1439 if ( n > 0x0F )
1440 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1441
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1442 while( length-- )
1443 {
1444 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1445 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1446
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1447 for( i = 16; i > 0; i-- )
1448 if( ++nonce_counter[i - 1] != 0 )
1449 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1450 }
1451 c = *input++;
1452 *output++ = (unsigned char)( c ^ stream_block[n] );
1453
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1454 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1455 }
1456
1457 *nc_off = n;
1458
1459 return( 0 );
1460}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1461#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1462
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1463#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1464
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1465#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1466/*
1467 * AES test vectors from:
1468 *
1469 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1470 */
1471static const unsigned char aes_test_ecb_dec[3][16] =
1472{
1473 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1474 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1475 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1476 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1477 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1478 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1479};
1480
1481static const unsigned char aes_test_ecb_enc[3][16] =
1482{
1483 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1484 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1485 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1486 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1487 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1488 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1489};
1490
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1492static const unsigned char aes_test_cbc_dec[3][16] =
1493{
1494 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1495 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1496 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1497 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1498 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1499 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1500};
1501
1502static const unsigned char aes_test_cbc_enc[3][16] =
1503{
1504 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1505 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1506 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1507 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1508 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1509 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1510};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1511#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1513#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1514/*
1515 * AES-CFB128 test vectors from:
1516 *
1517 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1518 */
1519static const unsigned char aes_test_cfb128_key[3][32] =
1520{
1521 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1522 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1523 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1524 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1525 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1526 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1527 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1528 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1529 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1530};
1531
1532static const unsigned char aes_test_cfb128_iv[16] =
1533{
1534 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1535 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1536};
1537
1538static const unsigned char aes_test_cfb128_pt[64] =
1539{
1540 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1541 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1542 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1543 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1544 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1545 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1546 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1547 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1548};
1549
1550static const unsigned char aes_test_cfb128_ct[3][64] =
1551{
1552 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1553 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1554 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1555 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1556 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1557 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1558 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1559 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1560 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1561 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1562 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1563 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1564 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1565 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1566 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1567 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1568 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1569 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1570 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1571 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1572 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1573 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1574 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1575 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1576};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1577#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1578
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1579#if defined(MBEDTLS_CIPHER_MODE_OFB)
1580/*
1581 * AES-OFB test vectors from:
1582 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1583 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1584 */
1585static const unsigned char aes_test_ofb_key[3][32] =
1586{
1587 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1588 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1589 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1590 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1591 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1592 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1593 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1594 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1595 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1596};
1597
1598static const unsigned char aes_test_ofb_iv[16] =
1599{
1600 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1601 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1602};
1603
1604static const unsigned char aes_test_ofb_pt[64] =
1605{
1606 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1607 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1608 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1609 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1610 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1611 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1612 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1613 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1614};
1615
1616static const unsigned char aes_test_ofb_ct[3][64] =
1617{
1618 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1619 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1620 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1621 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1622 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1623 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1624 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1625 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1626 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1627 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1628 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1629 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1630 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1631 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1632 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1633 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1634 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1635 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1636 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1637 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1638 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1639 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1640 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1641 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1642};
1643#endif /* MBEDTLS_CIPHER_MODE_OFB */
1644
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1645#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1646/*
1647 * AES-CTR test vectors from:
1648 *
1649 * http://www.faqs.org/rfcs/rfc3686.html
1650 */
1651
1652static const unsigned char aes_test_ctr_key[3][16] =
1653{
1654 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1655 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1656 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1657 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1658 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1659 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1660};
1661
1662static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1663{
1664 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1665 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1666 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1667 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1668 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1669 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1670};
1671
1672static const unsigned char aes_test_ctr_pt[3][48] =
1673{
1674 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1675 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1676
1677 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1678 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1679 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1680 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1681
1682 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1683 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1684 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1685 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1686 0x20, 0x21, 0x22, 0x23 }
1687};
1688
1689static const unsigned char aes_test_ctr_ct[3][48] =
1690{
1691 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1692 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1693 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1694 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1695 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1696 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1697 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1698 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1699 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1700 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1701 0x25, 0xB2, 0x07, 0x2F }
1702};
1703
1704static const int aes_test_ctr_len[3] =
1705 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1706#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1707
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1708#if defined(MBEDTLS_CIPHER_MODE_XTS)
1709/*
1710 * AES-XTS test vectors from:
1711 *
1712 * IEEE P1619/D16 Annex B
1713 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1714 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1715 */
1716static const unsigned char aes_test_xts_key[][32] =
1717{
1718 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1719 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1720 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1721 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1722 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1723 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1724 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1725 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1726 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1727 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1728 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1729 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1730};
1731
1732static const unsigned char aes_test_xts_pt32[][32] =
1733{
1734 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1735 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1737 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1738 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1739 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1740 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1741 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1742 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1743 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1744 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1745 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1746};
1747
1748static const unsigned char aes_test_xts_ct32[][32] =
1749{
1750 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1751 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1752 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1753 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1754 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1755 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1756 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1757 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1758 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1759 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1760 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1761 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1762};
1763
1764static const unsigned char aes_test_xts_data_unit[][16] =
1765{
1766 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1768 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1769 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1770 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1771 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1772};
1773
1774#endif /* MBEDTLS_CIPHER_MODE_XTS */
1775
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1776/*
1777 * Checkup routine
1778 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1779int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1780{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1781 int ret = 0, i, j, u, mode;
1782 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1783 unsigned char key[32];
1784 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1785 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1786#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1787 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1788#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1789#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1790 unsigned char prv[16];
1791#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1792#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1793 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1794 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1795#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1796#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1797 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1798#endif
1799#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1800 unsigned char nonce_counter[16];
1801 unsigned char stream_block[16];
1802#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1803 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1804
1805 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1806 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1807
1808 /*
1809 * ECB mode
1810 */
1811 for( i = 0; i < 6; i++ )
1812 {
1813 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1814 keybits = 128 + u * 64;
1815 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1816
1817 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1818 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1819 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1820
1821 memset( buf, 0, 16 );
1822
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1823 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1824 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1825 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1826 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1827 }
1828 else
1829 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1830 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1831 aes_tests = aes_test_ecb_enc[u];
1832 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1834 /*
1835 * AES-192 is an optional feature that may be unavailable when
1836 * there is an alternative underlying implementation i.e. when
1837 * MBEDTLS_AES_ALT is defined.
1838 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1839 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1840 {
1841 mbedtls_printf( "skipped\n" );
1842 continue;
1843 }
1844 else if( ret != 0 )
1845 {
1846 goto exit;
1847 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1848
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1849 for( j = 0; j < 10000; j++ )
1850 {
1851 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1852 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1853 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1854 }
1855
1856 if( memcmp( buf, aes_tests, 16 ) != 0 )
1857 {
1858 ret = 1;
1859 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1860 }
1861
1862 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1863 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864 }
1865
1866 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1867 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1869#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1870 /*
1871 * CBC mode
1872 */
1873 for( i = 0; i < 6; i++ )
1874 {
1875 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1876 keybits = 128 + u * 64;
1877 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1878
1879 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1880 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1881 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1882
1883 memset( iv , 0, 16 );
1884 memset( prv, 0, 16 );
1885 memset( buf, 0, 16 );
1886
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1887 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1888 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1889 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1890 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1891 }
1892 else
1893 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1894 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1895 aes_tests = aes_test_cbc_enc[u];
1896 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1897
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1898 /*
1899 * AES-192 is an optional feature that may be unavailable when
1900 * there is an alternative underlying implementation i.e. when
1901 * MBEDTLS_AES_ALT is defined.
1902 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1903 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1904 {
1905 mbedtls_printf( "skipped\n" );
1906 continue;
1907 }
1908 else if( ret != 0 )
1909 {
1910 goto exit;
1911 }
1912
1913 for( j = 0; j < 10000; j++ )
1914 {
1915 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1916 {
1917 unsigned char tmp[16];
1918
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1919 memcpy( tmp, prv, 16 );
1920 memcpy( prv, buf, 16 );
1921 memcpy( buf, tmp, 16 );
1922 }
1923
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1924 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1925 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1926 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1927
1928 }
1929
1930 if( memcmp( buf, aes_tests, 16 ) != 0 )
1931 {
1932 ret = 1;
1933 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1934 }
1935
1936 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1937 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1938 }
1939
1940 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1941 mbedtls_printf( "\n" );
1942#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1943
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1944#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1945 /*
1946 * CFB128 mode
1947 */
1948 for( i = 0; i < 6; i++ )
1949 {
1950 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1951 keybits = 128 + u * 64;
1952 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1953
1954 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1955 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1956 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1957
1958 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1959 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1960
1961 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1962 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1963 /*
1964 * AES-192 is an optional feature that may be unavailable when
1965 * there is an alternative underlying implementation i.e. when
1966 * MBEDTLS_AES_ALT is defined.
1967 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1968 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1969 {
1970 mbedtls_printf( "skipped\n" );
1971 continue;
1972 }
1973 else if( ret != 0 )
1974 {
1975 goto exit;
1976 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1977
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1978 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1979 {
1980 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1981 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1982 }
1983 else
1984 {
1985 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1986 aes_tests = aes_test_cfb128_ct[u];
1987 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1988
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1989 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1990 if( ret != 0 )
1991 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1992
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1993 if( memcmp( buf, aes_tests, 64 ) != 0 )
1994 {
1995 ret = 1;
1996 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1997 }
1998
1999 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2000 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2001 }
2002
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2003 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2004 mbedtls_printf( "\n" );
2005#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2006
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2007#if defined(MBEDTLS_CIPHER_MODE_OFB)
2008 /*
2009 * OFB mode
2010 */
2011 for( i = 0; i < 6; i++ )
2012 {
2013 u = i >> 1;
2014 keybits = 128 + u * 64;
2015 mode = i & 1;
2016
2017 if( verbose != 0 )
2018 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2019 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2020
2021 memcpy( iv, aes_test_ofb_iv, 16 );
2022 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2023
2024 offset = 0;
2025 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2026 /*
2027 * AES-192 is an optional feature that may be unavailable when
2028 * there is an alternative underlying implementation i.e. when
2029 * MBEDTLS_AES_ALT is defined.
2030 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2031 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2032 {
2033 mbedtls_printf( "skipped\n" );
2034 continue;
2035 }
2036 else if( ret != 0 )
2037 {
2038 goto exit;
2039 }
2040
2041 if( mode == MBEDTLS_AES_DECRYPT )
2042 {
2043 memcpy( buf, aes_test_ofb_ct[u], 64 );
2044 aes_tests = aes_test_ofb_pt;
2045 }
2046 else
2047 {
2048 memcpy( buf, aes_test_ofb_pt, 64 );
2049 aes_tests = aes_test_ofb_ct[u];
2050 }
2051
2052 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2053 if( ret != 0 )
2054 goto exit;
2055
2056 if( memcmp( buf, aes_tests, 64 ) != 0 )
2057 {
2058 ret = 1;
2059 goto exit;
2060 }
2061
2062 if( verbose != 0 )
2063 mbedtls_printf( "passed\n" );
2064 }
2065
2066 if( verbose != 0 )
2067 mbedtls_printf( "\n" );
2068#endif /* MBEDTLS_CIPHER_MODE_OFB */
2069
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2070#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2071 /*
2072 * CTR mode
2073 */
2074 for( i = 0; i < 6; i++ )
2075 {
2076 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2077 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2078
2079 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2080 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2081 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2082
2083 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2084 memcpy( key, aes_test_ctr_key[u], 16 );
2085
2086 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2087 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2088 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2089
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2090 len = aes_test_ctr_len[u];
2091
2092 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2093 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2094 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2095 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2096 }
2097 else
2098 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2099 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2100 aes_tests = aes_test_ctr_ct[u];
2101 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2102
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2103 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2104 stream_block, buf, buf );
2105 if( ret != 0 )
2106 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2107
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2108 if( memcmp( buf, aes_tests, len ) != 0 )
2109 {
2110 ret = 1;
2111 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2112 }
2113
2114 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2115 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2116 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2117
2118 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2119 mbedtls_printf( "\n" );
2120#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2121
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2122#if defined(MBEDTLS_CIPHER_MODE_XTS)
2123 {
2124 static const int num_tests =
2125 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2126 mbedtls_aes_xts_context ctx_xts;
2127
2128 /*
2129 * XTS mode
2130 */
2131 mbedtls_aes_xts_init( &ctx_xts );
2132
2133 for( i = 0; i < num_tests << 1; i++ )
2134 {
2135 const unsigned char *data_unit;
2136 u = i >> 1;
2137 mode = i & 1;
2138
2139 if( verbose != 0 )
2140 mbedtls_printf( " AES-XTS-128 (%s): ",
2141 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2142
2143 memset( key, 0, sizeof( key ) );
2144 memcpy( key, aes_test_xts_key[u], 32 );
2145 data_unit = aes_test_xts_data_unit[u];
2146
2147 len = sizeof( *aes_test_xts_ct32 );
2148
2149 if( mode == MBEDTLS_AES_DECRYPT )
2150 {
2151 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2152 if( ret != 0)
2153 goto exit;
2154 memcpy( buf, aes_test_xts_ct32[u], len );
2155 aes_tests = aes_test_xts_pt32[u];
2156 }
2157 else
2158 {
2159 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2160 if( ret != 0)
2161 goto exit;
2162 memcpy( buf, aes_test_xts_pt32[u], len );
2163 aes_tests = aes_test_xts_ct32[u];
2164 }
2165
2166
2167 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2168 buf, buf );
2169 if( ret != 0 )
2170 goto exit;
2171
2172 if( memcmp( buf, aes_tests, len ) != 0 )
2173 {
2174 ret = 1;
2175 goto exit;
2176 }
2177
2178 if( verbose != 0 )
2179 mbedtls_printf( "passed\n" );
2180 }
2181
2182 if( verbose != 0 )
2183 mbedtls_printf( "\n" );
2184
2185 mbedtls_aes_xts_free( &ctx_xts );
2186 }
2187#endif /* MBEDTLS_CIPHER_MODE_XTS */
2188
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2189 ret = 0;
2190
2191exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2192 if( ret != 0 && verbose != 0 )
2193 mbedtls_printf( "failed\n" );
2194
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2195 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2196
2197 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2198}
2199
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2200#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2201
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2202#endif /* MBEDTLS_AES_C */