TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f18de50b49784e82ebca2914b487b5a1ad576f7c / . / library / aes.c
blob: 02a7986b59c3a965fb8ea99332a18c5a4571b5ce [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
225/*
226 * Reverse S-box
227 */
228static const unsigned char RSb[256] =
229{
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262};
263
264/*
265 * Reverse tables
266 */
267#define RT \
268\
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
333
334#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]335static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]336#undef V
337
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]338#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]339
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]340#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]341static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]342#undef V
343
344#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]345static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]346#undef V
347
348#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]349static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350#undef V
351
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]352#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]353
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]354#undef RT
355
356/*
357 * Round constants
358 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]359static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360{
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
364};
365
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]366#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367
368/*
369 * Forward S-box & tables
370 */
371static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]372static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]373#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]374static uint32_t FT1[256];
375static uint32_t FT2[256];
376static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378
379/*
380 * Reverse S-box & tables
381 */
382static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]383static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]384#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]385static uint32_t RT1[256];
386static uint32_t RT2[256];
387static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]388#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Round constants
392 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]393static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]394
395/*
396 * Tables generation code
397 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]398#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
399#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]400#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]401
402static int aes_init_done = 0;
403
404static void aes_gen_tables( void )
405{
406 int i, x, y, z;
407 int pow[256];
408 int log[256];
409
410 /*
411 * compute pow and log tables over GF(2^8)
412 */
413 for( i = 0, x = 1; i < 256; i++ )
414 {
415 pow[i] = x;
416 log[x] = i;
417 x = ( x ^ XTIME( x ) ) & 0xFF;
418 }
419
420 /*
421 * calculate the round constants
422 */
423 for( i = 0, x = 1; i < 10; i++ )
424 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]425 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426 x = XTIME( x ) & 0xFF;
427 }
428
429 /*
430 * generate the forward and reverse S-boxes
431 */
432 FSb[0x00] = 0x63;
433 RSb[0x63] = 0x00;
434
435 for( i = 1; i < 256; i++ )
436 {
437 x = pow[255 - log[i]];
438
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]443 x ^= y ^ 0x63;
444
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
447 }
448
449 /*
450 * generate the forward and reverse tables
451 */
452 for( i = 0; i < 256; i++ )
453 {
454 x = FSb[i];
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
457
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]463#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]467#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
469 x = RSb[i];
470
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]476#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]480#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]481 }
482}
483
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484#undef ROTL8
485
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]486#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]489
490#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
493
494#define AES_RT0(idx) RT0[idx]
495#define AES_RT1(idx) ROTL8( RT0[idx] )
496#define AES_RT2(idx) ROTL16( RT0[idx] )
497#define AES_RT3(idx) ROTL24( RT0[idx] )
498
499#define AES_FT0(idx) FT0[idx]
500#define AES_FT1(idx) ROTL8( FT0[idx] )
501#define AES_FT2(idx) ROTL16( FT0[idx] )
502#define AES_FT3(idx) ROTL24( FT0[idx] )
503
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]504#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]505
506#define AES_RT0(idx) RT0[idx]
507#define AES_RT1(idx) RT1[idx]
508#define AES_RT2(idx) RT2[idx]
509#define AES_RT3(idx) RT3[idx]
510
511#define AES_FT0(idx) FT0[idx]
512#define AES_FT1(idx) FT1[idx]
513#define AES_FT2(idx) FT2[idx]
514#define AES_FT3(idx) FT3[idx]
515
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]516#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]517
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]518void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]519{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]520 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]523}
524
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]525void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526{
527 if( ctx == NULL )
528 return;
529
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]531}
532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533#if defined(MBEDTLS_CIPHER_MODE_XTS)
534void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
535{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]536 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]537
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
540}
541
542void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
543{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]544 if( ctx == NULL )
545 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]547 mbedtls_aes_free( &ctx->crypt );
548 mbedtls_aes_free( &ctx->tweak );
549}
550#endif /* MBEDTLS_CIPHER_MODE_XTS */
551
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]552/*
553 * AES key schedule (encryption)
554 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]555#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]556int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]557 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]558{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]559 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]560 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]562 AES_VALIDATE_RET( ctx != NULL );
563 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]564
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]565 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 {
567 case 128: ctx->nr = 10; break;
568 case 192: ctx->nr = 12; break;
569 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]571 }
572
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573#if !defined(MBEDTLS_AES_ROM_TABLES)
574 if( aes_init_done == 0 )
575 {
576 aes_gen_tables();
577 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]578 }
579#endif
580
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]583 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584
585 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]587 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]588#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]589 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]590
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]591#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]592 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]593 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]594#endif
595
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]596 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]597 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]598 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]599 }
600
601 switch( ctx->nr )
602 {
603 case 10:
604
605 for( i = 0; i < 10; i++, RK += 4 )
606 {
607 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]608 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
609 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
611 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]612
613 RK[5] = RK[1] ^ RK[4];
614 RK[6] = RK[2] ^ RK[5];
615 RK[7] = RK[3] ^ RK[6];
616 }
617 break;
618
619 case 12:
620
621 for( i = 0; i < 8; i++, RK += 6 )
622 {
623 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]624 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
625 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
627 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]628
629 RK[7] = RK[1] ^ RK[6];
630 RK[8] = RK[2] ^ RK[7];
631 RK[9] = RK[3] ^ RK[8];
632 RK[10] = RK[4] ^ RK[9];
633 RK[11] = RK[5] ^ RK[10];
634 }
635 break;
636
637 case 14:
638
639 for( i = 0; i < 7; i++, RK += 8 )
640 {
641 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]642 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
643 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
645 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]646
647 RK[9] = RK[1] ^ RK[8];
648 RK[10] = RK[2] ^ RK[9];
649 RK[11] = RK[3] ^ RK[10];
650
651 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]652 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
653 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]656
657 RK[13] = RK[5] ^ RK[12];
658 RK[14] = RK[6] ^ RK[13];
659 RK[15] = RK[7] ^ RK[14];
660 }
661 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]663
664 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667
668/*
669 * AES key schedule (decryption)
670 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]671#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]672int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]673 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]674{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]675 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]676 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 uint32_t *RK;
678 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]679
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]680 AES_VALIDATE_RET( ctx != NULL );
681 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]682
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]683 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]684
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688
689 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]691 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]693 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]694
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]695 /* Also checks keybits */
696 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]697 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]698
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]699 ctx->nr = cty.nr;
700
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]702 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]703 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]704 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]705 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]706 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]707 }
708#endif
709
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 SK = cty.rk + cty.nr * 4;
711
712 *RK++ = *SK++;
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716
717 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
718 {
719 for( j = 0; j < 4; j++, SK++ )
720 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]721 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
722 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
723 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
724 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]725 }
726 }
727
728 *RK++ = *SK++;
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]733exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]734 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]735
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]736 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]737}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]738
739#if defined(MBEDTLS_CIPHER_MODE_XTS)
740static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
741 unsigned int keybits,
742 const unsigned char **key1,
743 unsigned int *key1bits,
744 const unsigned char **key2,
745 unsigned int *key2bits )
746{
747 const unsigned int half_keybits = keybits / 2;
748 const unsigned int half_keybytes = half_keybits / 8;
749
750 switch( keybits )
751 {
752 case 256: break;
753 case 512: break;
754 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
755 }
756
757 *key1bits = half_keybits;
758 *key2bits = half_keybits;
759 *key1 = &key[0];
760 *key2 = &key[half_keybytes];
761
762 return 0;
763}
764
765int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
766 const unsigned char *key,
767 unsigned int keybits)
768{
769 int ret;
770 const unsigned char *key1, *key2;
771 unsigned int key1bits, key2bits;
772
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]773 AES_VALIDATE_RET( ctx != NULL );
774 AES_VALIDATE_RET( key != NULL );
775
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
777 &key2, &key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set the tweak key. Always set tweak key for the encryption mode. */
782 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
783 if( ret != 0 )
784 return( ret );
785
786 /* Set crypt key for encryption. */
787 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
788}
789
790int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
791 const unsigned char *key,
792 unsigned int keybits)
793{
794 int ret;
795 const unsigned char *key1, *key2;
796 unsigned int key1bits, key2bits;
797
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]798 AES_VALIDATE_RET( ctx != NULL );
799 AES_VALIDATE_RET( key != NULL );
800
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
802 &key2, &key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set the tweak key. Always set tweak key for encryption. */
807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
808 if( ret != 0 )
809 return( ret );
810
811 /* Set crypt key for decryption. */
812 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
813}
814#endif /* MBEDTLS_CIPHER_MODE_XTS */
815
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]816#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]817
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]818#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
819 do \
820 { \
821 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
822 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
823 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
824 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
825 \
826 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
827 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
828 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
829 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
830 \
831 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
832 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
833 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
834 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
835 \
836 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
837 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
838 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
839 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
840 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]841
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]842#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
843 do \
844 { \
845 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
846 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
847 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
848 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
849 \
850 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
851 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
852 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
853 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
854 \
855 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
856 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
857 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
858 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
859 \
860 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
861 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
862 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
863 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
864 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]865
866/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]867 * AES-ECB block encryption
868 */
869#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]870int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
871 const unsigned char input[16],
872 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]873{
874 int i;
875 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
876
877 RK = ctx->rk;
878
879 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
880 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
881 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
882 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
883
884 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
885 {
886 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
887 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
888 }
889
890 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
891
892 X0 = *RK++ ^ \
893 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
894 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
895 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
896 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
897
898 X1 = *RK++ ^ \
899 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
900 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
901 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
902 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
903
904 X2 = *RK++ ^ \
905 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
906 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
907 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
908 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
909
910 X3 = *RK++ ^ \
911 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
912 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
913 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
914 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
915
916 PUT_UINT32_LE( X0, output, 0 );
917 PUT_UINT32_LE( X1, output, 4 );
918 PUT_UINT32_LE( X2, output, 8 );
919 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]920
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame^]921 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
922 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
923 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
924 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
925
926 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
927 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
928 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
929 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
930
931 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
932
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]933 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]934}
935#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
936
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]937#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]938void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
939 const unsigned char input[16],
940 unsigned char output[16] )
941{
942 mbedtls_internal_aes_encrypt( ctx, input, output );
943}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]944#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]945
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]946/*
947 * AES-ECB block decryption
948 */
949#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]950int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
951 const unsigned char input[16],
952 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]953{
954 int i;
955 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
956
957 RK = ctx->rk;
958
959 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
960 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
961 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
962 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
963
964 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
965 {
966 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
967 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
968 }
969
970 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
971
972 X0 = *RK++ ^ \
973 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
974 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
975 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
976 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
977
978 X1 = *RK++ ^ \
979 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
980 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
981 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
982 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
983
984 X2 = *RK++ ^ \
985 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
986 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
987 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
988 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
989
990 X3 = *RK++ ^ \
991 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
992 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
993 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
994 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
995
996 PUT_UINT32_LE( X0, output, 0 );
997 PUT_UINT32_LE( X1, output, 4 );
998 PUT_UINT32_LE( X2, output, 8 );
999 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1000
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame^]1001 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
1002 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1003 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1004 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1005
1006 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1007 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1008 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1009 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1010
1011 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1012
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1013 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1014}
1015#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1016
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1017#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1018void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1019 const unsigned char input[16],
1020 unsigned char output[16] )
1021{
1022 mbedtls_internal_aes_decrypt( ctx, input, output );
1023}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1024#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1025
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1026/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1027 * AES-ECB block encryption/decryption
1028 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1029int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1030 int mode,
1031 const unsigned char input[16],
1032 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1033{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1034 AES_VALIDATE_RET( ctx != NULL );
1035 AES_VALIDATE_RET( input != NULL );
1036 AES_VALIDATE_RET( output != NULL );
1037 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1038 mode == MBEDTLS_AES_DECRYPT );
1039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1040#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1041 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1042 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1043#endif
1044
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1045#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1046 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1047 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1048 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1049 return( 0 );
1050
1051 // If padlock data misaligned, we just fall back to
1052 // unaccelerated mode
1053 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1054 }
1055#endif
1056
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1057 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1058 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1059 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1060 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1061}
1062
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1063#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1064/*
1065 * AES-CBC buffer encryption/decryption
1066 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1067int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1068 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1069 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1070 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1071 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1072 unsigned char *output )
1073{
1074 int i;
1075 unsigned char temp[16];
1076
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1077 AES_VALIDATE_RET( ctx != NULL );
1078 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1079 mode == MBEDTLS_AES_DECRYPT );
1080 AES_VALIDATE_RET( iv != NULL );
1081 AES_VALIDATE_RET( input != NULL );
1082 AES_VALIDATE_RET( output != NULL );
1083
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1084 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1086
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1087#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1088 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1089 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1090 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1091 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1092
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1093 // If padlock data misaligned, we just fall back to
1094 // unaccelerated mode
1095 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1096 }
1097#endif
1098
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1099 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100 {
1101 while( length > 0 )
1102 {
1103 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1104 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1105
1106 for( i = 0; i < 16; i++ )
1107 output[i] = (unsigned char)( output[i] ^ iv[i] );
1108
1109 memcpy( iv, temp, 16 );
1110
1111 input += 16;
1112 output += 16;
1113 length -= 16;
1114 }
1115 }
1116 else
1117 {
1118 while( length > 0 )
1119 {
1120 for( i = 0; i < 16; i++ )
1121 output[i] = (unsigned char)( input[i] ^ iv[i] );
1122
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1123 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1124 memcpy( iv, output, 16 );
1125
1126 input += 16;
1127 output += 16;
1128 length -= 16;
1129 }
1130 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1131
1132 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1133}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1134#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1135
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1136#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1137
1138/* Endianess with 64 bits values */
1139#ifndef GET_UINT64_LE
1140#define GET_UINT64_LE(n,b,i) \
1141{ \
1142 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1143 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1144 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1145 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1146 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1147 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1148 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1149 | ( (uint64_t) (b)[(i) ] ); \
1150}
1151#endif
1152
1153#ifndef PUT_UINT64_LE
1154#define PUT_UINT64_LE(n,b,i) \
1155{ \
1156 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1157 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1158 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1159 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1160 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1161 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1162 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1163 (b)[(i) ] = (unsigned char) ( (n) ); \
1164}
1165#endif
1166
1167typedef unsigned char mbedtls_be128[16];
1168
1169/*
1170 * GF(2^128) multiplication function
1171 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1172 * This function multiplies a field element by x in the polynomial field
1173 * representation. It uses 64-bit word operations to gain speed but compensates
1174 * for machine endianess and hence works correctly on both big and little
1175 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1176 */
1177static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1178 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1179{
1180 uint64_t a, b, ra, rb;
1181
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1182 GET_UINT64_LE( a, x, 0 );
1183 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1184
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1185 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1186 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1187
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1188 PUT_UINT64_LE( ra, r, 0 );
1189 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1190}
1191
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1192/*
1193 * AES-XTS buffer encryption/decryption
1194 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1195int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1196 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1197 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1198 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1199 const unsigned char *input,
1200 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1201{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1202 int ret;
1203 size_t blocks = length / 16;
1204 size_t leftover = length % 16;
1205 unsigned char tweak[16];
1206 unsigned char prev_tweak[16];
1207 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1208
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1209 AES_VALIDATE_RET( ctx != NULL );
1210 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1211 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1212 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1213 AES_VALIDATE_RET( input != NULL );
1214 AES_VALIDATE_RET( output != NULL );
1215
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1216 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1217 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1218 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1219
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1220 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1221 if( length > ( 1 << 20 ) * 16 )
1222 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1223
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1224 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1225 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1226 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1227 if( ret != 0 )
1228 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1229
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1230 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1231 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1232 size_t i;
1233
1234 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1235 {
1236 /* We are on the last block in a decrypt operation that has
1237 * leftover bytes, so we need to use the next tweak for this block,
1238 * and this tweak for the lefover bytes. Save the current tweak for
1239 * the leftovers and then update the current tweak for use on this,
1240 * the last full block. */
1241 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1242 mbedtls_gf128mul_x_ble( tweak, tweak );
1243 }
1244
1245 for( i = 0; i < 16; i++ )
1246 tmp[i] = input[i] ^ tweak[i];
1247
1248 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1249 if( ret != 0 )
1250 return( ret );
1251
1252 for( i = 0; i < 16; i++ )
1253 output[i] = tmp[i] ^ tweak[i];
1254
1255 /* Update the tweak for the next block. */
1256 mbedtls_gf128mul_x_ble( tweak, tweak );
1257
1258 output += 16;
1259 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1260 }
1261
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1262 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1263 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1264 /* If we are on the leftover bytes in a decrypt operation, we need to
1265 * use the previous tweak for these bytes (as saved in prev_tweak). */
1266 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1267
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1268 /* We are now on the final part of the data unit, which doesn't divide
1269 * evenly by 16. It's time for ciphertext stealing. */
1270 size_t i;
1271 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1272
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1273 /* Copy ciphertext bytes from the previous block to our output for each
1274 * byte of cyphertext we won't steal. At the same time, copy the
1275 * remainder of the input for this final round (since the loop bounds
1276 * are the same). */
1277 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1278 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1279 output[i] = prev_output[i];
1280 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1281 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1282
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1283 /* Copy ciphertext bytes from the previous block for input in this
1284 * round. */
1285 for( ; i < 16; i++ )
1286 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1287
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1288 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1289 if( ret != 0 )
1290 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1291
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1292 /* Write the result back to the previous block, overriding the previous
1293 * output we copied. */
1294 for( i = 0; i < 16; i++ )
1295 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1296 }
1297
1298 return( 0 );
1299}
1300#endif /* MBEDTLS_CIPHER_MODE_XTS */
1301
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1302#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303/*
1304 * AES-CFB128 buffer encryption/decryption
1305 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1306int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1308 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1309 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1310 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1311 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1312 unsigned char *output )
1313{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1314 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1315 size_t n;
1316
1317 AES_VALIDATE_RET( ctx != NULL );
1318 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1319 mode == MBEDTLS_AES_DECRYPT );
1320 AES_VALIDATE_RET( iv_off != NULL );
1321 AES_VALIDATE_RET( iv != NULL );
1322 AES_VALIDATE_RET( input != NULL );
1323 AES_VALIDATE_RET( output != NULL );
1324
1325 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1327 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1328 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1329
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1330 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331 {
1332 while( length-- )
1333 {
1334 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1335 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336
1337 c = *input++;
1338 *output++ = (unsigned char)( c ^ iv[n] );
1339 iv[n] = (unsigned char) c;
1340
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1341 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1342 }
1343 }
1344 else
1345 {
1346 while( length-- )
1347 {
1348 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1349 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1350
1351 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1352
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1353 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1354 }
1355 }
1356
1357 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1358
1359 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1360}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1361
1362/*
1363 * AES-CFB8 buffer encryption/decryption
1364 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1365int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1366 int mode,
1367 size_t length,
1368 unsigned char iv[16],
1369 const unsigned char *input,
1370 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1371{
1372 unsigned char c;
1373 unsigned char ov[17];
1374
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1375 AES_VALIDATE_RET( ctx != NULL );
1376 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1377 mode == MBEDTLS_AES_DECRYPT );
1378 AES_VALIDATE_RET( iv != NULL );
1379 AES_VALIDATE_RET( input != NULL );
1380 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1381 while( length-- )
1382 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1383 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1384 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1385
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1386 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1387 ov[16] = *input;
1388
1389 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1391 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1392 ov[16] = c;
1393
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1394 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1395 }
1396
1397 return( 0 );
1398}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1399#endif /* MBEDTLS_CIPHER_MODE_CFB */
1400
1401#if defined(MBEDTLS_CIPHER_MODE_OFB)
1402/*
1403 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1404 */
1405int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1406 size_t length,
1407 size_t *iv_off,
1408 unsigned char iv[16],
1409 const unsigned char *input,
1410 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1411{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1412 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1413 size_t n;
1414
1415 AES_VALIDATE_RET( ctx != NULL );
1416 AES_VALIDATE_RET( iv_off != NULL );
1417 AES_VALIDATE_RET( iv != NULL );
1418 AES_VALIDATE_RET( input != NULL );
1419 AES_VALIDATE_RET( output != NULL );
1420
1421 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1422
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1423 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1424 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1425
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1426 while( length-- )
1427 {
1428 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1429 {
1430 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1431 if( ret != 0 )
1432 goto exit;
1433 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1434 *output++ = *input++ ^ iv[n];
1435
1436 n = ( n + 1 ) & 0x0F;
1437 }
1438
1439 *iv_off = n;
1440
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1441exit:
1442 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1443}
1444#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1445
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1446#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1447/*
1448 * AES-CTR buffer encryption/decryption
1449 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1450int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1451 size_t length,
1452 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1453 unsigned char nonce_counter[16],
1454 unsigned char stream_block[16],
1455 const unsigned char *input,
1456 unsigned char *output )
1457{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1458 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1459 size_t n;
1460
1461 AES_VALIDATE_RET( ctx != NULL );
1462 AES_VALIDATE_RET( nc_off != NULL );
1463 AES_VALIDATE_RET( nonce_counter != NULL );
1464 AES_VALIDATE_RET( stream_block != NULL );
1465 AES_VALIDATE_RET( input != NULL );
1466 AES_VALIDATE_RET( output != NULL );
1467
1468 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1469
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1470 if ( n > 0x0F )
1471 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1472
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1473 while( length-- )
1474 {
1475 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1476 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1477
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1478 for( i = 16; i > 0; i-- )
1479 if( ++nonce_counter[i - 1] != 0 )
1480 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1481 }
1482 c = *input++;
1483 *output++ = (unsigned char)( c ^ stream_block[n] );
1484
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1485 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1486 }
1487
1488 *nc_off = n;
1489
1490 return( 0 );
1491}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1492#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1493
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1494#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1495
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1496#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1497/*
1498 * AES test vectors from:
1499 *
1500 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1501 */
1502static const unsigned char aes_test_ecb_dec[3][16] =
1503{
1504 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1505 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1506 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1507 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1508 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1509 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1510};
1511
1512static const unsigned char aes_test_ecb_enc[3][16] =
1513{
1514 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1515 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1516 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1517 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1518 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1519 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1520};
1521
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1522#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1523static const unsigned char aes_test_cbc_dec[3][16] =
1524{
1525 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1526 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1527 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1528 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1529 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1530 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1531};
1532
1533static const unsigned char aes_test_cbc_enc[3][16] =
1534{
1535 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1536 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1537 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1538 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1539 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1540 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1541};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1542#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1543
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1544#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1545/*
1546 * AES-CFB128 test vectors from:
1547 *
1548 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1549 */
1550static const unsigned char aes_test_cfb128_key[3][32] =
1551{
1552 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1553 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1554 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1555 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1556 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1557 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1558 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1559 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1560 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1561};
1562
1563static const unsigned char aes_test_cfb128_iv[16] =
1564{
1565 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1566 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1567};
1568
1569static const unsigned char aes_test_cfb128_pt[64] =
1570{
1571 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1572 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1573 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1574 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1575 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1576 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1577 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1578 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1579};
1580
1581static const unsigned char aes_test_cfb128_ct[3][64] =
1582{
1583 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1584 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1585 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1586 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1587 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1588 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1589 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1590 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1591 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1592 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1593 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1594 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1595 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1596 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1597 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1598 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1599 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1600 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1601 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1602 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1603 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1604 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1605 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1606 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1607};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1608#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1609
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1610#if defined(MBEDTLS_CIPHER_MODE_OFB)
1611/*
1612 * AES-OFB test vectors from:
1613 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1614 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1615 */
1616static const unsigned char aes_test_ofb_key[3][32] =
1617{
1618 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1619 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1620 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1621 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1622 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1623 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1624 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1625 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1626 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1627};
1628
1629static const unsigned char aes_test_ofb_iv[16] =
1630{
1631 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1632 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1633};
1634
1635static const unsigned char aes_test_ofb_pt[64] =
1636{
1637 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1638 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1639 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1640 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1641 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1642 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1643 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1644 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1645};
1646
1647static const unsigned char aes_test_ofb_ct[3][64] =
1648{
1649 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1650 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1651 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1652 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1653 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1654 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1655 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1656 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1657 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1658 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1659 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1660 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1661 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1662 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1663 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1664 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1665 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1666 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1667 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1668 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1669 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1670 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1671 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1672 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1673};
1674#endif /* MBEDTLS_CIPHER_MODE_OFB */
1675
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1676#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1677/*
1678 * AES-CTR test vectors from:
1679 *
1680 * http://www.faqs.org/rfcs/rfc3686.html
1681 */
1682
1683static const unsigned char aes_test_ctr_key[3][16] =
1684{
1685 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1686 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1687 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1688 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1689 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1690 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1691};
1692
1693static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1694{
1695 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1697 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1698 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1699 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1700 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1701};
1702
1703static const unsigned char aes_test_ctr_pt[3][48] =
1704{
1705 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1706 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1707
1708 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1709 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1710 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1711 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1712
1713 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1714 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1715 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1716 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1717 0x20, 0x21, 0x22, 0x23 }
1718};
1719
1720static const unsigned char aes_test_ctr_ct[3][48] =
1721{
1722 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1723 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1724 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1725 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1726 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1727 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1728 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1729 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1730 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1731 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1732 0x25, 0xB2, 0x07, 0x2F }
1733};
1734
1735static const int aes_test_ctr_len[3] =
1736 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1738
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1739#if defined(MBEDTLS_CIPHER_MODE_XTS)
1740/*
1741 * AES-XTS test vectors from:
1742 *
1743 * IEEE P1619/D16 Annex B
1744 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1745 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1746 */
1747static const unsigned char aes_test_xts_key[][32] =
1748{
1749 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1750 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1751 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1753 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1754 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1755 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1756 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1757 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1758 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1759 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1760 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1761};
1762
1763static const unsigned char aes_test_xts_pt32[][32] =
1764{
1765 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1769 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1770 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1771 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1772 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1773 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1774 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1775 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1776 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1777};
1778
1779static const unsigned char aes_test_xts_ct32[][32] =
1780{
1781 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1782 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1783 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1784 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1785 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1786 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1787 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1788 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1789 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1790 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1791 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1792 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1793};
1794
1795static const unsigned char aes_test_xts_data_unit[][16] =
1796{
1797 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1798 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1799 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1800 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1801 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1803};
1804
1805#endif /* MBEDTLS_CIPHER_MODE_XTS */
1806
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1807/*
1808 * Checkup routine
1809 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1810int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1812 int ret = 0, i, j, u, mode;
1813 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1814 unsigned char key[32];
1815 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1816 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1817#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1818 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1819#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1820#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1821 unsigned char prv[16];
1822#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1823#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1824 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1825 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1826#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1827#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1828 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1829#endif
1830#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1831 unsigned char nonce_counter[16];
1832 unsigned char stream_block[16];
1833#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1834 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1835
1836 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1837 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1838
1839 /*
1840 * ECB mode
1841 */
1842 for( i = 0; i < 6; i++ )
1843 {
1844 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1845 keybits = 128 + u * 64;
1846 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1847
1848 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1849 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1850 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1851
1852 memset( buf, 0, 16 );
1853
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1854 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1856 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1857 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1858 }
1859 else
1860 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1861 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1862 aes_tests = aes_test_ecb_enc[u];
1863 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1864
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1865 /*
1866 * AES-192 is an optional feature that may be unavailable when
1867 * there is an alternative underlying implementation i.e. when
1868 * MBEDTLS_AES_ALT is defined.
1869 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1870 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1871 {
1872 mbedtls_printf( "skipped\n" );
1873 continue;
1874 }
1875 else if( ret != 0 )
1876 {
1877 goto exit;
1878 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1879
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1880 for( j = 0; j < 10000; j++ )
1881 {
1882 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1883 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1884 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1885 }
1886
1887 if( memcmp( buf, aes_tests, 16 ) != 0 )
1888 {
1889 ret = 1;
1890 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1891 }
1892
1893 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1894 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1895 }
1896
1897 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1898 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1899
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1900#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901 /*
1902 * CBC mode
1903 */
1904 for( i = 0; i < 6; i++ )
1905 {
1906 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1907 keybits = 128 + u * 64;
1908 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909
1910 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1911 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1912 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1913
1914 memset( iv , 0, 16 );
1915 memset( prv, 0, 16 );
1916 memset( buf, 0, 16 );
1917
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1918 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1919 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1920 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1921 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1922 }
1923 else
1924 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1925 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1926 aes_tests = aes_test_cbc_enc[u];
1927 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1928
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1929 /*
1930 * AES-192 is an optional feature that may be unavailable when
1931 * there is an alternative underlying implementation i.e. when
1932 * MBEDTLS_AES_ALT is defined.
1933 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1934 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1935 {
1936 mbedtls_printf( "skipped\n" );
1937 continue;
1938 }
1939 else if( ret != 0 )
1940 {
1941 goto exit;
1942 }
1943
1944 for( j = 0; j < 10000; j++ )
1945 {
1946 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1947 {
1948 unsigned char tmp[16];
1949
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1950 memcpy( tmp, prv, 16 );
1951 memcpy( prv, buf, 16 );
1952 memcpy( buf, tmp, 16 );
1953 }
1954
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1955 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1956 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1957 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1958
1959 }
1960
1961 if( memcmp( buf, aes_tests, 16 ) != 0 )
1962 {
1963 ret = 1;
1964 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1965 }
1966
1967 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1968 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1969 }
1970
1971 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1972 mbedtls_printf( "\n" );
1973#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1974
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1975#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1976 /*
1977 * CFB128 mode
1978 */
1979 for( i = 0; i < 6; i++ )
1980 {
1981 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1982 keybits = 128 + u * 64;
1983 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1984
1985 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1986 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1987 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1988
1989 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1990 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1991
1992 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1993 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1994 /*
1995 * AES-192 is an optional feature that may be unavailable when
1996 * there is an alternative underlying implementation i.e. when
1997 * MBEDTLS_AES_ALT is defined.
1998 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1999 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2000 {
2001 mbedtls_printf( "skipped\n" );
2002 continue;
2003 }
2004 else if( ret != 0 )
2005 {
2006 goto exit;
2007 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2008
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2009 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2010 {
2011 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2012 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2013 }
2014 else
2015 {
2016 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2017 aes_tests = aes_test_cfb128_ct[u];
2018 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2019
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2020 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2021 if( ret != 0 )
2022 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2023
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2024 if( memcmp( buf, aes_tests, 64 ) != 0 )
2025 {
2026 ret = 1;
2027 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2028 }
2029
2030 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2031 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2032 }
2033
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2034 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2035 mbedtls_printf( "\n" );
2036#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2037
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2038#if defined(MBEDTLS_CIPHER_MODE_OFB)
2039 /*
2040 * OFB mode
2041 */
2042 for( i = 0; i < 6; i++ )
2043 {
2044 u = i >> 1;
2045 keybits = 128 + u * 64;
2046 mode = i & 1;
2047
2048 if( verbose != 0 )
2049 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2050 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2051
2052 memcpy( iv, aes_test_ofb_iv, 16 );
2053 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2054
2055 offset = 0;
2056 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2057 /*
2058 * AES-192 is an optional feature that may be unavailable when
2059 * there is an alternative underlying implementation i.e. when
2060 * MBEDTLS_AES_ALT is defined.
2061 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2062 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2063 {
2064 mbedtls_printf( "skipped\n" );
2065 continue;
2066 }
2067 else if( ret != 0 )
2068 {
2069 goto exit;
2070 }
2071
2072 if( mode == MBEDTLS_AES_DECRYPT )
2073 {
2074 memcpy( buf, aes_test_ofb_ct[u], 64 );
2075 aes_tests = aes_test_ofb_pt;
2076 }
2077 else
2078 {
2079 memcpy( buf, aes_test_ofb_pt, 64 );
2080 aes_tests = aes_test_ofb_ct[u];
2081 }
2082
2083 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2084 if( ret != 0 )
2085 goto exit;
2086
2087 if( memcmp( buf, aes_tests, 64 ) != 0 )
2088 {
2089 ret = 1;
2090 goto exit;
2091 }
2092
2093 if( verbose != 0 )
2094 mbedtls_printf( "passed\n" );
2095 }
2096
2097 if( verbose != 0 )
2098 mbedtls_printf( "\n" );
2099#endif /* MBEDTLS_CIPHER_MODE_OFB */
2100
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2101#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2102 /*
2103 * CTR mode
2104 */
2105 for( i = 0; i < 6; i++ )
2106 {
2107 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2108 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2109
2110 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2111 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2112 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2113
2114 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2115 memcpy( key, aes_test_ctr_key[u], 16 );
2116
2117 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2118 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2119 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2120
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2121 len = aes_test_ctr_len[u];
2122
2123 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2124 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2125 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2126 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2127 }
2128 else
2129 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2130 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2131 aes_tests = aes_test_ctr_ct[u];
2132 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2133
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2134 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2135 stream_block, buf, buf );
2136 if( ret != 0 )
2137 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2138
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2139 if( memcmp( buf, aes_tests, len ) != 0 )
2140 {
2141 ret = 1;
2142 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2143 }
2144
2145 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2146 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2147 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2148
2149 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2150 mbedtls_printf( "\n" );
2151#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2152
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2153#if defined(MBEDTLS_CIPHER_MODE_XTS)
2154 {
2155 static const int num_tests =
2156 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2157 mbedtls_aes_xts_context ctx_xts;
2158
2159 /*
2160 * XTS mode
2161 */
2162 mbedtls_aes_xts_init( &ctx_xts );
2163
2164 for( i = 0; i < num_tests << 1; i++ )
2165 {
2166 const unsigned char *data_unit;
2167 u = i >> 1;
2168 mode = i & 1;
2169
2170 if( verbose != 0 )
2171 mbedtls_printf( " AES-XTS-128 (%s): ",
2172 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2173
2174 memset( key, 0, sizeof( key ) );
2175 memcpy( key, aes_test_xts_key[u], 32 );
2176 data_unit = aes_test_xts_data_unit[u];
2177
2178 len = sizeof( *aes_test_xts_ct32 );
2179
2180 if( mode == MBEDTLS_AES_DECRYPT )
2181 {
2182 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2183 if( ret != 0)
2184 goto exit;
2185 memcpy( buf, aes_test_xts_ct32[u], len );
2186 aes_tests = aes_test_xts_pt32[u];
2187 }
2188 else
2189 {
2190 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2191 if( ret != 0)
2192 goto exit;
2193 memcpy( buf, aes_test_xts_pt32[u], len );
2194 aes_tests = aes_test_xts_ct32[u];
2195 }
2196
2197
2198 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2199 buf, buf );
2200 if( ret != 0 )
2201 goto exit;
2202
2203 if( memcmp( buf, aes_tests, len ) != 0 )
2204 {
2205 ret = 1;
2206 goto exit;
2207 }
2208
2209 if( verbose != 0 )
2210 mbedtls_printf( "passed\n" );
2211 }
2212
2213 if( verbose != 0 )
2214 mbedtls_printf( "\n" );
2215
2216 mbedtls_aes_xts_free( &ctx_xts );
2217 }
2218#endif /* MBEDTLS_CIPHER_MODE_XTS */
2219
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2220 ret = 0;
2221
2222exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2223 if( ret != 0 && verbose != 0 )
2224 mbedtls_printf( "failed\n" );
2225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2226 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2227
2228 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2229}
2230
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2231#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2232
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2233#endif /* MBEDTLS_AES_C */