TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / f93d55e3ce4e230a9518431927388e5e1c885911 / . / library / aes.c
blob: 9361edbf3b21f831a082da837d136360d305a484 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]41#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]42#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]43#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]44#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]46#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]47
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#if defined(MBEDTLS_SELF_TEST)
49#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]50#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]52#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#define mbedtls_printf printf
54#endif /* MBEDTLS_PLATFORM_C */
55#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]56
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]57#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]58
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]59/* Parameter validation macros based on platform_util.h */
60#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]62#define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65/*
66 * 32-bit integer manipulation macros (little endian)
67 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]68#ifndef GET_UINT32_LE
69#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]75}
76#endif
77
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]78#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]79#define PUT_UINT32_LE(n,b,i) \
80{ \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85}
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]90static int aes_padlock_ace = -1;
91#endif
92
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]93#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94/*
95 * Forward S-box
96 */
97static const unsigned char FSb[256] =
98{
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131};
132
133/*
134 * Forward tables
135 */
136#define FT \
137\
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]204static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]205#undef V
206
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]207#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]208
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]209#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]210static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211#undef V
212
213#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]214static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]215#undef V
216
217#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]218static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]219#undef V
220
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]221#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]222
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223#undef FT
224
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]225#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226/*
227 * Reverse S-box
228 */
229static const unsigned char RSb[256] =
230{
231 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
232 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
233 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
234 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
235 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
236 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
237 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
238 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
239 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
240 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
241 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
242 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
243 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
244 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
245 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
246 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
247 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
248 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
249 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
250 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
251 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
252 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
253 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
254 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
256 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
257 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
258 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
259 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
260 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
261 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
262 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
263};
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]264#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]265
266/*
267 * Reverse tables
268 */
269#define RT \
270\
271 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
272 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
273 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
274 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
275 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
276 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
277 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
278 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
279 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
280 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
281 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
282 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
283 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
284 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
285 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
286 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
287 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
288 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
289 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
290 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
291 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
292 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
293 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
294 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
295 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
296 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
297 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
298 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
299 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
300 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
301 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
302 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
303 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
304 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
305 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
306 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
307 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
308 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
309 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
310 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
311 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
312 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
313 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
314 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
315 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
316 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
317 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
318 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
319 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
320 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
321 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
322 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
323 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
324 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
325 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
326 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
327 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
328 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
329 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
330 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
331 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
332 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
333 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
334 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
335
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]336#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]341#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]342
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345#undef V
346
347#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]348static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349#undef V
350
351#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]352static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353#undef V
354
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]355#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]356#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]357
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358#undef RT
359
360/*
361 * Round constants
362 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]363static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]364{
365 0x00000001, 0x00000002, 0x00000004, 0x00000008,
366 0x00000010, 0x00000020, 0x00000040, 0x00000080,
367 0x0000001B, 0x00000036
368};
369
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]370#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372/*
373 * Forward S-box & tables
374 */
375static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]376static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]377#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]378static uint32_t FT1[256];
379static uint32_t FT2[256];
380static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]381#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383/*
384 * Reverse S-box & tables
385 */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]386#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]389#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]390static uint32_t RT1[256];
391static uint32_t RT2[256];
392static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]393#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]394#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395
396/*
397 * Round constants
398 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]399static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]400
401/*
402 * Tables generation code
403 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]404#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
405#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]406#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]407
408static int aes_init_done = 0;
409
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]410/*
411 * SCA CM table position check
412 */
413#define SCA_CM_TBL_MATCH(tbl, n) ( tbl[0] == ( n ) || \
414 tbl[1] == ( n ) || \
415 tbl[2] == ( n ) )
416
417/*
418 * SCA CM always true check
419 */
420#define SCA_CM_ALWAYS_TRUE(tbl, n) ( tbl[0] != ( n ) || \
421 tbl[1] != ( n ) || \
422 tbl[2] != tbl[0] )
423/*
424 * Number of SCA CM dummy rounds.
425 */
426#define SCA_CM_DUMMY_ROUND_COUNT 3
427
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]428static void aes_gen_tables( void )
429{
430 int i, x, y, z;
431 int pow[256];
432 int log[256];
433
434 /*
435 * compute pow and log tables over GF(2^8)
436 */
437 for( i = 0, x = 1; i < 256; i++ )
438 {
439 pow[i] = x;
440 log[x] = i;
441 x = ( x ^ XTIME( x ) ) & 0xFF;
442 }
443
444 /*
445 * calculate the round constants
446 */
447 for( i = 0, x = 1; i < 10; i++ )
448 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]449 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]450 x = XTIME( x ) & 0xFF;
451 }
452
453 /*
454 * generate the forward and reverse S-boxes
455 */
456 FSb[0x00] = 0x63;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]457#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]458 RSb[0x63] = 0x00;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]459#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460
461 for( i = 1; i < 256; i++ )
462 {
463 x = pow[255 - log[i]];
464
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]465 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
466 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
468 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469 x ^= y ^ 0x63;
470
471 FSb[i] = (unsigned char) x;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]472#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]473 RSb[x] = (unsigned char) i;
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]474#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]475 }
476
477 /*
478 * generate the forward and reverse tables
479 */
480 for( i = 0; i < 256; i++ )
481 {
482 x = FSb[i];
483 y = XTIME( x ) & 0xFF;
484 z = ( y ^ x ) & 0xFF;
485
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]486 FT0[i] = ( (uint32_t) y ) ^
487 ( (uint32_t) x << 8 ) ^
488 ( (uint32_t) x << 16 ) ^
489 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]490
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]491#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]492 FT1[i] = ROTL8( FT0[i] );
493 FT2[i] = ROTL8( FT1[i] );
494 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]495#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]496
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]497#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]498 x = RSb[i];
499
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]500 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
501 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
502 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
503 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]504
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]505#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]506 RT1[i] = ROTL8( RT0[i] );
507 RT2[i] = ROTL8( RT1[i] );
508 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]509#endif /* !MBEDTLS_AES_FEWER_TABLES */
Arto Kinnunen0fa65aa2019-10-21 14:43:37 +0300[diff] [blame]510#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]511 }
512}
513
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]514#undef ROTL8
515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]516#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]517
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]518#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]519
520#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
521#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
522#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
523
524#define AES_RT0(idx) RT0[idx]
525#define AES_RT1(idx) ROTL8( RT0[idx] )
526#define AES_RT2(idx) ROTL16( RT0[idx] )
527#define AES_RT3(idx) ROTL24( RT0[idx] )
528
529#define AES_FT0(idx) FT0[idx]
530#define AES_FT1(idx) ROTL8( FT0[idx] )
531#define AES_FT2(idx) ROTL16( FT0[idx] )
532#define AES_FT3(idx) ROTL24( FT0[idx] )
533
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]534#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]535
536#define AES_RT0(idx) RT0[idx]
537#define AES_RT1(idx) RT1[idx]
538#define AES_RT2(idx) RT2[idx]
539#define AES_RT3(idx) RT3[idx]
540
541#define AES_FT0(idx) FT0[idx]
542#define AES_FT1(idx) FT1[idx]
543#define AES_FT2(idx) FT2[idx]
544#define AES_FT3(idx) FT3[idx]
545
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]546#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]547
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]548// TODO, replace with proper flagging
549
550#if /* defined(AES_128_SCA_CM) &&*/ defined(MBEDTLS_ENTROPY_HARDWARE_ALT)
551#define AES_SCA_COUNTERMEASURES
552#endif
553
554#if defined(AES_SCA_COUNTERMEASURES)
555static void aes_sca_rand_tbl_fill(uint8_t *tbl, uint8_t tbl_len, uint8_t max_num)
556{
557 int i, j, is_unique_number;
558 uint8_t *cur_num;
559 uint8_t num;
560
561 cur_num = tbl;
562
563 for ( i = 0; i < tbl_len; i++ )
564 {
565 do {
566 is_unique_number = 1;
567 num = mbedtls_platform_random_in_range( max_num + 1 );
568
569 for ( j = 0; j < i; j++ )
570 {
571 if (num == tbl[j])
572 {
573 is_unique_number = 0;
574 break;
575 }
576 }
577 } while ( is_unique_number == 0 );
578
579 *cur_num++ = num;
580 }
581}
582#endif
583
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]584void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]585{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]586 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]587
Manuel Pégourié-Gonnard99419332019-10-03 10:40:57 +0200[diff] [blame]588 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]589}
590
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]591void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]592{
593 if( ctx == NULL )
594 return;
595
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]596 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]597}
598
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]599#if defined(MBEDTLS_CIPHER_MODE_XTS)
600void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
601{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]602 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]603
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]604 mbedtls_aes_init( &ctx->crypt );
605 mbedtls_aes_init( &ctx->tweak );
606}
607
608void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
609{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]610 if( ctx == NULL )
611 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]612
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]613 mbedtls_aes_free( &ctx->crypt );
614 mbedtls_aes_free( &ctx->tweak );
615}
616#endif /* MBEDTLS_CIPHER_MODE_XTS */
617
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]618/*
619 * AES key schedule (encryption)
620 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]621#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]622int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]623 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]625 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]626 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]627
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]628 AES_VALIDATE_RET( ctx != NULL );
629 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]630
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]631 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632 {
633 case 128: ctx->nr = 10; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]634#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]635 case 192: ctx->nr = 12; break;
636 case 256: ctx->nr = 14; break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]637#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]638 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]639 }
640
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]641#if !defined(MBEDTLS_AES_ROM_TABLES)
642 if( aes_init_done == 0 )
643 {
644 aes_gen_tables();
645 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]646 }
647#endif
648
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]649#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]650 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]651 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]652
653 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]654 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]655 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]656#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]657 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]658
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]659#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]660 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]661 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]662#endif
663
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]664 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]665 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]666 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667 }
668
669 switch( ctx->nr )
670 {
671 case 10:
672
673 for( i = 0; i < 10; i++, RK += 4 )
674 {
675 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]676 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
677 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
678 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
679 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]680
681 RK[5] = RK[1] ^ RK[4];
682 RK[6] = RK[2] ^ RK[5];
683 RK[7] = RK[3] ^ RK[6];
684 }
685 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]686#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 case 12:
688
689 for( i = 0; i < 8; i++, RK += 6 )
690 {
691 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]692 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
693 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
694 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
695 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]696
697 RK[7] = RK[1] ^ RK[6];
698 RK[8] = RK[2] ^ RK[7];
699 RK[9] = RK[3] ^ RK[8];
700 RK[10] = RK[4] ^ RK[9];
701 RK[11] = RK[5] ^ RK[10];
702 }
703 break;
704
705 case 14:
706
707 for( i = 0; i < 7; i++, RK += 8 )
708 {
709 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]710 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
711 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
712 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
713 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]714
715 RK[9] = RK[1] ^ RK[8];
716 RK[10] = RK[2] ^ RK[9];
717 RK[11] = RK[3] ^ RK[10];
718
719 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]720 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
721 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
722 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
723 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]724
725 RK[13] = RK[5] ^ RK[12];
726 RK[14] = RK[6] ^ RK[13];
727 RK[15] = RK[7] ^ RK[14];
728 }
729 break;
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]730#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]731 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]732
733 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]734}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]735#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]736
737/*
738 * AES key schedule (decryption)
739 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]740#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]741int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]742 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]743{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]744#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
745 (void) ctx;
746 (void) key;
747 (void) keybits;
748
749 return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
750#else /* */
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]751 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]752 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]753 uint32_t *RK;
754 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]755
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]756 AES_VALIDATE_RET( ctx != NULL );
757 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]758
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]759 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]760
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]761#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]762 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]763 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]764
765 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]766 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]767 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]768#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]769 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]770
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]771 /* Also checks keybits */
772 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]773 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]774
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]775 ctx->nr = cty.nr;
776
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]777#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]778 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]779 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]780 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]781 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]782 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]783 }
784#endif
785
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]786 SK = cty.rk + cty.nr * 4;
787
788 *RK++ = *SK++;
789 *RK++ = *SK++;
790 *RK++ = *SK++;
791 *RK++ = *SK++;
792
793 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
794 {
795 for( j = 0; j < 4; j++, SK++ )
796 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]797 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
798 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
799 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
800 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]801 }
802 }
803
804 *RK++ = *SK++;
805 *RK++ = *SK++;
806 *RK++ = *SK++;
807 *RK++ = *SK++;
808
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]809exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]810 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]811
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]812 return( ret );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]813#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]814}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]815
816#if defined(MBEDTLS_CIPHER_MODE_XTS)
817static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
818 unsigned int keybits,
819 const unsigned char **key1,
820 unsigned int *key1bits,
821 const unsigned char **key2,
822 unsigned int *key2bits )
823{
824 const unsigned int half_keybits = keybits / 2;
825 const unsigned int half_keybytes = half_keybits / 8;
826
827 switch( keybits )
828 {
829 case 256: break;
830 case 512: break;
831 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
832 }
833
834 *key1bits = half_keybits;
835 *key2bits = half_keybits;
836 *key1 = &key[0];
837 *key2 = &key[half_keybytes];
838
839 return 0;
840}
841
842int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
843 const unsigned char *key,
844 unsigned int keybits)
845{
846 int ret;
847 const unsigned char *key1, *key2;
848 unsigned int key1bits, key2bits;
849
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]850 AES_VALIDATE_RET( ctx != NULL );
851 AES_VALIDATE_RET( key != NULL );
852
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]853 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
854 &key2, &key2bits );
855 if( ret != 0 )
856 return( ret );
857
858 /* Set the tweak key. Always set tweak key for the encryption mode. */
859 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
860 if( ret != 0 )
861 return( ret );
862
863 /* Set crypt key for encryption. */
864 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
865}
866
867int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
868 const unsigned char *key,
869 unsigned int keybits)
870{
871 int ret;
872 const unsigned char *key1, *key2;
873 unsigned int key1bits, key2bits;
874
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]875 AES_VALIDATE_RET( ctx != NULL );
876 AES_VALIDATE_RET( key != NULL );
877
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]878 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
879 &key2, &key2bits );
880 if( ret != 0 )
881 return( ret );
882
883 /* Set the tweak key. Always set tweak key for encryption. */
884 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
885 if( ret != 0 )
886 return( ret );
887
888 /* Set crypt key for decryption. */
889 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
890}
891#endif /* MBEDTLS_CIPHER_MODE_XTS */
892
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]893#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]894
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]895#define AES_FROUND(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
896 do \
897 { \
898 (X0) = *(R)++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
899 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
900 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
901 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
902 \
903 (X1) = *(R)++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
904 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
905 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
906 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
907 \
908 (X2) = *(R)++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
909 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
910 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
911 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
912 \
913 (X3) = *(R)++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
914 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
915 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
916 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]917 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]918
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]919#define AES_FROUND_F(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
920 do { \
921 (X0) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y0) ) & 0xFF ] ) ^ \
922 ( (uint32_t) FSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^ \
923 ( (uint32_t) FSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^ \
924 ( (uint32_t) FSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 ); \
925 \
926 (X1) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y1) ) & 0xFF ] ) ^ \
927 ( (uint32_t) FSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^ \
928 ( (uint32_t) FSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^ \
929 ( (uint32_t) FSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 ); \
930 \
931 (X2) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y2) ) & 0xFF ] ) ^ \
932 ( (uint32_t) FSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^ \
933 ( (uint32_t) FSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^ \
934 ( (uint32_t) FSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 ); \
935 \
936 (X3) = *(R)++ ^ ( (uint32_t) FSb[ ( (Y3) ) & 0xFF ] ) ^ \
937 ( (uint32_t) FSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^ \
938 ( (uint32_t) FSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^ \
939 ( (uint32_t) FSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 ); \
940 } while ( 0 )
941
942#define AES_RROUND(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
943 do \
944 { \
945 (X0) = *(R)++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
946 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
947 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
948 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
949 \
950 (X1) = *(R)++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
951 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
952 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
953 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
954 \
955 (X2) = *(R)++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
956 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
957 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
958 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
959 \
960 (X3) = *(R)++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
961 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
962 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
963 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
964 } while( 0 )
965
966#define AES_RROUND_F(R,X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
967 do \
968 { \
969 (X0) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y0) ) & 0xFF ] ) ^ \
970 ( (uint32_t) RSb[ ( (Y3) >> 8 ) & 0xFF ] << 8 ) ^ \
971 ( (uint32_t) RSb[ ( (Y2) >> 16 ) & 0xFF ] << 16 ) ^ \
972 ( (uint32_t) RSb[ ( (Y1) >> 24 ) & 0xFF ] << 24 ); \
973 \
974 (X1) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y1) ) & 0xFF ] ) ^ \
975 ( (uint32_t) RSb[ ( (Y0) >> 8 ) & 0xFF ] << 8 ) ^ \
976 ( (uint32_t) RSb[ ( (Y3) >> 16 ) & 0xFF ] << 16 ) ^ \
977 ( (uint32_t) RSb[ ( (Y2) >> 24 ) & 0xFF ] << 24 ); \
978 \
979 (X2) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y2) ) & 0xFF ] ) ^ \
980 ( (uint32_t) RSb[ ( (Y1) >> 8 ) & 0xFF ] << 8 ) ^ \
981 ( (uint32_t) RSb[ ( (Y0) >> 16 ) & 0xFF ] << 16 ) ^ \
982 ( (uint32_t) RSb[ ( (Y3) >> 24 ) & 0xFF ] << 24 ); \
983 \
984 (X3) = *(R)++ ^ ( (uint32_t) RSb[ ( (Y3) ) & 0xFF ] ) ^ \
985 ( (uint32_t) RSb[ ( (Y2) >> 8 ) & 0xFF ] << 8 ) ^ \
986 ( (uint32_t) RSb[ ( (Y1) >> 16 ) & 0xFF ] << 16 ) ^ \
987 ( (uint32_t) RSb[ ( (Y0) >> 24 ) & 0xFF ] << 24 ); \
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]988 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]989
990/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]991 * AES-ECB block encryption
992 */
993#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]994int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
995 const unsigned char input[16],
996 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]997{
998 int i;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]999 uint32_t *RK, X0, X1, X2, X3, Y0 = 0, Y1 = 0, Y2 = 0, Y3 = 0;
1000
1001#ifdef AES_SCA_COUNTERMEASURES
1002 uint32_t *RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA;
1003 uint8_t sca_cm_pos_tbl[SCA_CM_DUMMY_ROUND_COUNT]; // position for SCA countermeasure dummy rounds, not in any order
1004
1005 aes_sca_rand_tbl_fill(sca_cm_pos_tbl, SCA_CM_DUMMY_ROUND_COUNT, ctx->nr);
1006
1007 X0_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1008 X1_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1009 X2_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1010 X3_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1011#endif /* AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1012
1013 RK = ctx->rk;
1014
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1015#ifdef AES_SCA_COUNTERMEASURES
1016 RK_SCA = RK;
1017
1018 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, ctx->nr ) )
1019 {
1020 /* LE conversions to Xn, Xn_SCA randomized */
1021 GET_UINT32_LE( X0, input, 0 ); X0_SCA ^= *RK_SCA++;
1022 GET_UINT32_LE( X1, input, 4 ); X1_SCA ^= *RK_SCA++;
1023 GET_UINT32_LE( X2, input, 8 ); X2_SCA ^= *RK_SCA++;
1024 GET_UINT32_LE( X3, input, 12 ); X3_SCA ^= *RK_SCA++;
1025 }
1026#endif /* AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1027 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
1028 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
1029 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
1030 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
1031
1032 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
1033 {
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1034#ifdef AES_SCA_COUNTERMEASURES
1035 // Would random delay before each round be necessary?
1036 //
1037 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, i * 2 ) )
1038 AES_FROUND( RK_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA,
1039 X0_SCA, X1_SCA, X2_SCA, X3_SCA );
1040
1041 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, i* 2 ) )
1042 AES_FROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1043
1044 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, i * 2 + 1 ) )
1045 AES_FROUND( RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA,
1046 Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA);
1047
1048 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, i * 2 + 1 ) )
1049 AES_FROUND( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
1050#else /* AES_SCA_COUNTERMEASURES */
1051 AES_FROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1052 AES_FROUND( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
1053#endif /* AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1054 }
1055
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1056#ifdef AES_SCA_COUNTERMEASURES
1057 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, 1 ) )
1058 AES_FROUND( RK_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA,
1059 X0_SCA, X1_SCA, X2_SCA, X3_SCA );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1060
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1061 if ( SCA_CM_ALWAYS_TRUE ( sca_cm_pos_tbl, 1 ) )
1062 AES_FROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1063
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1064 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, 0 ) )
1065 AES_FROUND_F( RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA,
1066 Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1067
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1068 if ( SCA_CM_ALWAYS_TRUE ( sca_cm_pos_tbl, 0 ) )
1069 AES_FROUND_F( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1070
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1071#else
1072 AES_FROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1073 AES_FROUND_F( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
1074#endif
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1075
1076 PUT_UINT32_LE( X0, output, 0 );
1077 PUT_UINT32_LE( X1, output, 4 );
1078 PUT_UINT32_LE( X2, output, 8 );
1079 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1080
1081 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1082}
1083#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
1084
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1085#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1086void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
1087 const unsigned char input[16],
1088 unsigned char output[16] )
1089{
1090 mbedtls_internal_aes_encrypt( ctx, input, output );
1091}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1092#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1093
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1094/*
1095 * AES-ECB block decryption
1096 */
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1097
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1098#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1099#if !defined(MBEDTLS_AES_ONLY_ENCRYPT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1100int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
1101 const unsigned char input[16],
1102 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1103{
1104 int i;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1105 uint32_t *RK, X0, X1, X2, X3, Y0 = 0, Y1 = 0, Y2 = 0, Y3 = 0;
1106
1107#ifdef AES_SCA_COUNTERMEASURES
1108 uint32_t *RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA;
1109 uint8_t sca_cm_pos_tbl[SCA_CM_DUMMY_ROUND_COUNT]; // position for SCA countermeasure dummy rounds, not in any order
1110
1111 aes_sca_rand_tbl_fill(sca_cm_pos_tbl, SCA_CM_DUMMY_ROUND_COUNT, ctx->nr);
1112
1113 X0_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1114 X1_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1115 X2_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1116 X3_SCA = mbedtls_platform_random_in_range( 0xffffffff );
1117#endif /* AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1118
1119 RK = ctx->rk;
1120
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1121#ifdef AES_SCA_COUNTERMEASURES
1122 RK_SCA = RK;
1123 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, ctx->nr ) )
1124 {
1125 GET_UINT32_LE( X0, input, 0 ); X0_SCA ^= *RK_SCA++;
1126 GET_UINT32_LE( X1, input, 4 ); X1_SCA ^= *RK_SCA++;
1127 GET_UINT32_LE( X2, input, 8 ); X2_SCA ^= *RK_SCA++;
1128 GET_UINT32_LE( X3, input, 12 ); X3_SCA ^= *RK_SCA++;
1129 }
1130
1131 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, ctx->nr ) )
1132 {
1133 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
1134 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
1135 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
1136 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
1137 }
1138#else /* AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1139 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
1140 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
1141 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
1142 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1143#endif /* AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1144
1145 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
1146 {
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1147#ifdef AES_SCA_COUNTERMEASURES
1148 // Would random delay before each round be necessary?
1149 //
1150 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, i * 2 ) )
1151 AES_RROUND( RK_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA,
1152 X0_SCA, X1_SCA, X2_SCA, X3_SCA );
1153
1154 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, i* 2 ) )
1155 AES_RROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1156
1157 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, i * 2 + 1 ) )
1158 AES_RROUND( RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA,
1159 Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA);
1160
1161 if ( SCA_CM_ALWAYS_TRUE( sca_cm_pos_tbl, i * 2 + 1 ) )
1162 AES_RROUND( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
1163#else /* AES_SCA_COUNTERMEASURES */
1164 AES_RROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1165 AES_RROUND( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
1166#endif /* AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1167 }
1168
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1169#ifdef AES_SCA_COUNTERMEASURES
1170 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, 1 ) )
1171 AES_RROUND( RK_SCA, Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA,
1172 X0_SCA, X1_SCA, X2_SCA, X3_SCA );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1173
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1174 if ( SCA_CM_ALWAYS_TRUE ( sca_cm_pos_tbl, 1 ) )
1175 AES_RROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1176
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1177 if ( SCA_CM_TBL_MATCH( sca_cm_pos_tbl, 0 ) )
1178 AES_RROUND_F( RK_SCA, X0_SCA, X1_SCA, X2_SCA, X3_SCA,
1179 Y0_SCA, Y1_SCA, Y2_SCA, Y3_SCA );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1180
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1181 if ( SCA_CM_ALWAYS_TRUE ( sca_cm_pos_tbl, 0 ) )
1182 AES_RROUND_F( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1183
Arto Kinnunenf93d55e2019-10-11 11:15:57 +0300[diff] [blame^]1184#else /* AES_SCA_COUNTERMEASURES */
1185 AES_RROUND( RK, Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
1186 AES_RROUND_F( RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
1187#endif /* AES_SCA_COUNTERMEASURES */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1188
1189 PUT_UINT32_LE( X0, output, 0 );
1190 PUT_UINT32_LE( X1, output, 4 );
1191 PUT_UINT32_LE( X2, output, 8 );
1192 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1193
1194 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1195}
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1196#endif /* !MBEDTLS_AES_ONLY_ENCRYPT */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1197#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1198
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1199#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1200void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1201 const unsigned char input[16],
1202 unsigned char output[16] )
1203{
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1204#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1205 (void) ctx;
1206 (void) input;
1207 (void) output;
1208#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1209 mbedtls_internal_aes_decrypt( ctx, input, output );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1210#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1211}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1212#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1213
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1214/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1215 * AES-ECB block encryption/decryption
1216 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1217int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1218 int mode,
1219 const unsigned char input[16],
1220 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1221{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1222 AES_VALIDATE_RET( ctx != NULL );
1223 AES_VALIDATE_RET( input != NULL );
1224 AES_VALIDATE_RET( output != NULL );
1225 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1226 mode == MBEDTLS_AES_DECRYPT );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1227 (void) mode;
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1228
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1229#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1230 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1231 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1232#endif
1233
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1234#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1235 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1236 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1237 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1238 return( 0 );
1239
1240 // If padlock data misaligned, we just fall back to
1241 // unaccelerated mode
1242 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1243 }
1244#endif
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1245#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
1246 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1247#else /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1248
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1249 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1250 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1251 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1252 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Arto Kinnunen14804442019-10-16 13:43:59 +0300[diff] [blame]1253#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1254}
1255
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1256#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1257/*
1258 * AES-CBC buffer encryption/decryption
1259 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1260int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1261 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1262 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1263 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1264 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1265 unsigned char *output )
1266{
1267 int i;
1268 unsigned char temp[16];
1269
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1270 AES_VALIDATE_RET( ctx != NULL );
1271 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1272 mode == MBEDTLS_AES_DECRYPT );
1273 AES_VALIDATE_RET( iv != NULL );
1274 AES_VALIDATE_RET( input != NULL );
1275 AES_VALIDATE_RET( output != NULL );
1276
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1277 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1278 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1279
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1280#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1281 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1282 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1283 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1284 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1285
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1286 // If padlock data misaligned, we just fall back to
1287 // unaccelerated mode
1288 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1289 }
1290#endif
1291
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1292 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1293 {
1294 while( length > 0 )
1295 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1296 mbedtls_platform_memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1297 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1298
1299 for( i = 0; i < 16; i++ )
1300 output[i] = (unsigned char)( output[i] ^ iv[i] );
1301
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1302 mbedtls_platform_memcpy( iv, temp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1303
1304 input += 16;
1305 output += 16;
1306 length -= 16;
1307 }
1308 }
1309 else
1310 {
1311 while( length > 0 )
1312 {
1313 for( i = 0; i < 16; i++ )
1314 output[i] = (unsigned char)( input[i] ^ iv[i] );
1315
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1316 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1317 mbedtls_platform_memcpy( iv, output, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318
1319 input += 16;
1320 output += 16;
1321 length -= 16;
1322 }
1323 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1324
1325 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1327#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1328
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1329#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1330
1331/* Endianess with 64 bits values */
1332#ifndef GET_UINT64_LE
1333#define GET_UINT64_LE(n,b,i) \
1334{ \
1335 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1336 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1337 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1338 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1339 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1340 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1341 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1342 | ( (uint64_t) (b)[(i) ] ); \
1343}
1344#endif
1345
1346#ifndef PUT_UINT64_LE
1347#define PUT_UINT64_LE(n,b,i) \
1348{ \
1349 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1350 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1351 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1352 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1353 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1354 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1355 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1356 (b)[(i) ] = (unsigned char) ( (n) ); \
1357}
1358#endif
1359
1360typedef unsigned char mbedtls_be128[16];
1361
1362/*
1363 * GF(2^128) multiplication function
1364 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1365 * This function multiplies a field element by x in the polynomial field
1366 * representation. It uses 64-bit word operations to gain speed but compensates
1367 * for machine endianess and hence works correctly on both big and little
1368 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1369 */
1370static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1371 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1372{
1373 uint64_t a, b, ra, rb;
1374
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1375 GET_UINT64_LE( a, x, 0 );
1376 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1377
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1378 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1379 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1380
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1381 PUT_UINT64_LE( ra, r, 0 );
1382 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1383}
1384
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1385/*
1386 * AES-XTS buffer encryption/decryption
1387 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1388int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1389 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1390 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1391 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1392 const unsigned char *input,
1393 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1394{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1395 int ret;
1396 size_t blocks = length / 16;
1397 size_t leftover = length % 16;
1398 unsigned char tweak[16];
1399 unsigned char prev_tweak[16];
1400 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1401
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1402 AES_VALIDATE_RET( ctx != NULL );
1403 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1404 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1405 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1406 AES_VALIDATE_RET( input != NULL );
1407 AES_VALIDATE_RET( output != NULL );
1408
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1409 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1410 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1411 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1412
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1413 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1414 if( length > ( 1 << 20 ) * 16 )
1415 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1416
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1417 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1418 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1419 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1420 if( ret != 0 )
1421 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1422
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1423 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1424 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1425 size_t i;
1426
1427 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1428 {
1429 /* We are on the last block in a decrypt operation that has
1430 * leftover bytes, so we need to use the next tweak for this block,
1431 * and this tweak for the lefover bytes. Save the current tweak for
1432 * the leftovers and then update the current tweak for use on this,
1433 * the last full block. */
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1434 mbedtls_platform_memcpy( prev_tweak, tweak, sizeof( tweak ) );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1435 mbedtls_gf128mul_x_ble( tweak, tweak );
1436 }
1437
1438 for( i = 0; i < 16; i++ )
1439 tmp[i] = input[i] ^ tweak[i];
1440
1441 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1442 if( ret != 0 )
1443 return( ret );
1444
1445 for( i = 0; i < 16; i++ )
1446 output[i] = tmp[i] ^ tweak[i];
1447
1448 /* Update the tweak for the next block. */
1449 mbedtls_gf128mul_x_ble( tweak, tweak );
1450
1451 output += 16;
1452 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1453 }
1454
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1455 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1456 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1457 /* If we are on the leftover bytes in a decrypt operation, we need to
1458 * use the previous tweak for these bytes (as saved in prev_tweak). */
1459 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1460
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1461 /* We are now on the final part of the data unit, which doesn't divide
1462 * evenly by 16. It's time for ciphertext stealing. */
1463 size_t i;
1464 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1465
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1466 /* Copy ciphertext bytes from the previous block to our output for each
1467 * byte of cyphertext we won't steal. At the same time, copy the
1468 * remainder of the input for this final round (since the loop bounds
1469 * are the same). */
1470 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1471 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1472 output[i] = prev_output[i];
1473 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1474 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1475
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1476 /* Copy ciphertext bytes from the previous block for input in this
1477 * round. */
1478 for( ; i < 16; i++ )
1479 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1480
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1481 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1482 if( ret != 0 )
1483 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1484
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1485 /* Write the result back to the previous block, overriding the previous
1486 * output we copied. */
1487 for( i = 0; i < 16; i++ )
1488 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1489 }
1490
1491 return( 0 );
1492}
1493#endif /* MBEDTLS_CIPHER_MODE_XTS */
1494
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1495#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1496/*
1497 * AES-CFB128 buffer encryption/decryption
1498 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1499int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1500 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1501 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1502 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1503 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1504 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1505 unsigned char *output )
1506{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1507 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1508 size_t n;
1509
1510 AES_VALIDATE_RET( ctx != NULL );
1511 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1512 mode == MBEDTLS_AES_DECRYPT );
1513 AES_VALIDATE_RET( iv_off != NULL );
1514 AES_VALIDATE_RET( iv != NULL );
1515 AES_VALIDATE_RET( input != NULL );
1516 AES_VALIDATE_RET( output != NULL );
1517
1518 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1519
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1520 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1521 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1523 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1524 {
1525 while( length-- )
1526 {
1527 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1528 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1529
1530 c = *input++;
1531 *output++ = (unsigned char)( c ^ iv[n] );
1532 iv[n] = (unsigned char) c;
1533
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1534 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1535 }
1536 }
1537 else
1538 {
1539 while( length-- )
1540 {
1541 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1542 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1543
1544 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1545
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1546 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1547 }
1548 }
1549
1550 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1551
1552 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1553}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1554
1555/*
1556 * AES-CFB8 buffer encryption/decryption
1557 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1558int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1559 int mode,
1560 size_t length,
1561 unsigned char iv[16],
1562 const unsigned char *input,
1563 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1564{
1565 unsigned char c;
1566 unsigned char ov[17];
1567
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1568 AES_VALIDATE_RET( ctx != NULL );
1569 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1570 mode == MBEDTLS_AES_DECRYPT );
1571 AES_VALIDATE_RET( iv != NULL );
1572 AES_VALIDATE_RET( input != NULL );
1573 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1574 while( length-- )
1575 {
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1576 mbedtls_platform_memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1577 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1578
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1579 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1580 ov[16] = *input;
1581
1582 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1583
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1584 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1585 ov[16] = c;
1586
Teppo Järvelin91d79382019-10-02 09:09:31 +0300[diff] [blame]1587 mbedtls_platform_memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1588 }
1589
1590 return( 0 );
1591}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1592#endif /* MBEDTLS_CIPHER_MODE_CFB */
1593
1594#if defined(MBEDTLS_CIPHER_MODE_OFB)
1595/*
1596 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1597 */
1598int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1599 size_t length,
1600 size_t *iv_off,
1601 unsigned char iv[16],
1602 const unsigned char *input,
1603 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1604{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1605 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1606 size_t n;
1607
1608 AES_VALIDATE_RET( ctx != NULL );
1609 AES_VALIDATE_RET( iv_off != NULL );
1610 AES_VALIDATE_RET( iv != NULL );
1611 AES_VALIDATE_RET( input != NULL );
1612 AES_VALIDATE_RET( output != NULL );
1613
1614 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1615
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1616 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1617 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1618
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1619 while( length-- )
1620 {
1621 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1622 {
1623 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1624 if( ret != 0 )
1625 goto exit;
1626 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1627 *output++ = *input++ ^ iv[n];
1628
1629 n = ( n + 1 ) & 0x0F;
1630 }
1631
1632 *iv_off = n;
1633
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1634exit:
1635 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1636}
1637#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1638
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1639#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1640/*
1641 * AES-CTR buffer encryption/decryption
1642 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1643int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1644 size_t length,
1645 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1646 unsigned char nonce_counter[16],
1647 unsigned char stream_block[16],
1648 const unsigned char *input,
1649 unsigned char *output )
1650{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1651 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1652 size_t n;
1653
1654 AES_VALIDATE_RET( ctx != NULL );
1655 AES_VALIDATE_RET( nc_off != NULL );
1656 AES_VALIDATE_RET( nonce_counter != NULL );
1657 AES_VALIDATE_RET( stream_block != NULL );
1658 AES_VALIDATE_RET( input != NULL );
1659 AES_VALIDATE_RET( output != NULL );
1660
1661 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1662
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1663 if ( n > 0x0F )
1664 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1665
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1666 while( length-- )
1667 {
1668 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1669 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1670
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1671 for( i = 16; i > 0; i-- )
1672 if( ++nonce_counter[i - 1] != 0 )
1673 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1674 }
1675 c = *input++;
1676 *output++ = (unsigned char)( c ^ stream_block[n] );
1677
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1678 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1679 }
1680
1681 *nc_off = n;
1682
1683 return( 0 );
1684}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1685#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1686
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1687#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1688
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1689#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1690/*
1691 * AES test vectors from:
1692 *
1693 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1694 */
1695static const unsigned char aes_test_ecb_dec[3][16] =
1696{
1697 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1698 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1699 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1700 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1701 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1702 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1703};
1704
1705static const unsigned char aes_test_ecb_enc[3][16] =
1706{
1707 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1708 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1709 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1710 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1711 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1712 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1713};
1714
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1715#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1716static const unsigned char aes_test_cbc_dec[3][16] =
1717{
1718 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1719 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1720 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1721 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1722 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1723 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1724};
1725
1726static const unsigned char aes_test_cbc_enc[3][16] =
1727{
1728 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1729 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1730 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1731 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1732 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1733 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1734};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1735#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1736
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1737#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1738/*
1739 * AES-CFB128 test vectors from:
1740 *
1741 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1742 */
1743static const unsigned char aes_test_cfb128_key[3][32] =
1744{
1745 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1746 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1747 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1748 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1749 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1750 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1751 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1752 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1753 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1754};
1755
1756static const unsigned char aes_test_cfb128_iv[16] =
1757{
1758 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1759 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1760};
1761
1762static const unsigned char aes_test_cfb128_pt[64] =
1763{
1764 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1765 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1766 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1767 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1768 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1769 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1770 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1771 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1772};
1773
1774static const unsigned char aes_test_cfb128_ct[3][64] =
1775{
1776 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1777 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1778 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1779 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1780 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1781 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1782 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1783 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1784 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1785 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1786 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1787 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1788 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1789 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1790 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1791 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1792 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1793 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1794 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1795 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1796 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1797 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1798 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1799 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1800};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1801#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1802
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1803#if defined(MBEDTLS_CIPHER_MODE_OFB)
1804/*
1805 * AES-OFB test vectors from:
1806 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1807 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1808 */
1809static const unsigned char aes_test_ofb_key[3][32] =
1810{
1811 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1812 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1813 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1814 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1815 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1816 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1817 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1818 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1819 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1820};
1821
1822static const unsigned char aes_test_ofb_iv[16] =
1823{
1824 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1825 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1826};
1827
1828static const unsigned char aes_test_ofb_pt[64] =
1829{
1830 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1831 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1832 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1833 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1834 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1835 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1836 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1837 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1838};
1839
1840static const unsigned char aes_test_ofb_ct[3][64] =
1841{
1842 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1843 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1844 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1845 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1846 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1847 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1848 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1849 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1850 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1851 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1852 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1853 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1854 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1855 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1856 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1857 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1858 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1859 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1860 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1861 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1862 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1863 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1864 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1865 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1866};
1867#endif /* MBEDTLS_CIPHER_MODE_OFB */
1868
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1869#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1870/*
1871 * AES-CTR test vectors from:
1872 *
1873 * http://www.faqs.org/rfcs/rfc3686.html
1874 */
1875
1876static const unsigned char aes_test_ctr_key[3][16] =
1877{
1878 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1879 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1880 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1881 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1882 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1883 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1884};
1885
1886static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1887{
1888 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1889 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1890 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1891 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1892 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1893 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1894};
1895
1896static const unsigned char aes_test_ctr_pt[3][48] =
1897{
1898 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1899 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1900
1901 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1902 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1903 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1904 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1905
1906 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1907 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1908 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1909 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1910 0x20, 0x21, 0x22, 0x23 }
1911};
1912
1913static const unsigned char aes_test_ctr_ct[3][48] =
1914{
1915 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1916 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1917 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1918 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1919 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1920 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1921 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1922 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1923 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1924 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1925 0x25, 0xB2, 0x07, 0x2F }
1926};
1927
1928static const int aes_test_ctr_len[3] =
1929 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1930#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1931
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1932#if defined(MBEDTLS_CIPHER_MODE_XTS)
1933/*
1934 * AES-XTS test vectors from:
1935 *
1936 * IEEE P1619/D16 Annex B
1937 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1938 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1939 */
1940static const unsigned char aes_test_xts_key[][32] =
1941{
1942 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1943 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1944 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1945 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1946 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1947 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1948 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1949 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1950 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1951 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1952 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1953 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1954};
1955
1956static const unsigned char aes_test_xts_pt32[][32] =
1957{
1958 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1959 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1960 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1961 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1962 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1963 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1964 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1965 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1966 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1967 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1968 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1969 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1970};
1971
1972static const unsigned char aes_test_xts_ct32[][32] =
1973{
1974 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1975 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1976 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1977 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1978 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1979 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1980 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1981 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1982 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1983 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1984 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1985 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1986};
1987
1988static const unsigned char aes_test_xts_data_unit[][16] =
1989{
1990 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1991 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1992 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1993 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1994 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1995 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1996};
1997
1998#endif /* MBEDTLS_CIPHER_MODE_XTS */
1999
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2000/*
2001 * Checkup routine
2002 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2003int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2004{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2005 int ret = 0, i, j, u, mode;
2006 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2007 unsigned char key[32];
2008 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2009 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2010#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2011 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]2012#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2013#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]2014 unsigned char prv[16];
2015#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]2016#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
2017 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]2018 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2019#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2020#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]2021 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]2022#endif
2023#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2024 unsigned char nonce_counter[16];
2025 unsigned char stream_block[16];
2026#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2027 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2028
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2029 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2030 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2031
2032 /*
2033 * ECB mode
2034 */
2035 for( i = 0; i < 6; i++ )
2036 {
2037 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2038 keybits = 128 + u * 64;
2039 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2040
2041 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2042 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
2043 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2044
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2045#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2046 if( keybits > 128 )
2047 {
2048 mbedtls_printf( "skipped\n" );
2049 continue;
2050 }
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2051#endif /* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
2052
2053#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2054 if( mode == MBEDTLS_AES_DECRYPT )
2055 {
2056 mbedtls_printf( "skipped\n" );
2057 continue;
2058 }
2059#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2060
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2061 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2062
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2063 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2064 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2065 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2066 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2067 }
2068 else
2069 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2070 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2071 aes_tests = aes_test_ecb_enc[u];
2072 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2073
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2074 /*
2075 * AES-192 is an optional feature that may be unavailable when
2076 * there is an alternative underlying implementation i.e. when
2077 * MBEDTLS_AES_ALT is defined.
2078 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2079 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2080 {
2081 mbedtls_printf( "skipped\n" );
2082 continue;
2083 }
2084 else if( ret != 0 )
2085 {
2086 goto exit;
2087 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2088
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2089 for( j = 0; j < 10000; j++ )
2090 {
2091 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
2092 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2093 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2094 }
2095
2096 if( memcmp( buf, aes_tests, 16 ) != 0 )
2097 {
2098 ret = 1;
2099 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2100 }
2101
2102 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2103 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2104 }
2105
2106 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2107 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2109#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2110 /*
2111 * CBC mode
2112 */
2113 for( i = 0; i < 6; i++ )
2114 {
2115 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2116 keybits = 128 + u * 64;
2117 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2118
2119 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2120 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
2121 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2122
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2123#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2124 if( keybits > 128 )
2125 {
2126 mbedtls_printf( "skipped\n" );
2127 continue;
2128 }
2129#endif
2130
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2131#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2132 if( mode == MBEDTLS_AES_DECRYPT )
2133 {
2134 mbedtls_printf( "skipped\n" );
2135 continue;
2136 }
2137#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2138
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2139 memset( iv , 0, 16 );
2140 memset( prv, 0, 16 );
2141 memset( buf, 0, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2142
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2143 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2144 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2145 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
2146 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2147 }
2148 else
2149 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2150 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2151 aes_tests = aes_test_cbc_enc[u];
2152 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2153
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2154 /*
2155 * AES-192 is an optional feature that may be unavailable when
2156 * there is an alternative underlying implementation i.e. when
2157 * MBEDTLS_AES_ALT is defined.
2158 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2159 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2160 {
2161 mbedtls_printf( "skipped\n" );
2162 continue;
2163 }
2164 else if( ret != 0 )
2165 {
2166 goto exit;
2167 }
2168
2169 for( j = 0; j < 10000; j++ )
2170 {
2171 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2172 {
2173 unsigned char tmp[16];
2174
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2175 memcpy( tmp, prv, 16 );
2176 memcpy( prv, buf, 16 );
2177 memcpy( buf, tmp, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2178 }
2179
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2180 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
2181 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2182 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2183
2184 }
2185
2186 if( memcmp( buf, aes_tests, 16 ) != 0 )
2187 {
2188 ret = 1;
2189 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2190 }
2191
2192 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2193 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2194 }
2195
2196 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2197 mbedtls_printf( "\n" );
2198#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2199
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2200#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2201 /*
2202 * CFB128 mode
2203 */
2204 for( i = 0; i < 6; i++ )
2205 {
2206 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2207 keybits = 128 + u * 64;
2208 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2209
2210 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2211 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2212 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2213
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2214#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2215 if( keybits > 128 )
2216 {
2217 mbedtls_printf( "skipped\n" );
2218 continue;
2219 }
2220#endif
2221
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2222#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2223 if( mode == MBEDTLS_AES_DECRYPT )
2224 {
2225 mbedtls_printf( "skipped\n" );
2226 continue;
2227 }
2228#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2229
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2230 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2231 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2232
2233 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2234 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2235 /*
2236 * AES-192 is an optional feature that may be unavailable when
2237 * there is an alternative underlying implementation i.e. when
2238 * MBEDTLS_AES_ALT is defined.
2239 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2240 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2241 {
2242 mbedtls_printf( "skipped\n" );
2243 continue;
2244 }
2245 else if( ret != 0 )
2246 {
2247 goto exit;
2248 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2249
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2250 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2251 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2252 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2253 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2254 }
2255 else
2256 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2257 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2258 aes_tests = aes_test_cfb128_ct[u];
2259 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2260
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2261 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2262 if( ret != 0 )
2263 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2264
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2265 if( memcmp( buf, aes_tests, 64 ) != 0 )
2266 {
2267 ret = 1;
2268 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2269 }
2270
2271 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2272 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2273 }
2274
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2275 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2276 mbedtls_printf( "\n" );
2277#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2278
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2279#if defined(MBEDTLS_CIPHER_MODE_OFB)
2280 /*
2281 * OFB mode
2282 */
2283 for( i = 0; i < 6; i++ )
2284 {
2285 u = i >> 1;
2286 keybits = 128 + u * 64;
2287 mode = i & 1;
2288
2289 if( verbose != 0 )
2290 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2291 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2292
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2293#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2294 if( keybits > 128 )
2295 {
2296 mbedtls_printf( "skipped\n" );
2297 continue;
2298 }
2299#endif
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2300
2301#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2302 if( mode == MBEDTLS_AES_DECRYPT )
2303 {
2304 mbedtls_printf( "skipped\n" );
2305 continue;
2306 }
2307#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2308
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2309 memcpy( iv, aes_test_ofb_iv, 16 );
2310 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2311
2312 offset = 0;
2313 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2314 /*
2315 * AES-192 is an optional feature that may be unavailable when
2316 * there is an alternative underlying implementation i.e. when
2317 * MBEDTLS_AES_ALT is defined.
2318 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2319 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2320 {
2321 mbedtls_printf( "skipped\n" );
2322 continue;
2323 }
2324 else if( ret != 0 )
2325 {
2326 goto exit;
2327 }
2328
2329 if( mode == MBEDTLS_AES_DECRYPT )
2330 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2331 memcpy( buf, aes_test_ofb_ct[u], 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2332 aes_tests = aes_test_ofb_pt;
2333 }
2334 else
2335 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2336 memcpy( buf, aes_test_ofb_pt, 64 );
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2337 aes_tests = aes_test_ofb_ct[u];
2338 }
2339
2340 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2341 if( ret != 0 )
2342 goto exit;
2343
2344 if( memcmp( buf, aes_tests, 64 ) != 0 )
2345 {
2346 ret = 1;
2347 goto exit;
2348 }
2349
2350 if( verbose != 0 )
2351 mbedtls_printf( "passed\n" );
2352 }
2353
2354 if( verbose != 0 )
2355 mbedtls_printf( "\n" );
2356#endif /* MBEDTLS_CIPHER_MODE_OFB */
2357
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2358#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2359 /*
2360 * CTR mode
2361 */
2362 for( i = 0; i < 6; i++ )
2363 {
2364 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2365 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2366
2367 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2368 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2369 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2370
Arto Kinnunen77b9cfc2019-08-30 11:43:21 +0300[diff] [blame]2371#if defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
2372 if( keybits > 128 )
2373 {
2374 mbedtls_printf( "skipped\n" );
2375 continue;
2376 }
2377#endif
2378
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2379#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2380 if( mode == MBEDTLS_AES_DECRYPT )
2381 {
2382 mbedtls_printf( "skipped\n" );
2383 continue;
2384 }
2385#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2386
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2387 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2388 memcpy( key, aes_test_ctr_key[u], 16 );
2389
2390 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2391 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2392 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2393
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2394 len = aes_test_ctr_len[u];
2395
2396 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2397 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2398 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2399 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2400 }
2401 else
2402 {
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2403 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2404 aes_tests = aes_test_ctr_ct[u];
2405 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2406
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2407 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2408 stream_block, buf, buf );
2409 if( ret != 0 )
2410 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2411
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2412 if( memcmp( buf, aes_tests, len ) != 0 )
2413 {
2414 ret = 1;
2415 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2416 }
2417
2418 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2419 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2420 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2421
2422 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2423 mbedtls_printf( "\n" );
2424#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2425
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2426#if defined(MBEDTLS_CIPHER_MODE_XTS)
2427 {
2428 static const int num_tests =
2429 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2430 mbedtls_aes_xts_context ctx_xts;
2431
2432 /*
2433 * XTS mode
2434 */
2435 mbedtls_aes_xts_init( &ctx_xts );
2436
2437 for( i = 0; i < num_tests << 1; i++ )
2438 {
2439 const unsigned char *data_unit;
2440 u = i >> 1;
2441 mode = i & 1;
2442
2443 if( verbose != 0 )
2444 mbedtls_printf( " AES-XTS-128 (%s): ",
2445 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2446
Arto Kinnunenc0a8bd42019-10-16 14:23:14 +0300[diff] [blame]2447#if defined(MBEDTLS_AES_ONLY_ENCRYPT)
2448 if( mode == MBEDTLS_AES_DECRYPT )
2449 {
2450 mbedtls_printf( "skipped\n" );
2451 continue;
2452 }
2453#endif /* MBEDTLS_AES_ONLY_ENCRYPT */
2454
Teppo Järvelind49d2b62019-10-30 13:48:12 +0200[diff] [blame]2455 memset( key, 0, sizeof( key ) );
2456 memcpy( key, aes_test_xts_key[u], 32 );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2457 data_unit = aes_test_xts_data_unit[u];
2458
2459 len = sizeof( *aes_test_xts_ct32 );
2460
2461 if( mode == MBEDTLS_AES_DECRYPT )
2462 {
2463 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2464 if( ret != 0)
2465 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2466 memcpy( buf, aes_test_xts_ct32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2467 aes_tests = aes_test_xts_pt32[u];
2468 }
2469 else
2470 {
2471 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2472 if( ret != 0)
2473 goto exit;
Teppo Järvelinb5c46712019-10-04 13:35:55 +0300[diff] [blame]2474 memcpy( buf, aes_test_xts_pt32[u], len );
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2475 aes_tests = aes_test_xts_ct32[u];
2476 }
2477
2478
2479 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2480 buf, buf );
2481 if( ret != 0 )
2482 goto exit;
2483
2484 if( memcmp( buf, aes_tests, len ) != 0 )
2485 {
2486 ret = 1;
2487 goto exit;
2488 }
2489
2490 if( verbose != 0 )
2491 mbedtls_printf( "passed\n" );
2492 }
2493
2494 if( verbose != 0 )
2495 mbedtls_printf( "\n" );
2496
2497 mbedtls_aes_xts_free( &ctx_xts );
2498 }
2499#endif /* MBEDTLS_CIPHER_MODE_XTS */
2500
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2501 ret = 0;
2502
2503exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2504 if( ret != 0 && verbose != 0 )
2505 mbedtls_printf( "failed\n" );
2506
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2507 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2508
2509 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2510}
2511
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2512#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2513
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2514#endif /* MBEDTLS_AES_C */