TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/alert_bugfixes_2.16 / . / library / aes.c
blob: da0e5b6bdced4dc3d1556fecf0dd633b69021552 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkútia2947ac2020-08-19 16:37:36 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]24 *
Bence Szépkútif744bd72020-06-05 13:02:18 +0200[diff] [blame]25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]45 */
46/*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]53#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]54#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]55#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]57#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]59#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]61#include <string.h>
62
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]63#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]64#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]65#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]66#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]67#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]68#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]69#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]70#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]71#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]72
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]73#if defined(MBEDTLS_SELF_TEST)
74#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]75#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]76#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]77#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]78#define mbedtls_printf printf
79#endif /* MBEDTLS_PLATFORM_C */
80#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]81
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]82#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]83
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]84/* Parameter validation macros based on platform_util.h */
85#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]86 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]87#define AES_VALIDATE( cond ) \
88 MBEDTLS_INTERNAL_VALIDATE( cond )
89
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90/*
91 * 32-bit integer manipulation macros (little endian)
92 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]93#ifndef GET_UINT32_LE
94#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]96 (n) = ( (uint32_t) (b)[(i) ] ) \
97 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
98 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
99 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]100}
101#endif
102
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]103#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]104#define PUT_UINT32_LE(n,b,i) \
105{ \
106 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
107 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
108 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
109 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]110}
111#endif
112
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]113#if defined(MBEDTLS_PADLOCK_C) && \
114 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]115static int aes_padlock_ace = -1;
116#endif
117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]118#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]119/*
120 * Forward S-box
121 */
122static const unsigned char FSb[256] =
123{
124 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
125 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
126 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
127 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
128 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
129 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
130 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
131 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
132 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
133 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
134 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
135 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
136 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
137 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
138 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
139 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
140 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
141 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
142 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
143 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
144 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
145 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
146 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
147 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
148 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
149 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
150 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
151 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
152 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
153 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
154 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
155 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
156};
157
158/*
159 * Forward tables
160 */
161#define FT \
162\
163 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
164 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
165 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
166 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
167 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
168 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
169 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
170 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
171 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
172 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
173 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
174 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
175 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
176 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
177 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
178 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
179 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
180 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
181 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
182 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
183 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
184 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
185 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
186 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
187 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
188 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
189 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
190 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
191 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
192 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
193 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
194 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
195 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
196 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
197 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
198 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
199 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
200 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
201 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
202 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
203 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
204 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
205 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
206 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
207 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
208 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
209 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
210 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
211 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
212 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
213 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
214 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
215 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
216 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
217 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
218 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
219 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
220 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
221 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
222 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
223 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
224 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
225 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
226 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
227
228#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]229static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]230#undef V
231
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]232#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]233
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]234#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]235static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]236#undef V
237
238#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]239static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]240#undef V
241
242#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]243static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244#undef V
245
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]246#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]247
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]248#undef FT
249
250/*
251 * Reverse S-box
252 */
253static const unsigned char RSb[256] =
254{
255 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
256 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
257 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
258 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
259 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
260 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
261 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
262 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
263 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
264 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
265 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
266 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
267 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
268 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
269 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
270 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
271 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
272 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
273 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
274 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
275 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
276 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
277 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
278 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
279 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
280 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
281 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
282 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
283 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
284 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
285 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
286 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
287};
288
289/*
290 * Reverse tables
291 */
292#define RT \
293\
294 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
295 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
296 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
297 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
298 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
299 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
300 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
301 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
302 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
303 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
304 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
305 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
306 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
307 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
308 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
309 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
310 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
311 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
312 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
313 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
314 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
315 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
316 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
317 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
318 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
319 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
320 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
321 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
322 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
323 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
324 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
325 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
326 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
327 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
328 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
329 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
330 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
331 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
332 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
333 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
334 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
335 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
336 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
337 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
338 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
339 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
340 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
341 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
342 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
343 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
344 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
345 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
346 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
347 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
348 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
349 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
350 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
351 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
352 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
353 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
354 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
355 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
356 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
357 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
358
359#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361#undef V
362
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]363#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]364
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]365#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]366static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]367#undef V
368
369#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]370static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371#undef V
372
373#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]374static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]375#undef V
376
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]377#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]378
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379#undef RT
380
381/*
382 * Round constants
383 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]385{
386 0x00000001, 0x00000002, 0x00000004, 0x00000008,
387 0x00000010, 0x00000020, 0x00000040, 0x00000080,
388 0x0000001B, 0x00000036
389};
390
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]391#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]392
393/*
394 * Forward S-box & tables
395 */
396static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]397static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]398#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]399static uint32_t FT1[256];
400static uint32_t FT2[256];
401static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]402#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]403
404/*
405 * Reverse S-box & tables
406 */
407static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]408static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]409#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]410static uint32_t RT1[256];
411static uint32_t RT2[256];
412static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]413#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]414
415/*
416 * Round constants
417 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]418static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419
420/*
421 * Tables generation code
422 */
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]423#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
424#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker3ac21ac2018-10-26 09:13:26 +0100[diff] [blame]425#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]426
427static int aes_init_done = 0;
428
429static void aes_gen_tables( void )
430{
431 int i, x, y, z;
432 int pow[256];
433 int log[256];
434
435 /*
436 * compute pow and log tables over GF(2^8)
437 */
438 for( i = 0, x = 1; i < 256; i++ )
439 {
440 pow[i] = x;
441 log[x] = i;
442 x = ( x ^ XTIME( x ) ) & 0xFF;
443 }
444
445 /*
446 * calculate the round constants
447 */
448 for( i = 0, x = 1; i < 10; i++ )
449 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]450 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]451 x = XTIME( x ) & 0xFF;
452 }
453
454 /*
455 * generate the forward and reverse S-boxes
456 */
457 FSb[0x00] = 0x63;
458 RSb[0x63] = 0x00;
459
460 for( i = 1; i < 256; i++ )
461 {
462 x = pow[255 - log[i]];
463
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]464 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
466 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468 x ^= y ^ 0x63;
469
470 FSb[i] = (unsigned char) x;
471 RSb[x] = (unsigned char) i;
472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]487
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]488#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]492#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]493
494 x = RSb[i];
495
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]496 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
497 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
498 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
499 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]500
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]501#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]502 RT1[i] = ROTL8( RT0[i] );
503 RT2[i] = ROTL8( RT1[i] );
504 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]505#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]506 }
507}
508
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]509#undef ROTL8
510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]512
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]513#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]514
515#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
516#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
517#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
518
519#define AES_RT0(idx) RT0[idx]
520#define AES_RT1(idx) ROTL8( RT0[idx] )
521#define AES_RT2(idx) ROTL16( RT0[idx] )
522#define AES_RT3(idx) ROTL24( RT0[idx] )
523
524#define AES_FT0(idx) FT0[idx]
525#define AES_FT1(idx) ROTL8( FT0[idx] )
526#define AES_FT2(idx) ROTL16( FT0[idx] )
527#define AES_FT3(idx) ROTL24( FT0[idx] )
528
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]529#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]530
531#define AES_RT0(idx) RT0[idx]
532#define AES_RT1(idx) RT1[idx]
533#define AES_RT2(idx) RT2[idx]
534#define AES_RT3(idx) RT3[idx]
535
536#define AES_FT0(idx) FT0[idx]
537#define AES_FT1(idx) FT1[idx]
538#define AES_FT2(idx) FT2[idx]
539#define AES_FT3(idx) FT3[idx]
540
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]541#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]542
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]543void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]544{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]545 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]546
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]547 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]548}
549
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]550void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]551{
552 if( ctx == NULL )
553 return;
554
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]555 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]556}
557
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]558#if defined(MBEDTLS_CIPHER_MODE_XTS)
559void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
560{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]561 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]562
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]563 mbedtls_aes_init( &ctx->crypt );
564 mbedtls_aes_init( &ctx->tweak );
565}
566
567void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
568{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]569 if( ctx == NULL )
570 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]571
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]572 mbedtls_aes_free( &ctx->crypt );
573 mbedtls_aes_free( &ctx->tweak );
574}
575#endif /* MBEDTLS_CIPHER_MODE_XTS */
576
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]577/*
578 * AES key schedule (encryption)
579 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]580#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]582 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]584 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]585 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]586
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]587 AES_VALIDATE_RET( ctx != NULL );
588 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]590 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591 {
592 case 128: ctx->nr = 10; break;
593 case 192: ctx->nr = 12; break;
594 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]595 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]596 }
597
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]598#if !defined(MBEDTLS_AES_ROM_TABLES)
599 if( aes_init_done == 0 )
600 {
601 aes_gen_tables();
602 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]603 }
604#endif
605
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]606#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]607 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]608 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]609
610 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]611 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]612 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]614 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]616#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]617 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]618 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]619#endif
620
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]621 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]622 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]623 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]624 }
625
626 switch( ctx->nr )
627 {
628 case 10:
629
630 for( i = 0; i < 10; i++, RK += 4 )
631 {
632 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]633 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
634 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
635 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
636 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]637
638 RK[5] = RK[1] ^ RK[4];
639 RK[6] = RK[2] ^ RK[5];
640 RK[7] = RK[3] ^ RK[6];
641 }
642 break;
643
644 case 12:
645
646 for( i = 0; i < 8; i++, RK += 6 )
647 {
648 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]649 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
650 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
651 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
652 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654 RK[7] = RK[1] ^ RK[6];
655 RK[8] = RK[2] ^ RK[7];
656 RK[9] = RK[3] ^ RK[8];
657 RK[10] = RK[4] ^ RK[9];
658 RK[11] = RK[5] ^ RK[10];
659 }
660 break;
661
662 case 14:
663
664 for( i = 0; i < 7; i++, RK += 8 )
665 {
666 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]667 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
668 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
669 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
670 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]671
672 RK[9] = RK[1] ^ RK[8];
673 RK[10] = RK[2] ^ RK[9];
674 RK[11] = RK[3] ^ RK[10];
675
676 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]677 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
678 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
679 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
680 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]681
682 RK[13] = RK[5] ^ RK[12];
683 RK[14] = RK[6] ^ RK[13];
684 RK[15] = RK[7] ^ RK[14];
685 }
686 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]688
689 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]690}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]691#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]692
693/*
694 * AES key schedule (decryption)
695 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]696#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]697int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]698 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]699{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]700 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]701 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]702 uint32_t *RK;
703 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]704
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]705 AES_VALIDATE_RET( ctx != NULL );
706 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]707
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]708 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]709
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]710#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]711 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]712 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]713
714 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]715 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]716 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]717#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]718 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]719
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]720 /* Also checks keybits */
721 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]722 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]723
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]724 ctx->nr = cty.nr;
725
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]726#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]727 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]728 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]730 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]732 }
733#endif
734
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]735 SK = cty.rk + cty.nr * 4;
736
737 *RK++ = *SK++;
738 *RK++ = *SK++;
739 *RK++ = *SK++;
740 *RK++ = *SK++;
741
742 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
743 {
744 for( j = 0; j < 4; j++, SK++ )
745 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]746 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
747 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
748 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
749 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]750 }
751 }
752
753 *RK++ = *SK++;
754 *RK++ = *SK++;
755 *RK++ = *SK++;
756 *RK++ = *SK++;
757
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]758exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]759 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]760
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]761 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]762}
gabor-mezei-arm13b8a262020-10-26 11:35:23 +0100[diff] [blame]763#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]764
765#if defined(MBEDTLS_CIPHER_MODE_XTS)
766static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
767 unsigned int keybits,
768 const unsigned char **key1,
769 unsigned int *key1bits,
770 const unsigned char **key2,
771 unsigned int *key2bits )
772{
773 const unsigned int half_keybits = keybits / 2;
774 const unsigned int half_keybytes = half_keybits / 8;
775
776 switch( keybits )
777 {
778 case 256: break;
779 case 512: break;
780 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
781 }
782
783 *key1bits = half_keybits;
784 *key2bits = half_keybits;
785 *key1 = &key[0];
786 *key2 = &key[half_keybytes];
787
788 return 0;
789}
790
791int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
792 const unsigned char *key,
793 unsigned int keybits)
794{
795 int ret;
796 const unsigned char *key1, *key2;
797 unsigned int key1bits, key2bits;
798
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]799 AES_VALIDATE_RET( ctx != NULL );
800 AES_VALIDATE_RET( key != NULL );
801
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
803 &key2, &key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set the tweak key. Always set tweak key for the encryption mode. */
808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
809 if( ret != 0 )
810 return( ret );
811
812 /* Set crypt key for encryption. */
813 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
814}
815
816int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
817 const unsigned char *key,
818 unsigned int keybits)
819{
820 int ret;
821 const unsigned char *key1, *key2;
822 unsigned int key1bits, key2bits;
823
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]824 AES_VALIDATE_RET( ctx != NULL );
825 AES_VALIDATE_RET( key != NULL );
826
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]827 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
828 &key2, &key2bits );
829 if( ret != 0 )
830 return( ret );
831
832 /* Set the tweak key. Always set tweak key for encryption. */
833 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
834 if( ret != 0 )
835 return( ret );
836
837 /* Set crypt key for decryption. */
838 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
839}
840#endif /* MBEDTLS_CIPHER_MODE_XTS */
841
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]842#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
843 do \
844 { \
845 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
846 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
847 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
848 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
849 \
850 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
851 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
852 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
853 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
854 \
855 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
856 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
857 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
858 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
859 \
860 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
861 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
862 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
863 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
864 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]865
Hanno Beckerd6028a12018-10-15 12:01:35 +0100[diff] [blame]866#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
867 do \
868 { \
869 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
870 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
871 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
872 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
873 \
874 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
875 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
876 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
877 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
878 \
879 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
880 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
881 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
882 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
883 \
884 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
885 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
886 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
887 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
888 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]889
890/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]891 * AES-ECB block encryption
892 */
893#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]894int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
895 const unsigned char input[16],
896 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]897{
898 int i;
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]899 uint32_t *RK = ctx->rk;
900 struct
901 {
902 uint32_t X[4];
903 uint32_t Y[4];
904 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]905
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]906 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
907 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
908 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
909 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]910
911 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
912 {
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]913 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
914 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]915 }
916
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]917 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]918
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]919 t.X[0] = *RK++ ^ \
920 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
921 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
922 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
923 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]924
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]925 t.X[1] = *RK++ ^ \
926 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
927 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
928 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
929 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]930
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]931 t.X[2] = *RK++ ^ \
932 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
933 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
934 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
935 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]936
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]937 t.X[3] = *RK++ ^ \
938 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
939 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
940 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
941 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]942
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]943 PUT_UINT32_LE( t.X[0], output, 0 );
944 PUT_UINT32_LE( t.X[1], output, 4 );
945 PUT_UINT32_LE( t.X[2], output, 8 );
946 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]947
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]948 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]949
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]950 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]951}
952#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
953
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]954#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]955void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
956 const unsigned char input[16],
957 unsigned char output[16] )
958{
959 mbedtls_internal_aes_encrypt( ctx, input, output );
960}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]961#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]962
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]963/*
964 * AES-ECB block decryption
965 */
966#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]967int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
968 const unsigned char input[16],
969 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]970{
971 int i;
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]972 uint32_t *RK = ctx->rk;
973 struct
974 {
975 uint32_t X[4];
976 uint32_t Y[4];
977 } t;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]978
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]979 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
980 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
981 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
982 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]983
984 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
985 {
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]986 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
987 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]988 }
989
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]990 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]991
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]992 t.X[0] = *RK++ ^ \
993 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
994 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
995 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
996 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]997
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]998 t.X[1] = *RK++ ^ \
999 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
1000 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
1001 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
1002 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1003
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]1004 t.X[2] = *RK++ ^ \
1005 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
1006 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
1007 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
1008 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1009
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]1010 t.X[3] = *RK++ ^ \
1011 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
1012 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
1013 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
1014 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1015
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]1016 PUT_UINT32_LE( t.X[0], output, 0 );
1017 PUT_UINT32_LE( t.X[1], output, 4 );
1018 PUT_UINT32_LE( t.X[2], output, 8 );
1019 PUT_UINT32_LE( t.X[3], output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1020
Gilles Peskine91ee7632020-08-26 17:03:24 +0200[diff] [blame]1021 mbedtls_platform_zeroize( &t, sizeof( t ) );
Andrzej Kurekf18de502019-11-12 03:34:03 -0500[diff] [blame]1022
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1023 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1024}
1025#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1026
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1027#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1028void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1029 const unsigned char input[16],
1030 unsigned char output[16] )
1031{
1032 mbedtls_internal_aes_decrypt( ctx, input, output );
1033}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1034#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1035
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1036/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1037 * AES-ECB block encryption/decryption
1038 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1040 int mode,
1041 const unsigned char input[16],
1042 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1043{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1044 AES_VALIDATE_RET( ctx != NULL );
1045 AES_VALIDATE_RET( input != NULL );
1046 AES_VALIDATE_RET( output != NULL );
1047 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1048 mode == MBEDTLS_AES_DECRYPT );
1049
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1050#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1051 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1052 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1053#endif
1054
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1055#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1056 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1057 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1058 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1059 return( 0 );
1060
1061 // If padlock data misaligned, we just fall back to
1062 // unaccelerated mode
1063 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1064 }
1065#endif
1066
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1067 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1068 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1069 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1070 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1071}
1072
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1073#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1074/*
1075 * AES-CBC buffer encryption/decryption
1076 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1077int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1078 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1079 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1080 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1081 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1082 unsigned char *output )
1083{
1084 int i;
1085 unsigned char temp[16];
1086
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1087 AES_VALIDATE_RET( ctx != NULL );
1088 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1089 mode == MBEDTLS_AES_DECRYPT );
1090 AES_VALIDATE_RET( iv != NULL );
1091 AES_VALIDATE_RET( input != NULL );
1092 AES_VALIDATE_RET( output != NULL );
1093
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1094 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1095 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1096
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1097#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1098 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1099 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1100 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1101 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1102
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1103 // If padlock data misaligned, we just fall back to
1104 // unaccelerated mode
1105 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1106 }
1107#endif
1108
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1109 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1110 {
1111 while( length > 0 )
1112 {
1113 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1114 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1115
1116 for( i = 0; i < 16; i++ )
1117 output[i] = (unsigned char)( output[i] ^ iv[i] );
1118
1119 memcpy( iv, temp, 16 );
1120
1121 input += 16;
1122 output += 16;
1123 length -= 16;
1124 }
1125 }
1126 else
1127 {
1128 while( length > 0 )
1129 {
1130 for( i = 0; i < 16; i++ )
1131 output[i] = (unsigned char)( input[i] ^ iv[i] );
1132
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1133 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1134 memcpy( iv, output, 16 );
1135
1136 input += 16;
1137 output += 16;
1138 length -= 16;
1139 }
1140 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1141
1142 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1143}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1144#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1145
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1146#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1147
1148/* Endianess with 64 bits values */
1149#ifndef GET_UINT64_LE
1150#define GET_UINT64_LE(n,b,i) \
1151{ \
1152 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1153 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1154 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1155 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1156 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1157 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1158 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1159 | ( (uint64_t) (b)[(i) ] ); \
1160}
1161#endif
1162
1163#ifndef PUT_UINT64_LE
1164#define PUT_UINT64_LE(n,b,i) \
1165{ \
1166 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1167 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1168 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1169 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1170 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1171 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1172 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1173 (b)[(i) ] = (unsigned char) ( (n) ); \
1174}
1175#endif
1176
1177typedef unsigned char mbedtls_be128[16];
1178
1179/*
1180 * GF(2^128) multiplication function
1181 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1182 * This function multiplies a field element by x in the polynomial field
1183 * representation. It uses 64-bit word operations to gain speed but compensates
1184 * for machine endianess and hence works correctly on both big and little
1185 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1186 */
1187static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1188 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1189{
1190 uint64_t a, b, ra, rb;
1191
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1192 GET_UINT64_LE( a, x, 0 );
1193 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1194
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1195 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1196 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1197
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1198 PUT_UINT64_LE( ra, r, 0 );
1199 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1200}
1201
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1202/*
1203 * AES-XTS buffer encryption/decryption
1204 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1205int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1206 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1207 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1208 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1209 const unsigned char *input,
1210 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1211{
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1212 int ret;
1213 size_t blocks = length / 16;
1214 size_t leftover = length % 16;
1215 unsigned char tweak[16];
1216 unsigned char prev_tweak[16];
1217 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1218
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1219 AES_VALIDATE_RET( ctx != NULL );
1220 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1221 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1222 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1223 AES_VALIDATE_RET( input != NULL );
1224 AES_VALIDATE_RET( output != NULL );
1225
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1226 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1227 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1228 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1229
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1230 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1231 if( length > ( 1 << 20 ) * 16 )
1232 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1233
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1234 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1235 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1236 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1237 if( ret != 0 )
1238 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1239
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1240 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1241 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1242 size_t i;
1243
1244 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1245 {
1246 /* We are on the last block in a decrypt operation that has
1247 * leftover bytes, so we need to use the next tweak for this block,
1248 * and this tweak for the lefover bytes. Save the current tweak for
1249 * the leftovers and then update the current tweak for use on this,
1250 * the last full block. */
1251 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1252 mbedtls_gf128mul_x_ble( tweak, tweak );
1253 }
1254
1255 for( i = 0; i < 16; i++ )
1256 tmp[i] = input[i] ^ tweak[i];
1257
1258 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1259 if( ret != 0 )
1260 return( ret );
1261
1262 for( i = 0; i < 16; i++ )
1263 output[i] = tmp[i] ^ tweak[i];
1264
1265 /* Update the tweak for the next block. */
1266 mbedtls_gf128mul_x_ble( tweak, tweak );
1267
1268 output += 16;
1269 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1270 }
1271
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1272 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1273 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1274 /* If we are on the leftover bytes in a decrypt operation, we need to
1275 * use the previous tweak for these bytes (as saved in prev_tweak). */
1276 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1277
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1278 /* We are now on the final part of the data unit, which doesn't divide
1279 * evenly by 16. It's time for ciphertext stealing. */
1280 size_t i;
1281 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1282
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1283 /* Copy ciphertext bytes from the previous block to our output for each
1284 * byte of cyphertext we won't steal. At the same time, copy the
1285 * remainder of the input for this final round (since the loop bounds
1286 * are the same). */
1287 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1288 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1289 output[i] = prev_output[i];
1290 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1291 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1292
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1293 /* Copy ciphertext bytes from the previous block for input in this
1294 * round. */
1295 for( ; i < 16; i++ )
1296 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1297
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1298 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1299 if( ret != 0 )
1300 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1301
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1302 /* Write the result back to the previous block, overriding the previous
1303 * output we copied. */
1304 for( i = 0; i < 16; i++ )
1305 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1306 }
1307
1308 return( 0 );
1309}
1310#endif /* MBEDTLS_CIPHER_MODE_XTS */
1311
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1312#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313/*
1314 * AES-CFB128 buffer encryption/decryption
1315 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1316int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1317 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1318 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1319 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1320 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1321 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1322 unsigned char *output )
1323{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1324 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1325 size_t n;
1326
1327 AES_VALIDATE_RET( ctx != NULL );
1328 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1329 mode == MBEDTLS_AES_DECRYPT );
1330 AES_VALIDATE_RET( iv_off != NULL );
1331 AES_VALIDATE_RET( iv != NULL );
1332 AES_VALIDATE_RET( input != NULL );
1333 AES_VALIDATE_RET( output != NULL );
1334
1335 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1336
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1337 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1338 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1339
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1340 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1341 {
1342 while( length-- )
1343 {
1344 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1345 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346
1347 c = *input++;
1348 *output++ = (unsigned char)( c ^ iv[n] );
1349 iv[n] = (unsigned char) c;
1350
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1351 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1352 }
1353 }
1354 else
1355 {
1356 while( length-- )
1357 {
1358 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1359 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1360
1361 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1362
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1363 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1364 }
1365 }
1366
1367 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1368
1369 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1370}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1371
1372/*
1373 * AES-CFB8 buffer encryption/decryption
1374 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1375int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1376 int mode,
1377 size_t length,
1378 unsigned char iv[16],
1379 const unsigned char *input,
1380 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1381{
1382 unsigned char c;
1383 unsigned char ov[17];
1384
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1385 AES_VALIDATE_RET( ctx != NULL );
1386 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1387 mode == MBEDTLS_AES_DECRYPT );
1388 AES_VALIDATE_RET( iv != NULL );
1389 AES_VALIDATE_RET( input != NULL );
1390 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1391 while( length-- )
1392 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1393 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1394 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1395
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1396 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1397 ov[16] = *input;
1398
1399 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1400
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1401 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1402 ov[16] = c;
1403
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1404 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1405 }
1406
1407 return( 0 );
1408}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1409#endif /* MBEDTLS_CIPHER_MODE_CFB */
1410
1411#if defined(MBEDTLS_CIPHER_MODE_OFB)
1412/*
1413 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1414 */
1415int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1416 size_t length,
1417 size_t *iv_off,
1418 unsigned char iv[16],
1419 const unsigned char *input,
1420 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1421{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1422 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1423 size_t n;
1424
1425 AES_VALIDATE_RET( ctx != NULL );
1426 AES_VALIDATE_RET( iv_off != NULL );
1427 AES_VALIDATE_RET( iv != NULL );
1428 AES_VALIDATE_RET( input != NULL );
1429 AES_VALIDATE_RET( output != NULL );
1430
1431 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1432
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1433 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1434 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1435
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1436 while( length-- )
1437 {
1438 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1439 {
1440 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1441 if( ret != 0 )
1442 goto exit;
1443 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1444 *output++ = *input++ ^ iv[n];
1445
1446 n = ( n + 1 ) & 0x0F;
1447 }
1448
1449 *iv_off = n;
1450
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1451exit:
1452 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1453}
1454#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1455
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1456#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1457/*
1458 * AES-CTR buffer encryption/decryption
1459 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1460int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1461 size_t length,
1462 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1463 unsigned char nonce_counter[16],
1464 unsigned char stream_block[16],
1465 const unsigned char *input,
1466 unsigned char *output )
1467{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1468 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1469 size_t n;
1470
1471 AES_VALIDATE_RET( ctx != NULL );
1472 AES_VALIDATE_RET( nc_off != NULL );
1473 AES_VALIDATE_RET( nonce_counter != NULL );
1474 AES_VALIDATE_RET( stream_block != NULL );
1475 AES_VALIDATE_RET( input != NULL );
1476 AES_VALIDATE_RET( output != NULL );
1477
1478 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1479
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1480 if ( n > 0x0F )
1481 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1482
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1483 while( length-- )
1484 {
1485 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1486 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1487
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1488 for( i = 16; i > 0; i-- )
1489 if( ++nonce_counter[i - 1] != 0 )
1490 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1491 }
1492 c = *input++;
1493 *output++ = (unsigned char)( c ^ stream_block[n] );
1494
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1495 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1496 }
1497
1498 *nc_off = n;
1499
1500 return( 0 );
1501}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1502#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1503
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1504#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1505
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1506#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1507/*
1508 * AES test vectors from:
1509 *
1510 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1511 */
1512static const unsigned char aes_test_ecb_dec[3][16] =
1513{
1514 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1515 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1516 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1517 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1518 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1519 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1520};
1521
1522static const unsigned char aes_test_ecb_enc[3][16] =
1523{
1524 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1525 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1526 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1527 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1528 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1529 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1530};
1531
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1532#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1533static const unsigned char aes_test_cbc_dec[3][16] =
1534{
1535 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1536 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1537 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1538 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1539 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1540 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1541};
1542
1543static const unsigned char aes_test_cbc_enc[3][16] =
1544{
1545 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1546 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1547 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1548 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1549 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1550 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1551};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1552#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1553
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1554#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1555/*
1556 * AES-CFB128 test vectors from:
1557 *
1558 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1559 */
1560static const unsigned char aes_test_cfb128_key[3][32] =
1561{
1562 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1563 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1564 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1565 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1566 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1567 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1568 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1569 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1570 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1571};
1572
1573static const unsigned char aes_test_cfb128_iv[16] =
1574{
1575 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1576 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1577};
1578
1579static const unsigned char aes_test_cfb128_pt[64] =
1580{
1581 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1582 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1583 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1584 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1585 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1586 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1587 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1588 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1589};
1590
1591static const unsigned char aes_test_cfb128_ct[3][64] =
1592{
1593 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1594 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1595 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1596 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1597 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1598 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1599 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1600 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1601 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1602 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1603 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1604 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1605 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1606 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1607 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1608 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1609 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1610 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1611 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1612 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1613 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1614 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1615 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1616 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1617};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1618#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1619
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1620#if defined(MBEDTLS_CIPHER_MODE_OFB)
1621/*
1622 * AES-OFB test vectors from:
1623 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1624 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1625 */
1626static const unsigned char aes_test_ofb_key[3][32] =
1627{
1628 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1629 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1630 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1631 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1632 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1633 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1634 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1635 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1636 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1637};
1638
1639static const unsigned char aes_test_ofb_iv[16] =
1640{
1641 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1642 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1643};
1644
1645static const unsigned char aes_test_ofb_pt[64] =
1646{
1647 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1648 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1649 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1650 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1651 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1652 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1653 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1654 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1655};
1656
1657static const unsigned char aes_test_ofb_ct[3][64] =
1658{
1659 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1660 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1661 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1662 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1663 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1664 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1665 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1666 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1667 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1668 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1669 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1670 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1671 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1672 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1673 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1674 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1675 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1676 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1677 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1678 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1679 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1680 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1681 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1682 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1683};
1684#endif /* MBEDTLS_CIPHER_MODE_OFB */
1685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1686#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1687/*
1688 * AES-CTR test vectors from:
1689 *
1690 * http://www.faqs.org/rfcs/rfc3686.html
1691 */
1692
1693static const unsigned char aes_test_ctr_key[3][16] =
1694{
1695 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1696 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1697 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1698 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1699 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1700 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1701};
1702
1703static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1704{
1705 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1707 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1708 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1709 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1710 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1711};
1712
1713static const unsigned char aes_test_ctr_pt[3][48] =
1714{
1715 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1716 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1717
1718 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1719 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1720 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1721 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1722
1723 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1724 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1725 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1726 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1727 0x20, 0x21, 0x22, 0x23 }
1728};
1729
1730static const unsigned char aes_test_ctr_ct[3][48] =
1731{
1732 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1733 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1734 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1735 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1736 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1737 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1738 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1739 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1740 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1741 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1742 0x25, 0xB2, 0x07, 0x2F }
1743};
1744
1745static const int aes_test_ctr_len[3] =
1746 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1747#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1748
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1749#if defined(MBEDTLS_CIPHER_MODE_XTS)
1750/*
1751 * AES-XTS test vectors from:
1752 *
1753 * IEEE P1619/D16 Annex B
1754 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1755 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1756 */
1757static const unsigned char aes_test_xts_key[][32] =
1758{
1759 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1760 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1763 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1764 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1765 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1766 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1767 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1768 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1769 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1770 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1771};
1772
1773static const unsigned char aes_test_xts_pt32[][32] =
1774{
1775 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1779 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1780 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1781 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1782 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1783 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1784 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1785 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1786 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1787};
1788
1789static const unsigned char aes_test_xts_ct32[][32] =
1790{
1791 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1792 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1793 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1794 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1795 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1796 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1797 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1798 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1799 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1800 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1801 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1802 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1803};
1804
1805static const unsigned char aes_test_xts_data_unit[][16] =
1806{
1807 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1809 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1810 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1811 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1812 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1813};
1814
1815#endif /* MBEDTLS_CIPHER_MODE_XTS */
1816
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1817/*
1818 * Checkup routine
1819 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1820int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1821{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1822 int ret = 0, i, j, u, mode;
1823 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1824 unsigned char key[32];
1825 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1826 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1827#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1828 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1829#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1830#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1831 unsigned char prv[16];
1832#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1833#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1834 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1835 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1836#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1837#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1838 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1839#endif
1840#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1841 unsigned char nonce_counter[16];
1842 unsigned char stream_block[16];
1843#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1844 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1845
1846 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1847 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1848
1849 /*
1850 * ECB mode
1851 */
1852 for( i = 0; i < 6; i++ )
1853 {
1854 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1855 keybits = 128 + u * 64;
1856 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1857
1858 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1859 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1860 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1861
1862 memset( buf, 0, 16 );
1863
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1864 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1866 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1867 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1868 }
1869 else
1870 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1871 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1872 aes_tests = aes_test_ecb_enc[u];
1873 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1874
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1875 /*
1876 * AES-192 is an optional feature that may be unavailable when
1877 * there is an alternative underlying implementation i.e. when
1878 * MBEDTLS_AES_ALT is defined.
1879 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1880 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1881 {
1882 mbedtls_printf( "skipped\n" );
1883 continue;
1884 }
1885 else if( ret != 0 )
1886 {
1887 goto exit;
1888 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1889
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1890 for( j = 0; j < 10000; j++ )
1891 {
1892 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1893 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1894 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1895 }
1896
1897 if( memcmp( buf, aes_tests, 16 ) != 0 )
1898 {
1899 ret = 1;
1900 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1901 }
1902
1903 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1904 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1905 }
1906
1907 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1908 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1909
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1910#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1911 /*
1912 * CBC mode
1913 */
1914 for( i = 0; i < 6; i++ )
1915 {
1916 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1917 keybits = 128 + u * 64;
1918 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1919
1920 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1921 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1922 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923
1924 memset( iv , 0, 16 );
1925 memset( prv, 0, 16 );
1926 memset( buf, 0, 16 );
1927
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1928 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1929 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1930 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1931 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1932 }
1933 else
1934 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1935 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1936 aes_tests = aes_test_cbc_enc[u];
1937 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1938
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1939 /*
1940 * AES-192 is an optional feature that may be unavailable when
1941 * there is an alternative underlying implementation i.e. when
1942 * MBEDTLS_AES_ALT is defined.
1943 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1944 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1945 {
1946 mbedtls_printf( "skipped\n" );
1947 continue;
1948 }
1949 else if( ret != 0 )
1950 {
1951 goto exit;
1952 }
1953
1954 for( j = 0; j < 10000; j++ )
1955 {
1956 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1957 {
1958 unsigned char tmp[16];
1959
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1960 memcpy( tmp, prv, 16 );
1961 memcpy( prv, buf, 16 );
1962 memcpy( buf, tmp, 16 );
1963 }
1964
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1965 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1966 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1967 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1968
1969 }
1970
1971 if( memcmp( buf, aes_tests, 16 ) != 0 )
1972 {
1973 ret = 1;
1974 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975 }
1976
1977 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1978 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1979 }
1980
1981 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1982 mbedtls_printf( "\n" );
1983#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1984
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1985#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1986 /*
1987 * CFB128 mode
1988 */
1989 for( i = 0; i < 6; i++ )
1990 {
1991 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1992 keybits = 128 + u * 64;
1993 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1994
1995 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1996 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1997 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1998
1999 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2000 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2001
2002 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2003 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]2004 /*
2005 * AES-192 is an optional feature that may be unavailable when
2006 * there is an alternative underlying implementation i.e. when
2007 * MBEDTLS_AES_ALT is defined.
2008 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2009 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2010 {
2011 mbedtls_printf( "skipped\n" );
2012 continue;
2013 }
2014 else if( ret != 0 )
2015 {
2016 goto exit;
2017 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2018
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2019 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2020 {
2021 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2022 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2023 }
2024 else
2025 {
2026 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2027 aes_tests = aes_test_cfb128_ct[u];
2028 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2030 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2031 if( ret != 0 )
2032 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2033
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2034 if( memcmp( buf, aes_tests, 64 ) != 0 )
2035 {
2036 ret = 1;
2037 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2038 }
2039
2040 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2041 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2042 }
2043
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2044 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2045 mbedtls_printf( "\n" );
2046#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2047
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2048#if defined(MBEDTLS_CIPHER_MODE_OFB)
2049 /*
2050 * OFB mode
2051 */
2052 for( i = 0; i < 6; i++ )
2053 {
2054 u = i >> 1;
2055 keybits = 128 + u * 64;
2056 mode = i & 1;
2057
2058 if( verbose != 0 )
2059 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2060 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2061
2062 memcpy( iv, aes_test_ofb_iv, 16 );
2063 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2064
2065 offset = 0;
2066 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2067 /*
2068 * AES-192 is an optional feature that may be unavailable when
2069 * there is an alternative underlying implementation i.e. when
2070 * MBEDTLS_AES_ALT is defined.
2071 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2072 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2073 {
2074 mbedtls_printf( "skipped\n" );
2075 continue;
2076 }
2077 else if( ret != 0 )
2078 {
2079 goto exit;
2080 }
2081
2082 if( mode == MBEDTLS_AES_DECRYPT )
2083 {
2084 memcpy( buf, aes_test_ofb_ct[u], 64 );
2085 aes_tests = aes_test_ofb_pt;
2086 }
2087 else
2088 {
2089 memcpy( buf, aes_test_ofb_pt, 64 );
2090 aes_tests = aes_test_ofb_ct[u];
2091 }
2092
2093 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2094 if( ret != 0 )
2095 goto exit;
2096
2097 if( memcmp( buf, aes_tests, 64 ) != 0 )
2098 {
2099 ret = 1;
2100 goto exit;
2101 }
2102
2103 if( verbose != 0 )
2104 mbedtls_printf( "passed\n" );
2105 }
2106
2107 if( verbose != 0 )
2108 mbedtls_printf( "\n" );
2109#endif /* MBEDTLS_CIPHER_MODE_OFB */
2110
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2111#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2112 /*
2113 * CTR mode
2114 */
2115 for( i = 0; i < 6; i++ )
2116 {
2117 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2118 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2119
2120 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2121 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2122 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2123
2124 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2125 memcpy( key, aes_test_ctr_key[u], 16 );
2126
2127 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2128 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2129 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2130
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2131 len = aes_test_ctr_len[u];
2132
2133 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2134 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2135 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2136 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2137 }
2138 else
2139 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2140 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2141 aes_tests = aes_test_ctr_ct[u];
2142 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2143
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2144 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2145 stream_block, buf, buf );
2146 if( ret != 0 )
2147 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2148
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2149 if( memcmp( buf, aes_tests, len ) != 0 )
2150 {
2151 ret = 1;
2152 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2153 }
2154
2155 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2156 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2157 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2158
2159 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2160 mbedtls_printf( "\n" );
2161#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2162
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2163#if defined(MBEDTLS_CIPHER_MODE_XTS)
2164 {
2165 static const int num_tests =
2166 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2167 mbedtls_aes_xts_context ctx_xts;
2168
2169 /*
2170 * XTS mode
2171 */
2172 mbedtls_aes_xts_init( &ctx_xts );
2173
2174 for( i = 0; i < num_tests << 1; i++ )
2175 {
2176 const unsigned char *data_unit;
2177 u = i >> 1;
2178 mode = i & 1;
2179
2180 if( verbose != 0 )
2181 mbedtls_printf( " AES-XTS-128 (%s): ",
2182 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2183
2184 memset( key, 0, sizeof( key ) );
2185 memcpy( key, aes_test_xts_key[u], 32 );
2186 data_unit = aes_test_xts_data_unit[u];
2187
2188 len = sizeof( *aes_test_xts_ct32 );
2189
2190 if( mode == MBEDTLS_AES_DECRYPT )
2191 {
2192 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2193 if( ret != 0)
2194 goto exit;
2195 memcpy( buf, aes_test_xts_ct32[u], len );
2196 aes_tests = aes_test_xts_pt32[u];
2197 }
2198 else
2199 {
2200 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2201 if( ret != 0)
2202 goto exit;
2203 memcpy( buf, aes_test_xts_pt32[u], len );
2204 aes_tests = aes_test_xts_ct32[u];
2205 }
2206
2207
2208 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2209 buf, buf );
2210 if( ret != 0 )
2211 goto exit;
2212
2213 if( memcmp( buf, aes_tests, len ) != 0 )
2214 {
2215 ret = 1;
2216 goto exit;
2217 }
2218
2219 if( verbose != 0 )
2220 mbedtls_printf( "passed\n" );
2221 }
2222
2223 if( verbose != 0 )
2224 mbedtls_printf( "\n" );
2225
2226 mbedtls_aes_xts_free( &ctx_xts );
2227 }
2228#endif /* MBEDTLS_CIPHER_MODE_XTS */
2229
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2230 ret = 0;
2231
2232exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2233 if( ret != 0 && verbose != 0 )
2234 mbedtls_printf( "failed\n" );
2235
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2236 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2237
2238 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2239}
2240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2241#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2242
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2243#endif /* MBEDTLS_AES_C */