TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/archive/dev/mbedtls-2.10.0-preview / . / library / aes.c
blob: 66af3e1c6734959f2cb367dc9fdd425033a4c48e [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]39#include "mbedtls/platform_util.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]40#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]41#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]42#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]44#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]45#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]47#if defined(MBEDTLS_SELF_TEST)
48#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]49#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]50#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]51#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#define mbedtls_printf printf
53#endif /* MBEDTLS_PLATFORM_C */
54#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]55
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]56#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]57
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58/*
59 * 32-bit integer manipulation macros (little endian)
60 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]61#ifndef GET_UINT32_LE
62#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]63{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]64 (n) = ( (uint32_t) (b)[(i) ] ) \
65 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
66 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
67 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]68}
69#endif
70
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]71#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]72#define PUT_UINT32_LE(n,b,i) \
73{ \
74 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
75 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
76 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
77 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]78}
79#endif
80
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]81#if defined(MBEDTLS_PADLOCK_C) && \
82 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]83static int aes_padlock_ace = -1;
84#endif
85
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]86#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]87/*
88 * Forward S-box
89 */
90static const unsigned char FSb[256] =
91{
92 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
93 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
94 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
95 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
96 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
97 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
98 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
99 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
100 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
101 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
102 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
103 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
104 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
105 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
106 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
107 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
108 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
109 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
110 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
111 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
112 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
113 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
114 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
115 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
116 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
117 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
118 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
119 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
120 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
121 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
122 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
123 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
124};
125
126/*
127 * Forward tables
128 */
129#define FT \
130\
131 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
132 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
133 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
134 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
135 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
136 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
137 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
138 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
139 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
140 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
141 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
142 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
143 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
144 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
145 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
146 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
147 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
148 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
149 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
150 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
151 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
152 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
153 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
154 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
155 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
156 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
157 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
158 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
159 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
160 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
161 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
162 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
163 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
164 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
165 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
166 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
167 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
168 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
169 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
170 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
171 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
172 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
173 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
174 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
175 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
176 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
177 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
178 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
179 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
180 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
181 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
182 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
183 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
184 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
185 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
186 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
187 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
188 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
189 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
190 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
191 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
192 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
193 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
194 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
195
196#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]197static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]198#undef V
199
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]200#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]201
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]202#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]203static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#undef V
205
206#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]207static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]208#undef V
209
210#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]214#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]215
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef FT
217
218/*
219 * Reverse S-box
220 */
221static const unsigned char RSb[256] =
222{
223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
255};
256
257/*
258 * Reverse tables
259 */
260#define RT \
261\
262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
326
327#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]328static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]329#undef V
330
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]331#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]332
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]333#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]334static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#undef V
336
337#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]338static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339#undef V
340
341#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]345#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]346
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef RT
348
349/*
350 * Round constants
351 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]352static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]353{
354 0x00000001, 0x00000002, 0x00000004, 0x00000008,
355 0x00000010, 0x00000020, 0x00000040, 0x00000080,
356 0x0000001B, 0x00000036
357};
358
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]359#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]360
361/*
362 * Forward S-box & tables
363 */
364static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]365static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]366#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT1[256];
368static uint32_t FT2[256];
369static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]370#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]371
372/*
373 * Reverse S-box & tables
374 */
375static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]376static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]377#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT1[256];
379static uint32_t RT2[256];
380static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]381#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383/*
384 * Round constants
385 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]386static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]387
388/*
389 * Tables generation code
390 */
391#define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
392#define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
393#define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
394
395static int aes_init_done = 0;
396
397static void aes_gen_tables( void )
398{
399 int i, x, y, z;
400 int pow[256];
401 int log[256];
402
403 /*
404 * compute pow and log tables over GF(2^8)
405 */
406 for( i = 0, x = 1; i < 256; i++ )
407 {
408 pow[i] = x;
409 log[x] = i;
410 x = ( x ^ XTIME( x ) ) & 0xFF;
411 }
412
413 /*
414 * calculate the round constants
415 */
416 for( i = 0, x = 1; i < 10; i++ )
417 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]418 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]419 x = XTIME( x ) & 0xFF;
420 }
421
422 /*
423 * generate the forward and reverse S-boxes
424 */
425 FSb[0x00] = 0x63;
426 RSb[0x63] = 0x00;
427
428 for( i = 1; i < 256; i++ )
429 {
430 x = pow[255 - log[i]];
431
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]432 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
433 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
434 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]436 x ^= y ^ 0x63;
437
438 FSb[i] = (unsigned char) x;
439 RSb[x] = (unsigned char) i;
440 }
441
442 /*
443 * generate the forward and reverse tables
444 */
445 for( i = 0; i < 256; i++ )
446 {
447 x = FSb[i];
448 y = XTIME( x ) & 0xFF;
449 z = ( y ^ x ) & 0xFF;
450
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]451 FT0[i] = ( (uint32_t) y ) ^
452 ( (uint32_t) x << 8 ) ^
453 ( (uint32_t) x << 16 ) ^
454 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]455
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]456#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457 FT1[i] = ROTL8( FT0[i] );
458 FT2[i] = ROTL8( FT1[i] );
459 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]460#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]461
462 x = RSb[i];
463
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]464 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
465 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
466 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
467 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]468
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]469#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470 RT1[i] = ROTL8( RT0[i] );
471 RT2[i] = ROTL8( RT1[i] );
472 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]473#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474 }
475}
476
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]477#undef ROTL8
478
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]479#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]480
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]481#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]482
483#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
484#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
485#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
486
487#define AES_RT0(idx) RT0[idx]
488#define AES_RT1(idx) ROTL8( RT0[idx] )
489#define AES_RT2(idx) ROTL16( RT0[idx] )
490#define AES_RT3(idx) ROTL24( RT0[idx] )
491
492#define AES_FT0(idx) FT0[idx]
493#define AES_FT1(idx) ROTL8( FT0[idx] )
494#define AES_FT2(idx) ROTL16( FT0[idx] )
495#define AES_FT3(idx) ROTL24( FT0[idx] )
496
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]497#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]498
499#define AES_RT0(idx) RT0[idx]
500#define AES_RT1(idx) RT1[idx]
501#define AES_RT2(idx) RT2[idx]
502#define AES_RT3(idx) RT3[idx]
503
504#define AES_FT0(idx) FT0[idx]
505#define AES_FT1(idx) FT1[idx]
506#define AES_FT2(idx) FT2[idx]
507#define AES_FT3(idx) FT3[idx]
508
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]509#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]510
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]511void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]512{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514}
515
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]516void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]517{
518 if( ctx == NULL )
519 return;
520
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]521 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]522}
523
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]524#if defined(MBEDTLS_CIPHER_MODE_XTS)
525void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
526{
527 mbedtls_aes_init( &ctx->crypt );
528 mbedtls_aes_init( &ctx->tweak );
529}
530
531void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
532{
533 mbedtls_aes_free( &ctx->crypt );
534 mbedtls_aes_free( &ctx->tweak );
535}
536#endif /* MBEDTLS_CIPHER_MODE_XTS */
537
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]538/*
539 * AES key schedule (encryption)
540 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]541#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]542int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]543 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]544{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]545 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]546 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547
Simon Butcher1a925bc2018-05-14 13:58:22 +0100[diff] [blame]548 MBEDTLS_AES_VALIDATE( ctx != NULL && key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]549
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]550 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]551 {
552 case 128: ctx->nr = 10; break;
553 case 192: ctx->nr = 12; break;
554 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]555 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556 }
557
Simon Butcher1a925bc2018-05-14 13:58:22 +0100[diff] [blame]558#if !defined(MBEDTLS_AES_ROM_TABLES)
559 if( aes_init_done == 0 )
560 {
561 aes_gen_tables();
562 aes_init_done = 1;
563
564 }
565#endif
566
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]567#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]568 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]569 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]570
571 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]572 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]573 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]574#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]575 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]576
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]577#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]578 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]579 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]580#endif
581
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]582 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]584 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585 }
586
587 switch( ctx->nr )
588 {
589 case 10:
590
591 for( i = 0; i < 10; i++, RK += 4 )
592 {
593 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]594 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
595 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
596 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
597 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598
599 RK[5] = RK[1] ^ RK[4];
600 RK[6] = RK[2] ^ RK[5];
601 RK[7] = RK[3] ^ RK[6];
602 }
603 break;
604
605 case 12:
606
607 for( i = 0; i < 8; i++, RK += 6 )
608 {
609 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]610 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
611 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
612 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
613 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]614
615 RK[7] = RK[1] ^ RK[6];
616 RK[8] = RK[2] ^ RK[7];
617 RK[9] = RK[3] ^ RK[8];
618 RK[10] = RK[4] ^ RK[9];
619 RK[11] = RK[5] ^ RK[10];
620 }
621 break;
622
623 case 14:
624
625 for( i = 0; i < 7; i++, RK += 8 )
626 {
627 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]628 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
629 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
630 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
631 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]632
633 RK[9] = RK[1] ^ RK[8];
634 RK[10] = RK[2] ^ RK[9];
635 RK[11] = RK[3] ^ RK[10];
636
637 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]638 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
639 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
640 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
641 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]642
643 RK[13] = RK[5] ^ RK[12];
644 RK[14] = RK[6] ^ RK[13];
645 RK[15] = RK[7] ^ RK[14];
646 }
647 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]648 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]649
650 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]652#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]653
654/*
655 * AES key schedule (decryption)
656 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]657#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]658int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]659 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]661 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]662 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]663 uint32_t *RK;
664 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]665
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]666 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]667
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]668#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]669 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]670 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]671
672 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]674 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]676 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]677
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]678 /* Also checks keybits */
679 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]680 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]681
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]682 ctx->nr = cty.nr;
683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]684#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]685 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]686 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]687 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]688 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]689 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]690 }
691#endif
692
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693 SK = cty.rk + cty.nr * 4;
694
695 *RK++ = *SK++;
696 *RK++ = *SK++;
697 *RK++ = *SK++;
698 *RK++ = *SK++;
699
700 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
701 {
702 for( j = 0; j < 4; j++, SK++ )
703 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]704 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
705 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
706 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
707 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]708 }
709 }
710
711 *RK++ = *SK++;
712 *RK++ = *SK++;
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]716exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]717 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]718
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]719 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720}
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]721
722#if defined(MBEDTLS_CIPHER_MODE_XTS)
723static int mbedtls_aes_xts_setkey( mbedtls_aes_xts_context *ctx,
724 const unsigned char *key,
725 unsigned int keybits,
726 int (*setkey1)( mbedtls_aes_context *ctx,
727 const unsigned char *key,
728 unsigned int keybits ) )
729{
730 const unsigned int key1bits = keybits / 2;
731 const unsigned int key2bits = keybits / 2;
732 const unsigned int key1bytes = key1bits / 8;
733 const unsigned char *key1 = &key[0];
734 const unsigned char *key2 = &key[key1bytes];
735 int ret;
736
737 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
738
739 if( ret )
740 return( ret );
741
742 return( setkey1( &ctx->crypt, key1, key1bits ) );
743}
744
745int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
746 const unsigned char *key,
747 unsigned int keybits)
748{
749 return mbedtls_aes_xts_setkey( ctx, key, keybits, mbedtls_aes_setkey_enc );
750}
751
752int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
753 const unsigned char *key,
754 unsigned int keybits)
755{
756 return mbedtls_aes_xts_setkey( ctx, key, keybits, mbedtls_aes_setkey_dec );
757}
758#endif /* MBEDTLS_CIPHER_MODE_XTS */
759
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]760#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]761
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]762#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
763{ \
764 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
765 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
766 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
767 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
768 \
769 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
770 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
771 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
772 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
773 \
774 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
775 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
776 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
777 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
778 \
779 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
780 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
781 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
782 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]783}
784
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]785#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
786{ \
787 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
788 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
789 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
790 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
791 \
792 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
793 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
794 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
795 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
796 \
797 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
798 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
799 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
800 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
801 \
802 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
803 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
804 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
805 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]806}
807
808/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]809 * AES-ECB block encryption
810 */
811#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]812int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
813 const unsigned char input[16],
814 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]815{
816 int i;
817 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
818
819 RK = ctx->rk;
820
821 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
822 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
823 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
824 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
825
826 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
827 {
828 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
829 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
830 }
831
832 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
833
834 X0 = *RK++ ^ \
835 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
836 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
837 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
838 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
839
840 X1 = *RK++ ^ \
841 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
842 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
843 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
844 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
845
846 X2 = *RK++ ^ \
847 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
848 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
849 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
850 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
851
852 X3 = *RK++ ^ \
853 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
854 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
855 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
856 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
857
858 PUT_UINT32_LE( X0, output, 0 );
859 PUT_UINT32_LE( X1, output, 4 );
860 PUT_UINT32_LE( X2, output, 8 );
861 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]862
863 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]864}
865#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
866
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]867#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]868void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
869 const unsigned char input[16],
870 unsigned char output[16] )
871{
872 mbedtls_internal_aes_encrypt( ctx, input, output );
873}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]874#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]875
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]876/*
877 * AES-ECB block decryption
878 */
879#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]880int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
881 const unsigned char input[16],
882 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]883{
884 int i;
885 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
886
887 RK = ctx->rk;
888
889 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
890 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
891 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
892 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
893
894 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
895 {
896 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
897 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
898 }
899
900 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
901
902 X0 = *RK++ ^ \
903 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
904 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
905 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
906 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
907
908 X1 = *RK++ ^ \
909 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
910 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
911 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
912 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
913
914 X2 = *RK++ ^ \
915 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
916 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
917 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
918 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
919
920 X3 = *RK++ ^ \
921 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
922 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
923 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
924 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
925
926 PUT_UINT32_LE( X0, output, 0 );
927 PUT_UINT32_LE( X1, output, 4 );
928 PUT_UINT32_LE( X2, output, 8 );
929 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]930
931 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]932}
933#endif /* !MBEDTLS_AES_DECRYPT_ALT */
934
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]935#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]936void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
937 const unsigned char input[16],
938 unsigned char output[16] )
939{
940 mbedtls_internal_aes_decrypt( ctx, input, output );
941}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]942#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]943
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]944/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]945 * AES-ECB block encryption/decryption
946 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]947int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]948 int mode,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]949 const unsigned char input[16],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]950 unsigned char output[16] )
951{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]952#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]953 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]954 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]955#endif
956
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]957#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]958 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]959 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]960 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]961 return( 0 );
962
963 // If padlock data misaligned, we just fall back to
964 // unaccelerated mode
965 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]966 }
967#endif
968
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]969 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]970 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]971 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]972 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]973}
974
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]975#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]976/*
977 * AES-CBC buffer encryption/decryption
978 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]979int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]980 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]981 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]982 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]983 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]984 unsigned char *output )
985{
986 int i;
987 unsigned char temp[16];
988
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]989 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]990 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]991
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]992#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]993 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]994 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]995 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]996 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]997
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]998 // If padlock data misaligned, we just fall back to
999 // unaccelerated mode
1000 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1001 }
1002#endif
1003
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1004 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1005 {
1006 while( length > 0 )
1007 {
1008 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1009 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1010
1011 for( i = 0; i < 16; i++ )
1012 output[i] = (unsigned char)( output[i] ^ iv[i] );
1013
1014 memcpy( iv, temp, 16 );
1015
1016 input += 16;
1017 output += 16;
1018 length -= 16;
1019 }
1020 }
1021 else
1022 {
1023 while( length > 0 )
1024 {
1025 for( i = 0; i < 16; i++ )
1026 output[i] = (unsigned char)( input[i] ^ iv[i] );
1027
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1028 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1029 memcpy( iv, output, 16 );
1030
1031 input += 16;
1032 output += 16;
1033 length -= 16;
1034 }
1035 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1036
1037 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1038}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1039#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1042/*
1043 * AES-CFB128 buffer encryption/decryption
1044 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1045int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1046 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1047 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1048 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1050 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1051 unsigned char *output )
1052{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1053 int c;
1054 size_t n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1055
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1056 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1057 {
1058 while( length-- )
1059 {
1060 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1061 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1062
1063 c = *input++;
1064 *output++ = (unsigned char)( c ^ iv[n] );
1065 iv[n] = (unsigned char) c;
1066
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1067 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1068 }
1069 }
1070 else
1071 {
1072 while( length-- )
1073 {
1074 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1075 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1076
1077 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1078
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1079 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1080 }
1081 }
1082
1083 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1084
1085 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1086}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1087
1088/*
1089 * AES-CFB8 buffer encryption/decryption
1090 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1091int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1092 int mode,
1093 size_t length,
1094 unsigned char iv[16],
1095 const unsigned char *input,
1096 unsigned char *output )
1097{
1098 unsigned char c;
1099 unsigned char ov[17];
1100
1101 while( length-- )
1102 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1103 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1104 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1105
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1106 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1107 ov[16] = *input;
1108
1109 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1110
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1111 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1112 ov[16] = c;
1113
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1114 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1115 }
1116
1117 return( 0 );
1118}
Simon Butcherfb9f6612018-04-22 22:57:27 +0100[diff] [blame]1119#endif /* MBEDTLS_CIPHER_MODE_CFB */
1120
1121#if defined(MBEDTLS_CIPHER_MODE_OFB)
1122/*
1123 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1124 */
1125int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
1126 size_t length,
1127 size_t *iv_off,
1128 unsigned char iv[16],
1129 const unsigned char *input,
1130 unsigned char *output )
1131{
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1132 int ret = 0;
Simon Butcherfb9f6612018-04-22 22:57:27 +0100[diff] [blame]1133 size_t n = *iv_off;
1134
1135 while( length-- )
1136 {
1137 if( n == 0 )
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1138 {
1139 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1140 if( ret != 0 )
1141 goto exit;
1142 }
Simon Butcherfb9f6612018-04-22 22:57:27 +0100[diff] [blame]1143 *output++ = *input++ ^ iv[n];
1144
1145 n = ( n + 1 ) & 0x0F;
1146 }
1147
1148 *iv_off = n;
1149
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1150exit:
1151 return( ret );
Simon Butcherfb9f6612018-04-22 22:57:27 +0100[diff] [blame]1152}
1153#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1154
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1155#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1156/*
1157 * AES-CTR buffer encryption/decryption
1158 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1159int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1160 size_t length,
1161 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1162 unsigned char nonce_counter[16],
1163 unsigned char stream_block[16],
1164 const unsigned char *input,
1165 unsigned char *output )
1166{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1167 int c, i;
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1168 size_t n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1169
1170 while( length-- )
1171 {
1172 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1173 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1174
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1175 for( i = 16; i > 0; i-- )
1176 if( ++nonce_counter[i - 1] != 0 )
1177 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1178 }
1179 c = *input++;
1180 *output++ = (unsigned char)( c ^ stream_block[n] );
1181
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1182 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1183 }
1184
1185 *nc_off = n;
1186
1187 return( 0 );
1188}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1189#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1190
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]1191#if defined(MBEDTLS_CIPHER_MODE_XTS)
1192/*
1193 * AES-XTS buffer encryption/decryption
1194 */
1195
1196/* Multiplication by x in the Galois field of GF(2^n) (aka 2, or left shift) */
1197static void multiply_by_x_gf128( const unsigned char *in, unsigned char *out )
1198{
1199 size_t i;
1200 const unsigned char overflow = in[15] >> 0x07;
1201
1202 /* XXX speed up multiplication by going 32-bit at a time instead of 8-bit
1203 * */
1204 /* Don't we already have functions that can multiply n-bit numbers
1205 * efficiently? bignum... mpi... Maybe AES NI can do this multiplication
1206 * (galois field 128 multiplication by x, or some sort of lfsr))?*/
1207 /* Feedback polynomial: x**128 + x**7 + x**3 + x + 1 (0b10000111)*/
1208 i = 16;
1209 while( --i ) {
1210 const unsigned char carry = in[i - 1] >> 0x07;
1211 out[i] = (in[i] << 1) | carry;
1212 }
1213 out[0] = (in[0] << 1) ^ (overflow ? 0x87 : 0x00);
1214}
1215
1216int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1217 int mode,
1218 size_t length,
1219 const unsigned char data_unit[16],
1220 const unsigned char *input,
1221 unsigned char *output )
1222{
1223 size_t blocks = length / 16;
1224 size_t leftover = length % 16;
1225 unsigned char tweak[16];
1226 unsigned char tweak_tmp[16];
1227 unsigned char tmp[16];
1228
1229 /* Sectors must be at least 16 bytes. */
1230 if( length < 16)
1231 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1232
1233 /* NIST SP 80-38E disallows data units larger than 2**20 blocks. */
1234 if( (blocks > 0x100000) || (blocks == 0x100000 && leftover > 0))
1235 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1236
1237 /* Compute the tweak. */
1238 memcpy( tweak, data_unit, sizeof(tweak) );
1239 mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, tweak, tweak );
1240
1241 while( blocks-- ) {
1242 size_t i;
1243
1244 /* XXX Code review: Sucks to have conditionals inside this loop.
1245 * Suggestions as to whether its worth extracting this outside the toop
1246 * are welcome. */
1247 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1248 {
1249 /* We are on the last block in a decrypt operation that has
1250 * leftover bytes, so we need to use the next tweak for this block,
1251 * and this tweak for the lefover bytes. Save the current tweak for
1252 * the leftovers and then update the current tweak for use on this,
1253 * the last full block. */
1254 memcpy( tweak_tmp, tweak, sizeof(tweak));
1255 multiply_by_x_gf128( tweak, tweak );
1256 }
1257
1258 /* XXX Code review: Don't we have any functions to more efficiently xor
1259 * big nums together than byte-by-byte? */
1260 for( i = 0; i < 16; i++ )
1261 tmp[i] = input[i] ^ tweak[i];
1262
1263 mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1264
1265 for( i = 0; i < 16; i++ )
1266 output[i] = tmp[i] ^ tweak[i];
1267
1268 /* Update the tweak for the next block */
1269 multiply_by_x_gf128( tweak, tweak );
1270
1271 output += 16;
1272 input += 16;
1273 }
1274
1275 if( leftover )
1276 {
1277 /* If we are on the leftover bytes in a decrypt operation, we need to
1278 * use the previous tweak for these bytes (as saved in tweak_tmp). */
1279 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? tweak_tmp : tweak;
1280
1281 /* We are now on the final part of the data unit, which doesn't divide
1282 * evenly by 16. It's time for ciphertext stealing. */
1283 size_t i;
1284 unsigned char *prev_output = output - 16;
1285
1286 /* Copy ciphertext bytes from previous block to our output for each
1287 * byte of cyphertext we won't steal. At the same time, the remainder
1288 * of input for this final round (since the loop bounds are the same).
1289 * */
1290 /* XXX if we use faster xor functions later here, we'll likely have to
1291 * break apart the loop. we might not be able to use faster xor, since
1292 * the leftovers could be any number of bytes (not multiples of
1293 * 16) (our faster xor would need to support aligned and unaligned
1294 * sizes) */
1295 for( i = 0; i < leftover; i++ )
1296 {
1297 output[i] = prev_output[i];
1298 tmp[i] = input[i] ^ t[i];
1299 }
1300
1301 /* Copy ciphertext bytes from the previous block for input in this round. */
1302 for( ; i < 16; i++)
1303 tmp[i] = prev_output[i] ^ t[i];
1304
1305 mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1306
1307 /* Write the result back to the previous block, overriding the previous
1308 * output we copied. */
1309 for( i = 0; i < 16; i++ )
1310 prev_output[i] = tmp[i] ^ t[i];
1311 }
1312
1313 return( 0 );
1314}
1315#endif /* MBEDTLS_CIPHER_MODE_XTS */
1316
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1317#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1318
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1319#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1320/*
1321 * AES test vectors from:
1322 *
1323 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1324 */
1325static const unsigned char aes_test_ecb_dec[3][16] =
1326{
1327 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1328 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1329 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1330 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1331 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1332 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1333};
1334
1335static const unsigned char aes_test_ecb_enc[3][16] =
1336{
1337 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1338 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1339 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1340 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1341 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1342 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1343};
1344
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1345#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1346static const unsigned char aes_test_cbc_dec[3][16] =
1347{
1348 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1349 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1350 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1351 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1352 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1353 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1354};
1355
1356static const unsigned char aes_test_cbc_enc[3][16] =
1357{
1358 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1359 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1360 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1361 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1362 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1363 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1364};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1365#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1367#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1368/*
1369 * AES-CFB128 test vectors from:
1370 *
1371 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1372 */
1373static const unsigned char aes_test_cfb128_key[3][32] =
1374{
1375 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1376 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1377 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1378 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1379 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1380 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1381 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1382 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1383 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1384};
1385
1386static const unsigned char aes_test_cfb128_iv[16] =
1387{
1388 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1389 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1390};
1391
1392static const unsigned char aes_test_cfb128_pt[64] =
1393{
1394 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1395 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1396 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1397 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1398 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1399 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1400 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1401 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1402};
1403
1404static const unsigned char aes_test_cfb128_ct[3][64] =
1405{
1406 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1407 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1408 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1409 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1410 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1411 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1412 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1413 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1414 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1415 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1416 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1417 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1418 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1419 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1420 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1421 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1422 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1423 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1424 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1425 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1426 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1427 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1428 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1429 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1430};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1431#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1432
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1433#if defined(MBEDTLS_CIPHER_MODE_OFB)
1434/*
1435 * AES-OFB test vectors from:
1436 *
1437 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1438 */
1439static const unsigned char aes_test_ofb_key[3][32] =
1440{
1441 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1442 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1443 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1444 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1445 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1446 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1447 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1448 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1449 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1450};
1451
1452static const unsigned char aes_test_ofb_iv[16] =
1453{
1454 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1455 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1456};
1457
1458static const unsigned char aes_test_ofb_pt[64] =
1459{
1460 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1461 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1462 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1463 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1464 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1465 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1466 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1467 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1468};
1469
1470static const unsigned char aes_test_ofb_ct[3][64] =
1471{
1472 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1473 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1474 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1475 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1476 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1477 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1478 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1479 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1480 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1481 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1482 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1483 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1484 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1485 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1486 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1487 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1488 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1489 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1490 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1491 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1492 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1493 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1494 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1495 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1496};
1497#endif /* MBEDTLS_CIPHER_MODE_OFB */
1498
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1499#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1500/*
1501 * AES-CTR test vectors from:
1502 *
1503 * http://www.faqs.org/rfcs/rfc3686.html
1504 */
1505
1506static const unsigned char aes_test_ctr_key[3][16] =
1507{
1508 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1509 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1510 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1511 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1512 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1513 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1514};
1515
1516static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1517{
1518 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1519 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1520 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1521 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1522 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1523 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1524};
1525
1526static const unsigned char aes_test_ctr_pt[3][48] =
1527{
1528 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1529 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1530
1531 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1532 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1533 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1534 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1535
1536 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1537 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1538 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1539 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1540 0x20, 0x21, 0x22, 0x23 }
1541};
1542
1543static const unsigned char aes_test_ctr_ct[3][48] =
1544{
1545 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1546 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1547 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1548 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1549 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1550 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1551 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1552 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1553 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1554 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1555 0x25, 0xB2, 0x07, 0x2F }
1556};
1557
1558static const int aes_test_ctr_len[3] =
1559 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1560#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1561
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]1562#if defined(MBEDTLS_CIPHER_MODE_XTS)
1563/*
1564 * AES-XTS test vectors from:
1565 *
1566 * IEEE P1619/D16 Annex B
1567 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1568 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1569 */
1570static const unsigned char aes_test_xts_key[][32] =
1571{
1572 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1574 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1576 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1577 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1578 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1579 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1580 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1581 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1582 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1583 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1584};
1585
1586static const unsigned char aes_test_xts_pt32[][32] =
1587{
1588 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1589 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1590 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1591 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1592 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1593 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1594 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1595 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1596 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1597 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1598 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1599 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1600};
1601
1602static const unsigned char aes_test_xts_ct32[][32] =
1603{
1604 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1605 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1606 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1607 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1608 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1609 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1610 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1611 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1612 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1613 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1614 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1615 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1616};
1617
1618static const unsigned char aes_test_xts_data_unit[][16] =
1619{
1620 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1621 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1622 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1623 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1624 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1626};
1627
1628#endif /* MBEDTLS_CIPHER_MODE_XTS */
1629
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1630/*
1631 * Checkup routine
1632 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1633int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1634{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1635 int ret = 0, i, j, u, mode;
1636 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1637 unsigned char key[32];
1638 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1639 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1640#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1641 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1642#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1643#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1644 unsigned char prv[16];
1645#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1646#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1647 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1648#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1649#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1650 int len;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1651 unsigned char nonce_counter[16];
1652 unsigned char stream_block[16];
1653#endif
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]1654#if defined(MBEDTLS_CIPHER_MODE_XTS)
1655 mbedtls_aes_xts_context ctx_xts;
1656#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1657 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1658
1659 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1660 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1661
1662 /*
1663 * ECB mode
1664 */
1665 for( i = 0; i < 6; i++ )
1666 {
1667 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1668 keybits = 128 + u * 64;
1669 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1670
1671 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1672 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1673 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1674
1675 memset( buf, 0, 16 );
1676
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1677 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1678 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1679 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1680 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1681 }
1682 else
1683 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1684 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1685 aes_tests = aes_test_ecb_enc[u];
1686 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1687
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1688 /*
1689 * AES-192 is an optional feature that may be unavailable when
1690 * there is an alternative underlying implementation i.e. when
1691 * MBEDTLS_AES_ALT is defined.
1692 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1693 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1694 {
1695 mbedtls_printf( "skipped\n" );
1696 continue;
1697 }
1698 else if( ret != 0 )
1699 {
1700 goto exit;
1701 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1702
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1703 for( j = 0; j < 10000; j++ )
1704 {
1705 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1706 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1707 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1708 }
1709
1710 if( memcmp( buf, aes_tests, 16 ) != 0 )
1711 {
1712 ret = 1;
1713 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1714 }
1715
1716 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1717 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1718 }
1719
1720 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1721 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1722
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1723#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1724 /*
1725 * CBC mode
1726 */
1727 for( i = 0; i < 6; i++ )
1728 {
1729 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1730 keybits = 128 + u * 64;
1731 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1732
1733 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1734 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1735 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1736
1737 memset( iv , 0, 16 );
1738 memset( prv, 0, 16 );
1739 memset( buf, 0, 16 );
1740
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1741 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1742 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1743 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1744 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1745 }
1746 else
1747 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1748 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1749 aes_tests = aes_test_cbc_enc[u];
1750 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1751
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1752 /*
1753 * AES-192 is an optional feature that may be unavailable when
1754 * there is an alternative underlying implementation i.e. when
1755 * MBEDTLS_AES_ALT is defined.
1756 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1757 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1758 {
1759 mbedtls_printf( "skipped\n" );
1760 continue;
1761 }
1762 else if( ret != 0 )
1763 {
1764 goto exit;
1765 }
1766
1767 for( j = 0; j < 10000; j++ )
1768 {
1769 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1770 {
1771 unsigned char tmp[16];
1772
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1773 memcpy( tmp, prv, 16 );
1774 memcpy( prv, buf, 16 );
1775 memcpy( buf, tmp, 16 );
1776 }
1777
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1778 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1779 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1780 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1781
1782 }
1783
1784 if( memcmp( buf, aes_tests, 16 ) != 0 )
1785 {
1786 ret = 1;
1787 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1788 }
1789
1790 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1791 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1792 }
1793
1794 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1795 mbedtls_printf( "\n" );
1796#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1797
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1798#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1799 /*
1800 * CFB128 mode
1801 */
1802 for( i = 0; i < 6; i++ )
1803 {
1804 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1805 keybits = 128 + u * 64;
1806 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1807
1808 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1809 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1810 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1811
1812 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1813 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1814
1815 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1816 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1817 /*
1818 * AES-192 is an optional feature that may be unavailable when
1819 * there is an alternative underlying implementation i.e. when
1820 * MBEDTLS_AES_ALT is defined.
1821 */
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1822 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1823 {
1824 mbedtls_printf( "skipped\n" );
1825 continue;
1826 }
1827 else if( ret != 0 )
1828 {
1829 goto exit;
1830 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1831
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1832 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833 {
1834 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1835 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836 }
1837 else
1838 {
1839 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1840 aes_tests = aes_test_cfb128_ct[u];
1841 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1843 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1844 if( ret != 0 )
1845 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1846
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1847 if( memcmp( buf, aes_tests, 64 ) != 0 )
1848 {
1849 ret = 1;
1850 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1851 }
1852
1853 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1854 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1855 }
1856
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1857 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1858 mbedtls_printf( "\n" );
1859#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1860
Simon Butcher7ac93f42018-04-29 00:43:47 +0100[diff] [blame]1861#if defined(MBEDTLS_CIPHER_MODE_OFB)
1862 /*
1863 * OFB mode
1864 */
1865 for( i = 0; i < 6; i++ )
1866 {
1867 u = i >> 1;
1868 keybits = 128 + u * 64;
1869 mode = i & 1;
1870
1871 if( verbose != 0 )
1872 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
1873 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1874
1875 memcpy( iv, aes_test_ofb_iv, 16 );
1876 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1877
1878 offset = 0;
1879 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1880 /*
1881 * AES-192 is an optional feature that may be unavailable when
1882 * there is an alternative underlying implementation i.e. when
1883 * MBEDTLS_AES_ALT is defined.
1884 */
1885 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1886 {
1887 mbedtls_printf( "skipped\n" );
1888 continue;
1889 }
1890 else if( ret != 0 )
1891 {
1892 goto exit;
1893 }
1894
1895 if( mode == MBEDTLS_AES_DECRYPT )
1896 {
1897 memcpy( buf, aes_test_ofb_ct[u], 64 );
1898 aes_tests = aes_test_ofb_pt;
1899 }
1900 else
1901 {
1902 memcpy( buf, aes_test_ofb_pt, 64 );
1903 aes_tests = aes_test_ofb_ct[u];
1904 }
1905
1906 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1907 if( ret != 0 )
1908 goto exit;
1909
1910 if( memcmp( buf, aes_tests, 64 ) != 0 )
1911 {
1912 ret = 1;
1913 goto exit;
1914 }
1915
1916 if( verbose != 0 )
1917 mbedtls_printf( "passed\n" );
1918 }
1919
1920 if( verbose != 0 )
1921 mbedtls_printf( "\n" );
1922#endif /* MBEDTLS_CIPHER_MODE_OFB */
1923
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1924#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1925 /*
1926 * CTR mode
1927 */
1928 for( i = 0; i < 6; i++ )
1929 {
1930 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1931 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1932
1933 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1934 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1935 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1936
1937 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1938 memcpy( key, aes_test_ctr_key[u], 16 );
1939
1940 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1941 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1942 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1943
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1944 len = aes_test_ctr_len[u];
1945
1946 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1947 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1948 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1949 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1950 }
1951 else
1952 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1953 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1954 aes_tests = aes_test_ctr_ct[u];
1955 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1956
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1957 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1958 stream_block, buf, buf );
1959 if( ret != 0 )
1960 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1961
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1962 if( memcmp( buf, aes_tests, len ) != 0 )
1963 {
1964 ret = 1;
1965 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1966 }
1967
1968 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1970 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971
1972 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1973 mbedtls_printf( "\n" );
1974#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975
Jaeden Amero9d3eba42018-04-28 15:02:45 +0100[diff] [blame]1976#if defined(MBEDTLS_CIPHER_MODE_XTS)
1977 {
1978 static const int num_tests =
1979 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
1980
1981 /*
1982 * XTS mode
1983 */
1984 mbedtls_aes_xts_init( &ctx_xts );
1985
1986 for( i = 0; i < num_tests << 1; i++ )
1987 {
1988 const unsigned char *data_unit;
1989 u = i >> 1;
1990 mode = i & 1;
1991
1992 if( verbose != 0 )
1993 mbedtls_printf( " AES-XTS-128 (%s): ",
1994 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1995
1996 memset( key, 0, sizeof( key ) );
1997 memcpy( key, aes_test_xts_key[u], 32 );
1998 data_unit = aes_test_xts_data_unit[u];
1999
2000 len = sizeof( *aes_test_xts_ct32 );
2001
2002 if( mode == MBEDTLS_AES_DECRYPT )
2003 {
2004 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2005 if( ret )
2006 goto exit;
2007 memcpy( buf, aes_test_xts_ct32[u], len );
2008 aes_tests = aes_test_xts_pt32[u];
2009 }
2010 else
2011 {
2012 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2013 if( ret )
2014 goto exit;
2015 memcpy( buf, aes_test_xts_pt32[u], len );
2016 aes_tests = aes_test_xts_ct32[u];
2017 }
2018
2019
2020 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2021 buf, buf );
2022 if( ret != 0 )
2023 goto exit;
2024
2025 if( memcmp( buf, aes_tests, len ) != 0 )
2026 {
2027 ret = 1;
2028 goto exit;
2029 }
2030
2031 if( verbose != 0 )
2032 mbedtls_printf( "passed\n" );
2033 }
2034
2035 if( verbose != 0 )
2036 mbedtls_printf( "\n" );
2037
2038 mbedtls_aes_xts_free( &ctx_xts );
2039 }
2040#endif /* MBEDTLS_CIPHER_MODE_XTS */
2041
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2042 ret = 0;
2043
2044exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2045 if( ret != 0 && verbose != 0 )
2046 mbedtls_printf( "failed\n" );
2047
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2048 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2049
2050 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2051}
2052
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2053#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2054
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2055#endif /* MBEDTLS_AES_C */