TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/better-cf-padding-checks / . / library / aes.c
blob: ed48b24d3b42b6ccc4c413231c272ee006d30eca [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Bence Szépkúti1e148272020-08-07 13:07:28 +0200[diff] [blame]4 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]18 */
19/*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
Gilles Peskinedb09ef62020-06-03 01:43:33 +0200[diff] [blame]26#include "common.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]29
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]30#include <string.h>
31
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]32#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]33#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]34#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]35#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]36#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]37#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]38#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]39#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]40#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]41#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]42
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]43#if defined(MBEDTLS_SELF_TEST)
44#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]45#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]46#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]47#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]48#define mbedtls_printf printf
49#endif /* MBEDTLS_PLATFORM_C */
50#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]51
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]52#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]53
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]54/* Parameter validation macros based on platform_util.h */
55#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]57#define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]60/*
61 * 32-bit integer manipulation macros (little endian)
62 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]63#ifndef GET_UINT32_LE
64#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]65{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]66 (n) = ( (uint32_t) (b)[(i) ] ) \
67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]70}
71#endif
72
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]73#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]74#define PUT_UINT32_LE(n,b,i) \
75{ \
76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]80}
81#endif
82
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]83#if defined(MBEDTLS_PADLOCK_C) && \
84 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]85static int aes_padlock_ace = -1;
86#endif
87
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]88#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]89/*
90 * Forward S-box
91 */
92static const unsigned char FSb[256] =
93{
94 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
95 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
96 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
97 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
98 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
99 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
100 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
101 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
102 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
103 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
104 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
105 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
106 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
107 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
108 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
109 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
110 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
111 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
112 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
113 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
114 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
115 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
116 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
117 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
118 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
119 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
120 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
121 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
122 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
123 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
124 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
125 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
126};
127
128/*
129 * Forward tables
130 */
131#define FT \
132\
133 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
134 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
135 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
136 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
137 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
138 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
139 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
140 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
141 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
142 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
143 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
144 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
145 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
146 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
147 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
148 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
149 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
150 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
151 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
152 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
153 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
154 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
155 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
156 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
157 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
158 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
159 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
160 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
161 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
162 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
163 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
164 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
165 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
166 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
167 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
168 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
169 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
170 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
171 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
172 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
173 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
174 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
175 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
176 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
177 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
178 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
179 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
180 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
181 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
182 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
183 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
184 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
185 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
186 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
187 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
188 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
189 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
190 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
191 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
192 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
193 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
194 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
195 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
196 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
197
198#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]199static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200#undef V
201
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]202#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]203
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]204#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
208#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]209static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#undef V
211
212#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]213static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]214#undef V
215
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]216#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]217
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]218#undef FT
219
220/*
221 * Reverse S-box
222 */
223static const unsigned char RSb[256] =
224{
225 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
226 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
227 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
228 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
229 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
230 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
232 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
233 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
234 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
235 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
236 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
237 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
238 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
239 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
240 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
241 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
242 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
243 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
244 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
245 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
246 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
247 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
248 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
249 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
250 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
251 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
252 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
253 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
254 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
255 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
256 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
257};
258
259/*
260 * Reverse tables
261 */
262#define RT \
263\
264 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
265 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
266 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
267 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
268 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
269 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
270 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
271 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
272 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
273 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
274 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
275 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
276 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
277 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
278 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
279 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
280 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
281 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
282 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
283 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
284 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
285 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
286 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
287 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
288 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
289 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
290 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
291 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
292 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
293 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
294 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
295 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
296 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
297 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
298 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
299 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
300 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
301 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
302 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
303 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
304 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
305 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
306 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
307 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
308 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
309 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
310 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
311 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
312 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
313 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
314 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
315 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
316 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
317 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
318 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
319 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
320 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
321 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
322 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
323 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
324 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
325 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
326 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
327 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
328
329#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]330static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]331#undef V
332
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]333#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]334
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]335#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
339#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]340static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#undef V
342
343#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]344static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345#undef V
346
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]347#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]348
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349#undef RT
350
351/*
352 * Round constants
353 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]354static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355{
356 0x00000001, 0x00000002, 0x00000004, 0x00000008,
357 0x00000010, 0x00000020, 0x00000040, 0x00000080,
358 0x0000001B, 0x00000036
359};
360
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]361#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]362
363/*
364 * Forward S-box & tables
365 */
366static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]367static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]368#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]369static uint32_t FT1[256];
370static uint32_t FT2[256];
371static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]372#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]373
374/*
375 * Reverse S-box & tables
376 */
377static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]378static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]379#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]380static uint32_t RT1[256];
381static uint32_t RT2[256];
382static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]383#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]384
385/*
386 * Round constants
387 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]388static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]389
390/*
391 * Tables generation code
392 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]393#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
394#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]395#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]396
397static int aes_init_done = 0;
398
399static void aes_gen_tables( void )
400{
401 int i, x, y, z;
402 int pow[256];
403 int log[256];
404
405 /*
406 * compute pow and log tables over GF(2^8)
407 */
408 for( i = 0, x = 1; i < 256; i++ )
409 {
410 pow[i] = x;
411 log[x] = i;
412 x = ( x ^ XTIME( x ) ) & 0xFF;
413 }
414
415 /*
416 * calculate the round constants
417 */
418 for( i = 0, x = 1; i < 10; i++ )
419 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]420 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421 x = XTIME( x ) & 0xFF;
422 }
423
424 /*
425 * generate the forward and reverse S-boxes
426 */
427 FSb[0x00] = 0x63;
428 RSb[0x63] = 0x00;
429
430 for( i = 1; i < 256; i++ )
431 {
432 x = pow[255 - log[i]];
433
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]434 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
436 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]438 x ^= y ^ 0x63;
439
440 FSb[i] = (unsigned char) x;
441 RSb[x] = (unsigned char) i;
442 }
443
444 /*
445 * generate the forward and reverse tables
446 */
447 for( i = 0; i < 256; i++ )
448 {
449 x = FSb[i];
450 y = XTIME( x ) & 0xFF;
451 z = ( y ^ x ) & 0xFF;
452
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]453 FT0[i] = ( (uint32_t) y ) ^
454 ( (uint32_t) x << 8 ) ^
455 ( (uint32_t) x << 16 ) ^
456 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]458#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459 FT1[i] = ROTL8( FT0[i] );
460 FT2[i] = ROTL8( FT1[i] );
461 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]462#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463
464 x = RSb[i];
465
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]466 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
467 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
468 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
469 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]470
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]471#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]472 RT1[i] = ROTL8( RT0[i] );
473 RT2[i] = ROTL8( RT1[i] );
474 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]475#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476 }
477}
478
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]479#undef ROTL8
480
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]481#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]483#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]484
485#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
486#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
487#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
488
489#define AES_RT0(idx) RT0[idx]
490#define AES_RT1(idx) ROTL8( RT0[idx] )
491#define AES_RT2(idx) ROTL16( RT0[idx] )
492#define AES_RT3(idx) ROTL24( RT0[idx] )
493
494#define AES_FT0(idx) FT0[idx]
495#define AES_FT1(idx) ROTL8( FT0[idx] )
496#define AES_FT2(idx) ROTL16( FT0[idx] )
497#define AES_FT3(idx) ROTL24( FT0[idx] )
498
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]499#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]500
501#define AES_RT0(idx) RT0[idx]
502#define AES_RT1(idx) RT1[idx]
503#define AES_RT2(idx) RT2[idx]
504#define AES_RT3(idx) RT3[idx]
505
506#define AES_FT0(idx) FT0[idx]
507#define AES_FT1(idx) FT1[idx]
508#define AES_FT2(idx) FT2[idx]
509#define AES_FT3(idx) FT3[idx]
510
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]511#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]512
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]513void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]514{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]515 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]517 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]518}
519
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]520void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]521{
522 if( ctx == NULL )
523 return;
524
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]525 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]526}
527
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]528#if defined(MBEDTLS_CIPHER_MODE_XTS)
529void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
530{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]531 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]532
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]533 mbedtls_aes_init( &ctx->crypt );
534 mbedtls_aes_init( &ctx->tweak );
535}
536
537void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
538{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]539 if( ctx == NULL )
540 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]541
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]542 mbedtls_aes_free( &ctx->crypt );
543 mbedtls_aes_free( &ctx->tweak );
544}
545#endif /* MBEDTLS_CIPHER_MODE_XTS */
546
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]547/*
548 * AES key schedule (encryption)
549 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]550#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]551int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]552 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]554 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]555 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]556
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]557 AES_VALIDATE_RET( ctx != NULL );
558 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]560 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561 {
562 case 128: ctx->nr = 10; break;
563 case 192: ctx->nr = 12; break;
564 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]565 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]566 }
567
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]568#if !defined(MBEDTLS_AES_ROM_TABLES)
569 if( aes_init_done == 0 )
570 {
571 aes_gen_tables();
572 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]573 }
574#endif
575
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]576#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]577 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]578 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]579
580 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]581 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]582 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]583#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]584 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]585
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]586#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]587 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]588 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]589#endif
590
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]591 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]592 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]593 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]594 }
595
596 switch( ctx->nr )
597 {
598 case 10:
599
600 for( i = 0; i < 10; i++, RK += 4 )
601 {
602 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]603 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
604 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
605 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
606 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]607
608 RK[5] = RK[1] ^ RK[4];
609 RK[6] = RK[2] ^ RK[5];
610 RK[7] = RK[3] ^ RK[6];
611 }
612 break;
613
614 case 12:
615
616 for( i = 0; i < 8; i++, RK += 6 )
617 {
618 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]619 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
620 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
621 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
622 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623
624 RK[7] = RK[1] ^ RK[6];
625 RK[8] = RK[2] ^ RK[7];
626 RK[9] = RK[3] ^ RK[8];
627 RK[10] = RK[4] ^ RK[9];
628 RK[11] = RK[5] ^ RK[10];
629 }
630 break;
631
632 case 14:
633
634 for( i = 0; i < 7; i++, RK += 8 )
635 {
636 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]637 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
638 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
639 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
640 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]641
642 RK[9] = RK[1] ^ RK[8];
643 RK[10] = RK[2] ^ RK[9];
644 RK[11] = RK[3] ^ RK[10];
645
646 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]647 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
648 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
649 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
650 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]651
652 RK[13] = RK[5] ^ RK[12];
653 RK[14] = RK[6] ^ RK[13];
654 RK[15] = RK[7] ^ RK[14];
655 }
656 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]658
659 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]660}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]661#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]662
663/*
664 * AES key schedule (decryption)
665 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]666#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]667int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]668 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]669{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]670 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]671 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]672 uint32_t *RK;
673 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]674
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]675 AES_VALIDATE_RET( ctx != NULL );
676 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]677
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]678 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]679
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]680#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]681 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]682 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]683
684 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]685 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]686 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]687#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]688 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]689
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]690 /* Also checks keybits */
691 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]692 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]693
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]694 ctx->nr = cty.nr;
695
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]696#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]697 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]698 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]699 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]700 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]701 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]702 }
703#endif
704
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]705 SK = cty.rk + cty.nr * 4;
706
707 *RK++ = *SK++;
708 *RK++ = *SK++;
709 *RK++ = *SK++;
710 *RK++ = *SK++;
711
712 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
713 {
714 for( j = 0; j < 4; j++, SK++ )
715 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]716 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
717 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
718 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
719 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]720 }
721 }
722
723 *RK++ = *SK++;
724 *RK++ = *SK++;
725 *RK++ = *SK++;
726 *RK++ = *SK++;
727
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]728exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]729 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]730
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]731 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]732}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]733
734#if defined(MBEDTLS_CIPHER_MODE_XTS)
735static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
736 unsigned int keybits,
737 const unsigned char **key1,
738 unsigned int *key1bits,
739 const unsigned char **key2,
740 unsigned int *key2bits )
741{
742 const unsigned int half_keybits = keybits / 2;
743 const unsigned int half_keybytes = half_keybits / 8;
744
745 switch( keybits )
746 {
747 case 256: break;
748 case 512: break;
749 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
750 }
751
752 *key1bits = half_keybits;
753 *key2bits = half_keybits;
754 *key1 = &key[0];
755 *key2 = &key[half_keybytes];
756
757 return 0;
758}
759
760int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
761 const unsigned char *key,
762 unsigned int keybits)
763{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]764 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]765 const unsigned char *key1, *key2;
766 unsigned int key1bits, key2bits;
767
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]768 AES_VALIDATE_RET( ctx != NULL );
769 AES_VALIDATE_RET( key != NULL );
770
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]771 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
772 &key2, &key2bits );
773 if( ret != 0 )
774 return( ret );
775
776 /* Set the tweak key. Always set tweak key for the encryption mode. */
777 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set crypt key for encryption. */
782 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
783}
784
785int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
786 const unsigned char *key,
787 unsigned int keybits)
788{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]789 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]790 const unsigned char *key1, *key2;
791 unsigned int key1bits, key2bits;
792
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]793 AES_VALIDATE_RET( ctx != NULL );
794 AES_VALIDATE_RET( key != NULL );
795
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]796 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
797 &key2, &key2bits );
798 if( ret != 0 )
799 return( ret );
800
801 /* Set the tweak key. Always set tweak key for encryption. */
802 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set crypt key for decryption. */
807 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
808}
809#endif /* MBEDTLS_CIPHER_MODE_XTS */
810
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]811#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]812
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]813#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
814 do \
815 { \
816 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
817 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
818 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
819 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
820 \
821 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
822 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
823 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
824 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
825 \
826 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
827 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
828 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
829 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
830 \
831 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
832 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
833 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
834 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
835 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]836
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]837#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
838 do \
839 { \
840 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
841 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
842 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
843 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
844 \
845 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
846 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
847 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
848 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
849 \
850 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
851 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
852 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
853 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
854 \
855 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
856 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
857 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
858 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
859 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]860
861/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]862 * AES-ECB block encryption
863 */
864#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]865int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
866 const unsigned char input[16],
867 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]868{
869 int i;
870 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
871
872 RK = ctx->rk;
873
874 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
875 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
876 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
877 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
878
879 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
880 {
881 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
882 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
883 }
884
885 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
886
887 X0 = *RK++ ^ \
888 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
889 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
890 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
891 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
892
893 X1 = *RK++ ^ \
894 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
895 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
896 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
897 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
898
899 X2 = *RK++ ^ \
900 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
901 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
902 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
903 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
904
905 X3 = *RK++ ^ \
906 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
907 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
908 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
909 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
910
911 PUT_UINT32_LE( X0, output, 0 );
912 PUT_UINT32_LE( X1, output, 4 );
913 PUT_UINT32_LE( X2, output, 8 );
914 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]915
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]916 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
917 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
918 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
919 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
920
921 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
922 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
923 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
924 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
925
926 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
927
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]928 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]929}
930#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
931
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]932#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]933void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
934 const unsigned char input[16],
935 unsigned char output[16] )
936{
937 mbedtls_internal_aes_encrypt( ctx, input, output );
938}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]939#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]940
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]941/*
942 * AES-ECB block decryption
943 */
944#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]945int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
946 const unsigned char input[16],
947 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]948{
949 int i;
950 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
951
952 RK = ctx->rk;
953
954 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
955 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
956 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
957 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
958
959 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
960 {
961 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
962 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
963 }
964
965 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
966
967 X0 = *RK++ ^ \
968 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
969 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
970 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
971 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
972
973 X1 = *RK++ ^ \
974 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
975 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
976 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
977 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
978
979 X2 = *RK++ ^ \
980 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
981 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
982 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
983 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
984
985 X3 = *RK++ ^ \
986 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
987 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
988 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
989 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
990
991 PUT_UINT32_LE( X0, output, 0 );
992 PUT_UINT32_LE( X1, output, 4 );
993 PUT_UINT32_LE( X2, output, 8 );
994 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]995
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]996 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
997 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
998 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
999 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1000
1001 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1002 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1003 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1004 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1005
1006 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1007
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1008 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1009}
1010#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1011
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1012#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1013void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1014 const unsigned char input[16],
1015 unsigned char output[16] )
1016{
1017 mbedtls_internal_aes_decrypt( ctx, input, output );
1018}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1019#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1020
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1021/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1022 * AES-ECB block encryption/decryption
1023 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1024int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1025 int mode,
1026 const unsigned char input[16],
1027 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1028{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1029 AES_VALIDATE_RET( ctx != NULL );
1030 AES_VALIDATE_RET( input != NULL );
1031 AES_VALIDATE_RET( output != NULL );
1032 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1033 mode == MBEDTLS_AES_DECRYPT );
1034
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1035#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1036 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1037 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1038#endif
1039
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1040#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1041 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1042 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1044 return( 0 );
1045
1046 // If padlock data misaligned, we just fall back to
1047 // unaccelerated mode
1048 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1049 }
1050#endif
1051
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1052 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1053 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1054 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1055 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1056}
1057
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1058#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1059/*
1060 * AES-CBC buffer encryption/decryption
1061 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1062int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1063 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1064 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1065 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1066 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1067 unsigned char *output )
1068{
1069 int i;
1070 unsigned char temp[16];
1071
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1072 AES_VALIDATE_RET( ctx != NULL );
1073 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1074 mode == MBEDTLS_AES_DECRYPT );
1075 AES_VALIDATE_RET( iv != NULL );
1076 AES_VALIDATE_RET( input != NULL );
1077 AES_VALIDATE_RET( output != NULL );
1078
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1079 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1080 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1081
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1082#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1083 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1084 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1085 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1086 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1087
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1088 // If padlock data misaligned, we just fall back to
1089 // unaccelerated mode
1090 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1091 }
1092#endif
1093
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1094 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1095 {
1096 while( length > 0 )
1097 {
1098 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1099 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1100
1101 for( i = 0; i < 16; i++ )
1102 output[i] = (unsigned char)( output[i] ^ iv[i] );
1103
1104 memcpy( iv, temp, 16 );
1105
1106 input += 16;
1107 output += 16;
1108 length -= 16;
1109 }
1110 }
1111 else
1112 {
1113 while( length > 0 )
1114 {
1115 for( i = 0; i < 16; i++ )
1116 output[i] = (unsigned char)( input[i] ^ iv[i] );
1117
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1118 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1119 memcpy( iv, output, 16 );
1120
1121 input += 16;
1122 output += 16;
1123 length -= 16;
1124 }
1125 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1126
1127 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1128}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1129#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1130
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1131#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1132
1133/* Endianess with 64 bits values */
1134#ifndef GET_UINT64_LE
1135#define GET_UINT64_LE(n,b,i) \
1136{ \
1137 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1138 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1139 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1140 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1141 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1142 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1143 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1144 | ( (uint64_t) (b)[(i) ] ); \
1145}
1146#endif
1147
1148#ifndef PUT_UINT64_LE
1149#define PUT_UINT64_LE(n,b,i) \
1150{ \
1151 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1152 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1153 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1154 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1155 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1156 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1157 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1158 (b)[(i) ] = (unsigned char) ( (n) ); \
1159}
1160#endif
1161
1162typedef unsigned char mbedtls_be128[16];
1163
1164/*
1165 * GF(2^128) multiplication function
1166 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1167 * This function multiplies a field element by x in the polynomial field
1168 * representation. It uses 64-bit word operations to gain speed but compensates
1169 * for machine endianess and hence works correctly on both big and little
1170 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1171 */
1172static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1173 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1174{
1175 uint64_t a, b, ra, rb;
1176
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1177 GET_UINT64_LE( a, x, 0 );
1178 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1179
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1180 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1181 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1182
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1183 PUT_UINT64_LE( ra, r, 0 );
1184 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1185}
1186
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1187/*
1188 * AES-XTS buffer encryption/decryption
1189 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1190int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1191 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1192 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1193 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1194 const unsigned char *input,
1195 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1196{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1197 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1198 size_t blocks = length / 16;
1199 size_t leftover = length % 16;
1200 unsigned char tweak[16];
1201 unsigned char prev_tweak[16];
1202 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1203
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1204 AES_VALIDATE_RET( ctx != NULL );
1205 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1206 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1207 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1208 AES_VALIDATE_RET( input != NULL );
1209 AES_VALIDATE_RET( output != NULL );
1210
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1211 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1212 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1213 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1214
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1215 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1216 if( length > ( 1 << 20 ) * 16 )
1217 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1218
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1219 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1220 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1221 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1222 if( ret != 0 )
1223 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1224
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1225 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1226 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1227 size_t i;
1228
1229 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1230 {
1231 /* We are on the last block in a decrypt operation that has
1232 * leftover bytes, so we need to use the next tweak for this block,
1233 * and this tweak for the lefover bytes. Save the current tweak for
1234 * the leftovers and then update the current tweak for use on this,
1235 * the last full block. */
1236 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1237 mbedtls_gf128mul_x_ble( tweak, tweak );
1238 }
1239
1240 for( i = 0; i < 16; i++ )
1241 tmp[i] = input[i] ^ tweak[i];
1242
1243 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1244 if( ret != 0 )
1245 return( ret );
1246
1247 for( i = 0; i < 16; i++ )
1248 output[i] = tmp[i] ^ tweak[i];
1249
1250 /* Update the tweak for the next block. */
1251 mbedtls_gf128mul_x_ble( tweak, tweak );
1252
1253 output += 16;
1254 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1255 }
1256
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1257 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1258 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1259 /* If we are on the leftover bytes in a decrypt operation, we need to
1260 * use the previous tweak for these bytes (as saved in prev_tweak). */
1261 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1262
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1263 /* We are now on the final part of the data unit, which doesn't divide
1264 * evenly by 16. It's time for ciphertext stealing. */
1265 size_t i;
1266 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1267
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1268 /* Copy ciphertext bytes from the previous block to our output for each
1269 * byte of cyphertext we won't steal. At the same time, copy the
1270 * remainder of the input for this final round (since the loop bounds
1271 * are the same). */
1272 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1273 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1274 output[i] = prev_output[i];
1275 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1276 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1277
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1278 /* Copy ciphertext bytes from the previous block for input in this
1279 * round. */
1280 for( ; i < 16; i++ )
1281 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1282
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1283 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1284 if( ret != 0 )
1285 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1286
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1287 /* Write the result back to the previous block, overriding the previous
1288 * output we copied. */
1289 for( i = 0; i < 16; i++ )
1290 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1291 }
1292
1293 return( 0 );
1294}
1295#endif /* MBEDTLS_CIPHER_MODE_XTS */
1296
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1297#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1298/*
1299 * AES-CFB128 buffer encryption/decryption
1300 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1301int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1302 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1303 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1304 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1305 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1306 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1307 unsigned char *output )
1308{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1309 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1310 size_t n;
1311
1312 AES_VALIDATE_RET( ctx != NULL );
1313 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1314 mode == MBEDTLS_AES_DECRYPT );
1315 AES_VALIDATE_RET( iv_off != NULL );
1316 AES_VALIDATE_RET( iv != NULL );
1317 AES_VALIDATE_RET( input != NULL );
1318 AES_VALIDATE_RET( output != NULL );
1319
1320 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1321
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1322 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1323 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1324
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1325 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1326 {
1327 while( length-- )
1328 {
1329 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1330 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1331
1332 c = *input++;
1333 *output++ = (unsigned char)( c ^ iv[n] );
1334 iv[n] = (unsigned char) c;
1335
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1336 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337 }
1338 }
1339 else
1340 {
1341 while( length-- )
1342 {
1343 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1344 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1345
1346 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1347
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1348 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1349 }
1350 }
1351
1352 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1353
1354 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1356
1357/*
1358 * AES-CFB8 buffer encryption/decryption
1359 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1360int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1361 int mode,
1362 size_t length,
1363 unsigned char iv[16],
1364 const unsigned char *input,
1365 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1366{
1367 unsigned char c;
1368 unsigned char ov[17];
1369
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1370 AES_VALIDATE_RET( ctx != NULL );
1371 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1372 mode == MBEDTLS_AES_DECRYPT );
1373 AES_VALIDATE_RET( iv != NULL );
1374 AES_VALIDATE_RET( input != NULL );
1375 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1376 while( length-- )
1377 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1378 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1379 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1380
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1381 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1382 ov[16] = *input;
1383
1384 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1385
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1386 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1387 ov[16] = c;
1388
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1389 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1390 }
1391
1392 return( 0 );
1393}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1394#endif /* MBEDTLS_CIPHER_MODE_CFB */
1395
1396#if defined(MBEDTLS_CIPHER_MODE_OFB)
1397/*
1398 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1399 */
1400int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1401 size_t length,
1402 size_t *iv_off,
1403 unsigned char iv[16],
1404 const unsigned char *input,
1405 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1406{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1407 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1408 size_t n;
1409
1410 AES_VALIDATE_RET( ctx != NULL );
1411 AES_VALIDATE_RET( iv_off != NULL );
1412 AES_VALIDATE_RET( iv != NULL );
1413 AES_VALIDATE_RET( input != NULL );
1414 AES_VALIDATE_RET( output != NULL );
1415
1416 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1417
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1418 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1419 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1420
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1421 while( length-- )
1422 {
1423 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1424 {
1425 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1426 if( ret != 0 )
1427 goto exit;
1428 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1429 *output++ = *input++ ^ iv[n];
1430
1431 n = ( n + 1 ) & 0x0F;
1432 }
1433
1434 *iv_off = n;
1435
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1436exit:
1437 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1438}
1439#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1440
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1441#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1442/*
1443 * AES-CTR buffer encryption/decryption
1444 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1445int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1446 size_t length,
1447 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1448 unsigned char nonce_counter[16],
1449 unsigned char stream_block[16],
1450 const unsigned char *input,
1451 unsigned char *output )
1452{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1453 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1454 size_t n;
1455
1456 AES_VALIDATE_RET( ctx != NULL );
1457 AES_VALIDATE_RET( nc_off != NULL );
1458 AES_VALIDATE_RET( nonce_counter != NULL );
1459 AES_VALIDATE_RET( stream_block != NULL );
1460 AES_VALIDATE_RET( input != NULL );
1461 AES_VALIDATE_RET( output != NULL );
1462
1463 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1464
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1465 if ( n > 0x0F )
1466 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1467
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1468 while( length-- )
1469 {
1470 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1471 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1472
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1473 for( i = 16; i > 0; i-- )
1474 if( ++nonce_counter[i - 1] != 0 )
1475 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1476 }
1477 c = *input++;
1478 *output++ = (unsigned char)( c ^ stream_block[n] );
1479
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1480 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1481 }
1482
1483 *nc_off = n;
1484
1485 return( 0 );
1486}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1487#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1488
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1489#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1490
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1491#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1492/*
1493 * AES test vectors from:
1494 *
1495 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1496 */
1497static const unsigned char aes_test_ecb_dec[3][16] =
1498{
1499 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1500 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1501 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1502 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1503 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1504 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1505};
1506
1507static const unsigned char aes_test_ecb_enc[3][16] =
1508{
1509 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1510 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1511 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1512 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1513 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1514 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1515};
1516
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1517#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1518static const unsigned char aes_test_cbc_dec[3][16] =
1519{
1520 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1521 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1522 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1523 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1524 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1525 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1526};
1527
1528static const unsigned char aes_test_cbc_enc[3][16] =
1529{
1530 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1531 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1532 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1533 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1534 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1535 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1536};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1537#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1538
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1539#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1540/*
1541 * AES-CFB128 test vectors from:
1542 *
1543 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1544 */
1545static const unsigned char aes_test_cfb128_key[3][32] =
1546{
1547 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1548 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1549 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1550 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1551 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1552 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1553 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1554 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1555 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1556};
1557
1558static const unsigned char aes_test_cfb128_iv[16] =
1559{
1560 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1561 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1562};
1563
1564static const unsigned char aes_test_cfb128_pt[64] =
1565{
1566 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1567 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1568 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1569 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1570 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1571 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1572 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1573 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1574};
1575
1576static const unsigned char aes_test_cfb128_ct[3][64] =
1577{
1578 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1579 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1580 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1581 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1582 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1583 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1584 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1585 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1586 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1587 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1588 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1589 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1590 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1591 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1592 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1593 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1594 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1595 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1596 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1597 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1598 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1599 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1600 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1601 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1602};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1603#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1604
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1605#if defined(MBEDTLS_CIPHER_MODE_OFB)
1606/*
1607 * AES-OFB test vectors from:
1608 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1609 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1610 */
1611static const unsigned char aes_test_ofb_key[3][32] =
1612{
1613 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1614 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1615 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1616 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1617 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1618 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1619 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1620 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1621 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1622};
1623
1624static const unsigned char aes_test_ofb_iv[16] =
1625{
1626 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1627 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1628};
1629
1630static const unsigned char aes_test_ofb_pt[64] =
1631{
1632 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1633 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1634 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1635 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1636 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1637 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1638 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1639 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1640};
1641
1642static const unsigned char aes_test_ofb_ct[3][64] =
1643{
1644 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1645 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1646 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1647 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1648 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1649 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1650 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1651 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1652 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1653 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1654 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1655 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1656 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1657 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1658 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1659 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1660 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1661 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1662 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1663 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1664 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1665 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1666 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1667 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1668};
1669#endif /* MBEDTLS_CIPHER_MODE_OFB */
1670
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1671#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1672/*
1673 * AES-CTR test vectors from:
1674 *
1675 * http://www.faqs.org/rfcs/rfc3686.html
1676 */
1677
1678static const unsigned char aes_test_ctr_key[3][16] =
1679{
1680 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1681 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1682 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1683 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1684 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1685 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1686};
1687
1688static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1689{
1690 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1692 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1693 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1694 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1695 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1696};
1697
1698static const unsigned char aes_test_ctr_pt[3][48] =
1699{
1700 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1701 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1702
1703 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1704 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1705 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1706 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1707
1708 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1709 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1710 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1711 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1712 0x20, 0x21, 0x22, 0x23 }
1713};
1714
1715static const unsigned char aes_test_ctr_ct[3][48] =
1716{
1717 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1718 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1719 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1720 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1721 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1722 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1723 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1724 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1725 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1726 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1727 0x25, 0xB2, 0x07, 0x2F }
1728};
1729
1730static const int aes_test_ctr_len[3] =
1731 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1732#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1733
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1734#if defined(MBEDTLS_CIPHER_MODE_XTS)
1735/*
1736 * AES-XTS test vectors from:
1737 *
1738 * IEEE P1619/D16 Annex B
1739 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1740 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1741 */
1742static const unsigned char aes_test_xts_key[][32] =
1743{
1744 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1748 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1749 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1750 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1751 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1752 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1753 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1754 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1755 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1756};
1757
1758static const unsigned char aes_test_xts_pt32[][32] =
1759{
1760 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1763 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1764 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1765 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1766 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1767 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1768 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1769 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1770 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1771 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1772};
1773
1774static const unsigned char aes_test_xts_ct32[][32] =
1775{
1776 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1777 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1778 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1779 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1780 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1781 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1782 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1783 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1784 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1785 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1786 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1787 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1788};
1789
1790static const unsigned char aes_test_xts_data_unit[][16] =
1791{
1792 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1794 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1796 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1797 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1798};
1799
1800#endif /* MBEDTLS_CIPHER_MODE_XTS */
1801
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1802/*
1803 * Checkup routine
1804 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1805int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1806{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1807 int ret = 0, i, j, u, mode;
1808 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1809 unsigned char key[32];
1810 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1811 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1812#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1813 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1814#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1815#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1816 unsigned char prv[16];
1817#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1818#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1819 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1820 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1821#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1822#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1823 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1824#endif
1825#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1826 unsigned char nonce_counter[16];
1827 unsigned char stream_block[16];
1828#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1829 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1830
1831 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1832 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1833
1834 /*
1835 * ECB mode
1836 */
1837 for( i = 0; i < 6; i++ )
1838 {
1839 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1840 keybits = 128 + u * 64;
1841 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1842
1843 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1844 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1845 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1846
1847 memset( buf, 0, 16 );
1848
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1849 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1850 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1851 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1852 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1853 }
1854 else
1855 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1856 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1857 aes_tests = aes_test_ecb_enc[u];
1858 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1860 /*
1861 * AES-192 is an optional feature that may be unavailable when
1862 * there is an alternative underlying implementation i.e. when
1863 * MBEDTLS_AES_ALT is defined.
1864 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1865 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1866 {
1867 mbedtls_printf( "skipped\n" );
1868 continue;
1869 }
1870 else if( ret != 0 )
1871 {
1872 goto exit;
1873 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1874
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1875 for( j = 0; j < 10000; j++ )
1876 {
1877 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1878 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1879 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1880 }
1881
1882 if( memcmp( buf, aes_tests, 16 ) != 0 )
1883 {
1884 ret = 1;
1885 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1886 }
1887
1888 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1889 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1890 }
1891
1892 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1893 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1894
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1895#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896 /*
1897 * CBC mode
1898 */
1899 for( i = 0; i < 6; i++ )
1900 {
1901 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1902 keybits = 128 + u * 64;
1903 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1904
1905 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1906 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1907 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1908
1909 memset( iv , 0, 16 );
1910 memset( prv, 0, 16 );
1911 memset( buf, 0, 16 );
1912
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1913 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1914 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1915 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1916 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1917 }
1918 else
1919 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1920 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1921 aes_tests = aes_test_cbc_enc[u];
1922 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1924 /*
1925 * AES-192 is an optional feature that may be unavailable when
1926 * there is an alternative underlying implementation i.e. when
1927 * MBEDTLS_AES_ALT is defined.
1928 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1929 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1930 {
1931 mbedtls_printf( "skipped\n" );
1932 continue;
1933 }
1934 else if( ret != 0 )
1935 {
1936 goto exit;
1937 }
1938
1939 for( j = 0; j < 10000; j++ )
1940 {
1941 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1942 {
1943 unsigned char tmp[16];
1944
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1945 memcpy( tmp, prv, 16 );
1946 memcpy( prv, buf, 16 );
1947 memcpy( buf, tmp, 16 );
1948 }
1949
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1950 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1951 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1952 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1953
1954 }
1955
1956 if( memcmp( buf, aes_tests, 16 ) != 0 )
1957 {
1958 ret = 1;
1959 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1960 }
1961
1962 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1963 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1964 }
1965
1966 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1967 mbedtls_printf( "\n" );
1968#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1969
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1970#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1971 /*
1972 * CFB128 mode
1973 */
1974 for( i = 0; i < 6; i++ )
1975 {
1976 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1977 keybits = 128 + u * 64;
1978 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1979
1980 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]1981 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1982 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1983
1984 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1985 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1986
1987 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1988 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1989 /*
1990 * AES-192 is an optional feature that may be unavailable when
1991 * there is an alternative underlying implementation i.e. when
1992 * MBEDTLS_AES_ALT is defined.
1993 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1994 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1995 {
1996 mbedtls_printf( "skipped\n" );
1997 continue;
1998 }
1999 else if( ret != 0 )
2000 {
2001 goto exit;
2002 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2003
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2004 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2005 {
2006 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2007 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2008 }
2009 else
2010 {
2011 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2012 aes_tests = aes_test_cfb128_ct[u];
2013 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2014
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2015 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2016 if( ret != 0 )
2017 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2018
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2019 if( memcmp( buf, aes_tests, 64 ) != 0 )
2020 {
2021 ret = 1;
2022 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2023 }
2024
2025 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2026 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2027 }
2028
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2029 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2030 mbedtls_printf( "\n" );
2031#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2032
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2033#if defined(MBEDTLS_CIPHER_MODE_OFB)
2034 /*
2035 * OFB mode
2036 */
2037 for( i = 0; i < 6; i++ )
2038 {
2039 u = i >> 1;
2040 keybits = 128 + u * 64;
2041 mode = i & 1;
2042
2043 if( verbose != 0 )
Kenneth Soerensen518d4352020-04-01 17:22:45 +0200[diff] [blame]2044 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2045 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2046
2047 memcpy( iv, aes_test_ofb_iv, 16 );
2048 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2049
2050 offset = 0;
2051 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2052 /*
2053 * AES-192 is an optional feature that may be unavailable when
2054 * there is an alternative underlying implementation i.e. when
2055 * MBEDTLS_AES_ALT is defined.
2056 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2057 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2058 {
2059 mbedtls_printf( "skipped\n" );
2060 continue;
2061 }
2062 else if( ret != 0 )
2063 {
2064 goto exit;
2065 }
2066
2067 if( mode == MBEDTLS_AES_DECRYPT )
2068 {
2069 memcpy( buf, aes_test_ofb_ct[u], 64 );
2070 aes_tests = aes_test_ofb_pt;
2071 }
2072 else
2073 {
2074 memcpy( buf, aes_test_ofb_pt, 64 );
2075 aes_tests = aes_test_ofb_ct[u];
2076 }
2077
2078 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2079 if( ret != 0 )
2080 goto exit;
2081
2082 if( memcmp( buf, aes_tests, 64 ) != 0 )
2083 {
2084 ret = 1;
2085 goto exit;
2086 }
2087
2088 if( verbose != 0 )
2089 mbedtls_printf( "passed\n" );
2090 }
2091
2092 if( verbose != 0 )
2093 mbedtls_printf( "\n" );
2094#endif /* MBEDTLS_CIPHER_MODE_OFB */
2095
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2096#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2097 /*
2098 * CTR mode
2099 */
2100 for( i = 0; i < 6; i++ )
2101 {
2102 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2103 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2104
2105 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2106 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2107 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2108
2109 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2110 memcpy( key, aes_test_ctr_key[u], 16 );
2111
2112 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2113 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2114 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2115
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2116 len = aes_test_ctr_len[u];
2117
2118 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2119 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2120 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2121 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2122 }
2123 else
2124 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2125 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2126 aes_tests = aes_test_ctr_ct[u];
2127 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2128
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2129 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2130 stream_block, buf, buf );
2131 if( ret != 0 )
2132 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2133
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2134 if( memcmp( buf, aes_tests, len ) != 0 )
2135 {
2136 ret = 1;
2137 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2138 }
2139
2140 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2141 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2142 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2143
2144 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2145 mbedtls_printf( "\n" );
2146#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2147
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2148#if defined(MBEDTLS_CIPHER_MODE_XTS)
2149 {
2150 static const int num_tests =
2151 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2152 mbedtls_aes_xts_context ctx_xts;
2153
2154 /*
2155 * XTS mode
2156 */
2157 mbedtls_aes_xts_init( &ctx_xts );
2158
2159 for( i = 0; i < num_tests << 1; i++ )
2160 {
2161 const unsigned char *data_unit;
2162 u = i >> 1;
2163 mode = i & 1;
2164
2165 if( verbose != 0 )
2166 mbedtls_printf( " AES-XTS-128 (%s): ",
2167 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2168
2169 memset( key, 0, sizeof( key ) );
2170 memcpy( key, aes_test_xts_key[u], 32 );
2171 data_unit = aes_test_xts_data_unit[u];
2172
2173 len = sizeof( *aes_test_xts_ct32 );
2174
2175 if( mode == MBEDTLS_AES_DECRYPT )
2176 {
2177 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2178 if( ret != 0)
2179 goto exit;
2180 memcpy( buf, aes_test_xts_ct32[u], len );
2181 aes_tests = aes_test_xts_pt32[u];
2182 }
2183 else
2184 {
2185 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2186 if( ret != 0)
2187 goto exit;
2188 memcpy( buf, aes_test_xts_pt32[u], len );
2189 aes_tests = aes_test_xts_ct32[u];
2190 }
2191
2192
2193 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2194 buf, buf );
2195 if( ret != 0 )
2196 goto exit;
2197
2198 if( memcmp( buf, aes_tests, len ) != 0 )
2199 {
2200 ret = 1;
2201 goto exit;
2202 }
2203
2204 if( verbose != 0 )
2205 mbedtls_printf( "passed\n" );
2206 }
2207
2208 if( verbose != 0 )
2209 mbedtls_printf( "\n" );
2210
2211 mbedtls_aes_xts_free( &ctx_xts );
2212 }
2213#endif /* MBEDTLS_CIPHER_MODE_XTS */
2214
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2215 ret = 0;
2216
2217exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2218 if( ret != 0 && verbose != 0 )
2219 mbedtls_printf( "failed\n" );
2220
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2221 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2222
2223 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2224}
2225
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2226#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2227
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2228#endif /* MBEDTLS_AES_C */