Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / aead02cce9abecf6e229cc86035683ecb0650c93 / . / library / aes.c
blob: 604d0f3d7f7c9450f65d1f0b48781df0e3fc0fc1 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-197 compliant AES implementation
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21/*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]30#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]31#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]32#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]34#if defined(MBEDTLS_AES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]36#include <string.h>
37
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]38#include "mbedtls/aes.h"
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]39#include "mbedtls/platform.h"
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]40#include "mbedtls/platform_util.h"
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]41#include "mbedtls/error.h"
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]42#if defined(MBEDTLS_PADLOCK_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]43#include "mbedtls/padlock.h"
Paul Bakker67820bd2012-06-04 12:47:23 +0000[diff] [blame]44#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]45#if defined(MBEDTLS_AESNI_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]46#include "mbedtls/aesni.h"
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]47#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]48
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]49#if defined(MBEDTLS_SELF_TEST)
50#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]51#include "mbedtls/platform.h"
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]52#else
Rich Evans00ab4702015-02-06 13:43:58 +0000[diff] [blame]53#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]54#define mbedtls_printf printf
55#endif /* MBEDTLS_PLATFORM_C */
56#endif /* MBEDTLS_SELF_TEST */
Paul Bakker7dc4c442014-02-01 22:50:26 +0100[diff] [blame]57
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]58#if !defined(MBEDTLS_AES_ALT)
Paul Bakker90995b52013-06-24 19:20:35 +0200[diff] [blame]59
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]60/* Parameter validation macros based on platform_util.h */
61#define AES_VALIDATE_RET( cond ) \
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]62 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]63#define AES_VALIDATE( cond ) \
64 MBEDTLS_INTERNAL_VALIDATE( cond )
65
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]66/*
67 * 32-bit integer manipulation macros (little endian)
68 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]69#ifndef GET_UINT32_LE
70#define GET_UINT32_LE(n,b,i) \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]71{ \
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]72 (n) = ( (uint32_t) (b)[(i) ] ) \
73 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
74 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
75 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]76}
77#endif
78
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]79#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnardceedb822015-01-23 15:02:43 +0000[diff] [blame]80#define PUT_UINT32_LE(n,b,i) \
81{ \
82 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
83 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
84 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
85 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]86}
87#endif
88
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]89#if defined(MBEDTLS_PADLOCK_C) && \
90 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]91static int aes_padlock_ace = -1;
92#endif
93
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]94#if defined(MBEDTLS_AES_ROM_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95/*
96 * Forward S-box
97 */
98static const unsigned char FSb[256] =
99{
100 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
101 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
102 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
103 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
104 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
105 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
106 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
107 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
108 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
109 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
110 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
111 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
112 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
113 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
114 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
115 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
116 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
117 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
118 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
119 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
120 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
121 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
122 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
123 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
124 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
125 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
126 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
127 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
128 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
129 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
130 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
131 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
132};
133
134/*
135 * Forward tables
136 */
137#define FT \
138\
139 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
140 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
141 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
142 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
143 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
144 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
145 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
146 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
147 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
148 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
149 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
150 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
151 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
152 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
153 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
154 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
155 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
156 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
157 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
158 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
159 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
160 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
161 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
162 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
163 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
164 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
165 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
166 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
167 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
168 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
169 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
170 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
171 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
172 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
173 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
174 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
175 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
176 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
177 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
178 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
179 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
180 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
181 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
182 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
183 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
184 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
185 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
186 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
187 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
188 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
189 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
190 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
191 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
192 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
193 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
194 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
195 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
196 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
197 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
198 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
199 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
200 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
201 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
202 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
203
204#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]205static const uint32_t FT0[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]206#undef V
207
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]208#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]209
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]211static const uint32_t FT1[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]212#undef V
213
214#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]215static const uint32_t FT2[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]216#undef V
217
218#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]219static const uint32_t FT3[256] = { FT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]220#undef V
221
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]222#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]223
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]224#undef FT
225
226/*
227 * Reverse S-box
228 */
229static const unsigned char RSb[256] =
230{
231 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
232 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
233 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
234 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
235 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
236 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
237 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
238 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
239 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
240 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
241 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
242 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
243 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
244 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
245 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
246 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
247 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
248 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
249 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
250 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
251 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
252 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
253 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
254 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
256 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
257 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
258 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
259 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
260 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
261 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
262 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
263};
264
265/*
266 * Reverse tables
267 */
268#define RT \
269\
270 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
271 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
272 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
273 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
274 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
275 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
276 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
277 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
278 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
279 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
280 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
281 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
282 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
283 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
284 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
285 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
286 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
287 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
288 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
289 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
290 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
291 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
292 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
293 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
294 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
295 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
296 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
297 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
298 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
299 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
300 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
301 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
302 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
303 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
304 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
305 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
306 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
307 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
308 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
309 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
310 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
311 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
312 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
313 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
314 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
315 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
316 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
317 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
318 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
319 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
320 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
321 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
322 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
323 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
324 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
325 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
326 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
327 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
328 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
329 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
330 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
331 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
332 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
333 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
334
335#define V(a,b,c,d) 0x##a##b##c##d
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]336static const uint32_t RT0[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]337#undef V
338
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]339#if !defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]340
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]341#define V(a,b,c,d) 0x##b##c##d##a
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]342static const uint32_t RT1[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]343#undef V
344
345#define V(a,b,c,d) 0x##c##d##a##b
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]346static const uint32_t RT2[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]347#undef V
348
349#define V(a,b,c,d) 0x##d##a##b##c
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]350static const uint32_t RT3[256] = { RT };
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]351#undef V
352
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]353#endif /* !MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]354
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]355#undef RT
356
357/*
358 * Round constants
359 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]360static const uint32_t RCON[10] =
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]361{
362 0x00000001, 0x00000002, 0x00000004, 0x00000008,
363 0x00000010, 0x00000020, 0x00000040, 0x00000080,
364 0x0000001B, 0x00000036
365};
366
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]367#else /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]368
369/*
370 * Forward S-box & tables
371 */
372static unsigned char FSb[256];
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]373static uint32_t FT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]374#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]375static uint32_t FT1[256];
376static uint32_t FT2[256];
377static uint32_t FT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]378#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]379
380/*
381 * Reverse S-box & tables
382 */
383static unsigned char RSb[256];
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]384static uint32_t RT0[256];
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]385#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]386static uint32_t RT1[256];
387static uint32_t RT2[256];
388static uint32_t RT3[256];
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]389#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390
391/*
392 * Round constants
393 */
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]394static uint32_t RCON[10];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]395
396/*
397 * Tables generation code
398 */
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]399#define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
400#define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
Hanno Becker818bac52018-10-26 09:13:26 +0100[diff] [blame]401#define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]402
403static int aes_init_done = 0;
404
405static void aes_gen_tables( void )
406{
407 int i, x, y, z;
408 int pow[256];
409 int log[256];
410
411 /*
412 * compute pow and log tables over GF(2^8)
413 */
414 for( i = 0, x = 1; i < 256; i++ )
415 {
416 pow[i] = x;
417 log[x] = i;
418 x = ( x ^ XTIME( x ) ) & 0xFF;
419 }
420
421 /*
422 * calculate the round constants
423 */
424 for( i = 0, x = 1; i < 10; i++ )
425 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]426 RCON[i] = (uint32_t) x;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]427 x = XTIME( x ) & 0xFF;
428 }
429
430 /*
431 * generate the forward and reverse S-boxes
432 */
433 FSb[0x00] = 0x63;
434 RSb[0x63] = 0x00;
435
436 for( i = 1; i < 256; i++ )
437 {
438 x = pow[255 - log[i]];
439
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]440 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
443 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]444 x ^= y ^ 0x63;
445
446 FSb[i] = (unsigned char) x;
447 RSb[x] = (unsigned char) i;
448 }
449
450 /*
451 * generate the forward and reverse tables
452 */
453 for( i = 0; i < 256; i++ )
454 {
455 x = FSb[i];
456 y = XTIME( x ) & 0xFF;
457 z = ( y ^ x ) & 0xFF;
458
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]459 FT0[i] = ( (uint32_t) y ) ^
460 ( (uint32_t) x << 8 ) ^
461 ( (uint32_t) x << 16 ) ^
462 ( (uint32_t) z << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]463
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]464#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]465 FT1[i] = ROTL8( FT0[i] );
466 FT2[i] = ROTL8( FT1[i] );
467 FT3[i] = ROTL8( FT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]468#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]469
470 x = RSb[i];
471
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]472 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
473 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
474 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
475 ( (uint32_t) MUL( 0x0B, x ) << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]476
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]477#if !defined(MBEDTLS_AES_FEWER_TABLES)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]478 RT1[i] = ROTL8( RT0[i] );
479 RT2[i] = ROTL8( RT1[i] );
480 RT3[i] = ROTL8( RT2[i] );
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]481#endif /* !MBEDTLS_AES_FEWER_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]482 }
483}
484
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]485#undef ROTL8
486
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]487#endif /* MBEDTLS_AES_ROM_TABLES */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]488
Hanno Beckerad049a92017-06-19 16:31:54 +0100[diff] [blame]489#if defined(MBEDTLS_AES_FEWER_TABLES)
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]490
491#define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
492#define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
493#define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
494
495#define AES_RT0(idx) RT0[idx]
496#define AES_RT1(idx) ROTL8( RT0[idx] )
497#define AES_RT2(idx) ROTL16( RT0[idx] )
498#define AES_RT3(idx) ROTL24( RT0[idx] )
499
500#define AES_FT0(idx) FT0[idx]
501#define AES_FT1(idx) ROTL8( FT0[idx] )
502#define AES_FT2(idx) ROTL16( FT0[idx] )
503#define AES_FT3(idx) ROTL24( FT0[idx] )
504
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]505#else /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]506
507#define AES_RT0(idx) RT0[idx]
508#define AES_RT1(idx) RT1[idx]
509#define AES_RT2(idx) RT2[idx]
510#define AES_RT3(idx) RT3[idx]
511
512#define AES_FT0(idx) FT0[idx]
513#define AES_FT1(idx) FT1[idx]
514#define AES_FT2(idx) FT2[idx]
515#define AES_FT3(idx) FT3[idx]
516
Hanno Becker177d3cf2017-06-07 15:52:48 +0100[diff] [blame]517#endif /* MBEDTLS_AES_FEWER_TABLES */
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]518
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]519void mbedtls_aes_init( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]520{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]521 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]523 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]524}
525
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]526void mbedtls_aes_free( mbedtls_aes_context *ctx )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]527{
528 if( ctx == NULL )
529 return;
530
Andres Amaya Garcia1f6301b2018-04-17 09:51:09 -0500[diff] [blame]531 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]532}
533
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]534#if defined(MBEDTLS_CIPHER_MODE_XTS)
535void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
536{
Manuel Pégourié-Gonnard0e9cddb2018-12-10 16:37:51 +0100[diff] [blame]537 AES_VALIDATE( ctx != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]538
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]539 mbedtls_aes_init( &ctx->crypt );
540 mbedtls_aes_init( &ctx->tweak );
541}
542
543void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
544{
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]545 if( ctx == NULL )
546 return;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]547
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]548 mbedtls_aes_free( &ctx->crypt );
549 mbedtls_aes_free( &ctx->tweak );
550}
551#endif /* MBEDTLS_CIPHER_MODE_XTS */
552
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]553/*
554 * AES key schedule (encryption)
555 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]556#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]557int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]558 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]559{
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]560 unsigned int i;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]561 uint32_t *RK;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]562
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]563 AES_VALIDATE_RET( ctx != NULL );
564 AES_VALIDATE_RET( key != NULL );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]565
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]566 switch( keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567 {
568 case 128: ctx->nr = 10; break;
569 case 192: ctx->nr = 12; break;
570 case 256: ctx->nr = 14; break;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]571 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]572 }
573
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]574#if !defined(MBEDTLS_AES_ROM_TABLES)
575 if( aes_init_done == 0 )
576 {
577 aes_gen_tables();
578 aes_init_done = 1;
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]579 }
580#endif
581
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]582#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]583 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]584 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]585
586 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]587 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]588 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]589#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]590 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]591
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]592#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]593 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]594 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
Manuel Pégourié-Gonnard47a35362013-12-28 20:45:04 +0100[diff] [blame]595#endif
596
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]597 for( i = 0; i < ( keybits >> 5 ); i++ )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]598 {
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]599 GET_UINT32_LE( RK[i], key, i << 2 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]600 }
601
602 switch( ctx->nr )
603 {
604 case 10:
605
606 for( i = 0; i < 10; i++, RK += 4 )
607 {
608 RK[4] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]609 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
611 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
612 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613
614 RK[5] = RK[1] ^ RK[4];
615 RK[6] = RK[2] ^ RK[5];
616 RK[7] = RK[3] ^ RK[6];
617 }
618 break;
619
620 case 12:
621
622 for( i = 0; i < 8; i++, RK += 6 )
623 {
624 RK[6] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]625 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
627 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
628 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]629
630 RK[7] = RK[1] ^ RK[6];
631 RK[8] = RK[2] ^ RK[7];
632 RK[9] = RK[3] ^ RK[8];
633 RK[10] = RK[4] ^ RK[9];
634 RK[11] = RK[5] ^ RK[10];
635 }
636 break;
637
638 case 14:
639
640 for( i = 0; i < 7; i++, RK += 8 )
641 {
642 RK[8] = RK[0] ^ RCON[i] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]643 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
645 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
646 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]647
648 RK[9] = RK[1] ^ RK[8];
649 RK[10] = RK[2] ^ RK[9];
650 RK[11] = RK[3] ^ RK[10];
651
652 RK[12] = RK[4] ^
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]653 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
656 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657
658 RK[13] = RK[5] ^ RK[12];
659 RK[14] = RK[6] ^ RK[13];
660 RK[15] = RK[7] ^ RK[14];
661 }
662 break;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]663 }
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]664
665 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]666}
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]667#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]668
669/*
670 * AES key schedule (decryption)
671 */
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]672#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]673int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]674 unsigned int keybits )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]675{
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]676 int i, j, ret;
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]677 mbedtls_aes_context cty;
Paul Bakker5c2364c2012-10-01 14:41:15 +0000[diff] [blame]678 uint32_t *RK;
679 uint32_t *SK;
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]680
Manuel Pégourié-Gonnard44c5d582018-12-10 16:56:14 +0100[diff] [blame]681 AES_VALIDATE_RET( ctx != NULL );
682 AES_VALIDATE_RET( key != NULL );
Simon Butcher5201e412018-12-06 17:40:14 +0000[diff] [blame]683
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]684 mbedtls_aes_init( &cty );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]685
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]686#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]687 if( aes_padlock_ace == -1 )
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]688 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]689
690 if( aes_padlock_ace )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]691 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]692 else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]693#endif
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]694 ctx->rk = RK = ctx->buf;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]695
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200[diff] [blame]696 /* Also checks keybits */
697 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]698 goto exit;
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]699
Manuel Pégourié-Gonnardafd5a082014-05-28 21:52:59 +0200[diff] [blame]700 ctx->nr = cty.nr;
701
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]702#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]703 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]704 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]705 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]706 (const unsigned char *) cty.rk, ctx->nr );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]707 goto exit;
Manuel Pégourié-Gonnard01e31bb2013-12-28 15:58:30 +0100[diff] [blame]708 }
709#endif
710
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]711 SK = cty.rk + cty.nr * 4;
712
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716 *RK++ = *SK++;
717
718 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
719 {
720 for( j = 0; j < 4; j++, SK++ )
721 {
Jussi Kivilinna2fd1bb82015-11-12 16:38:31 +0200[diff] [blame]722 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
723 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
724 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
725 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]726 }
727 }
728
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732 *RK++ = *SK++;
733
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]734exit:
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]735 mbedtls_aes_free( &cty );
Paul Bakker2b222c82009-07-27 21:03:45 +0000[diff] [blame]736
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]737 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]738}
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]739
740#if defined(MBEDTLS_CIPHER_MODE_XTS)
741static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
742 unsigned int keybits,
743 const unsigned char **key1,
744 unsigned int *key1bits,
745 const unsigned char **key2,
746 unsigned int *key2bits )
747{
748 const unsigned int half_keybits = keybits / 2;
749 const unsigned int half_keybytes = half_keybits / 8;
750
751 switch( keybits )
752 {
753 case 256: break;
754 case 512: break;
755 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
756 }
757
758 *key1bits = half_keybits;
759 *key2bits = half_keybits;
760 *key1 = &key[0];
761 *key2 = &key[half_keybytes];
762
763 return 0;
764}
765
766int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
767 const unsigned char *key,
768 unsigned int keybits)
769{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]770 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]771 const unsigned char *key1, *key2;
772 unsigned int key1bits, key2bits;
773
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]774 AES_VALIDATE_RET( ctx != NULL );
775 AES_VALIDATE_RET( key != NULL );
776
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]777 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
778 &key2, &key2bits );
779 if( ret != 0 )
780 return( ret );
781
782 /* Set the tweak key. Always set tweak key for the encryption mode. */
783 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
784 if( ret != 0 )
785 return( ret );
786
787 /* Set crypt key for encryption. */
788 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
789}
790
791int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
792 const unsigned char *key,
793 unsigned int keybits)
794{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]795 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]796 const unsigned char *key1, *key2;
797 unsigned int key1bits, key2bits;
798
Manuel Pégourié-Gonnard68e3dff2018-12-12 12:48:04 +0100[diff] [blame]799 AES_VALIDATE_RET( ctx != NULL );
800 AES_VALIDATE_RET( key != NULL );
801
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
803 &key2, &key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set the tweak key. Always set tweak key for encryption. */
808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
809 if( ret != 0 )
810 return( ret );
811
812 /* Set crypt key for decryption. */
813 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
814}
815#endif /* MBEDTLS_CIPHER_MODE_XTS */
816
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]817#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]818
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]819#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
820 do \
821 { \
822 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
823 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
824 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
825 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
826 \
827 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
828 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
829 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
830 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
831 \
832 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
833 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
834 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
835 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
836 \
837 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
838 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
839 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
840 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
841 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]842
Hanno Becker1eeca412018-10-15 12:01:35 +0100[diff] [blame]843#define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
844 do \
845 { \
846 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
847 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
848 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
849 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
850 \
851 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
852 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
853 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
854 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
855 \
856 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
857 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
858 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
859 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
860 \
861 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
862 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
863 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
864 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
865 } while( 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]866
867/*
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]868 * AES-ECB block encryption
869 */
870#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]871int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
872 const unsigned char input[16],
873 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]874{
875 int i;
876 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
877
878 RK = ctx->rk;
879
880 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
881 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
882 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
883 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
884
885 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
886 {
887 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
888 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
889 }
890
891 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
892
893 X0 = *RK++ ^ \
894 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
895 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
896 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
897 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
898
899 X1 = *RK++ ^ \
900 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
901 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
902 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
903 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
904
905 X2 = *RK++ ^ \
906 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
907 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
908 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
909 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
910
911 X3 = *RK++ ^ \
912 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
913 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
914 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
915 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
916
917 PUT_UINT32_LE( X0, output, 0 );
918 PUT_UINT32_LE( X1, output, 4 );
919 PUT_UINT32_LE( X2, output, 8 );
920 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]921
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]922 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
923 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
924 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
925 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
926
927 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
928 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
929 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
930 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
931
932 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
933
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]934 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]935}
936#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
937
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]938#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]939void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
940 const unsigned char input[16],
941 unsigned char output[16] )
942{
943 mbedtls_internal_aes_encrypt( ctx, input, output );
944}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]945#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]946
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]947/*
948 * AES-ECB block decryption
949 */
950#if !defined(MBEDTLS_AES_DECRYPT_ALT)
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]951int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
952 const unsigned char input[16],
953 unsigned char output[16] )
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]954{
955 int i;
956 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
957
958 RK = ctx->rk;
959
960 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
961 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
962 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
963 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
964
965 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
966 {
967 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
968 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
969 }
970
971 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
972
973 X0 = *RK++ ^ \
974 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
975 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
976 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
977 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
978
979 X1 = *RK++ ^ \
980 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
981 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
982 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
983 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
984
985 X2 = *RK++ ^ \
986 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
987 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
988 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
989 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
990
991 X3 = *RK++ ^ \
992 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
993 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
994 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
995 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
996
997 PUT_UINT32_LE( X0, output, 0 );
998 PUT_UINT32_LE( X1, output, 4 );
999 PUT_UINT32_LE( X2, output, 8 );
1000 PUT_UINT32_LE( X3, output, 12 );
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1001
Andrzej Kurek96ae5cd2019-11-12 03:05:51 -0500[diff] [blame]1002 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
1003 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1004 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1005 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1006
1007 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1008 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1009 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1010 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1011
1012 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1013
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1014 return( 0 );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1015}
1016#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1017
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1018#if !defined(MBEDTLS_DEPRECATED_REMOVED)
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1019void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1020 const unsigned char input[16],
1021 unsigned char output[16] )
1022{
1023 mbedtls_internal_aes_decrypt( ctx, input, output );
1024}
Gilles Peskine8db3efb2018-02-21 19:16:20 +0100[diff] [blame]1025#endif /* !MBEDTLS_DEPRECATED_REMOVED */
Hanno Beckerbedc2052017-06-26 12:46:56 +0100[diff] [blame]1026
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1027/*
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1028 * AES-ECB block encryption/decryption
1029 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1030int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1031 int mode,
1032 const unsigned char input[16],
1033 unsigned char output[16] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1034{
Manuel Pégourié-Gonnard1aca2602018-12-12 12:56:55 +0100[diff] [blame]1035 AES_VALIDATE_RET( ctx != NULL );
1036 AES_VALIDATE_RET( input != NULL );
1037 AES_VALIDATE_RET( output != NULL );
1038 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1039 mode == MBEDTLS_AES_DECRYPT );
1040
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1041#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
Manuel Pégourié-Gonnardc730ed32015-06-02 10:38:50 +0100[diff] [blame]1042 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1043 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
Manuel Pégourié-Gonnard5b685652013-12-18 11:45:21 +0100[diff] [blame]1044#endif
1045
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1046#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1047 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1048 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1049 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1050 return( 0 );
1051
1052 // If padlock data misaligned, we just fall back to
1053 // unaccelerated mode
1054 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1055 }
1056#endif
1057
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1058 if( mode == MBEDTLS_AES_ENCRYPT )
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1059 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
Manuel Pégourié-Gonnard31993f22015-05-12 15:41:08 +0200[diff] [blame]1060 else
Andres AGf5bf7182017-03-03 14:09:56 +0000[diff] [blame]1061 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1062}
1063
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1064#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1065/*
1066 * AES-CBC buffer encryption/decryption
1067 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1068int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1069 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1070 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1071 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1072 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1073 unsigned char *output )
1074{
1075 int i;
1076 unsigned char temp[16];
1077
Manuel Pégourié-Gonnard3178d1a2018-12-12 13:05:00 +0100[diff] [blame]1078 AES_VALIDATE_RET( ctx != NULL );
1079 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1080 mode == MBEDTLS_AES_DECRYPT );
1081 AES_VALIDATE_RET( iv != NULL );
1082 AES_VALIDATE_RET( input != NULL );
1083 AES_VALIDATE_RET( output != NULL );
1084
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1085 if( length % 16 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1086 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1087
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1088#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
Paul Bakker048d04e2012-02-12 17:31:04 +0000[diff] [blame]1089 if( aes_padlock_ace )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1090 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1091 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1092 return( 0 );
Paul Bakker9af723c2014-05-01 13:03:14 +0200[diff] [blame]1093
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1094 // If padlock data misaligned, we just fall back to
1095 // unaccelerated mode
1096 //
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1097 }
1098#endif
1099
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1100 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1101 {
1102 while( length > 0 )
1103 {
1104 memcpy( temp, input, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1105 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1106
1107 for( i = 0; i < 16; i++ )
1108 output[i] = (unsigned char)( output[i] ^ iv[i] );
1109
1110 memcpy( iv, temp, 16 );
1111
1112 input += 16;
1113 output += 16;
1114 length -= 16;
1115 }
1116 }
1117 else
1118 {
1119 while( length > 0 )
1120 {
1121 for( i = 0; i < 16; i++ )
1122 output[i] = (unsigned char)( input[i] ^ iv[i] );
1123
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1124 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1125 memcpy( iv, output, 16 );
1126
1127 input += 16;
1128 output += 16;
1129 length -= 16;
1130 }
1131 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1132
1133 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1134}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1135#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1136
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1137#if defined(MBEDTLS_CIPHER_MODE_XTS)
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1138
1139/* Endianess with 64 bits values */
1140#ifndef GET_UINT64_LE
1141#define GET_UINT64_LE(n,b,i) \
1142{ \
1143 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1144 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1145 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1146 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1147 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1148 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1149 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1150 | ( (uint64_t) (b)[(i) ] ); \
1151}
1152#endif
1153
1154#ifndef PUT_UINT64_LE
1155#define PUT_UINT64_LE(n,b,i) \
1156{ \
1157 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1158 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1159 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1160 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1161 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1162 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1163 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1164 (b)[(i) ] = (unsigned char) ( (n) ); \
1165}
1166#endif
1167
1168typedef unsigned char mbedtls_be128[16];
1169
1170/*
1171 * GF(2^128) multiplication function
1172 *
Jaeden Amero5f0b06a2018-05-31 09:23:32 +0100[diff] [blame]1173 * This function multiplies a field element by x in the polynomial field
1174 * representation. It uses 64-bit word operations to gain speed but compensates
1175 * for machine endianess and hence works correctly on both big and little
1176 * endian machines.
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1177 */
1178static void mbedtls_gf128mul_x_ble( unsigned char r[16],
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1179 const unsigned char x[16] )
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1180{
1181 uint64_t a, b, ra, rb;
1182
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1183 GET_UINT64_LE( a, x, 0 );
1184 GET_UINT64_LE( b, x, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1185
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1186 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1187 rb = ( a >> 63 ) | ( b << 1 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1188
Jaeden Amero8cfc75f2018-05-31 16:53:08 +0100[diff] [blame]1189 PUT_UINT64_LE( ra, r, 0 );
1190 PUT_UINT64_LE( rb, r, 8 );
Jaeden Amero010c2cb2018-05-29 17:00:47 +0100[diff] [blame]1191}
1192
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1193/*
1194 * AES-XTS buffer encryption/decryption
1195 */
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1196int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1197 int mode,
Jaeden Amero5162b932018-05-29 12:55:24 +0100[diff] [blame]1198 size_t length,
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1199 const unsigned char data_unit[16],
Jaeden Amero9366feb2018-05-29 18:55:17 +0100[diff] [blame]1200 const unsigned char *input,
1201 unsigned char *output )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1202{
Janos Follath24eed8d2019-11-22 13:21:35 +0000[diff] [blame]1203 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1204 size_t blocks = length / 16;
1205 size_t leftover = length % 16;
1206 unsigned char tweak[16];
1207 unsigned char prev_tweak[16];
1208 unsigned char tmp[16];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1209
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1210 AES_VALIDATE_RET( ctx != NULL );
1211 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1212 mode == MBEDTLS_AES_DECRYPT );
Manuel Pégourié-Gonnard998a3582018-12-18 10:03:13 +0100[diff] [blame]1213 AES_VALIDATE_RET( data_unit != NULL );
Manuel Pégourié-Gonnard191af132018-12-13 10:15:30 +0100[diff] [blame]1214 AES_VALIDATE_RET( input != NULL );
1215 AES_VALIDATE_RET( output != NULL );
1216
Jaeden Amero8381fcb2018-10-11 12:06:15 +0100[diff] [blame]1217 /* Data units must be at least 16 bytes long. */
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1218 if( length < 16 )
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1219 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1220
Jaeden Ameroa74faba2018-10-11 12:07:43 +0100[diff] [blame]1221 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
Jaeden Amero0a8b0202018-05-30 15:36:06 +0100[diff] [blame]1222 if( length > ( 1 << 20 ) * 16 )
1223 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1224
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1225 /* Compute the tweak. */
Jaeden Amerocd9fc5e2018-05-30 15:23:24 +0100[diff] [blame]1226 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1227 data_unit, tweak );
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1228 if( ret != 0 )
1229 return( ret );
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1230
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1231 while( blocks-- )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1232 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1233 size_t i;
1234
1235 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1236 {
1237 /* We are on the last block in a decrypt operation that has
1238 * leftover bytes, so we need to use the next tweak for this block,
1239 * and this tweak for the lefover bytes. Save the current tweak for
1240 * the leftovers and then update the current tweak for use on this,
1241 * the last full block. */
1242 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1243 mbedtls_gf128mul_x_ble( tweak, tweak );
1244 }
1245
1246 for( i = 0; i < 16; i++ )
1247 tmp[i] = input[i] ^ tweak[i];
1248
1249 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1250 if( ret != 0 )
1251 return( ret );
1252
1253 for( i = 0; i < 16; i++ )
1254 output[i] = tmp[i] ^ tweak[i];
1255
1256 /* Update the tweak for the next block. */
1257 mbedtls_gf128mul_x_ble( tweak, tweak );
1258
1259 output += 16;
1260 input += 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1261 }
1262
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1263 if( leftover )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1264 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1265 /* If we are on the leftover bytes in a decrypt operation, we need to
1266 * use the previous tweak for these bytes (as saved in prev_tweak). */
1267 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1268
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1269 /* We are now on the final part of the data unit, which doesn't divide
1270 * evenly by 16. It's time for ciphertext stealing. */
1271 size_t i;
1272 unsigned char *prev_output = output - 16;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1273
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1274 /* Copy ciphertext bytes from the previous block to our output for each
1275 * byte of cyphertext we won't steal. At the same time, copy the
1276 * remainder of the input for this final round (since the loop bounds
1277 * are the same). */
1278 for( i = 0; i < leftover; i++ )
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1279 {
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1280 output[i] = prev_output[i];
1281 tmp[i] = input[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1282 }
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1283
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1284 /* Copy ciphertext bytes from the previous block for input in this
1285 * round. */
1286 for( ; i < 16; i++ )
1287 tmp[i] = prev_output[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1288
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1289 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1290 if( ret != 0 )
1291 return ret;
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1292
Jaeden Amerod82cd862018-04-28 15:02:45 +0100[diff] [blame]1293 /* Write the result back to the previous block, overriding the previous
1294 * output we copied. */
1295 for( i = 0; i < 16; i++ )
1296 prev_output[i] = tmp[i] ^ t[i];
Aorimn5f778012016-06-09 23:22:58 +0200[diff] [blame]1297 }
1298
1299 return( 0 );
1300}
1301#endif /* MBEDTLS_CIPHER_MODE_XTS */
1302
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1303#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1304/*
1305 * AES-CFB128 buffer encryption/decryption
1306 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1307int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1308 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]1309 size_t length,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1310 size_t *iv_off,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1311 unsigned char iv[16],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]1312 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1313 unsigned char *output )
1314{
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1315 int c;
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1316 size_t n;
1317
1318 AES_VALIDATE_RET( ctx != NULL );
1319 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1320 mode == MBEDTLS_AES_DECRYPT );
1321 AES_VALIDATE_RET( iv_off != NULL );
1322 AES_VALIDATE_RET( iv != NULL );
1323 AES_VALIDATE_RET( input != NULL );
1324 AES_VALIDATE_RET( output != NULL );
1325
1326 n = *iv_off;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1327
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1328 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1329 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1330
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1331 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1332 {
1333 while( length-- )
1334 {
1335 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1336 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1337
1338 c = *input++;
1339 *output++ = (unsigned char)( c ^ iv[n] );
1340 iv[n] = (unsigned char) c;
1341
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1342 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1343 }
1344 }
1345 else
1346 {
1347 while( length-- )
1348 {
1349 if( n == 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1350 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1351
1352 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1353
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1354 n = ( n + 1 ) & 0x0F;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1355 }
1356 }
1357
1358 *iv_off = n;
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]1359
1360 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1361}
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1362
1363/*
1364 * AES-CFB8 buffer encryption/decryption
1365 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1366int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
Manuel Pégourié-Gonnardeb6d3962018-12-18 09:59:35 +0100[diff] [blame]1367 int mode,
1368 size_t length,
1369 unsigned char iv[16],
1370 const unsigned char *input,
1371 unsigned char *output )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1372{
1373 unsigned char c;
1374 unsigned char ov[17];
1375
Manuel Pégourié-Gonnard1677cca2018-12-13 10:27:13 +0100[diff] [blame]1376 AES_VALIDATE_RET( ctx != NULL );
1377 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1378 mode == MBEDTLS_AES_DECRYPT );
1379 AES_VALIDATE_RET( iv != NULL );
1380 AES_VALIDATE_RET( input != NULL );
1381 AES_VALIDATE_RET( output != NULL );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1382 while( length-- )
1383 {
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1384 memcpy( ov, iv, 16 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1385 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1386
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1387 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1388 ov[16] = *input;
1389
1390 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1391
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1392 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1393 ov[16] = c;
1394
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1395 memcpy( iv, ov + 1, 16 );
Paul Bakker556efba2014-01-24 15:38:12 +0100[diff] [blame]1396 }
1397
1398 return( 0 );
1399}
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1400#endif /* MBEDTLS_CIPHER_MODE_CFB */
1401
1402#if defined(MBEDTLS_CIPHER_MODE_OFB)
1403/*
1404 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1405 */
1406int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
Simon Butcher00131442018-05-22 22:40:36 +0100[diff] [blame]1407 size_t length,
1408 size_t *iv_off,
1409 unsigned char iv[16],
1410 const unsigned char *input,
1411 unsigned char *output )
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1412{
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1413 int ret = 0;
Manuel Pégourié-Gonnard8e41eb72018-12-13 11:00:56 +0100[diff] [blame]1414 size_t n;
1415
1416 AES_VALIDATE_RET( ctx != NULL );
1417 AES_VALIDATE_RET( iv_off != NULL );
1418 AES_VALIDATE_RET( iv != NULL );
1419 AES_VALIDATE_RET( input != NULL );
1420 AES_VALIDATE_RET( output != NULL );
1421
1422 n = *iv_off;
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1423
Manuel Pégourié-Gonnarde55e1032018-12-18 12:09:02 +0100[diff] [blame]1424 if( n > 15 )
Manuel Pégourié-Gonnard5b89c092018-12-18 10:03:30 +0100[diff] [blame]1425 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1426
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1427 while( length-- )
1428 {
1429 if( n == 0 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1430 {
1431 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1432 if( ret != 0 )
1433 goto exit;
1434 }
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1435 *output++ = *input++ ^ iv[n];
1436
1437 n = ( n + 1 ) & 0x0F;
1438 }
1439
1440 *iv_off = n;
1441
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1442exit:
1443 return( ret );
Simon Butcher76a5b222018-04-22 22:57:27 +0100[diff] [blame]1444}
1445#endif /* MBEDTLS_CIPHER_MODE_OFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1446
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1447#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1448/*
1449 * AES-CTR buffer encryption/decryption
1450 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1451int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1452 size_t length,
1453 size_t *nc_off,
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1454 unsigned char nonce_counter[16],
1455 unsigned char stream_block[16],
1456 const unsigned char *input,
1457 unsigned char *output )
1458{
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1459 int c, i;
Manuel Pégourié-Gonnard2bc535b2018-12-13 11:08:36 +0100[diff] [blame]1460 size_t n;
1461
1462 AES_VALIDATE_RET( ctx != NULL );
1463 AES_VALIDATE_RET( nc_off != NULL );
1464 AES_VALIDATE_RET( nonce_counter != NULL );
1465 AES_VALIDATE_RET( stream_block != NULL );
1466 AES_VALIDATE_RET( input != NULL );
1467 AES_VALIDATE_RET( output != NULL );
1468
1469 n = *nc_off;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1470
Mohammad Azim Khan3f7f8172017-11-23 17:49:05 +0000[diff] [blame]1471 if ( n > 0x0F )
1472 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1473
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1474 while( length-- )
1475 {
1476 if( n == 0 ) {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1477 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1478
Paul Bakker369e14b2012-04-18 14:16:09 +0000[diff] [blame]1479 for( i = 16; i > 0; i-- )
1480 if( ++nonce_counter[i - 1] != 0 )
1481 break;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1482 }
1483 c = *input++;
1484 *output++ = (unsigned char)( c ^ stream_block[n] );
1485
Paul Bakker66d5d072014-06-17 16:39:18 +0200[diff] [blame]1486 n = ( n + 1 ) & 0x0F;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1487 }
1488
1489 *nc_off = n;
1490
1491 return( 0 );
1492}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1493#endif /* MBEDTLS_CIPHER_MODE_CTR */
Manuel Pégourié-Gonnard1ec220b2014-03-10 11:20:17 +0100[diff] [blame]1494
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1495#endif /* !MBEDTLS_AES_ALT */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1496
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1497#if defined(MBEDTLS_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1498/*
1499 * AES test vectors from:
1500 *
1501 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1502 */
1503static const unsigned char aes_test_ecb_dec[3][16] =
1504{
1505 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1506 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1507 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1508 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1509 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1510 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1511};
1512
1513static const unsigned char aes_test_ecb_enc[3][16] =
1514{
1515 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1516 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1517 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1518 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1519 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1520 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1521};
1522
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1523#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1524static const unsigned char aes_test_cbc_dec[3][16] =
1525{
1526 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1527 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1528 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1529 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1530 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1531 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1532};
1533
1534static const unsigned char aes_test_cbc_enc[3][16] =
1535{
1536 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1537 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1538 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1539 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1540 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1541 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1542};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1543#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1544
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1545#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1546/*
1547 * AES-CFB128 test vectors from:
1548 *
1549 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1550 */
1551static const unsigned char aes_test_cfb128_key[3][32] =
1552{
1553 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1554 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1555 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1556 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1557 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1558 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1559 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1560 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1561 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1562};
1563
1564static const unsigned char aes_test_cfb128_iv[16] =
1565{
1566 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1567 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1568};
1569
1570static const unsigned char aes_test_cfb128_pt[64] =
1571{
1572 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1573 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1574 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1575 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1576 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1577 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1578 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1579 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1580};
1581
1582static const unsigned char aes_test_cfb128_ct[3][64] =
1583{
1584 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1585 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1586 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1587 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1588 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1589 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1590 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1591 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1592 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1593 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1594 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1595 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1596 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1597 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1598 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1599 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1600 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1601 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1602 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1603 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1604 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1605 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1606 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1607 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1608};
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1609#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1610
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1611#if defined(MBEDTLS_CIPHER_MODE_OFB)
1612/*
1613 * AES-OFB test vectors from:
1614 *
Simon Butcher5db13622018-06-04 22:11:25 +0100[diff] [blame]1615 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]1616 */
1617static const unsigned char aes_test_ofb_key[3][32] =
1618{
1619 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1620 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1621 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1622 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1623 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1624 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1625 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1626 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1627 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1628};
1629
1630static const unsigned char aes_test_ofb_iv[16] =
1631{
1632 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1633 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1634};
1635
1636static const unsigned char aes_test_ofb_pt[64] =
1637{
1638 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1639 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1640 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1641 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1642 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1643 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1644 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1645 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1646};
1647
1648static const unsigned char aes_test_ofb_ct[3][64] =
1649{
1650 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1651 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1652 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1653 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1654 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1655 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1656 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1657 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1658 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1659 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1660 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1661 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1662 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1663 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1664 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1665 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1666 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1667 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1668 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1669 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1670 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1671 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1672 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1673 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1674};
1675#endif /* MBEDTLS_CIPHER_MODE_OFB */
1676
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1677#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1678/*
1679 * AES-CTR test vectors from:
1680 *
1681 * http://www.faqs.org/rfcs/rfc3686.html
1682 */
1683
1684static const unsigned char aes_test_ctr_key[3][16] =
1685{
1686 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1687 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1688 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1689 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1690 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1691 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1692};
1693
1694static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1695{
1696 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1698 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1699 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1700 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1701 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1702};
1703
1704static const unsigned char aes_test_ctr_pt[3][48] =
1705{
1706 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1707 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1708
1709 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1710 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1711 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1712 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1713
1714 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1715 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1716 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1717 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1718 0x20, 0x21, 0x22, 0x23 }
1719};
1720
1721static const unsigned char aes_test_ctr_ct[3][48] =
1722{
1723 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1724 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1725 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1726 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1727 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1728 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1729 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1730 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1731 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1732 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1733 0x25, 0xB2, 0x07, 0x2F }
1734};
1735
1736static const int aes_test_ctr_len[3] =
1737 { 16, 32, 36 };
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1738#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1739
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]1740#if defined(MBEDTLS_CIPHER_MODE_XTS)
1741/*
1742 * AES-XTS test vectors from:
1743 *
1744 * IEEE P1619/D16 Annex B
1745 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1746 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1747 */
1748static const unsigned char aes_test_xts_key[][32] =
1749{
1750 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1751 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1753 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1754 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1755 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1756 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1757 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1758 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1759 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1760 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1761 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1762};
1763
1764static const unsigned char aes_test_xts_pt32[][32] =
1765{
1766 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1769 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1770 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1771 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1772 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1773 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1774 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1775 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1776 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1777 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1778};
1779
1780static const unsigned char aes_test_xts_ct32[][32] =
1781{
1782 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1783 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1784 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1785 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1786 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1787 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1788 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1789 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1790 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1791 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1792 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1793 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1794};
1795
1796static const unsigned char aes_test_xts_data_unit[][16] =
1797{
1798 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1799 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1800 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1802 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1803 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1804};
1805
1806#endif /* MBEDTLS_CIPHER_MODE_XTS */
1807
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1808/*
1809 * Checkup routine
1810 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1811int mbedtls_aes_self_test( int verbose )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1812{
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1813 int ret = 0, i, j, u, mode;
1814 unsigned int keybits;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1815 unsigned char key[32];
1816 unsigned char buf[64];
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1817 const unsigned char *aes_tests;
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1818#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1819 unsigned char iv[16];
Jussi Kivilinna4b541be2016-06-22 18:48:16 +0300[diff] [blame]1820#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1821#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnard92cb1d32013-09-13 16:24:20 +0200[diff] [blame]1822 unsigned char prv[16];
1823#endif
Simon Butcher2ff0e522018-06-14 09:57:07 +0100[diff] [blame]1824#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1825 defined(MBEDTLS_CIPHER_MODE_OFB)
Paul Bakker27fdf462011-06-09 13:55:13 +0000[diff] [blame]1826 size_t offset;
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1827#endif
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1828#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
Paul Bakkere91d01e2011-04-19 15:55:50 +0000[diff] [blame]1829 int len;
Simon Butcher66a89032018-06-15 18:20:29 +0100[diff] [blame]1830#endif
1831#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]1832 unsigned char nonce_counter[16];
1833 unsigned char stream_block[16];
1834#endif
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1835 mbedtls_aes_context ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1836
1837 memset( key, 0, 32 );
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1838 mbedtls_aes_init( &ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1839
1840 /*
1841 * ECB mode
1842 */
1843 for( i = 0; i < 6; i++ )
1844 {
1845 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1846 keybits = 128 + u * 64;
1847 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1848
1849 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1850 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1851 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1852
1853 memset( buf, 0, 16 );
1854
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1855 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1856 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1857 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1858 aes_tests = aes_test_ecb_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1859 }
1860 else
1861 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1862 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1863 aes_tests = aes_test_ecb_enc[u];
1864 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1865
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1866 /*
1867 * AES-192 is an optional feature that may be unavailable when
1868 * there is an alternative underlying implementation i.e. when
1869 * MBEDTLS_AES_ALT is defined.
1870 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1871 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1872 {
1873 mbedtls_printf( "skipped\n" );
1874 continue;
1875 }
1876 else if( ret != 0 )
1877 {
1878 goto exit;
1879 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1880
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1881 for( j = 0; j < 10000; j++ )
1882 {
1883 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1884 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1885 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1886 }
1887
1888 if( memcmp( buf, aes_tests, 16 ) != 0 )
1889 {
1890 ret = 1;
1891 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1892 }
1893
1894 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1895 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1896 }
1897
1898 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1899 mbedtls_printf( "\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1900
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1901#if defined(MBEDTLS_CIPHER_MODE_CBC)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1902 /*
1903 * CBC mode
1904 */
1905 for( i = 0; i < 6; i++ )
1906 {
1907 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1908 keybits = 128 + u * 64;
1909 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1910
1911 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1912 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1913 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1914
1915 memset( iv , 0, 16 );
1916 memset( prv, 0, 16 );
1917 memset( buf, 0, 16 );
1918
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1919 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1920 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1921 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1922 aes_tests = aes_test_cbc_dec[u];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1923 }
1924 else
1925 {
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1926 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1927 aes_tests = aes_test_cbc_enc[u];
1928 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1929
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1930 /*
1931 * AES-192 is an optional feature that may be unavailable when
1932 * there is an alternative underlying implementation i.e. when
1933 * MBEDTLS_AES_ALT is defined.
1934 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]1935 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1936 {
1937 mbedtls_printf( "skipped\n" );
1938 continue;
1939 }
1940 else if( ret != 0 )
1941 {
1942 goto exit;
1943 }
1944
1945 for( j = 0; j < 10000; j++ )
1946 {
1947 if( mode == MBEDTLS_AES_ENCRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1948 {
1949 unsigned char tmp[16];
1950
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1951 memcpy( tmp, prv, 16 );
1952 memcpy( prv, buf, 16 );
1953 memcpy( buf, tmp, 16 );
1954 }
1955
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1956 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1957 if( ret != 0 )
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]1958 goto exit;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1959
1960 }
1961
1962 if( memcmp( buf, aes_tests, 16 ) != 0 )
1963 {
1964 ret = 1;
1965 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1966 }
1967
1968 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1969 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1970 }
1971
1972 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1973 mbedtls_printf( "\n" );
1974#endif /* MBEDTLS_CIPHER_MODE_CBC */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1975
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]1976#if defined(MBEDTLS_CIPHER_MODE_CFB)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1977 /*
1978 * CFB128 mode
1979 */
1980 for( i = 0; i < 6; i++ )
1981 {
1982 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1983 keybits = 128 + u * 64;
1984 mode = i & 1;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1985
1986 if( verbose != 0 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1987 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1988 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1989
1990 memcpy( iv, aes_test_cfb128_iv, 16 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1991 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1992
1993 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]1994 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
Andres Amaya Garciad3e7e7d2017-06-15 16:17:46 +0100[diff] [blame]1995 /*
1996 * AES-192 is an optional feature that may be unavailable when
1997 * there is an alternative underlying implementation i.e. when
1998 * MBEDTLS_AES_ALT is defined.
1999 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2000 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2001 {
2002 mbedtls_printf( "skipped\n" );
2003 continue;
2004 }
2005 else if( ret != 0 )
2006 {
2007 goto exit;
2008 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2009
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2010 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2011 {
2012 memcpy( buf, aes_test_cfb128_ct[u], 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2013 aes_tests = aes_test_cfb128_pt;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2014 }
2015 else
2016 {
2017 memcpy( buf, aes_test_cfb128_pt, 64 );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2018 aes_tests = aes_test_cfb128_ct[u];
2019 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2020
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2021 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2022 if( ret != 0 )
2023 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2024
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2025 if( memcmp( buf, aes_tests, 64 ) != 0 )
2026 {
2027 ret = 1;
2028 goto exit;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2029 }
2030
2031 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2032 mbedtls_printf( "passed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2033 }
2034
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2035 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2036 mbedtls_printf( "\n" );
2037#endif /* MBEDTLS_CIPHER_MODE_CFB */
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2038
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2039#if defined(MBEDTLS_CIPHER_MODE_OFB)
2040 /*
2041 * OFB mode
2042 */
2043 for( i = 0; i < 6; i++ )
2044 {
2045 u = i >> 1;
2046 keybits = 128 + u * 64;
2047 mode = i & 1;
2048
2049 if( verbose != 0 )
2050 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2051 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2052
2053 memcpy( iv, aes_test_ofb_iv, 16 );
2054 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2055
2056 offset = 0;
2057 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2058 /*
2059 * AES-192 is an optional feature that may be unavailable when
2060 * there is an alternative underlying implementation i.e. when
2061 * MBEDTLS_AES_ALT is defined.
2062 */
Ron Eldor9924bdc2018-10-04 10:59:13 +0300[diff] [blame]2063 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
Simon Butcherad4e4932018-04-29 00:43:47 +0100[diff] [blame]2064 {
2065 mbedtls_printf( "skipped\n" );
2066 continue;
2067 }
2068 else if( ret != 0 )
2069 {
2070 goto exit;
2071 }
2072
2073 if( mode == MBEDTLS_AES_DECRYPT )
2074 {
2075 memcpy( buf, aes_test_ofb_ct[u], 64 );
2076 aes_tests = aes_test_ofb_pt;
2077 }
2078 else
2079 {
2080 memcpy( buf, aes_test_ofb_pt, 64 );
2081 aes_tests = aes_test_ofb_ct[u];
2082 }
2083
2084 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2085 if( ret != 0 )
2086 goto exit;
2087
2088 if( memcmp( buf, aes_tests, 64 ) != 0 )
2089 {
2090 ret = 1;
2091 goto exit;
2092 }
2093
2094 if( verbose != 0 )
2095 mbedtls_printf( "passed\n" );
2096 }
2097
2098 if( verbose != 0 )
2099 mbedtls_printf( "\n" );
2100#endif /* MBEDTLS_CIPHER_MODE_OFB */
2101
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2102#if defined(MBEDTLS_CIPHER_MODE_CTR)
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2103 /*
2104 * CTR mode
2105 */
2106 for( i = 0; i < 6; i++ )
2107 {
2108 u = i >> 1;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2109 mode = i & 1;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2110
2111 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2112 mbedtls_printf( " AES-CTR-128 (%s): ",
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2113 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2114
2115 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2116 memcpy( key, aes_test_ctr_key[u], 16 );
2117
2118 offset = 0;
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2119 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2120 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2121
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2122 len = aes_test_ctr_len[u];
2123
2124 if( mode == MBEDTLS_AES_DECRYPT )
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2125 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2126 memcpy( buf, aes_test_ctr_ct[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2127 aes_tests = aes_test_ctr_pt[u];
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2128 }
2129 else
2130 {
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2131 memcpy( buf, aes_test_ctr_pt[u], len );
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2132 aes_tests = aes_test_ctr_ct[u];
2133 }
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2134
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2135 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2136 stream_block, buf, buf );
2137 if( ret != 0 )
2138 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2139
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2140 if( memcmp( buf, aes_tests, len ) != 0 )
2141 {
2142 ret = 1;
2143 goto exit;
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2144 }
2145
2146 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2147 mbedtls_printf( "passed\n" );
Paul Bakkerb6ecaf52011-04-19 14:29:23 +0000[diff] [blame]2148 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2149
2150 if( verbose != 0 )
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2151 mbedtls_printf( "\n" );
2152#endif /* MBEDTLS_CIPHER_MODE_CTR */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2153
Jaeden Amero21d79cf2018-05-23 10:30:18 +0100[diff] [blame]2154#if defined(MBEDTLS_CIPHER_MODE_XTS)
2155 {
2156 static const int num_tests =
2157 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2158 mbedtls_aes_xts_context ctx_xts;
2159
2160 /*
2161 * XTS mode
2162 */
2163 mbedtls_aes_xts_init( &ctx_xts );
2164
2165 for( i = 0; i < num_tests << 1; i++ )
2166 {
2167 const unsigned char *data_unit;
2168 u = i >> 1;
2169 mode = i & 1;
2170
2171 if( verbose != 0 )
2172 mbedtls_printf( " AES-XTS-128 (%s): ",
2173 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2174
2175 memset( key, 0, sizeof( key ) );
2176 memcpy( key, aes_test_xts_key[u], 32 );
2177 data_unit = aes_test_xts_data_unit[u];
2178
2179 len = sizeof( *aes_test_xts_ct32 );
2180
2181 if( mode == MBEDTLS_AES_DECRYPT )
2182 {
2183 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2184 if( ret != 0)
2185 goto exit;
2186 memcpy( buf, aes_test_xts_ct32[u], len );
2187 aes_tests = aes_test_xts_pt32[u];
2188 }
2189 else
2190 {
2191 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2192 if( ret != 0)
2193 goto exit;
2194 memcpy( buf, aes_test_xts_pt32[u], len );
2195 aes_tests = aes_test_xts_ct32[u];
2196 }
2197
2198
2199 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2200 buf, buf );
2201 if( ret != 0 )
2202 goto exit;
2203
2204 if( memcmp( buf, aes_tests, len ) != 0 )
2205 {
2206 ret = 1;
2207 goto exit;
2208 }
2209
2210 if( verbose != 0 )
2211 mbedtls_printf( "passed\n" );
2212 }
2213
2214 if( verbose != 0 )
2215 mbedtls_printf( "\n" );
2216
2217 mbedtls_aes_xts_free( &ctx_xts );
2218 }
2219#endif /* MBEDTLS_CIPHER_MODE_XTS */
2220
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2221 ret = 0;
2222
2223exit:
Andres Amaya Garcia58f98c22017-06-14 16:19:42 +0100[diff] [blame]2224 if( ret != 0 && verbose != 0 )
2225 mbedtls_printf( "failed\n" );
2226
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2227 mbedtls_aes_free( &ctx );
Paul Bakkerc7ea99a2014-06-18 11:12:03 +0200[diff] [blame]2228
2229 return( ret );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2230}
2231
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2232#endif /* MBEDTLS_SELF_TEST */
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]2233
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]2234#endif /* MBEDTLS_AES_C */