1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46 /*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
53 #if !defined(MBEDTLS_CONFIG_FILE)
54 #include "mbedtls/config.h"
55 #else
56 #include MBEDTLS_CONFIG_FILE
57 #endif
58
59 #if defined(MBEDTLS_AES_C)
60
61 #include <string.h>
62
63 #include "mbedtls/aes.h"
64 #include "mbedtls/platform.h"
65 #include "mbedtls/platform_util.h"
66 #if defined(MBEDTLS_PADLOCK_C)
67 #include "mbedtls/padlock.h"
68 #endif
69 #if defined(MBEDTLS_AESNI_C)
70 #include "mbedtls/aesni.h"
71 #endif
72
73 #if defined(MBEDTLS_SELF_TEST)
74 #if defined(MBEDTLS_PLATFORM_C)
75 #include "mbedtls/platform.h"
76 #else
77 #include <stdio.h>
78 #define mbedtls_printf printf
79 #endif /* MBEDTLS_PLATFORM_C */
80 #endif /* MBEDTLS_SELF_TEST */
81
82 #if !defined(MBEDTLS_AES_ALT)
83
84 /* Parameter validation macros based on platform_util.h */
85 #define AES_VALIDATE_RET( cond ) \
86 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
87 #define AES_VALIDATE( cond ) \
88 MBEDTLS_INTERNAL_VALIDATE( cond )
89
90 /*
91 * 32-bit integer manipulation macros (little endian)
92 */
93 #ifndef GET_UINT32_LE
94 #define GET_UINT32_LE(n,b,i) \
95 { \
96 (n) = ( (uint32_t) (b)[(i) ] ) \
97 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
98 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
99 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
100 }
101 #endif
102
103 #ifndef PUT_UINT32_LE
104 #define PUT_UINT32_LE(n,b,i) \
105 { \
106 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
107 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
108 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
109 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
110 }
111 #endif
112
113 #if defined(MBEDTLS_PADLOCK_C) && \
114 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
115 static int aes_padlock_ace = -1;
116 #endif
117
118 #if defined(MBEDTLS_AES_ROM_TABLES)
119 /*
120 * Forward S-box
121 */
122 static const unsigned char FSb[256] =
123 {
124 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
125 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
126 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
127 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
128 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
129 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
130 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
131 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
132 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
133 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
134 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
135 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
136 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
137 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
138 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
139 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
140 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
141 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
142 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
143 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
144 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
145 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
146 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
147 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
148 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
149 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
150 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
151 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
152 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
153 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
154 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
155 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
156 };
157
158 /*
159 * Forward tables
160 */
161 #define FT \
162 \
163 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
164 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
165 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
166 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
167 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
168 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
169 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
170 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
171 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
172 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
173 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
174 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
175 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
176 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
177 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
178 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
179 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
180 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
181 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
182 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
183 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
184 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
185 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
186 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
187 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
188 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
189 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
190 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
191 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
192 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
193 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
194 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
195 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
196 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
197 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
198 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
199 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
200 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
201 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
202 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
203 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
204 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
205 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
206 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
207 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
208 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
209 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
210 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
211 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
212 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
213 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
214 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
215 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
216 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
217 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
218 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
219 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
220 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
221 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
222 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
223 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
224 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
225 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
226 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
227
228 #define V(a,b,c,d) 0x##a##b##c##d
229 static const uint32_t FT0[256] = { FT };
230 #undef V
231
232 #if !defined(MBEDTLS_AES_FEWER_TABLES)
233
234 #define V(a,b,c,d) 0x##b##c##d##a
235 static const uint32_t FT1[256] = { FT };
236 #undef V
237
238 #define V(a,b,c,d) 0x##c##d##a##b
239 static const uint32_t FT2[256] = { FT };
240 #undef V
241
242 #define V(a,b,c,d) 0x##d##a##b##c
243 static const uint32_t FT3[256] = { FT };
244 #undef V
245
246 #endif /* !MBEDTLS_AES_FEWER_TABLES */
247
248 #undef FT
249
250 /*
251 * Reverse S-box
252 */
253 static const unsigned char RSb[256] =
254 {
255 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
256 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
257 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
258 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
259 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
260 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
261 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
262 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
263 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
264 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
265 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
266 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
267 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
268 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
269 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
270 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
271 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
272 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
273 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
274 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
275 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
276 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
277 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
278 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
279 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
280 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
281 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
282 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
283 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
284 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
285 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
286 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
287 };
288
289 /*
290 * Reverse tables
291 */
292 #define RT \
293 \
294 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
295 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
296 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
297 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
298 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
299 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
300 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
301 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
302 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
303 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
304 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
305 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
306 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
307 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
308 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
309 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
310 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
311 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
312 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
313 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
314 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
315 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
316 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
317 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
318 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
319 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
320 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
321 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
322 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
323 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
324 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
325 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
326 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
327 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
328 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
329 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
330 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
331 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
332 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
333 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
334 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
335 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
336 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
337 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
338 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
339 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
340 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
341 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
342 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
343 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
344 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
345 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
346 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
347 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
348 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
349 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
350 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
351 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
352 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
353 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
354 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
355 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
356 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
357 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
358
359 #define V(a,b,c,d) 0x##a##b##c##d
360 static const uint32_t RT0[256] = { RT };
361 #undef V
362
363 #if !defined(MBEDTLS_AES_FEWER_TABLES)
364
365 #define V(a,b,c,d) 0x##b##c##d##a
366 static const uint32_t RT1[256] = { RT };
367 #undef V
368
369 #define V(a,b,c,d) 0x##c##d##a##b
370 static const uint32_t RT2[256] = { RT };
371 #undef V
372
373 #define V(a,b,c,d) 0x##d##a##b##c
374 static const uint32_t RT3[256] = { RT };
375 #undef V
376
377 #endif /* !MBEDTLS_AES_FEWER_TABLES */
378
379 #undef RT
380
381 /*
382 * Round constants
383 */
384 static const uint32_t RCON[10] =
385 {
386 0x00000001, 0x00000002, 0x00000004, 0x00000008,
387 0x00000010, 0x00000020, 0x00000040, 0x00000080,
388 0x0000001B, 0x00000036
389 };
390
391 #else /* MBEDTLS_AES_ROM_TABLES */
392
393 /*
394 * Forward S-box & tables
395 */
396 static unsigned char FSb[256];
397 static uint32_t FT0[256];
398 #if !defined(MBEDTLS_AES_FEWER_TABLES)
399 static uint32_t FT1[256];
400 static uint32_t FT2[256];
401 static uint32_t FT3[256];
402 #endif /* !MBEDTLS_AES_FEWER_TABLES */
403
404 /*
405 * Reverse S-box & tables
406 */
407 static unsigned char RSb[256];
408 static uint32_t RT0[256];
409 #if !defined(MBEDTLS_AES_FEWER_TABLES)
410 static uint32_t RT1[256];
411 static uint32_t RT2[256];
412 static uint32_t RT3[256];
413 #endif /* !MBEDTLS_AES_FEWER_TABLES */
414
415 /*
416 * Round constants
417 */
418 static uint32_t RCON[10];
419
420 /*
421 * Tables generation code
422 */
423 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
424 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
425 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
426
427 static int aes_init_done = 0;
428
aes_gen_tables(void)429 static void aes_gen_tables( void )
430 {
431 int i, x, y, z;
432 int pow[256];
433 int log[256];
434
435 /*
436 * compute pow and log tables over GF(2^8)
437 */
438 for( i = 0, x = 1; i < 256; i++ )
439 {
440 pow[i] = x;
441 log[x] = i;
442 x = ( x ^ XTIME( x ) ) & 0xFF;
443 }
444
445 /*
446 * calculate the round constants
447 */
448 for( i = 0, x = 1; i < 10; i++ )
449 {
450 RCON[i] = (uint32_t) x;
451 x = XTIME( x ) & 0xFF;
452 }
453
454 /*
455 * generate the forward and reverse S-boxes
456 */
457 FSb[0x00] = 0x63;
458 RSb[0x63] = 0x00;
459
460 for( i = 1; i < 256; i++ )
461 {
462 x = pow[255 - log[i]];
463
464 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
466 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
468 x ^= y ^ 0x63;
469
470 FSb[i] = (unsigned char) x;
471 RSb[x] = (unsigned char) i;
472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
487
488 #if !defined(MBEDTLS_AES_FEWER_TABLES)
489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
492 #endif /* !MBEDTLS_AES_FEWER_TABLES */
493
494 x = RSb[i];
495
496 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
497 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
498 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
499 ( (uint32_t) MUL( 0x0B, x ) << 24 );
500
501 #if !defined(MBEDTLS_AES_FEWER_TABLES)
502 RT1[i] = ROTL8( RT0[i] );
503 RT2[i] = ROTL8( RT1[i] );
504 RT3[i] = ROTL8( RT2[i] );
505 #endif /* !MBEDTLS_AES_FEWER_TABLES */
506 }
507 }
508
509 #undef ROTL8
510
511 #endif /* MBEDTLS_AES_ROM_TABLES */
512
513 #if defined(MBEDTLS_AES_FEWER_TABLES)
514
515 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
516 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
517 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
518
519 #define AES_RT0(idx) RT0[idx]
520 #define AES_RT1(idx) ROTL8( RT0[idx] )
521 #define AES_RT2(idx) ROTL16( RT0[idx] )
522 #define AES_RT3(idx) ROTL24( RT0[idx] )
523
524 #define AES_FT0(idx) FT0[idx]
525 #define AES_FT1(idx) ROTL8( FT0[idx] )
526 #define AES_FT2(idx) ROTL16( FT0[idx] )
527 #define AES_FT3(idx) ROTL24( FT0[idx] )
528
529 #else /* MBEDTLS_AES_FEWER_TABLES */
530
531 #define AES_RT0(idx) RT0[idx]
532 #define AES_RT1(idx) RT1[idx]
533 #define AES_RT2(idx) RT2[idx]
534 #define AES_RT3(idx) RT3[idx]
535
536 #define AES_FT0(idx) FT0[idx]
537 #define AES_FT1(idx) FT1[idx]
538 #define AES_FT2(idx) FT2[idx]
539 #define AES_FT3(idx) FT3[idx]
540
541 #endif /* MBEDTLS_AES_FEWER_TABLES */
542
mbedtls_aes_init(mbedtls_aes_context * ctx)543 void mbedtls_aes_init( mbedtls_aes_context *ctx )
544 {
545 AES_VALIDATE( ctx != NULL );
546
547 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
548 }
549
mbedtls_aes_free(mbedtls_aes_context * ctx)550 void mbedtls_aes_free( mbedtls_aes_context *ctx )
551 {
552 if( ctx == NULL )
553 return;
554
555 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
556 }
557
558 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_init(mbedtls_aes_xts_context * ctx)559 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
560 {
561 AES_VALIDATE( ctx != NULL );
562
563 mbedtls_aes_init( &ctx->crypt );
564 mbedtls_aes_init( &ctx->tweak );
565 }
566
mbedtls_aes_xts_free(mbedtls_aes_xts_context * ctx)567 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
568 {
569 if( ctx == NULL )
570 return;
571
572 mbedtls_aes_free( &ctx->crypt );
573 mbedtls_aes_free( &ctx->tweak );
574 }
575 #endif /* MBEDTLS_CIPHER_MODE_XTS */
576
577 /*
578 * AES key schedule (encryption)
579 */
580 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)581 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
582 unsigned int keybits )
583 {
584 unsigned int i;
585 uint32_t *RK;
586
587 AES_VALIDATE_RET( ctx != NULL );
588 AES_VALIDATE_RET( key != NULL );
589
590 switch( keybits )
591 {
592 case 128: ctx->nr = 10; break;
593 case 192: ctx->nr = 12; break;
594 case 256: ctx->nr = 14; break;
595 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
596 }
597
598 #if !defined(MBEDTLS_AES_ROM_TABLES)
599 if( aes_init_done == 0 )
600 {
601 aes_gen_tables();
602 aes_init_done = 1;
603 }
604 #endif
605
606 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
607 if( aes_padlock_ace == -1 )
608 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
609
610 if( aes_padlock_ace )
611 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
612 else
613 #endif
614 ctx->rk = RK = ctx->buf;
615
616 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
617 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
618 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
619 #endif
620
621 for( i = 0; i < ( keybits >> 5 ); i++ )
622 {
623 GET_UINT32_LE( RK[i], key, i << 2 );
624 }
625
626 switch( ctx->nr )
627 {
628 case 10:
629
630 for( i = 0; i < 10; i++, RK += 4 )
631 {
632 RK[4] = RK[0] ^ RCON[i] ^
633 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
634 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
635 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
636 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
637
638 RK[5] = RK[1] ^ RK[4];
639 RK[6] = RK[2] ^ RK[5];
640 RK[7] = RK[3] ^ RK[6];
641 }
642 break;
643
644 case 12:
645
646 for( i = 0; i < 8; i++, RK += 6 )
647 {
648 RK[6] = RK[0] ^ RCON[i] ^
649 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
650 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
651 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
652 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
653
654 RK[7] = RK[1] ^ RK[6];
655 RK[8] = RK[2] ^ RK[7];
656 RK[9] = RK[3] ^ RK[8];
657 RK[10] = RK[4] ^ RK[9];
658 RK[11] = RK[5] ^ RK[10];
659 }
660 break;
661
662 case 14:
663
664 for( i = 0; i < 7; i++, RK += 8 )
665 {
666 RK[8] = RK[0] ^ RCON[i] ^
667 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
668 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
669 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
670 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
671
672 RK[9] = RK[1] ^ RK[8];
673 RK[10] = RK[2] ^ RK[9];
674 RK[11] = RK[3] ^ RK[10];
675
676 RK[12] = RK[4] ^
677 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
678 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
679 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
680 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
681
682 RK[13] = RK[5] ^ RK[12];
683 RK[14] = RK[6] ^ RK[13];
684 RK[15] = RK[7] ^ RK[14];
685 }
686 break;
687 }
688
689 return( 0 );
690 }
691 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
692
693 /*
694 * AES key schedule (decryption)
695 */
696 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)697 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
698 unsigned int keybits )
699 {
700 int i, j, ret;
701 mbedtls_aes_context cty;
702 uint32_t *RK;
703 uint32_t *SK;
704
705 AES_VALIDATE_RET( ctx != NULL );
706 AES_VALIDATE_RET( key != NULL );
707
708 mbedtls_aes_init( &cty );
709
710 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
711 if( aes_padlock_ace == -1 )
712 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
713
714 if( aes_padlock_ace )
715 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
716 else
717 #endif
718 ctx->rk = RK = ctx->buf;
719
720 /* Also checks keybits */
721 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
722 goto exit;
723
724 ctx->nr = cty.nr;
725
726 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
727 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
728 {
729 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
730 (const unsigned char *) cty.rk, ctx->nr );
731 goto exit;
732 }
733 #endif
734
735 SK = cty.rk + cty.nr * 4;
736
737 *RK++ = *SK++;
738 *RK++ = *SK++;
739 *RK++ = *SK++;
740 *RK++ = *SK++;
741
742 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
743 {
744 for( j = 0; j < 4; j++, SK++ )
745 {
746 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
747 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
748 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
749 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
750 }
751 }
752
753 *RK++ = *SK++;
754 *RK++ = *SK++;
755 *RK++ = *SK++;
756 *RK++ = *SK++;
757
758 exit:
759 mbedtls_aes_free( &cty );
760
761 return( ret );
762 }
763 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
764
765 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_decode_keys(const unsigned char * key,unsigned int keybits,const unsigned char ** key1,unsigned int * key1bits,const unsigned char ** key2,unsigned int * key2bits)766 static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
767 unsigned int keybits,
768 const unsigned char **key1,
769 unsigned int *key1bits,
770 const unsigned char **key2,
771 unsigned int *key2bits )
772 {
773 const unsigned int half_keybits = keybits / 2;
774 const unsigned int half_keybytes = half_keybits / 8;
775
776 switch( keybits )
777 {
778 case 256: break;
779 case 512: break;
780 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
781 }
782
783 *key1bits = half_keybits;
784 *key2bits = half_keybits;
785 *key1 = &key[0];
786 *key2 = &key[half_keybytes];
787
788 return 0;
789 }
790
mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)791 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
792 const unsigned char *key,
793 unsigned int keybits)
794 {
795 int ret;
796 const unsigned char *key1, *key2;
797 unsigned int key1bits, key2bits;
798
799 AES_VALIDATE_RET( ctx != NULL );
800 AES_VALIDATE_RET( key != NULL );
801
802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
803 &key2, &key2bits );
804 if( ret != 0 )
805 return( ret );
806
807 /* Set the tweak key. Always set tweak key for the encryption mode. */
808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
809 if( ret != 0 )
810 return( ret );
811
812 /* Set crypt key for encryption. */
813 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
814 }
815
mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)816 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
817 const unsigned char *key,
818 unsigned int keybits)
819 {
820 int ret;
821 const unsigned char *key1, *key2;
822 unsigned int key1bits, key2bits;
823
824 AES_VALIDATE_RET( ctx != NULL );
825 AES_VALIDATE_RET( key != NULL );
826
827 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
828 &key2, &key2bits );
829 if( ret != 0 )
830 return( ret );
831
832 /* Set the tweak key. Always set tweak key for encryption. */
833 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
834 if( ret != 0 )
835 return( ret );
836
837 /* Set crypt key for decryption. */
838 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
839 }
840 #endif /* MBEDTLS_CIPHER_MODE_XTS */
841
842 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
843 do \
844 { \
845 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
846 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
847 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
848 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
849 \
850 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
851 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
852 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
853 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
854 \
855 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
856 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
857 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
858 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
859 \
860 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
861 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
862 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
863 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
864 } while( 0 )
865
866 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
867 do \
868 { \
869 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
870 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
871 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
872 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
873 \
874 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
875 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
876 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
877 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
878 \
879 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
880 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
881 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
882 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
883 \
884 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
885 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
886 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
887 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
888 } while( 0 )
889
890 /*
891 * AES-ECB block encryption
892 */
893 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
mbedtls_internal_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])894 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
895 const unsigned char input[16],
896 unsigned char output[16] )
897 {
898 int i;
899 uint32_t *RK = ctx->rk;
900 struct
901 {
902 uint32_t X[4];
903 uint32_t Y[4];
904 } t;
905
906 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
907 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
908 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
909 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
910
911 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
912 {
913 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
914 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
915 }
916
917 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
918
919 t.X[0] = *RK++ ^ \
920 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
921 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
922 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
923 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
924
925 t.X[1] = *RK++ ^ \
926 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
927 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
928 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
929 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
930
931 t.X[2] = *RK++ ^ \
932 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
933 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
934 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
935 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
936
937 t.X[3] = *RK++ ^ \
938 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
939 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
940 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
941 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
942
943 PUT_UINT32_LE( t.X[0], output, 0 );
944 PUT_UINT32_LE( t.X[1], output, 4 );
945 PUT_UINT32_LE( t.X[2], output, 8 );
946 PUT_UINT32_LE( t.X[3], output, 12 );
947
948 mbedtls_platform_zeroize( &t, sizeof( t ) );
949
950 return( 0 );
951 }
952 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
953
954 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])955 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
956 const unsigned char input[16],
957 unsigned char output[16] )
958 {
959 mbedtls_internal_aes_encrypt( ctx, input, output );
960 }
961 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
962
963 /*
964 * AES-ECB block decryption
965 */
966 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
mbedtls_internal_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])967 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
968 const unsigned char input[16],
969 unsigned char output[16] )
970 {
971 int i;
972 uint32_t *RK = ctx->rk;
973 struct
974 {
975 uint32_t X[4];
976 uint32_t Y[4];
977 } t;
978
979 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
980 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
981 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
982 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
983
984 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
985 {
986 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
987 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
988 }
989
990 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
991
992 t.X[0] = *RK++ ^ \
993 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
994 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
995 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
996 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
997
998 t.X[1] = *RK++ ^ \
999 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
1000 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
1001 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
1002 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
1003
1004 t.X[2] = *RK++ ^ \
1005 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
1006 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
1007 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
1008 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
1009
1010 t.X[3] = *RK++ ^ \
1011 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
1012 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
1013 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
1014 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
1015
1016 PUT_UINT32_LE( t.X[0], output, 0 );
1017 PUT_UINT32_LE( t.X[1], output, 4 );
1018 PUT_UINT32_LE( t.X[2], output, 8 );
1019 PUT_UINT32_LE( t.X[3], output, 12 );
1020
1021 mbedtls_platform_zeroize( &t, sizeof( t ) );
1022
1023 return( 0 );
1024 }
1025 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
1026
1027 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])1028 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1029 const unsigned char input[16],
1030 unsigned char output[16] )
1031 {
1032 mbedtls_internal_aes_decrypt( ctx, input, output );
1033 }
1034 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1035
1036 /*
1037 * AES-ECB block encryption/decryption
1038 */
mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])1039 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
1040 int mode,
1041 const unsigned char input[16],
1042 unsigned char output[16] )
1043 {
1044 AES_VALIDATE_RET( ctx != NULL );
1045 AES_VALIDATE_RET( input != NULL );
1046 AES_VALIDATE_RET( output != NULL );
1047 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1048 mode == MBEDTLS_AES_DECRYPT );
1049
1050 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
1051 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
1052 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
1053 #endif
1054
1055 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1056 if( aes_padlock_ace )
1057 {
1058 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
1059 return( 0 );
1060
1061 // If padlock data misaligned, we just fall back to
1062 // unaccelerated mode
1063 //
1064 }
1065 #endif
1066
1067 if( mode == MBEDTLS_AES_ENCRYPT )
1068 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1069 else
1070 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
1071 }
1072
1073 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1074 /*
1075 * AES-CBC buffer encryption/decryption
1076 */
mbedtls_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1077 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
1078 int mode,
1079 size_t length,
1080 unsigned char iv[16],
1081 const unsigned char *input,
1082 unsigned char *output )
1083 {
1084 int i;
1085 unsigned char temp[16];
1086
1087 AES_VALIDATE_RET( ctx != NULL );
1088 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1089 mode == MBEDTLS_AES_DECRYPT );
1090 AES_VALIDATE_RET( iv != NULL );
1091 AES_VALIDATE_RET( input != NULL );
1092 AES_VALIDATE_RET( output != NULL );
1093
1094 if( length % 16 )
1095 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
1096
1097 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1098 if( aes_padlock_ace )
1099 {
1100 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
1101 return( 0 );
1102
1103 // If padlock data misaligned, we just fall back to
1104 // unaccelerated mode
1105 //
1106 }
1107 #endif
1108
1109 if( mode == MBEDTLS_AES_DECRYPT )
1110 {
1111 while( length > 0 )
1112 {
1113 memcpy( temp, input, 16 );
1114 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1115
1116 for( i = 0; i < 16; i++ )
1117 output[i] = (unsigned char)( output[i] ^ iv[i] );
1118
1119 memcpy( iv, temp, 16 );
1120
1121 input += 16;
1122 output += 16;
1123 length -= 16;
1124 }
1125 }
1126 else
1127 {
1128 while( length > 0 )
1129 {
1130 for( i = 0; i < 16; i++ )
1131 output[i] = (unsigned char)( input[i] ^ iv[i] );
1132
1133 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1134 memcpy( iv, output, 16 );
1135
1136 input += 16;
1137 output += 16;
1138 length -= 16;
1139 }
1140 }
1141
1142 return( 0 );
1143 }
1144 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1145
1146 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1147
1148 /* Endianess with 64 bits values */
1149 #ifndef GET_UINT64_LE
1150 #define GET_UINT64_LE(n,b,i) \
1151 { \
1152 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1153 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1154 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1155 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1156 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1157 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1158 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1159 | ( (uint64_t) (b)[(i) ] ); \
1160 }
1161 #endif
1162
1163 #ifndef PUT_UINT64_LE
1164 #define PUT_UINT64_LE(n,b,i) \
1165 { \
1166 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1167 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1168 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1169 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1170 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1171 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1172 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1173 (b)[(i) ] = (unsigned char) ( (n) ); \
1174 }
1175 #endif
1176
1177 typedef unsigned char mbedtls_be128[16];
1178
1179 /*
1180 * GF(2^128) multiplication function
1181 *
1182 * This function multiplies a field element by x in the polynomial field
1183 * representation. It uses 64-bit word operations to gain speed but compensates
1184 * for machine endianess and hence works correctly on both big and little
1185 * endian machines.
1186 */
mbedtls_gf128mul_x_ble(unsigned char r[16],const unsigned char x[16])1187 static void mbedtls_gf128mul_x_ble( unsigned char r[16],
1188 const unsigned char x[16] )
1189 {
1190 uint64_t a, b, ra, rb;
1191
1192 GET_UINT64_LE( a, x, 0 );
1193 GET_UINT64_LE( b, x, 8 );
1194
1195 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1196 rb = ( a >> 63 ) | ( b << 1 );
1197
1198 PUT_UINT64_LE( ra, r, 0 );
1199 PUT_UINT64_LE( rb, r, 8 );
1200 }
1201
1202 /*
1203 * AES-XTS buffer encryption/decryption
1204 */
mbedtls_aes_crypt_xts(mbedtls_aes_xts_context * ctx,int mode,size_t length,const unsigned char data_unit[16],const unsigned char * input,unsigned char * output)1205 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1206 int mode,
1207 size_t length,
1208 const unsigned char data_unit[16],
1209 const unsigned char *input,
1210 unsigned char *output )
1211 {
1212 int ret;
1213 size_t blocks = length / 16;
1214 size_t leftover = length % 16;
1215 unsigned char tweak[16];
1216 unsigned char prev_tweak[16];
1217 unsigned char tmp[16];
1218
1219 AES_VALIDATE_RET( ctx != NULL );
1220 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1221 mode == MBEDTLS_AES_DECRYPT );
1222 AES_VALIDATE_RET( data_unit != NULL );
1223 AES_VALIDATE_RET( input != NULL );
1224 AES_VALIDATE_RET( output != NULL );
1225
1226 /* Data units must be at least 16 bytes long. */
1227 if( length < 16 )
1228 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1229
1230 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1231 if( length > ( 1 << 20 ) * 16 )
1232 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1233
1234 /* Compute the tweak. */
1235 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1236 data_unit, tweak );
1237 if( ret != 0 )
1238 return( ret );
1239
1240 while( blocks-- )
1241 {
1242 size_t i;
1243
1244 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1245 {
1246 /* We are on the last block in a decrypt operation that has
1247 * leftover bytes, so we need to use the next tweak for this block,
1248 * and this tweak for the lefover bytes. Save the current tweak for
1249 * the leftovers and then update the current tweak for use on this,
1250 * the last full block. */
1251 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1252 mbedtls_gf128mul_x_ble( tweak, tweak );
1253 }
1254
1255 for( i = 0; i < 16; i++ )
1256 tmp[i] = input[i] ^ tweak[i];
1257
1258 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1259 if( ret != 0 )
1260 return( ret );
1261
1262 for( i = 0; i < 16; i++ )
1263 output[i] = tmp[i] ^ tweak[i];
1264
1265 /* Update the tweak for the next block. */
1266 mbedtls_gf128mul_x_ble( tweak, tweak );
1267
1268 output += 16;
1269 input += 16;
1270 }
1271
1272 if( leftover )
1273 {
1274 /* If we are on the leftover bytes in a decrypt operation, we need to
1275 * use the previous tweak for these bytes (as saved in prev_tweak). */
1276 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1277
1278 /* We are now on the final part of the data unit, which doesn't divide
1279 * evenly by 16. It's time for ciphertext stealing. */
1280 size_t i;
1281 unsigned char *prev_output = output - 16;
1282
1283 /* Copy ciphertext bytes from the previous block to our output for each
1284 * byte of cyphertext we won't steal. At the same time, copy the
1285 * remainder of the input for this final round (since the loop bounds
1286 * are the same). */
1287 for( i = 0; i < leftover; i++ )
1288 {
1289 output[i] = prev_output[i];
1290 tmp[i] = input[i] ^ t[i];
1291 }
1292
1293 /* Copy ciphertext bytes from the previous block for input in this
1294 * round. */
1295 for( ; i < 16; i++ )
1296 tmp[i] = prev_output[i] ^ t[i];
1297
1298 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1299 if( ret != 0 )
1300 return ret;
1301
1302 /* Write the result back to the previous block, overriding the previous
1303 * output we copied. */
1304 for( i = 0; i < 16; i++ )
1305 prev_output[i] = tmp[i] ^ t[i];
1306 }
1307
1308 return( 0 );
1309 }
1310 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1311
1312 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1313 /*
1314 * AES-CFB128 buffer encryption/decryption
1315 */
mbedtls_aes_crypt_cfb128(mbedtls_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1316 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
1317 int mode,
1318 size_t length,
1319 size_t *iv_off,
1320 unsigned char iv[16],
1321 const unsigned char *input,
1322 unsigned char *output )
1323 {
1324 int c;
1325 size_t n;
1326
1327 AES_VALIDATE_RET( ctx != NULL );
1328 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1329 mode == MBEDTLS_AES_DECRYPT );
1330 AES_VALIDATE_RET( iv_off != NULL );
1331 AES_VALIDATE_RET( iv != NULL );
1332 AES_VALIDATE_RET( input != NULL );
1333 AES_VALIDATE_RET( output != NULL );
1334
1335 n = *iv_off;
1336
1337 if( n > 15 )
1338 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1339
1340 if( mode == MBEDTLS_AES_DECRYPT )
1341 {
1342 while( length-- )
1343 {
1344 if( n == 0 )
1345 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1346
1347 c = *input++;
1348 *output++ = (unsigned char)( c ^ iv[n] );
1349 iv[n] = (unsigned char) c;
1350
1351 n = ( n + 1 ) & 0x0F;
1352 }
1353 }
1354 else
1355 {
1356 while( length-- )
1357 {
1358 if( n == 0 )
1359 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1360
1361 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1362
1363 n = ( n + 1 ) & 0x0F;
1364 }
1365 }
1366
1367 *iv_off = n;
1368
1369 return( 0 );
1370 }
1371
1372 /*
1373 * AES-CFB8 buffer encryption/decryption
1374 */
mbedtls_aes_crypt_cfb8(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1375 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
1376 int mode,
1377 size_t length,
1378 unsigned char iv[16],
1379 const unsigned char *input,
1380 unsigned char *output )
1381 {
1382 unsigned char c;
1383 unsigned char ov[17];
1384
1385 AES_VALIDATE_RET( ctx != NULL );
1386 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1387 mode == MBEDTLS_AES_DECRYPT );
1388 AES_VALIDATE_RET( iv != NULL );
1389 AES_VALIDATE_RET( input != NULL );
1390 AES_VALIDATE_RET( output != NULL );
1391 while( length-- )
1392 {
1393 memcpy( ov, iv, 16 );
1394 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1395
1396 if( mode == MBEDTLS_AES_DECRYPT )
1397 ov[16] = *input;
1398
1399 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1400
1401 if( mode == MBEDTLS_AES_ENCRYPT )
1402 ov[16] = c;
1403
1404 memcpy( iv, ov + 1, 16 );
1405 }
1406
1407 return( 0 );
1408 }
1409 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1410
1411 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1412 /*
1413 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1414 */
mbedtls_aes_crypt_ofb(mbedtls_aes_context * ctx,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1415 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
1416 size_t length,
1417 size_t *iv_off,
1418 unsigned char iv[16],
1419 const unsigned char *input,
1420 unsigned char *output )
1421 {
1422 int ret = 0;
1423 size_t n;
1424
1425 AES_VALIDATE_RET( ctx != NULL );
1426 AES_VALIDATE_RET( iv_off != NULL );
1427 AES_VALIDATE_RET( iv != NULL );
1428 AES_VALIDATE_RET( input != NULL );
1429 AES_VALIDATE_RET( output != NULL );
1430
1431 n = *iv_off;
1432
1433 if( n > 15 )
1434 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1435
1436 while( length-- )
1437 {
1438 if( n == 0 )
1439 {
1440 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1441 if( ret != 0 )
1442 goto exit;
1443 }
1444 *output++ = *input++ ^ iv[n];
1445
1446 n = ( n + 1 ) & 0x0F;
1447 }
1448
1449 *iv_off = n;
1450
1451 exit:
1452 return( ret );
1453 }
1454 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1455
1456 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1457 /*
1458 * AES-CTR buffer encryption/decryption
1459 */
mbedtls_aes_crypt_ctr(mbedtls_aes_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)1460 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1461 size_t length,
1462 size_t *nc_off,
1463 unsigned char nonce_counter[16],
1464 unsigned char stream_block[16],
1465 const unsigned char *input,
1466 unsigned char *output )
1467 {
1468 int c, i;
1469 size_t n;
1470
1471 AES_VALIDATE_RET( ctx != NULL );
1472 AES_VALIDATE_RET( nc_off != NULL );
1473 AES_VALIDATE_RET( nonce_counter != NULL );
1474 AES_VALIDATE_RET( stream_block != NULL );
1475 AES_VALIDATE_RET( input != NULL );
1476 AES_VALIDATE_RET( output != NULL );
1477
1478 n = *nc_off;
1479
1480 if ( n > 0x0F )
1481 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1482
1483 while( length-- )
1484 {
1485 if( n == 0 ) {
1486 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1487
1488 for( i = 16; i > 0; i-- )
1489 if( ++nonce_counter[i - 1] != 0 )
1490 break;
1491 }
1492 c = *input++;
1493 *output++ = (unsigned char)( c ^ stream_block[n] );
1494
1495 n = ( n + 1 ) & 0x0F;
1496 }
1497
1498 *nc_off = n;
1499
1500 return( 0 );
1501 }
1502 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1503
1504 #endif /* !MBEDTLS_AES_ALT */
1505
1506 #if defined(MBEDTLS_SELF_TEST)
1507 /*
1508 * AES test vectors from:
1509 *
1510 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1511 */
1512 static const unsigned char aes_test_ecb_dec[3][16] =
1513 {
1514 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1515 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1516 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1517 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1518 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1519 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1520 };
1521
1522 static const unsigned char aes_test_ecb_enc[3][16] =
1523 {
1524 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1525 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1526 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1527 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1528 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1529 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1530 };
1531
1532 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1533 static const unsigned char aes_test_cbc_dec[3][16] =
1534 {
1535 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1536 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1537 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1538 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1539 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1540 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1541 };
1542
1543 static const unsigned char aes_test_cbc_enc[3][16] =
1544 {
1545 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1546 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1547 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1548 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1549 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1550 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1551 };
1552 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1553
1554 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1555 /*
1556 * AES-CFB128 test vectors from:
1557 *
1558 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1559 */
1560 static const unsigned char aes_test_cfb128_key[3][32] =
1561 {
1562 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1563 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1564 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1565 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1566 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1567 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1568 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1569 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1570 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1571 };
1572
1573 static const unsigned char aes_test_cfb128_iv[16] =
1574 {
1575 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1576 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1577 };
1578
1579 static const unsigned char aes_test_cfb128_pt[64] =
1580 {
1581 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1582 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1583 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1584 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1585 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1586 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1587 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1588 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1589 };
1590
1591 static const unsigned char aes_test_cfb128_ct[3][64] =
1592 {
1593 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1594 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1595 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1596 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1597 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1598 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1599 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1600 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1601 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1602 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1603 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1604 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1605 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1606 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1607 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1608 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1609 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1610 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1611 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1612 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1613 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1614 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1615 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1616 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1617 };
1618 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1619
1620 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1621 /*
1622 * AES-OFB test vectors from:
1623 *
1624 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1625 */
1626 static const unsigned char aes_test_ofb_key[3][32] =
1627 {
1628 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1629 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1630 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1631 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1632 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1633 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1634 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1635 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1636 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1637 };
1638
1639 static const unsigned char aes_test_ofb_iv[16] =
1640 {
1641 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1642 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1643 };
1644
1645 static const unsigned char aes_test_ofb_pt[64] =
1646 {
1647 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1648 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1649 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1650 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1651 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1652 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1653 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1654 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1655 };
1656
1657 static const unsigned char aes_test_ofb_ct[3][64] =
1658 {
1659 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1660 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1661 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1662 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1663 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1664 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1665 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1666 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1667 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1668 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1669 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1670 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1671 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1672 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1673 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1674 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1675 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1676 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1677 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1678 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1679 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1680 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1681 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1682 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1683 };
1684 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1685
1686 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1687 /*
1688 * AES-CTR test vectors from:
1689 *
1690 * http://www.faqs.org/rfcs/rfc3686.html
1691 */
1692
1693 static const unsigned char aes_test_ctr_key[3][16] =
1694 {
1695 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1696 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1697 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1698 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1699 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1700 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1701 };
1702
1703 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1704 {
1705 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1707 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1708 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1709 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1710 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1711 };
1712
1713 static const unsigned char aes_test_ctr_pt[3][48] =
1714 {
1715 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1716 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1717
1718 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1719 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1720 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1721 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1722
1723 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1724 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1725 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1726 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1727 0x20, 0x21, 0x22, 0x23 }
1728 };
1729
1730 static const unsigned char aes_test_ctr_ct[3][48] =
1731 {
1732 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1733 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1734 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1735 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1736 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1737 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1738 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1739 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1740 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1741 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1742 0x25, 0xB2, 0x07, 0x2F }
1743 };
1744
1745 static const int aes_test_ctr_len[3] =
1746 { 16, 32, 36 };
1747 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1748
1749 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1750 /*
1751 * AES-XTS test vectors from:
1752 *
1753 * IEEE P1619/D16 Annex B
1754 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1755 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1756 */
1757 static const unsigned char aes_test_xts_key[][32] =
1758 {
1759 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1760 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1763 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1764 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1765 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1766 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1767 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1768 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1769 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1770 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1771 };
1772
1773 static const unsigned char aes_test_xts_pt32[][32] =
1774 {
1775 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1779 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1780 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1781 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1782 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1783 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1784 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1785 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1786 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1787 };
1788
1789 static const unsigned char aes_test_xts_ct32[][32] =
1790 {
1791 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1792 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1793 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1794 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1795 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1796 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1797 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1798 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1799 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1800 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1801 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1802 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1803 };
1804
1805 static const unsigned char aes_test_xts_data_unit[][16] =
1806 {
1807 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1809 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1810 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1811 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1812 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1813 };
1814
1815 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1816
1817 /*
1818 * Checkup routine
1819 */
mbedtls_aes_self_test(int verbose)1820 int mbedtls_aes_self_test( int verbose )
1821 {
1822 int ret = 0, i, j, u, mode;
1823 unsigned int keybits;
1824 unsigned char key[32];
1825 unsigned char buf[64];
1826 const unsigned char *aes_tests;
1827 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
1828 unsigned char iv[16];
1829 #endif
1830 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1831 unsigned char prv[16];
1832 #endif
1833 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1834 defined(MBEDTLS_CIPHER_MODE_OFB)
1835 size_t offset;
1836 #endif
1837 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1838 int len;
1839 #endif
1840 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1841 unsigned char nonce_counter[16];
1842 unsigned char stream_block[16];
1843 #endif
1844 mbedtls_aes_context ctx;
1845
1846 memset( key, 0, 32 );
1847 mbedtls_aes_init( &ctx );
1848
1849 /*
1850 * ECB mode
1851 */
1852 for( i = 0; i < 6; i++ )
1853 {
1854 u = i >> 1;
1855 keybits = 128 + u * 64;
1856 mode = i & 1;
1857
1858 if( verbose != 0 )
1859 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1860 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1861
1862 memset( buf, 0, 16 );
1863
1864 if( mode == MBEDTLS_AES_DECRYPT )
1865 {
1866 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1867 aes_tests = aes_test_ecb_dec[u];
1868 }
1869 else
1870 {
1871 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1872 aes_tests = aes_test_ecb_enc[u];
1873 }
1874
1875 /*
1876 * AES-192 is an optional feature that may be unavailable when
1877 * there is an alternative underlying implementation i.e. when
1878 * MBEDTLS_AES_ALT is defined.
1879 */
1880 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1881 {
1882 mbedtls_printf( "skipped\n" );
1883 continue;
1884 }
1885 else if( ret != 0 )
1886 {
1887 goto exit;
1888 }
1889
1890 for( j = 0; j < 10000; j++ )
1891 {
1892 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1893 if( ret != 0 )
1894 goto exit;
1895 }
1896
1897 if( memcmp( buf, aes_tests, 16 ) != 0 )
1898 {
1899 ret = 1;
1900 goto exit;
1901 }
1902
1903 if( verbose != 0 )
1904 mbedtls_printf( "passed\n" );
1905 }
1906
1907 if( verbose != 0 )
1908 mbedtls_printf( "\n" );
1909
1910 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1911 /*
1912 * CBC mode
1913 */
1914 for( i = 0; i < 6; i++ )
1915 {
1916 u = i >> 1;
1917 keybits = 128 + u * 64;
1918 mode = i & 1;
1919
1920 if( verbose != 0 )
1921 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1922 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1923
1924 memset( iv , 0, 16 );
1925 memset( prv, 0, 16 );
1926 memset( buf, 0, 16 );
1927
1928 if( mode == MBEDTLS_AES_DECRYPT )
1929 {
1930 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1931 aes_tests = aes_test_cbc_dec[u];
1932 }
1933 else
1934 {
1935 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1936 aes_tests = aes_test_cbc_enc[u];
1937 }
1938
1939 /*
1940 * AES-192 is an optional feature that may be unavailable when
1941 * there is an alternative underlying implementation i.e. when
1942 * MBEDTLS_AES_ALT is defined.
1943 */
1944 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1945 {
1946 mbedtls_printf( "skipped\n" );
1947 continue;
1948 }
1949 else if( ret != 0 )
1950 {
1951 goto exit;
1952 }
1953
1954 for( j = 0; j < 10000; j++ )
1955 {
1956 if( mode == MBEDTLS_AES_ENCRYPT )
1957 {
1958 unsigned char tmp[16];
1959
1960 memcpy( tmp, prv, 16 );
1961 memcpy( prv, buf, 16 );
1962 memcpy( buf, tmp, 16 );
1963 }
1964
1965 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1966 if( ret != 0 )
1967 goto exit;
1968
1969 }
1970
1971 if( memcmp( buf, aes_tests, 16 ) != 0 )
1972 {
1973 ret = 1;
1974 goto exit;
1975 }
1976
1977 if( verbose != 0 )
1978 mbedtls_printf( "passed\n" );
1979 }
1980
1981 if( verbose != 0 )
1982 mbedtls_printf( "\n" );
1983 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1984
1985 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1986 /*
1987 * CFB128 mode
1988 */
1989 for( i = 0; i < 6; i++ )
1990 {
1991 u = i >> 1;
1992 keybits = 128 + u * 64;
1993 mode = i & 1;
1994
1995 if( verbose != 0 )
1996 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1997 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1998
1999 memcpy( iv, aes_test_cfb128_iv, 16 );
2000 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
2001
2002 offset = 0;
2003 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2004 /*
2005 * AES-192 is an optional feature that may be unavailable when
2006 * there is an alternative underlying implementation i.e. when
2007 * MBEDTLS_AES_ALT is defined.
2008 */
2009 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
2010 {
2011 mbedtls_printf( "skipped\n" );
2012 continue;
2013 }
2014 else if( ret != 0 )
2015 {
2016 goto exit;
2017 }
2018
2019 if( mode == MBEDTLS_AES_DECRYPT )
2020 {
2021 memcpy( buf, aes_test_cfb128_ct[u], 64 );
2022 aes_tests = aes_test_cfb128_pt;
2023 }
2024 else
2025 {
2026 memcpy( buf, aes_test_cfb128_pt, 64 );
2027 aes_tests = aes_test_cfb128_ct[u];
2028 }
2029
2030 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2031 if( ret != 0 )
2032 goto exit;
2033
2034 if( memcmp( buf, aes_tests, 64 ) != 0 )
2035 {
2036 ret = 1;
2037 goto exit;
2038 }
2039
2040 if( verbose != 0 )
2041 mbedtls_printf( "passed\n" );
2042 }
2043
2044 if( verbose != 0 )
2045 mbedtls_printf( "\n" );
2046 #endif /* MBEDTLS_CIPHER_MODE_CFB */
2047
2048 #if defined(MBEDTLS_CIPHER_MODE_OFB)
2049 /*
2050 * OFB mode
2051 */
2052 for( i = 0; i < 6; i++ )
2053 {
2054 u = i >> 1;
2055 keybits = 128 + u * 64;
2056 mode = i & 1;
2057
2058 if( verbose != 0 )
2059 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2060 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2061
2062 memcpy( iv, aes_test_ofb_iv, 16 );
2063 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2064
2065 offset = 0;
2066 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2067 /*
2068 * AES-192 is an optional feature that may be unavailable when
2069 * there is an alternative underlying implementation i.e. when
2070 * MBEDTLS_AES_ALT is defined.
2071 */
2072 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
2073 {
2074 mbedtls_printf( "skipped\n" );
2075 continue;
2076 }
2077 else if( ret != 0 )
2078 {
2079 goto exit;
2080 }
2081
2082 if( mode == MBEDTLS_AES_DECRYPT )
2083 {
2084 memcpy( buf, aes_test_ofb_ct[u], 64 );
2085 aes_tests = aes_test_ofb_pt;
2086 }
2087 else
2088 {
2089 memcpy( buf, aes_test_ofb_pt, 64 );
2090 aes_tests = aes_test_ofb_ct[u];
2091 }
2092
2093 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2094 if( ret != 0 )
2095 goto exit;
2096
2097 if( memcmp( buf, aes_tests, 64 ) != 0 )
2098 {
2099 ret = 1;
2100 goto exit;
2101 }
2102
2103 if( verbose != 0 )
2104 mbedtls_printf( "passed\n" );
2105 }
2106
2107 if( verbose != 0 )
2108 mbedtls_printf( "\n" );
2109 #endif /* MBEDTLS_CIPHER_MODE_OFB */
2110
2111 #if defined(MBEDTLS_CIPHER_MODE_CTR)
2112 /*
2113 * CTR mode
2114 */
2115 for( i = 0; i < 6; i++ )
2116 {
2117 u = i >> 1;
2118 mode = i & 1;
2119
2120 if( verbose != 0 )
2121 mbedtls_printf( " AES-CTR-128 (%s): ",
2122 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2123
2124 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2125 memcpy( key, aes_test_ctr_key[u], 16 );
2126
2127 offset = 0;
2128 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2129 goto exit;
2130
2131 len = aes_test_ctr_len[u];
2132
2133 if( mode == MBEDTLS_AES_DECRYPT )
2134 {
2135 memcpy( buf, aes_test_ctr_ct[u], len );
2136 aes_tests = aes_test_ctr_pt[u];
2137 }
2138 else
2139 {
2140 memcpy( buf, aes_test_ctr_pt[u], len );
2141 aes_tests = aes_test_ctr_ct[u];
2142 }
2143
2144 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2145 stream_block, buf, buf );
2146 if( ret != 0 )
2147 goto exit;
2148
2149 if( memcmp( buf, aes_tests, len ) != 0 )
2150 {
2151 ret = 1;
2152 goto exit;
2153 }
2154
2155 if( verbose != 0 )
2156 mbedtls_printf( "passed\n" );
2157 }
2158
2159 if( verbose != 0 )
2160 mbedtls_printf( "\n" );
2161 #endif /* MBEDTLS_CIPHER_MODE_CTR */
2162
2163 #if defined(MBEDTLS_CIPHER_MODE_XTS)
2164 {
2165 static const int num_tests =
2166 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2167 mbedtls_aes_xts_context ctx_xts;
2168
2169 /*
2170 * XTS mode
2171 */
2172 mbedtls_aes_xts_init( &ctx_xts );
2173
2174 for( i = 0; i < num_tests << 1; i++ )
2175 {
2176 const unsigned char *data_unit;
2177 u = i >> 1;
2178 mode = i & 1;
2179
2180 if( verbose != 0 )
2181 mbedtls_printf( " AES-XTS-128 (%s): ",
2182 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2183
2184 memset( key, 0, sizeof( key ) );
2185 memcpy( key, aes_test_xts_key[u], 32 );
2186 data_unit = aes_test_xts_data_unit[u];
2187
2188 len = sizeof( *aes_test_xts_ct32 );
2189
2190 if( mode == MBEDTLS_AES_DECRYPT )
2191 {
2192 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2193 if( ret != 0)
2194 goto exit;
2195 memcpy( buf, aes_test_xts_ct32[u], len );
2196 aes_tests = aes_test_xts_pt32[u];
2197 }
2198 else
2199 {
2200 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2201 if( ret != 0)
2202 goto exit;
2203 memcpy( buf, aes_test_xts_pt32[u], len );
2204 aes_tests = aes_test_xts_ct32[u];
2205 }
2206
2207
2208 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2209 buf, buf );
2210 if( ret != 0 )
2211 goto exit;
2212
2213 if( memcmp( buf, aes_tests, len ) != 0 )
2214 {
2215 ret = 1;
2216 goto exit;
2217 }
2218
2219 if( verbose != 0 )
2220 mbedtls_printf( "passed\n" );
2221 }
2222
2223 if( verbose != 0 )
2224 mbedtls_printf( "\n" );
2225
2226 mbedtls_aes_xts_free( &ctx_xts );
2227 }
2228 #endif /* MBEDTLS_CIPHER_MODE_XTS */
2229
2230 ret = 0;
2231
2232 exit:
2233 if( ret != 0 && verbose != 0 )
2234 mbedtls_printf( "failed\n" );
2235
2236 mbedtls_aes_free( &ctx );
2237
2238 return( ret );
2239 }
2240
2241 #endif /* MBEDTLS_SELF_TEST */
2242
2243 #endif /* MBEDTLS_AES_C */
2244