1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46 /*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
53 #if !defined(MBEDTLS_CONFIG_FILE)
54 #include "mbedtls/config.h"
55 #else
56 #include MBEDTLS_CONFIG_FILE
57 #endif
58
59 #if defined(MBEDTLS_AES_C)
60
61 #include <string.h>
62
63 #include "mbedtls/aes.h"
64 #if defined(MBEDTLS_PADLOCK_C)
65 #include "mbedtls/padlock.h"
66 #endif
67 #if defined(MBEDTLS_AESNI_C)
68 #include "mbedtls/aesni.h"
69 #endif
70
71 #if defined(MBEDTLS_SELF_TEST)
72 #if defined(MBEDTLS_PLATFORM_C)
73 #include "mbedtls/platform.h"
74 #else
75 #include <stdio.h>
76 #define mbedtls_printf printf
77 #endif /* MBEDTLS_PLATFORM_C */
78 #endif /* MBEDTLS_SELF_TEST */
79
80 #if !defined(MBEDTLS_AES_ALT)
81
82 /* Implementation that should never be optimized out by the compiler */
mbedtls_zeroize(void * v,size_t n)83 static void mbedtls_zeroize( void *v, size_t n ) {
84 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
85 }
86
87 /*
88 * 32-bit integer manipulation macros (little endian)
89 */
90 #ifndef GET_UINT32_LE
91 #define GET_UINT32_LE(n,b,i) \
92 { \
93 (n) = ( (uint32_t) (b)[(i) ] ) \
94 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
95 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
96 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
97 }
98 #endif
99
100 #ifndef PUT_UINT32_LE
101 #define PUT_UINT32_LE(n,b,i) \
102 { \
103 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
104 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
105 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
106 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
107 }
108 #endif
109
110 #if defined(MBEDTLS_PADLOCK_C) && \
111 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
112 static int aes_padlock_ace = -1;
113 #endif
114
115 #if defined(MBEDTLS_AES_ROM_TABLES)
116 /*
117 * Forward S-box
118 */
119 static const unsigned char FSb[256] =
120 {
121 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
122 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
123 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
124 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
125 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
126 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
127 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
128 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
129 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
130 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
131 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
132 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
133 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
134 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
135 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
136 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
137 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
138 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
139 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
140 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
141 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
142 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
143 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
144 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
145 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
146 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
147 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
148 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
149 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
150 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
151 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
152 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
153 };
154
155 /*
156 * Forward tables
157 */
158 #define FT \
159 \
160 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
161 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
162 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
163 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
164 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
165 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
166 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
167 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
168 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
169 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
170 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
171 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
172 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
173 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
174 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
175 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
176 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
177 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
178 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
179 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
180 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
181 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
182 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
183 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
184 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
185 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
186 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
187 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
188 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
189 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
190 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
191 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
192 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
193 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
194 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
195 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
196 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
197 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
198 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
199 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
200 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
201 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
202 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
203 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
204 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
205 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
206 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
207 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
208 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
209 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
210 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
211 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
212 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
213 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
214 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
215 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
216 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
217 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
218 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
219 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
220 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
221 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
222 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
223 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
224
225 #define V(a,b,c,d) 0x##a##b##c##d
226 static const uint32_t FT0[256] = { FT };
227 #undef V
228
229 #define V(a,b,c,d) 0x##b##c##d##a
230 static const uint32_t FT1[256] = { FT };
231 #undef V
232
233 #define V(a,b,c,d) 0x##c##d##a##b
234 static const uint32_t FT2[256] = { FT };
235 #undef V
236
237 #define V(a,b,c,d) 0x##d##a##b##c
238 static const uint32_t FT3[256] = { FT };
239 #undef V
240
241 #undef FT
242
243 /*
244 * Reverse S-box
245 */
246 static const unsigned char RSb[256] =
247 {
248 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
249 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
250 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
251 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
252 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
253 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
254 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
255 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
256 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
257 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
258 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
259 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
260 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
261 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
262 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
263 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
264 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
265 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
266 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
267 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
268 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
269 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
270 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
271 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
272 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
273 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
274 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
275 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
276 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
277 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
278 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
279 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
280 };
281
282 /*
283 * Reverse tables
284 */
285 #define RT \
286 \
287 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
288 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
289 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
290 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
291 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
292 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
293 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
294 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
295 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
296 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
297 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
298 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
299 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
300 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
301 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
302 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
303 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
304 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
305 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
306 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
307 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
308 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
309 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
310 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
311 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
312 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
313 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
314 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
315 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
316 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
317 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
318 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
319 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
320 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
321 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
322 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
323 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
324 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
325 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
326 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
327 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
328 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
329 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
330 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
331 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
332 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
333 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
334 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
335 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
336 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
337 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
338 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
339 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
340 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
341 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
342 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
343 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
344 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
345 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
346 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
347 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
348 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
349 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
350 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
351
352 #define V(a,b,c,d) 0x##a##b##c##d
353 static const uint32_t RT0[256] = { RT };
354 #undef V
355
356 #define V(a,b,c,d) 0x##b##c##d##a
357 static const uint32_t RT1[256] = { RT };
358 #undef V
359
360 #define V(a,b,c,d) 0x##c##d##a##b
361 static const uint32_t RT2[256] = { RT };
362 #undef V
363
364 #define V(a,b,c,d) 0x##d##a##b##c
365 static const uint32_t RT3[256] = { RT };
366 #undef V
367
368 #undef RT
369
370 /*
371 * Round constants
372 */
373 static const uint32_t RCON[10] =
374 {
375 0x00000001, 0x00000002, 0x00000004, 0x00000008,
376 0x00000010, 0x00000020, 0x00000040, 0x00000080,
377 0x0000001B, 0x00000036
378 };
379
380 #else /* MBEDTLS_AES_ROM_TABLES */
381
382 /*
383 * Forward S-box & tables
384 */
385 static unsigned char FSb[256];
386 static uint32_t FT0[256];
387 static uint32_t FT1[256];
388 static uint32_t FT2[256];
389 static uint32_t FT3[256];
390
391 /*
392 * Reverse S-box & tables
393 */
394 static unsigned char RSb[256];
395 static uint32_t RT0[256];
396 static uint32_t RT1[256];
397 static uint32_t RT2[256];
398 static uint32_t RT3[256];
399
400 /*
401 * Round constants
402 */
403 static uint32_t RCON[10];
404
405 /*
406 * Tables generation code
407 */
408 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
409 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
410 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
411
412 static int aes_init_done = 0;
413
aes_gen_tables(void)414 static void aes_gen_tables( void )
415 {
416 int i, x, y, z;
417 int pow[256];
418 int log[256];
419
420 /*
421 * compute pow and log tables over GF(2^8)
422 */
423 for( i = 0, x = 1; i < 256; i++ )
424 {
425 pow[i] = x;
426 log[x] = i;
427 x = ( x ^ XTIME( x ) ) & 0xFF;
428 }
429
430 /*
431 * calculate the round constants
432 */
433 for( i = 0, x = 1; i < 10; i++ )
434 {
435 RCON[i] = (uint32_t) x;
436 x = XTIME( x ) & 0xFF;
437 }
438
439 /*
440 * generate the forward and reverse S-boxes
441 */
442 FSb[0x00] = 0x63;
443 RSb[0x63] = 0x00;
444
445 for( i = 1; i < 256; i++ )
446 {
447 x = pow[255 - log[i]];
448
449 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
450 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
451 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
452 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
453 x ^= y ^ 0x63;
454
455 FSb[i] = (unsigned char) x;
456 RSb[x] = (unsigned char) i;
457 }
458
459 /*
460 * generate the forward and reverse tables
461 */
462 for( i = 0; i < 256; i++ )
463 {
464 x = FSb[i];
465 y = XTIME( x ) & 0xFF;
466 z = ( y ^ x ) & 0xFF;
467
468 FT0[i] = ( (uint32_t) y ) ^
469 ( (uint32_t) x << 8 ) ^
470 ( (uint32_t) x << 16 ) ^
471 ( (uint32_t) z << 24 );
472
473 FT1[i] = ROTL8( FT0[i] );
474 FT2[i] = ROTL8( FT1[i] );
475 FT3[i] = ROTL8( FT2[i] );
476
477 x = RSb[i];
478
479 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
480 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
481 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
482 ( (uint32_t) MUL( 0x0B, x ) << 24 );
483
484 RT1[i] = ROTL8( RT0[i] );
485 RT2[i] = ROTL8( RT1[i] );
486 RT3[i] = ROTL8( RT2[i] );
487 }
488 }
489
490 #endif /* MBEDTLS_AES_ROM_TABLES */
491
mbedtls_aes_init(mbedtls_aes_context * ctx)492 void mbedtls_aes_init( mbedtls_aes_context *ctx )
493 {
494 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
495 }
496
mbedtls_aes_free(mbedtls_aes_context * ctx)497 void mbedtls_aes_free( mbedtls_aes_context *ctx )
498 {
499 if( ctx == NULL )
500 return;
501
502 mbedtls_zeroize( ctx, sizeof( mbedtls_aes_context ) );
503 }
504
505 /*
506 * AES key schedule (encryption)
507 */
508 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)509 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
510 unsigned int keybits )
511 {
512 unsigned int i;
513 uint32_t *RK;
514
515 #if !defined(MBEDTLS_AES_ROM_TABLES)
516 if( aes_init_done == 0 )
517 {
518 aes_gen_tables();
519 aes_init_done = 1;
520
521 }
522 #endif
523
524 switch( keybits )
525 {
526 case 128: ctx->nr = 10; break;
527 case 192: ctx->nr = 12; break;
528 case 256: ctx->nr = 14; break;
529 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
530 }
531
532 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
533 if( aes_padlock_ace == -1 )
534 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
535
536 if( aes_padlock_ace )
537 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
538 else
539 #endif
540 ctx->rk = RK = ctx->buf;
541
542 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
543 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
544 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
545 #endif
546
547 for( i = 0; i < ( keybits >> 5 ); i++ )
548 {
549 GET_UINT32_LE( RK[i], key, i << 2 );
550 }
551
552 switch( ctx->nr )
553 {
554 case 10:
555
556 for( i = 0; i < 10; i++, RK += 4 )
557 {
558 RK[4] = RK[0] ^ RCON[i] ^
559 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
560 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
561 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
562 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
563
564 RK[5] = RK[1] ^ RK[4];
565 RK[6] = RK[2] ^ RK[5];
566 RK[7] = RK[3] ^ RK[6];
567 }
568 break;
569
570 case 12:
571
572 for( i = 0; i < 8; i++, RK += 6 )
573 {
574 RK[6] = RK[0] ^ RCON[i] ^
575 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
576 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
577 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
578 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
579
580 RK[7] = RK[1] ^ RK[6];
581 RK[8] = RK[2] ^ RK[7];
582 RK[9] = RK[3] ^ RK[8];
583 RK[10] = RK[4] ^ RK[9];
584 RK[11] = RK[5] ^ RK[10];
585 }
586 break;
587
588 case 14:
589
590 for( i = 0; i < 7; i++, RK += 8 )
591 {
592 RK[8] = RK[0] ^ RCON[i] ^
593 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
594 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
595 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
596 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
597
598 RK[9] = RK[1] ^ RK[8];
599 RK[10] = RK[2] ^ RK[9];
600 RK[11] = RK[3] ^ RK[10];
601
602 RK[12] = RK[4] ^
603 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
604 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
605 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
606 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
607
608 RK[13] = RK[5] ^ RK[12];
609 RK[14] = RK[6] ^ RK[13];
610 RK[15] = RK[7] ^ RK[14];
611 }
612 break;
613 }
614
615 return( 0 );
616 }
617 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
618
619 /*
620 * AES key schedule (decryption)
621 */
622 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)623 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
624 unsigned int keybits )
625 {
626 int i, j, ret;
627 mbedtls_aes_context cty;
628 uint32_t *RK;
629 uint32_t *SK;
630
631 mbedtls_aes_init( &cty );
632
633 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
634 if( aes_padlock_ace == -1 )
635 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
636
637 if( aes_padlock_ace )
638 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
639 else
640 #endif
641 ctx->rk = RK = ctx->buf;
642
643 /* Also checks keybits */
644 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
645 goto exit;
646
647 ctx->nr = cty.nr;
648
649 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
650 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
651 {
652 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
653 (const unsigned char *) cty.rk, ctx->nr );
654 goto exit;
655 }
656 #endif
657
658 SK = cty.rk + cty.nr * 4;
659
660 *RK++ = *SK++;
661 *RK++ = *SK++;
662 *RK++ = *SK++;
663 *RK++ = *SK++;
664
665 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
666 {
667 for( j = 0; j < 4; j++, SK++ )
668 {
669 *RK++ = RT0[ FSb[ ( *SK ) & 0xFF ] ] ^
670 RT1[ FSb[ ( *SK >> 8 ) & 0xFF ] ] ^
671 RT2[ FSb[ ( *SK >> 16 ) & 0xFF ] ] ^
672 RT3[ FSb[ ( *SK >> 24 ) & 0xFF ] ];
673 }
674 }
675
676 *RK++ = *SK++;
677 *RK++ = *SK++;
678 *RK++ = *SK++;
679 *RK++ = *SK++;
680
681 exit:
682 mbedtls_aes_free( &cty );
683
684 return( ret );
685 }
686 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
687
688 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
689 { \
690 X0 = *RK++ ^ FT0[ ( Y0 ) & 0xFF ] ^ \
691 FT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
692 FT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
693 FT3[ ( Y3 >> 24 ) & 0xFF ]; \
694 \
695 X1 = *RK++ ^ FT0[ ( Y1 ) & 0xFF ] ^ \
696 FT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
697 FT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
698 FT3[ ( Y0 >> 24 ) & 0xFF ]; \
699 \
700 X2 = *RK++ ^ FT0[ ( Y2 ) & 0xFF ] ^ \
701 FT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
702 FT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
703 FT3[ ( Y1 >> 24 ) & 0xFF ]; \
704 \
705 X3 = *RK++ ^ FT0[ ( Y3 ) & 0xFF ] ^ \
706 FT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
707 FT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
708 FT3[ ( Y2 >> 24 ) & 0xFF ]; \
709 }
710
711 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
712 { \
713 X0 = *RK++ ^ RT0[ ( Y0 ) & 0xFF ] ^ \
714 RT1[ ( Y3 >> 8 ) & 0xFF ] ^ \
715 RT2[ ( Y2 >> 16 ) & 0xFF ] ^ \
716 RT3[ ( Y1 >> 24 ) & 0xFF ]; \
717 \
718 X1 = *RK++ ^ RT0[ ( Y1 ) & 0xFF ] ^ \
719 RT1[ ( Y0 >> 8 ) & 0xFF ] ^ \
720 RT2[ ( Y3 >> 16 ) & 0xFF ] ^ \
721 RT3[ ( Y2 >> 24 ) & 0xFF ]; \
722 \
723 X2 = *RK++ ^ RT0[ ( Y2 ) & 0xFF ] ^ \
724 RT1[ ( Y1 >> 8 ) & 0xFF ] ^ \
725 RT2[ ( Y0 >> 16 ) & 0xFF ] ^ \
726 RT3[ ( Y3 >> 24 ) & 0xFF ]; \
727 \
728 X3 = *RK++ ^ RT0[ ( Y3 ) & 0xFF ] ^ \
729 RT1[ ( Y2 >> 8 ) & 0xFF ] ^ \
730 RT2[ ( Y1 >> 16 ) & 0xFF ] ^ \
731 RT3[ ( Y0 >> 24 ) & 0xFF ]; \
732 }
733
734 /*
735 * AES-ECB block encryption
736 */
737 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
mbedtls_internal_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])738 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
739 const unsigned char input[16],
740 unsigned char output[16] )
741 {
742 int i;
743 uint32_t *RK = ctx->rk;
744 struct
745 {
746 uint32_t X[4];
747 uint32_t Y[4];
748 } t;
749
750 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
751 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
752 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
753 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
754
755 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
756 {
757 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
758 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
759 }
760
761 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
762
763 t.X[0] = *RK++ ^ \
764 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
765 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
766 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
767 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
768
769 t.X[1] = *RK++ ^ \
770 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
771 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
772 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
773 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
774
775 t.X[2] = *RK++ ^ \
776 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
777 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
778 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
779 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
780
781 t.X[3] = *RK++ ^ \
782 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
783 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
784 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
785 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
786
787 PUT_UINT32_LE( t.X[0], output, 0 );
788 PUT_UINT32_LE( t.X[1], output, 4 );
789 PUT_UINT32_LE( t.X[2], output, 8 );
790 PUT_UINT32_LE( t.X[3], output, 12 );
791
792 mbedtls_zeroize( &t, sizeof( t ) );
793
794 return( 0 );
795 }
796 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
797
798 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])799 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
800 const unsigned char input[16],
801 unsigned char output[16] )
802 {
803 mbedtls_internal_aes_encrypt( ctx, input, output );
804 }
805 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
806
807 /*
808 * AES-ECB block decryption
809 */
810 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
mbedtls_internal_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])811 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
812 const unsigned char input[16],
813 unsigned char output[16] )
814 {
815 int i;
816 uint32_t *RK = ctx->rk;
817 struct
818 {
819 uint32_t X[4];
820 uint32_t Y[4];
821 } t;
822
823 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
824 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
825 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
826 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
827
828 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
829 {
830 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
831 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
832 }
833
834 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
835
836 t.X[0] = *RK++ ^ \
837 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
838 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
839 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
840 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
841
842 t.X[1] = *RK++ ^ \
843 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
844 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
845 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
846 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
847
848 t.X[2] = *RK++ ^ \
849 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
850 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
851 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
852 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
853
854 t.X[3] = *RK++ ^ \
855 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
856 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
857 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
858 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
859
860 PUT_UINT32_LE( t.X[0], output, 0 );
861 PUT_UINT32_LE( t.X[1], output, 4 );
862 PUT_UINT32_LE( t.X[2], output, 8 );
863 PUT_UINT32_LE( t.X[3], output, 12 );
864
865 mbedtls_zeroize( &t, sizeof( t ) );
866
867 return( 0 );
868 }
869 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
870
871 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])872 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
873 const unsigned char input[16],
874 unsigned char output[16] )
875 {
876 mbedtls_internal_aes_decrypt( ctx, input, output );
877 }
878 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
879
880 /*
881 * AES-ECB block encryption/decryption
882 */
mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])883 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
884 int mode,
885 const unsigned char input[16],
886 unsigned char output[16] )
887 {
888 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
889 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
890 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
891 #endif
892
893 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
894 if( aes_padlock_ace )
895 {
896 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
897 return( 0 );
898
899 // If padlock data misaligned, we just fall back to
900 // unaccelerated mode
901 //
902 }
903 #endif
904
905 if( mode == MBEDTLS_AES_ENCRYPT )
906 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
907 else
908 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
909 }
910
911 #if defined(MBEDTLS_CIPHER_MODE_CBC)
912 /*
913 * AES-CBC buffer encryption/decryption
914 */
mbedtls_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)915 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
916 int mode,
917 size_t length,
918 unsigned char iv[16],
919 const unsigned char *input,
920 unsigned char *output )
921 {
922 int i;
923 unsigned char temp[16];
924
925 if( length % 16 )
926 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
927
928 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
929 if( aes_padlock_ace )
930 {
931 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
932 return( 0 );
933
934 // If padlock data misaligned, we just fall back to
935 // unaccelerated mode
936 //
937 }
938 #endif
939
940 if( mode == MBEDTLS_AES_DECRYPT )
941 {
942 while( length > 0 )
943 {
944 memcpy( temp, input, 16 );
945 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
946
947 for( i = 0; i < 16; i++ )
948 output[i] = (unsigned char)( output[i] ^ iv[i] );
949
950 memcpy( iv, temp, 16 );
951
952 input += 16;
953 output += 16;
954 length -= 16;
955 }
956 }
957 else
958 {
959 while( length > 0 )
960 {
961 for( i = 0; i < 16; i++ )
962 output[i] = (unsigned char)( input[i] ^ iv[i] );
963
964 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
965 memcpy( iv, output, 16 );
966
967 input += 16;
968 output += 16;
969 length -= 16;
970 }
971 }
972
973 return( 0 );
974 }
975 #endif /* MBEDTLS_CIPHER_MODE_CBC */
976
977 #if defined(MBEDTLS_CIPHER_MODE_CFB)
978 /*
979 * AES-CFB128 buffer encryption/decryption
980 */
mbedtls_aes_crypt_cfb128(mbedtls_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)981 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
982 int mode,
983 size_t length,
984 size_t *iv_off,
985 unsigned char iv[16],
986 const unsigned char *input,
987 unsigned char *output )
988 {
989 int c;
990 size_t n = *iv_off;
991
992 if( mode == MBEDTLS_AES_DECRYPT )
993 {
994 while( length-- )
995 {
996 if( n == 0 )
997 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
998
999 c = *input++;
1000 *output++ = (unsigned char)( c ^ iv[n] );
1001 iv[n] = (unsigned char) c;
1002
1003 n = ( n + 1 ) & 0x0F;
1004 }
1005 }
1006 else
1007 {
1008 while( length-- )
1009 {
1010 if( n == 0 )
1011 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1012
1013 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1014
1015 n = ( n + 1 ) & 0x0F;
1016 }
1017 }
1018
1019 *iv_off = n;
1020
1021 return( 0 );
1022 }
1023
1024 /*
1025 * AES-CFB8 buffer encryption/decryption
1026 */
mbedtls_aes_crypt_cfb8(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1027 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
1028 int mode,
1029 size_t length,
1030 unsigned char iv[16],
1031 const unsigned char *input,
1032 unsigned char *output )
1033 {
1034 unsigned char c;
1035 unsigned char ov[17];
1036
1037 while( length-- )
1038 {
1039 memcpy( ov, iv, 16 );
1040 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1041
1042 if( mode == MBEDTLS_AES_DECRYPT )
1043 ov[16] = *input;
1044
1045 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1046
1047 if( mode == MBEDTLS_AES_ENCRYPT )
1048 ov[16] = c;
1049
1050 memcpy( iv, ov + 1, 16 );
1051 }
1052
1053 return( 0 );
1054 }
1055 #endif /*MBEDTLS_CIPHER_MODE_CFB */
1056
1057 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1058 /*
1059 * AES-CTR buffer encryption/decryption
1060 */
mbedtls_aes_crypt_ctr(mbedtls_aes_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)1061 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1062 size_t length,
1063 size_t *nc_off,
1064 unsigned char nonce_counter[16],
1065 unsigned char stream_block[16],
1066 const unsigned char *input,
1067 unsigned char *output )
1068 {
1069 int c, i;
1070 size_t n = *nc_off;
1071
1072 while( length-- )
1073 {
1074 if( n == 0 ) {
1075 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1076
1077 for( i = 16; i > 0; i-- )
1078 if( ++nonce_counter[i - 1] != 0 )
1079 break;
1080 }
1081 c = *input++;
1082 *output++ = (unsigned char)( c ^ stream_block[n] );
1083
1084 n = ( n + 1 ) & 0x0F;
1085 }
1086
1087 *nc_off = n;
1088
1089 return( 0 );
1090 }
1091 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1092
1093 #endif /* !MBEDTLS_AES_ALT */
1094
1095 #if defined(MBEDTLS_SELF_TEST)
1096 /*
1097 * AES test vectors from:
1098 *
1099 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1100 */
1101 static const unsigned char aes_test_ecb_dec[3][16] =
1102 {
1103 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1104 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1105 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1106 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1107 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1108 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1109 };
1110
1111 static const unsigned char aes_test_ecb_enc[3][16] =
1112 {
1113 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1114 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1115 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1116 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1117 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1118 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1119 };
1120
1121 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1122 static const unsigned char aes_test_cbc_dec[3][16] =
1123 {
1124 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1125 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1126 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1127 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1128 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1129 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1130 };
1131
1132 static const unsigned char aes_test_cbc_enc[3][16] =
1133 {
1134 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1135 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1136 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1137 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1138 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1139 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1140 };
1141 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1142
1143 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1144 /*
1145 * AES-CFB128 test vectors from:
1146 *
1147 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1148 */
1149 static const unsigned char aes_test_cfb128_key[3][32] =
1150 {
1151 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1152 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1153 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1154 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1155 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1156 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1157 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1158 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1159 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1160 };
1161
1162 static const unsigned char aes_test_cfb128_iv[16] =
1163 {
1164 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1165 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1166 };
1167
1168 static const unsigned char aes_test_cfb128_pt[64] =
1169 {
1170 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1171 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1172 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1173 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1174 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1175 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1176 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1177 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1178 };
1179
1180 static const unsigned char aes_test_cfb128_ct[3][64] =
1181 {
1182 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1183 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1184 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1185 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1186 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1187 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1188 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1189 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1190 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1191 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1192 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1193 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1194 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1195 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1196 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1197 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1198 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1199 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1200 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1201 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1202 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1203 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1204 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1205 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1206 };
1207 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1208
1209 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1210 /*
1211 * AES-CTR test vectors from:
1212 *
1213 * http://www.faqs.org/rfcs/rfc3686.html
1214 */
1215
1216 static const unsigned char aes_test_ctr_key[3][16] =
1217 {
1218 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1219 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1220 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1221 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1222 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1223 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1224 };
1225
1226 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1227 {
1228 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1229 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1230 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1231 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1232 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1233 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1234 };
1235
1236 static const unsigned char aes_test_ctr_pt[3][48] =
1237 {
1238 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1239 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1240
1241 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1242 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1243 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1244 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1245
1246 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1247 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1248 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1249 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1250 0x20, 0x21, 0x22, 0x23 }
1251 };
1252
1253 static const unsigned char aes_test_ctr_ct[3][48] =
1254 {
1255 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1256 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1257 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1258 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1259 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1260 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1261 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1262 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1263 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1264 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1265 0x25, 0xB2, 0x07, 0x2F }
1266 };
1267
1268 static const int aes_test_ctr_len[3] =
1269 { 16, 32, 36 };
1270 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1271
1272 /*
1273 * Checkup routine
1274 */
mbedtls_aes_self_test(int verbose)1275 int mbedtls_aes_self_test( int verbose )
1276 {
1277 int ret = 0, i, j, u, mode;
1278 unsigned int keybits;
1279 unsigned char key[32];
1280 unsigned char buf[64];
1281 const unsigned char *aes_tests;
1282 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
1283 unsigned char iv[16];
1284 #endif
1285 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1286 unsigned char prv[16];
1287 #endif
1288 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB)
1289 size_t offset;
1290 #endif
1291 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1292 int len;
1293 unsigned char nonce_counter[16];
1294 unsigned char stream_block[16];
1295 #endif
1296 mbedtls_aes_context ctx;
1297
1298 memset( key, 0, 32 );
1299 mbedtls_aes_init( &ctx );
1300
1301 /*
1302 * ECB mode
1303 */
1304 for( i = 0; i < 6; i++ )
1305 {
1306 u = i >> 1;
1307 keybits = 128 + u * 64;
1308 mode = i & 1;
1309
1310 if( verbose != 0 )
1311 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1312 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1313
1314 memset( buf, 0, 16 );
1315
1316 if( mode == MBEDTLS_AES_DECRYPT )
1317 {
1318 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1319 aes_tests = aes_test_ecb_dec[u];
1320 }
1321 else
1322 {
1323 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1324 aes_tests = aes_test_ecb_enc[u];
1325 }
1326
1327 /*
1328 * AES-192 is an optional feature that may be unavailable when
1329 * there is an alternative underlying implementation i.e. when
1330 * MBEDTLS_AES_ALT is defined.
1331 */
1332 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1333 {
1334 mbedtls_printf( "skipped\n" );
1335 continue;
1336 }
1337 else if( ret != 0 )
1338 {
1339 goto exit;
1340 }
1341
1342 for( j = 0; j < 10000; j++ )
1343 {
1344 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1345 if( ret != 0 )
1346 goto exit;
1347 }
1348
1349 if( memcmp( buf, aes_tests, 16 ) != 0 )
1350 {
1351 ret = 1;
1352 goto exit;
1353 }
1354
1355 if( verbose != 0 )
1356 mbedtls_printf( "passed\n" );
1357 }
1358
1359 if( verbose != 0 )
1360 mbedtls_printf( "\n" );
1361
1362 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1363 /*
1364 * CBC mode
1365 */
1366 for( i = 0; i < 6; i++ )
1367 {
1368 u = i >> 1;
1369 keybits = 128 + u * 64;
1370 mode = i & 1;
1371
1372 if( verbose != 0 )
1373 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1374 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1375
1376 memset( iv , 0, 16 );
1377 memset( prv, 0, 16 );
1378 memset( buf, 0, 16 );
1379
1380 if( mode == MBEDTLS_AES_DECRYPT )
1381 {
1382 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1383 aes_tests = aes_test_cbc_dec[u];
1384 }
1385 else
1386 {
1387 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1388 aes_tests = aes_test_cbc_enc[u];
1389 }
1390
1391 /*
1392 * AES-192 is an optional feature that may be unavailable when
1393 * there is an alternative underlying implementation i.e. when
1394 * MBEDTLS_AES_ALT is defined.
1395 */
1396 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1397 {
1398 mbedtls_printf( "skipped\n" );
1399 continue;
1400 }
1401 else if( ret != 0 )
1402 {
1403 goto exit;
1404 }
1405
1406 for( j = 0; j < 10000; j++ )
1407 {
1408 if( mode == MBEDTLS_AES_ENCRYPT )
1409 {
1410 unsigned char tmp[16];
1411
1412 memcpy( tmp, prv, 16 );
1413 memcpy( prv, buf, 16 );
1414 memcpy( buf, tmp, 16 );
1415 }
1416
1417 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1418 if( ret != 0 )
1419 goto exit;
1420
1421 }
1422
1423 if( memcmp( buf, aes_tests, 16 ) != 0 )
1424 {
1425 ret = 1;
1426 goto exit;
1427 }
1428
1429 if( verbose != 0 )
1430 mbedtls_printf( "passed\n" );
1431 }
1432
1433 if( verbose != 0 )
1434 mbedtls_printf( "\n" );
1435 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1436
1437 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1438 /*
1439 * CFB128 mode
1440 */
1441 for( i = 0; i < 6; i++ )
1442 {
1443 u = i >> 1;
1444 keybits = 128 + u * 64;
1445 mode = i & 1;
1446
1447 if( verbose != 0 )
1448 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1449 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1450
1451 memcpy( iv, aes_test_cfb128_iv, 16 );
1452 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
1453
1454 offset = 0;
1455 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1456 /*
1457 * AES-192 is an optional feature that may be unavailable when
1458 * there is an alternative underlying implementation i.e. when
1459 * MBEDTLS_AES_ALT is defined.
1460 */
1461 if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 )
1462 {
1463 mbedtls_printf( "skipped\n" );
1464 continue;
1465 }
1466 else if( ret != 0 )
1467 {
1468 goto exit;
1469 }
1470
1471 if( mode == MBEDTLS_AES_DECRYPT )
1472 {
1473 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1474 aes_tests = aes_test_cfb128_pt;
1475 }
1476 else
1477 {
1478 memcpy( buf, aes_test_cfb128_pt, 64 );
1479 aes_tests = aes_test_cfb128_ct[u];
1480 }
1481
1482 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1483 if( ret != 0 )
1484 goto exit;
1485
1486 if( memcmp( buf, aes_tests, 64 ) != 0 )
1487 {
1488 ret = 1;
1489 goto exit;
1490 }
1491
1492 if( verbose != 0 )
1493 mbedtls_printf( "passed\n" );
1494 }
1495
1496 if( verbose != 0 )
1497 mbedtls_printf( "\n" );
1498 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1499
1500 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1501 /*
1502 * CTR mode
1503 */
1504 for( i = 0; i < 6; i++ )
1505 {
1506 u = i >> 1;
1507 mode = i & 1;
1508
1509 if( verbose != 0 )
1510 mbedtls_printf( " AES-CTR-128 (%s): ",
1511 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1512
1513 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1514 memcpy( key, aes_test_ctr_key[u], 16 );
1515
1516 offset = 0;
1517 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1518 goto exit;
1519
1520 len = aes_test_ctr_len[u];
1521
1522 if( mode == MBEDTLS_AES_DECRYPT )
1523 {
1524 memcpy( buf, aes_test_ctr_ct[u], len );
1525 aes_tests = aes_test_ctr_pt[u];
1526 }
1527 else
1528 {
1529 memcpy( buf, aes_test_ctr_pt[u], len );
1530 aes_tests = aes_test_ctr_ct[u];
1531 }
1532
1533 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
1534 stream_block, buf, buf );
1535 if( ret != 0 )
1536 goto exit;
1537
1538 if( memcmp( buf, aes_tests, len ) != 0 )
1539 {
1540 ret = 1;
1541 goto exit;
1542 }
1543
1544 if( verbose != 0 )
1545 mbedtls_printf( "passed\n" );
1546 }
1547
1548 if( verbose != 0 )
1549 mbedtls_printf( "\n" );
1550 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1551
1552 ret = 0;
1553
1554 exit:
1555 if( ret != 0 && verbose != 0 )
1556 mbedtls_printf( "failed\n" );
1557
1558 mbedtls_aes_free( &ctx );
1559
1560 return( ret );
1561 }
1562
1563 #endif /* MBEDTLS_SELF_TEST */
1564
1565 #endif /* MBEDTLS_AES_C */
1566