1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46 /*
47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
48 *
49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
51 */
52
53 #if !defined(MBEDTLS_CONFIG_FILE)
54 #include "mbedtls/config.h"
55 #else
56 #include MBEDTLS_CONFIG_FILE
57 #endif
58
59 #if defined(MBEDTLS_AES_C)
60
61 #include <string.h>
62
63 #include "mbedtls/aes.h"
64 #include "mbedtls/platform.h"
65 #include "mbedtls/platform_util.h"
66 #if defined(MBEDTLS_PADLOCK_C)
67 #include "mbedtls/padlock.h"
68 #endif
69 #if defined(MBEDTLS_AESNI_C)
70 #include "mbedtls/aesni.h"
71 #endif
72
73 #if defined(MBEDTLS_SELF_TEST)
74 #if defined(MBEDTLS_PLATFORM_C)
75 #include "mbedtls/platform.h"
76 #else
77 #include <stdio.h>
78 #define mbedtls_printf printf
79 #endif /* MBEDTLS_PLATFORM_C */
80 #endif /* MBEDTLS_SELF_TEST */
81
82 #if !defined(MBEDTLS_AES_ALT)
83
84 /* Parameter validation macros based on platform_util.h */
85 #define AES_VALIDATE_RET( cond ) \
86 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
87 #define AES_VALIDATE( cond ) \
88 MBEDTLS_INTERNAL_VALIDATE( cond )
89
90 /*
91 * 32-bit integer manipulation macros (little endian)
92 */
93 #ifndef GET_UINT32_LE
94 #define GET_UINT32_LE(n,b,i) \
95 { \
96 (n) = ( (uint32_t) (b)[(i) ] ) \
97 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
98 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
99 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
100 }
101 #endif
102
103 #ifndef PUT_UINT32_LE
104 #define PUT_UINT32_LE(n,b,i) \
105 { \
106 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
107 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
108 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
109 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
110 }
111 #endif
112
113 #if defined(MBEDTLS_PADLOCK_C) && \
114 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
115 static int aes_padlock_ace = -1;
116 #endif
117
118 #if defined(MBEDTLS_AES_ROM_TABLES)
119 /*
120 * Forward S-box
121 */
122 static const unsigned char FSb[256] =
123 {
124 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
125 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
126 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
127 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
128 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
129 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
130 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
131 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
132 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
133 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
134 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
135 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
136 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
137 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
138 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
139 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
140 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
141 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
142 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
143 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
144 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
145 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
146 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
147 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
148 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
149 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
150 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
151 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
152 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
153 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
154 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
155 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
156 };
157
158 /*
159 * Forward tables
160 */
161 #define FT \
162 \
163 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
164 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
165 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
166 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
167 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
168 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
169 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
170 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
171 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
172 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
173 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
174 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
175 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
176 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
177 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
178 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
179 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
180 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
181 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
182 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
183 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
184 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
185 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
186 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
187 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
188 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
189 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
190 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
191 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
192 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
193 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
194 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
195 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
196 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
197 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
198 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
199 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
200 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
201 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
202 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
203 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
204 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
205 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
206 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
207 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
208 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
209 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
210 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
211 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
212 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
213 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
214 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
215 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
216 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
217 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
218 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
219 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
220 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
221 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
222 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
223 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
224 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
225 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
226 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
227
228 #define V(a,b,c,d) 0x##a##b##c##d
229 static const uint32_t FT0[256] = { FT };
230 #undef V
231
232 #if !defined(MBEDTLS_AES_FEWER_TABLES)
233
234 #define V(a,b,c,d) 0x##b##c##d##a
235 static const uint32_t FT1[256] = { FT };
236 #undef V
237
238 #define V(a,b,c,d) 0x##c##d##a##b
239 static const uint32_t FT2[256] = { FT };
240 #undef V
241
242 #define V(a,b,c,d) 0x##d##a##b##c
243 static const uint32_t FT3[256] = { FT };
244 #undef V
245
246 #endif /* !MBEDTLS_AES_FEWER_TABLES */
247
248 #undef FT
249
250 /*
251 * Reverse S-box
252 */
253 static const unsigned char RSb[256] =
254 {
255 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
256 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
257 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
258 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
259 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
260 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
261 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
262 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
263 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
264 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
265 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
266 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
267 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
268 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
269 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
270 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
271 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
272 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
273 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
274 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
275 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
276 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
277 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
278 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
279 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
280 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
281 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
282 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
283 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
284 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
285 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
286 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
287 };
288
289 /*
290 * Reverse tables
291 */
292 #define RT \
293 \
294 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
295 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
296 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
297 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
298 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
299 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
300 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
301 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
302 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
303 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
304 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
305 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
306 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
307 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
308 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
309 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
310 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
311 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
312 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
313 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
314 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
315 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
316 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
317 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
318 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
319 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
320 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
321 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
322 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
323 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
324 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
325 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
326 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
327 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
328 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
329 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
330 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
331 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
332 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
333 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
334 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
335 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
336 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
337 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
338 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
339 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
340 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
341 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
342 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
343 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
344 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
345 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
346 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
347 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
348 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
349 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
350 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
351 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
352 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
353 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
354 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
355 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
356 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
357 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
358
359 #define V(a,b,c,d) 0x##a##b##c##d
360 static const uint32_t RT0[256] = { RT };
361 #undef V
362
363 #if !defined(MBEDTLS_AES_FEWER_TABLES)
364
365 #define V(a,b,c,d) 0x##b##c##d##a
366 static const uint32_t RT1[256] = { RT };
367 #undef V
368
369 #define V(a,b,c,d) 0x##c##d##a##b
370 static const uint32_t RT2[256] = { RT };
371 #undef V
372
373 #define V(a,b,c,d) 0x##d##a##b##c
374 static const uint32_t RT3[256] = { RT };
375 #undef V
376
377 #endif /* !MBEDTLS_AES_FEWER_TABLES */
378
379 #undef RT
380
381 /*
382 * Round constants
383 */
384 static const uint32_t RCON[10] =
385 {
386 0x00000001, 0x00000002, 0x00000004, 0x00000008,
387 0x00000010, 0x00000020, 0x00000040, 0x00000080,
388 0x0000001B, 0x00000036
389 };
390
391 #else /* MBEDTLS_AES_ROM_TABLES */
392
393 /*
394 * Forward S-box & tables
395 */
396 static unsigned char FSb[256];
397 static uint32_t FT0[256];
398 #if !defined(MBEDTLS_AES_FEWER_TABLES)
399 static uint32_t FT1[256];
400 static uint32_t FT2[256];
401 static uint32_t FT3[256];
402 #endif /* !MBEDTLS_AES_FEWER_TABLES */
403
404 /*
405 * Reverse S-box & tables
406 */
407 static unsigned char RSb[256];
408 static uint32_t RT0[256];
409 #if !defined(MBEDTLS_AES_FEWER_TABLES)
410 static uint32_t RT1[256];
411 static uint32_t RT2[256];
412 static uint32_t RT3[256];
413 #endif /* !MBEDTLS_AES_FEWER_TABLES */
414
415 /*
416 * Round constants
417 */
418 static uint32_t RCON[10];
419
420 /*
421 * Tables generation code
422 */
423 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
424 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
425 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
426
427 static int aes_init_done = 0;
428
aes_gen_tables(void)429 static void aes_gen_tables( void )
430 {
431 int i, x, y, z;
432 int pow[256];
433 int log[256];
434
435 /*
436 * compute pow and log tables over GF(2^8)
437 */
438 for( i = 0, x = 1; i < 256; i++ )
439 {
440 pow[i] = x;
441 log[x] = i;
442 x = ( x ^ XTIME( x ) ) & 0xFF;
443 }
444
445 /*
446 * calculate the round constants
447 */
448 for( i = 0, x = 1; i < 10; i++ )
449 {
450 RCON[i] = (uint32_t) x;
451 x = XTIME( x ) & 0xFF;
452 }
453
454 /*
455 * generate the forward and reverse S-boxes
456 */
457 FSb[0x00] = 0x63;
458 RSb[0x63] = 0x00;
459
460 for( i = 1; i < 256; i++ )
461 {
462 x = pow[255 - log[i]];
463
464 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
466 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
468 x ^= y ^ 0x63;
469
470 FSb[i] = (unsigned char) x;
471 RSb[x] = (unsigned char) i;
472 }
473
474 /*
475 * generate the forward and reverse tables
476 */
477 for( i = 0; i < 256; i++ )
478 {
479 x = FSb[i];
480 y = XTIME( x ) & 0xFF;
481 z = ( y ^ x ) & 0xFF;
482
483 FT0[i] = ( (uint32_t) y ) ^
484 ( (uint32_t) x << 8 ) ^
485 ( (uint32_t) x << 16 ) ^
486 ( (uint32_t) z << 24 );
487
488 #if !defined(MBEDTLS_AES_FEWER_TABLES)
489 FT1[i] = ROTL8( FT0[i] );
490 FT2[i] = ROTL8( FT1[i] );
491 FT3[i] = ROTL8( FT2[i] );
492 #endif /* !MBEDTLS_AES_FEWER_TABLES */
493
494 x = RSb[i];
495
496 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
497 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
498 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
499 ( (uint32_t) MUL( 0x0B, x ) << 24 );
500
501 #if !defined(MBEDTLS_AES_FEWER_TABLES)
502 RT1[i] = ROTL8( RT0[i] );
503 RT2[i] = ROTL8( RT1[i] );
504 RT3[i] = ROTL8( RT2[i] );
505 #endif /* !MBEDTLS_AES_FEWER_TABLES */
506 }
507 }
508
509 #undef ROTL8
510
511 #endif /* MBEDTLS_AES_ROM_TABLES */
512
513 #if defined(MBEDTLS_AES_FEWER_TABLES)
514
515 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
516 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
517 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
518
519 #define AES_RT0(idx) RT0[idx]
520 #define AES_RT1(idx) ROTL8( RT0[idx] )
521 #define AES_RT2(idx) ROTL16( RT0[idx] )
522 #define AES_RT3(idx) ROTL24( RT0[idx] )
523
524 #define AES_FT0(idx) FT0[idx]
525 #define AES_FT1(idx) ROTL8( FT0[idx] )
526 #define AES_FT2(idx) ROTL16( FT0[idx] )
527 #define AES_FT3(idx) ROTL24( FT0[idx] )
528
529 #else /* MBEDTLS_AES_FEWER_TABLES */
530
531 #define AES_RT0(idx) RT0[idx]
532 #define AES_RT1(idx) RT1[idx]
533 #define AES_RT2(idx) RT2[idx]
534 #define AES_RT3(idx) RT3[idx]
535
536 #define AES_FT0(idx) FT0[idx]
537 #define AES_FT1(idx) FT1[idx]
538 #define AES_FT2(idx) FT2[idx]
539 #define AES_FT3(idx) FT3[idx]
540
541 #endif /* MBEDTLS_AES_FEWER_TABLES */
542
mbedtls_aes_init(mbedtls_aes_context * ctx)543 void mbedtls_aes_init( mbedtls_aes_context *ctx )
544 {
545 AES_VALIDATE( ctx != NULL );
546
547 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
548 }
549
mbedtls_aes_free(mbedtls_aes_context * ctx)550 void mbedtls_aes_free( mbedtls_aes_context *ctx )
551 {
552 if( ctx == NULL )
553 return;
554
555 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
556 }
557
558 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_init(mbedtls_aes_xts_context * ctx)559 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
560 {
561 AES_VALIDATE( ctx != NULL );
562
563 mbedtls_aes_init( &ctx->crypt );
564 mbedtls_aes_init( &ctx->tweak );
565 }
566
mbedtls_aes_xts_free(mbedtls_aes_xts_context * ctx)567 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
568 {
569 if( ctx == NULL )
570 return;
571
572 mbedtls_aes_free( &ctx->crypt );
573 mbedtls_aes_free( &ctx->tweak );
574 }
575 #endif /* MBEDTLS_CIPHER_MODE_XTS */
576
577 /*
578 * AES key schedule (encryption)
579 */
580 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)581 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
582 unsigned int keybits )
583 {
584 unsigned int i;
585 uint32_t *RK;
586
587 AES_VALIDATE_RET( ctx != NULL );
588 AES_VALIDATE_RET( key != NULL );
589
590 switch( keybits )
591 {
592 case 128: ctx->nr = 10; break;
593 case 192: ctx->nr = 12; break;
594 case 256: ctx->nr = 14; break;
595 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
596 }
597
598 #if !defined(MBEDTLS_AES_ROM_TABLES)
599 if( aes_init_done == 0 )
600 {
601 aes_gen_tables();
602 aes_init_done = 1;
603 }
604 #endif
605
606 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
607 if( aes_padlock_ace == -1 )
608 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
609
610 if( aes_padlock_ace )
611 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
612 else
613 #endif
614 ctx->rk = RK = ctx->buf;
615
616 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
617 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
618 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
619 #endif
620
621 for( i = 0; i < ( keybits >> 5 ); i++ )
622 {
623 GET_UINT32_LE( RK[i], key, i << 2 );
624 }
625
626 switch( ctx->nr )
627 {
628 case 10:
629
630 for( i = 0; i < 10; i++, RK += 4 )
631 {
632 RK[4] = RK[0] ^ RCON[i] ^
633 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
634 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
635 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
636 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
637
638 RK[5] = RK[1] ^ RK[4];
639 RK[6] = RK[2] ^ RK[5];
640 RK[7] = RK[3] ^ RK[6];
641 }
642 break;
643
644 case 12:
645
646 for( i = 0; i < 8; i++, RK += 6 )
647 {
648 RK[6] = RK[0] ^ RCON[i] ^
649 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
650 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
651 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
652 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
653
654 RK[7] = RK[1] ^ RK[6];
655 RK[8] = RK[2] ^ RK[7];
656 RK[9] = RK[3] ^ RK[8];
657 RK[10] = RK[4] ^ RK[9];
658 RK[11] = RK[5] ^ RK[10];
659 }
660 break;
661
662 case 14:
663
664 for( i = 0; i < 7; i++, RK += 8 )
665 {
666 RK[8] = RK[0] ^ RCON[i] ^
667 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
668 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
669 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
670 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
671
672 RK[9] = RK[1] ^ RK[8];
673 RK[10] = RK[2] ^ RK[9];
674 RK[11] = RK[3] ^ RK[10];
675
676 RK[12] = RK[4] ^
677 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
678 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
679 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
680 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
681
682 RK[13] = RK[5] ^ RK[12];
683 RK[14] = RK[6] ^ RK[13];
684 RK[15] = RK[7] ^ RK[14];
685 }
686 break;
687 }
688
689 return( 0 );
690 }
691 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
692
693 /*
694 * AES key schedule (decryption)
695 */
696 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)697 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
698 unsigned int keybits )
699 {
700 int i, j, ret;
701 mbedtls_aes_context cty;
702 uint32_t *RK;
703 uint32_t *SK;
704
705 AES_VALIDATE_RET( ctx != NULL );
706 AES_VALIDATE_RET( key != NULL );
707
708 mbedtls_aes_init( &cty );
709
710 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
711 if( aes_padlock_ace == -1 )
712 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
713
714 if( aes_padlock_ace )
715 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
716 else
717 #endif
718 ctx->rk = RK = ctx->buf;
719
720 /* Also checks keybits */
721 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
722 goto exit;
723
724 ctx->nr = cty.nr;
725
726 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
727 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
728 {
729 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
730 (const unsigned char *) cty.rk, ctx->nr );
731 goto exit;
732 }
733 #endif
734
735 SK = cty.rk + cty.nr * 4;
736
737 *RK++ = *SK++;
738 *RK++ = *SK++;
739 *RK++ = *SK++;
740 *RK++ = *SK++;
741
742 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
743 {
744 for( j = 0; j < 4; j++, SK++ )
745 {
746 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
747 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
748 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
749 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
750 }
751 }
752
753 *RK++ = *SK++;
754 *RK++ = *SK++;
755 *RK++ = *SK++;
756 *RK++ = *SK++;
757
758 exit:
759 mbedtls_aes_free( &cty );
760
761 return( ret );
762 }
763
764 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_decode_keys(const unsigned char * key,unsigned int keybits,const unsigned char ** key1,unsigned int * key1bits,const unsigned char ** key2,unsigned int * key2bits)765 static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
766 unsigned int keybits,
767 const unsigned char **key1,
768 unsigned int *key1bits,
769 const unsigned char **key2,
770 unsigned int *key2bits )
771 {
772 const unsigned int half_keybits = keybits / 2;
773 const unsigned int half_keybytes = half_keybits / 8;
774
775 switch( keybits )
776 {
777 case 256: break;
778 case 512: break;
779 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
780 }
781
782 *key1bits = half_keybits;
783 *key2bits = half_keybits;
784 *key1 = &key[0];
785 *key2 = &key[half_keybytes];
786
787 return 0;
788 }
789
mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)790 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
791 const unsigned char *key,
792 unsigned int keybits)
793 {
794 int ret;
795 const unsigned char *key1, *key2;
796 unsigned int key1bits, key2bits;
797
798 AES_VALIDATE_RET( ctx != NULL );
799 AES_VALIDATE_RET( key != NULL );
800
801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
802 &key2, &key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set the tweak key. Always set tweak key for the encryption mode. */
807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
808 if( ret != 0 )
809 return( ret );
810
811 /* Set crypt key for encryption. */
812 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
813 }
814
mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)815 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
816 const unsigned char *key,
817 unsigned int keybits)
818 {
819 int ret;
820 const unsigned char *key1, *key2;
821 unsigned int key1bits, key2bits;
822
823 AES_VALIDATE_RET( ctx != NULL );
824 AES_VALIDATE_RET( key != NULL );
825
826 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
827 &key2, &key2bits );
828 if( ret != 0 )
829 return( ret );
830
831 /* Set the tweak key. Always set tweak key for encryption. */
832 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
833 if( ret != 0 )
834 return( ret );
835
836 /* Set crypt key for decryption. */
837 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
838 }
839 #endif /* MBEDTLS_CIPHER_MODE_XTS */
840
841 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
842
843 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
844 do \
845 { \
846 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
847 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
848 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
849 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
850 \
851 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
852 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
853 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
854 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
855 \
856 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
857 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
858 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
859 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
860 \
861 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
862 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
863 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
864 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
865 } while( 0 )
866
867 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
868 do \
869 { \
870 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
871 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
872 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
873 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
874 \
875 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
876 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
877 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
878 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
879 \
880 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
881 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
882 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
883 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
884 \
885 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
886 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
887 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
888 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
889 } while( 0 )
890
891 /*
892 * AES-ECB block encryption
893 */
894 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
mbedtls_internal_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])895 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
896 const unsigned char input[16],
897 unsigned char output[16] )
898 {
899 int i;
900 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
901
902 RK = ctx->rk;
903
904 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
905 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
906 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
907 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
908
909 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
910 {
911 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
912 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
913 }
914
915 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
916
917 X0 = *RK++ ^ \
918 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
919 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
920 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
921 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
922
923 X1 = *RK++ ^ \
924 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
925 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
926 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
927 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
928
929 X2 = *RK++ ^ \
930 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
931 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
932 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
933 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
934
935 X3 = *RK++ ^ \
936 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
937 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
938 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
939 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
940
941 PUT_UINT32_LE( X0, output, 0 );
942 PUT_UINT32_LE( X1, output, 4 );
943 PUT_UINT32_LE( X2, output, 8 );
944 PUT_UINT32_LE( X3, output, 12 );
945
946 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
947 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
948 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
949 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
950
951 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
952 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
953 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
954 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
955
956 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
957
958 return( 0 );
959 }
960 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
961
962 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])963 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
964 const unsigned char input[16],
965 unsigned char output[16] )
966 {
967 mbedtls_internal_aes_encrypt( ctx, input, output );
968 }
969 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
970
971 /*
972 * AES-ECB block decryption
973 */
974 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
mbedtls_internal_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])975 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
976 const unsigned char input[16],
977 unsigned char output[16] )
978 {
979 int i;
980 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
981
982 RK = ctx->rk;
983
984 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
985 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
986 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
987 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
988
989 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
990 {
991 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
992 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
993 }
994
995 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
996
997 X0 = *RK++ ^ \
998 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
999 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
1000 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
1001 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
1002
1003 X1 = *RK++ ^ \
1004 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
1005 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
1006 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
1007 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
1008
1009 X2 = *RK++ ^ \
1010 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
1011 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
1012 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
1013 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
1014
1015 X3 = *RK++ ^ \
1016 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
1017 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
1018 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
1019 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
1020
1021 PUT_UINT32_LE( X0, output, 0 );
1022 PUT_UINT32_LE( X1, output, 4 );
1023 PUT_UINT32_LE( X2, output, 8 );
1024 PUT_UINT32_LE( X3, output, 12 );
1025
1026 mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
1027 mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
1028 mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
1029 mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
1030
1031 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
1032 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
1033 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
1034 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
1035
1036 mbedtls_platform_zeroize( &RK, sizeof( RK ) );
1037
1038 return( 0 );
1039 }
1040 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
1041
1042 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])1043 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
1044 const unsigned char input[16],
1045 unsigned char output[16] )
1046 {
1047 mbedtls_internal_aes_decrypt( ctx, input, output );
1048 }
1049 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1050
1051 /*
1052 * AES-ECB block encryption/decryption
1053 */
mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])1054 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
1055 int mode,
1056 const unsigned char input[16],
1057 unsigned char output[16] )
1058 {
1059 AES_VALIDATE_RET( ctx != NULL );
1060 AES_VALIDATE_RET( input != NULL );
1061 AES_VALIDATE_RET( output != NULL );
1062 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1063 mode == MBEDTLS_AES_DECRYPT );
1064
1065 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
1066 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
1067 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
1068 #endif
1069
1070 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1071 if( aes_padlock_ace )
1072 {
1073 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
1074 return( 0 );
1075
1076 // If padlock data misaligned, we just fall back to
1077 // unaccelerated mode
1078 //
1079 }
1080 #endif
1081
1082 if( mode == MBEDTLS_AES_ENCRYPT )
1083 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1084 else
1085 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
1086 }
1087
1088 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1089 /*
1090 * AES-CBC buffer encryption/decryption
1091 */
mbedtls_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1092 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
1093 int mode,
1094 size_t length,
1095 unsigned char iv[16],
1096 const unsigned char *input,
1097 unsigned char *output )
1098 {
1099 int i;
1100 unsigned char temp[16];
1101
1102 AES_VALIDATE_RET( ctx != NULL );
1103 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1104 mode == MBEDTLS_AES_DECRYPT );
1105 AES_VALIDATE_RET( iv != NULL );
1106 AES_VALIDATE_RET( input != NULL );
1107 AES_VALIDATE_RET( output != NULL );
1108
1109 if( length % 16 )
1110 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
1111
1112 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1113 if( aes_padlock_ace )
1114 {
1115 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
1116 return( 0 );
1117
1118 // If padlock data misaligned, we just fall back to
1119 // unaccelerated mode
1120 //
1121 }
1122 #endif
1123
1124 if( mode == MBEDTLS_AES_DECRYPT )
1125 {
1126 while( length > 0 )
1127 {
1128 memcpy( temp, input, 16 );
1129 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1130
1131 for( i = 0; i < 16; i++ )
1132 output[i] = (unsigned char)( output[i] ^ iv[i] );
1133
1134 memcpy( iv, temp, 16 );
1135
1136 input += 16;
1137 output += 16;
1138 length -= 16;
1139 }
1140 }
1141 else
1142 {
1143 while( length > 0 )
1144 {
1145 for( i = 0; i < 16; i++ )
1146 output[i] = (unsigned char)( input[i] ^ iv[i] );
1147
1148 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1149 memcpy( iv, output, 16 );
1150
1151 input += 16;
1152 output += 16;
1153 length -= 16;
1154 }
1155 }
1156
1157 return( 0 );
1158 }
1159 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1160
1161 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1162
1163 /* Endianess with 64 bits values */
1164 #ifndef GET_UINT64_LE
1165 #define GET_UINT64_LE(n,b,i) \
1166 { \
1167 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1168 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1169 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1170 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1171 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1172 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1173 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1174 | ( (uint64_t) (b)[(i) ] ); \
1175 }
1176 #endif
1177
1178 #ifndef PUT_UINT64_LE
1179 #define PUT_UINT64_LE(n,b,i) \
1180 { \
1181 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1182 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1183 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1184 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1185 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1186 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1187 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1188 (b)[(i) ] = (unsigned char) ( (n) ); \
1189 }
1190 #endif
1191
1192 typedef unsigned char mbedtls_be128[16];
1193
1194 /*
1195 * GF(2^128) multiplication function
1196 *
1197 * This function multiplies a field element by x in the polynomial field
1198 * representation. It uses 64-bit word operations to gain speed but compensates
1199 * for machine endianess and hence works correctly on both big and little
1200 * endian machines.
1201 */
mbedtls_gf128mul_x_ble(unsigned char r[16],const unsigned char x[16])1202 static void mbedtls_gf128mul_x_ble( unsigned char r[16],
1203 const unsigned char x[16] )
1204 {
1205 uint64_t a, b, ra, rb;
1206
1207 GET_UINT64_LE( a, x, 0 );
1208 GET_UINT64_LE( b, x, 8 );
1209
1210 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1211 rb = ( a >> 63 ) | ( b << 1 );
1212
1213 PUT_UINT64_LE( ra, r, 0 );
1214 PUT_UINT64_LE( rb, r, 8 );
1215 }
1216
1217 /*
1218 * AES-XTS buffer encryption/decryption
1219 */
mbedtls_aes_crypt_xts(mbedtls_aes_xts_context * ctx,int mode,size_t length,const unsigned char data_unit[16],const unsigned char * input,unsigned char * output)1220 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1221 int mode,
1222 size_t length,
1223 const unsigned char data_unit[16],
1224 const unsigned char *input,
1225 unsigned char *output )
1226 {
1227 int ret;
1228 size_t blocks = length / 16;
1229 size_t leftover = length % 16;
1230 unsigned char tweak[16];
1231 unsigned char prev_tweak[16];
1232 unsigned char tmp[16];
1233
1234 AES_VALIDATE_RET( ctx != NULL );
1235 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1236 mode == MBEDTLS_AES_DECRYPT );
1237 AES_VALIDATE_RET( data_unit != NULL );
1238 AES_VALIDATE_RET( input != NULL );
1239 AES_VALIDATE_RET( output != NULL );
1240
1241 /* Data units must be at least 16 bytes long. */
1242 if( length < 16 )
1243 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1244
1245 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1246 if( length > ( 1 << 20 ) * 16 )
1247 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1248
1249 /* Compute the tweak. */
1250 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1251 data_unit, tweak );
1252 if( ret != 0 )
1253 return( ret );
1254
1255 while( blocks-- )
1256 {
1257 size_t i;
1258
1259 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1260 {
1261 /* We are on the last block in a decrypt operation that has
1262 * leftover bytes, so we need to use the next tweak for this block,
1263 * and this tweak for the lefover bytes. Save the current tweak for
1264 * the leftovers and then update the current tweak for use on this,
1265 * the last full block. */
1266 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1267 mbedtls_gf128mul_x_ble( tweak, tweak );
1268 }
1269
1270 for( i = 0; i < 16; i++ )
1271 tmp[i] = input[i] ^ tweak[i];
1272
1273 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1274 if( ret != 0 )
1275 return( ret );
1276
1277 for( i = 0; i < 16; i++ )
1278 output[i] = tmp[i] ^ tweak[i];
1279
1280 /* Update the tweak for the next block. */
1281 mbedtls_gf128mul_x_ble( tweak, tweak );
1282
1283 output += 16;
1284 input += 16;
1285 }
1286
1287 if( leftover )
1288 {
1289 /* If we are on the leftover bytes in a decrypt operation, we need to
1290 * use the previous tweak for these bytes (as saved in prev_tweak). */
1291 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1292
1293 /* We are now on the final part of the data unit, which doesn't divide
1294 * evenly by 16. It's time for ciphertext stealing. */
1295 size_t i;
1296 unsigned char *prev_output = output - 16;
1297
1298 /* Copy ciphertext bytes from the previous block to our output for each
1299 * byte of cyphertext we won't steal. At the same time, copy the
1300 * remainder of the input for this final round (since the loop bounds
1301 * are the same). */
1302 for( i = 0; i < leftover; i++ )
1303 {
1304 output[i] = prev_output[i];
1305 tmp[i] = input[i] ^ t[i];
1306 }
1307
1308 /* Copy ciphertext bytes from the previous block for input in this
1309 * round. */
1310 for( ; i < 16; i++ )
1311 tmp[i] = prev_output[i] ^ t[i];
1312
1313 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1314 if( ret != 0 )
1315 return ret;
1316
1317 /* Write the result back to the previous block, overriding the previous
1318 * output we copied. */
1319 for( i = 0; i < 16; i++ )
1320 prev_output[i] = tmp[i] ^ t[i];
1321 }
1322
1323 return( 0 );
1324 }
1325 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1326
1327 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1328 /*
1329 * AES-CFB128 buffer encryption/decryption
1330 */
mbedtls_aes_crypt_cfb128(mbedtls_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1331 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
1332 int mode,
1333 size_t length,
1334 size_t *iv_off,
1335 unsigned char iv[16],
1336 const unsigned char *input,
1337 unsigned char *output )
1338 {
1339 int c;
1340 size_t n;
1341
1342 AES_VALIDATE_RET( ctx != NULL );
1343 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1344 mode == MBEDTLS_AES_DECRYPT );
1345 AES_VALIDATE_RET( iv_off != NULL );
1346 AES_VALIDATE_RET( iv != NULL );
1347 AES_VALIDATE_RET( input != NULL );
1348 AES_VALIDATE_RET( output != NULL );
1349
1350 n = *iv_off;
1351
1352 if( n > 15 )
1353 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1354
1355 if( mode == MBEDTLS_AES_DECRYPT )
1356 {
1357 while( length-- )
1358 {
1359 if( n == 0 )
1360 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1361
1362 c = *input++;
1363 *output++ = (unsigned char)( c ^ iv[n] );
1364 iv[n] = (unsigned char) c;
1365
1366 n = ( n + 1 ) & 0x0F;
1367 }
1368 }
1369 else
1370 {
1371 while( length-- )
1372 {
1373 if( n == 0 )
1374 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1375
1376 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1377
1378 n = ( n + 1 ) & 0x0F;
1379 }
1380 }
1381
1382 *iv_off = n;
1383
1384 return( 0 );
1385 }
1386
1387 /*
1388 * AES-CFB8 buffer encryption/decryption
1389 */
mbedtls_aes_crypt_cfb8(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1390 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
1391 int mode,
1392 size_t length,
1393 unsigned char iv[16],
1394 const unsigned char *input,
1395 unsigned char *output )
1396 {
1397 unsigned char c;
1398 unsigned char ov[17];
1399
1400 AES_VALIDATE_RET( ctx != NULL );
1401 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1402 mode == MBEDTLS_AES_DECRYPT );
1403 AES_VALIDATE_RET( iv != NULL );
1404 AES_VALIDATE_RET( input != NULL );
1405 AES_VALIDATE_RET( output != NULL );
1406 while( length-- )
1407 {
1408 memcpy( ov, iv, 16 );
1409 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1410
1411 if( mode == MBEDTLS_AES_DECRYPT )
1412 ov[16] = *input;
1413
1414 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1415
1416 if( mode == MBEDTLS_AES_ENCRYPT )
1417 ov[16] = c;
1418
1419 memcpy( iv, ov + 1, 16 );
1420 }
1421
1422 return( 0 );
1423 }
1424 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1425
1426 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1427 /*
1428 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1429 */
mbedtls_aes_crypt_ofb(mbedtls_aes_context * ctx,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1430 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
1431 size_t length,
1432 size_t *iv_off,
1433 unsigned char iv[16],
1434 const unsigned char *input,
1435 unsigned char *output )
1436 {
1437 int ret = 0;
1438 size_t n;
1439
1440 AES_VALIDATE_RET( ctx != NULL );
1441 AES_VALIDATE_RET( iv_off != NULL );
1442 AES_VALIDATE_RET( iv != NULL );
1443 AES_VALIDATE_RET( input != NULL );
1444 AES_VALIDATE_RET( output != NULL );
1445
1446 n = *iv_off;
1447
1448 if( n > 15 )
1449 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1450
1451 while( length-- )
1452 {
1453 if( n == 0 )
1454 {
1455 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1456 if( ret != 0 )
1457 goto exit;
1458 }
1459 *output++ = *input++ ^ iv[n];
1460
1461 n = ( n + 1 ) & 0x0F;
1462 }
1463
1464 *iv_off = n;
1465
1466 exit:
1467 return( ret );
1468 }
1469 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1470
1471 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1472 /*
1473 * AES-CTR buffer encryption/decryption
1474 */
mbedtls_aes_crypt_ctr(mbedtls_aes_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)1475 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1476 size_t length,
1477 size_t *nc_off,
1478 unsigned char nonce_counter[16],
1479 unsigned char stream_block[16],
1480 const unsigned char *input,
1481 unsigned char *output )
1482 {
1483 int c, i;
1484 size_t n;
1485
1486 AES_VALIDATE_RET( ctx != NULL );
1487 AES_VALIDATE_RET( nc_off != NULL );
1488 AES_VALIDATE_RET( nonce_counter != NULL );
1489 AES_VALIDATE_RET( stream_block != NULL );
1490 AES_VALIDATE_RET( input != NULL );
1491 AES_VALIDATE_RET( output != NULL );
1492
1493 n = *nc_off;
1494
1495 if ( n > 0x0F )
1496 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1497
1498 while( length-- )
1499 {
1500 if( n == 0 ) {
1501 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1502
1503 for( i = 16; i > 0; i-- )
1504 if( ++nonce_counter[i - 1] != 0 )
1505 break;
1506 }
1507 c = *input++;
1508 *output++ = (unsigned char)( c ^ stream_block[n] );
1509
1510 n = ( n + 1 ) & 0x0F;
1511 }
1512
1513 *nc_off = n;
1514
1515 return( 0 );
1516 }
1517 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1518
1519 #endif /* !MBEDTLS_AES_ALT */
1520
1521 #if defined(MBEDTLS_SELF_TEST)
1522 /*
1523 * AES test vectors from:
1524 *
1525 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1526 */
1527 static const unsigned char aes_test_ecb_dec[3][16] =
1528 {
1529 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1530 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1531 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1532 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1533 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1534 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1535 };
1536
1537 static const unsigned char aes_test_ecb_enc[3][16] =
1538 {
1539 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1540 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1541 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1542 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1543 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1544 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1545 };
1546
1547 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1548 static const unsigned char aes_test_cbc_dec[3][16] =
1549 {
1550 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1551 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1552 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1553 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1554 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1555 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1556 };
1557
1558 static const unsigned char aes_test_cbc_enc[3][16] =
1559 {
1560 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1561 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1562 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1563 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1564 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1565 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1566 };
1567 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1568
1569 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1570 /*
1571 * AES-CFB128 test vectors from:
1572 *
1573 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1574 */
1575 static const unsigned char aes_test_cfb128_key[3][32] =
1576 {
1577 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1578 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1579 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1580 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1581 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1582 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1583 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1584 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1585 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1586 };
1587
1588 static const unsigned char aes_test_cfb128_iv[16] =
1589 {
1590 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1591 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1592 };
1593
1594 static const unsigned char aes_test_cfb128_pt[64] =
1595 {
1596 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1597 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1598 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1599 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1600 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1601 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1602 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1603 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1604 };
1605
1606 static const unsigned char aes_test_cfb128_ct[3][64] =
1607 {
1608 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1609 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1610 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1611 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1612 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1613 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1614 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1615 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1616 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1617 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1618 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1619 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1620 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1621 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1622 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1623 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1624 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1625 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1626 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1627 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1628 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1629 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1630 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1631 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1632 };
1633 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1634
1635 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1636 /*
1637 * AES-OFB test vectors from:
1638 *
1639 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1640 */
1641 static const unsigned char aes_test_ofb_key[3][32] =
1642 {
1643 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1644 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1645 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1646 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1647 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1648 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1649 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1650 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1651 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1652 };
1653
1654 static const unsigned char aes_test_ofb_iv[16] =
1655 {
1656 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1657 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1658 };
1659
1660 static const unsigned char aes_test_ofb_pt[64] =
1661 {
1662 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1663 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1664 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1665 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1666 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1667 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1668 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1669 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1670 };
1671
1672 static const unsigned char aes_test_ofb_ct[3][64] =
1673 {
1674 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1675 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1676 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1677 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1678 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1679 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1680 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1681 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1682 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1683 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1684 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1685 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1686 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1687 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1688 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1689 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1690 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1691 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1692 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1693 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1694 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1695 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1696 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1697 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1698 };
1699 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1700
1701 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1702 /*
1703 * AES-CTR test vectors from:
1704 *
1705 * http://www.faqs.org/rfcs/rfc3686.html
1706 */
1707
1708 static const unsigned char aes_test_ctr_key[3][16] =
1709 {
1710 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1711 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1712 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1713 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1714 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1715 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1716 };
1717
1718 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1719 {
1720 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1721 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1722 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1723 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1724 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1725 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1726 };
1727
1728 static const unsigned char aes_test_ctr_pt[3][48] =
1729 {
1730 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1731 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1732
1733 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1734 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1735 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1736 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1737
1738 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1739 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1740 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1741 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1742 0x20, 0x21, 0x22, 0x23 }
1743 };
1744
1745 static const unsigned char aes_test_ctr_ct[3][48] =
1746 {
1747 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1748 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1749 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1750 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1751 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1752 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1753 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1754 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1755 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1756 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1757 0x25, 0xB2, 0x07, 0x2F }
1758 };
1759
1760 static const int aes_test_ctr_len[3] =
1761 { 16, 32, 36 };
1762 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1763
1764 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1765 /*
1766 * AES-XTS test vectors from:
1767 *
1768 * IEEE P1619/D16 Annex B
1769 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1770 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1771 */
1772 static const unsigned char aes_test_xts_key[][32] =
1773 {
1774 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1778 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1779 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1780 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1781 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1782 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1783 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1784 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1785 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1786 };
1787
1788 static const unsigned char aes_test_xts_pt32[][32] =
1789 {
1790 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1791 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1792 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1794 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1795 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1796 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1797 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1798 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1799 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1800 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1801 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1802 };
1803
1804 static const unsigned char aes_test_xts_ct32[][32] =
1805 {
1806 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1807 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1808 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1809 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1810 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1811 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1812 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1813 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1814 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1815 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1816 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1817 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1818 };
1819
1820 static const unsigned char aes_test_xts_data_unit[][16] =
1821 {
1822 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1823 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1824 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1826 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1827 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1828 };
1829
1830 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1831
1832 /*
1833 * Checkup routine
1834 */
mbedtls_aes_self_test(int verbose)1835 int mbedtls_aes_self_test( int verbose )
1836 {
1837 int ret = 0, i, j, u, mode;
1838 unsigned int keybits;
1839 unsigned char key[32];
1840 unsigned char buf[64];
1841 const unsigned char *aes_tests;
1842 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
1843 unsigned char iv[16];
1844 #endif
1845 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1846 unsigned char prv[16];
1847 #endif
1848 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1849 defined(MBEDTLS_CIPHER_MODE_OFB)
1850 size_t offset;
1851 #endif
1852 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1853 int len;
1854 #endif
1855 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1856 unsigned char nonce_counter[16];
1857 unsigned char stream_block[16];
1858 #endif
1859 mbedtls_aes_context ctx;
1860
1861 memset( key, 0, 32 );
1862 mbedtls_aes_init( &ctx );
1863
1864 /*
1865 * ECB mode
1866 */
1867 for( i = 0; i < 6; i++ )
1868 {
1869 u = i >> 1;
1870 keybits = 128 + u * 64;
1871 mode = i & 1;
1872
1873 if( verbose != 0 )
1874 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1875 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1876
1877 memset( buf, 0, 16 );
1878
1879 if( mode == MBEDTLS_AES_DECRYPT )
1880 {
1881 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1882 aes_tests = aes_test_ecb_dec[u];
1883 }
1884 else
1885 {
1886 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1887 aes_tests = aes_test_ecb_enc[u];
1888 }
1889
1890 /*
1891 * AES-192 is an optional feature that may be unavailable when
1892 * there is an alternative underlying implementation i.e. when
1893 * MBEDTLS_AES_ALT is defined.
1894 */
1895 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1896 {
1897 mbedtls_printf( "skipped\n" );
1898 continue;
1899 }
1900 else if( ret != 0 )
1901 {
1902 goto exit;
1903 }
1904
1905 for( j = 0; j < 10000; j++ )
1906 {
1907 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1908 if( ret != 0 )
1909 goto exit;
1910 }
1911
1912 if( memcmp( buf, aes_tests, 16 ) != 0 )
1913 {
1914 ret = 1;
1915 goto exit;
1916 }
1917
1918 if( verbose != 0 )
1919 mbedtls_printf( "passed\n" );
1920 }
1921
1922 if( verbose != 0 )
1923 mbedtls_printf( "\n" );
1924
1925 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1926 /*
1927 * CBC mode
1928 */
1929 for( i = 0; i < 6; i++ )
1930 {
1931 u = i >> 1;
1932 keybits = 128 + u * 64;
1933 mode = i & 1;
1934
1935 if( verbose != 0 )
1936 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1937 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1938
1939 memset( iv , 0, 16 );
1940 memset( prv, 0, 16 );
1941 memset( buf, 0, 16 );
1942
1943 if( mode == MBEDTLS_AES_DECRYPT )
1944 {
1945 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1946 aes_tests = aes_test_cbc_dec[u];
1947 }
1948 else
1949 {
1950 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1951 aes_tests = aes_test_cbc_enc[u];
1952 }
1953
1954 /*
1955 * AES-192 is an optional feature that may be unavailable when
1956 * there is an alternative underlying implementation i.e. when
1957 * MBEDTLS_AES_ALT is defined.
1958 */
1959 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1960 {
1961 mbedtls_printf( "skipped\n" );
1962 continue;
1963 }
1964 else if( ret != 0 )
1965 {
1966 goto exit;
1967 }
1968
1969 for( j = 0; j < 10000; j++ )
1970 {
1971 if( mode == MBEDTLS_AES_ENCRYPT )
1972 {
1973 unsigned char tmp[16];
1974
1975 memcpy( tmp, prv, 16 );
1976 memcpy( prv, buf, 16 );
1977 memcpy( buf, tmp, 16 );
1978 }
1979
1980 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1981 if( ret != 0 )
1982 goto exit;
1983
1984 }
1985
1986 if( memcmp( buf, aes_tests, 16 ) != 0 )
1987 {
1988 ret = 1;
1989 goto exit;
1990 }
1991
1992 if( verbose != 0 )
1993 mbedtls_printf( "passed\n" );
1994 }
1995
1996 if( verbose != 0 )
1997 mbedtls_printf( "\n" );
1998 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1999
2000 #if defined(MBEDTLS_CIPHER_MODE_CFB)
2001 /*
2002 * CFB128 mode
2003 */
2004 for( i = 0; i < 6; i++ )
2005 {
2006 u = i >> 1;
2007 keybits = 128 + u * 64;
2008 mode = i & 1;
2009
2010 if( verbose != 0 )
2011 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
2012 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2013
2014 memcpy( iv, aes_test_cfb128_iv, 16 );
2015 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
2016
2017 offset = 0;
2018 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2019 /*
2020 * AES-192 is an optional feature that may be unavailable when
2021 * there is an alternative underlying implementation i.e. when
2022 * MBEDTLS_AES_ALT is defined.
2023 */
2024 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
2025 {
2026 mbedtls_printf( "skipped\n" );
2027 continue;
2028 }
2029 else if( ret != 0 )
2030 {
2031 goto exit;
2032 }
2033
2034 if( mode == MBEDTLS_AES_DECRYPT )
2035 {
2036 memcpy( buf, aes_test_cfb128_ct[u], 64 );
2037 aes_tests = aes_test_cfb128_pt;
2038 }
2039 else
2040 {
2041 memcpy( buf, aes_test_cfb128_pt, 64 );
2042 aes_tests = aes_test_cfb128_ct[u];
2043 }
2044
2045 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
2046 if( ret != 0 )
2047 goto exit;
2048
2049 if( memcmp( buf, aes_tests, 64 ) != 0 )
2050 {
2051 ret = 1;
2052 goto exit;
2053 }
2054
2055 if( verbose != 0 )
2056 mbedtls_printf( "passed\n" );
2057 }
2058
2059 if( verbose != 0 )
2060 mbedtls_printf( "\n" );
2061 #endif /* MBEDTLS_CIPHER_MODE_CFB */
2062
2063 #if defined(MBEDTLS_CIPHER_MODE_OFB)
2064 /*
2065 * OFB mode
2066 */
2067 for( i = 0; i < 6; i++ )
2068 {
2069 u = i >> 1;
2070 keybits = 128 + u * 64;
2071 mode = i & 1;
2072
2073 if( verbose != 0 )
2074 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2075 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2076
2077 memcpy( iv, aes_test_ofb_iv, 16 );
2078 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2079
2080 offset = 0;
2081 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2082 /*
2083 * AES-192 is an optional feature that may be unavailable when
2084 * there is an alternative underlying implementation i.e. when
2085 * MBEDTLS_AES_ALT is defined.
2086 */
2087 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
2088 {
2089 mbedtls_printf( "skipped\n" );
2090 continue;
2091 }
2092 else if( ret != 0 )
2093 {
2094 goto exit;
2095 }
2096
2097 if( mode == MBEDTLS_AES_DECRYPT )
2098 {
2099 memcpy( buf, aes_test_ofb_ct[u], 64 );
2100 aes_tests = aes_test_ofb_pt;
2101 }
2102 else
2103 {
2104 memcpy( buf, aes_test_ofb_pt, 64 );
2105 aes_tests = aes_test_ofb_ct[u];
2106 }
2107
2108 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2109 if( ret != 0 )
2110 goto exit;
2111
2112 if( memcmp( buf, aes_tests, 64 ) != 0 )
2113 {
2114 ret = 1;
2115 goto exit;
2116 }
2117
2118 if( verbose != 0 )
2119 mbedtls_printf( "passed\n" );
2120 }
2121
2122 if( verbose != 0 )
2123 mbedtls_printf( "\n" );
2124 #endif /* MBEDTLS_CIPHER_MODE_OFB */
2125
2126 #if defined(MBEDTLS_CIPHER_MODE_CTR)
2127 /*
2128 * CTR mode
2129 */
2130 for( i = 0; i < 6; i++ )
2131 {
2132 u = i >> 1;
2133 mode = i & 1;
2134
2135 if( verbose != 0 )
2136 mbedtls_printf( " AES-CTR-128 (%s): ",
2137 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2138
2139 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2140 memcpy( key, aes_test_ctr_key[u], 16 );
2141
2142 offset = 0;
2143 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2144 goto exit;
2145
2146 len = aes_test_ctr_len[u];
2147
2148 if( mode == MBEDTLS_AES_DECRYPT )
2149 {
2150 memcpy( buf, aes_test_ctr_ct[u], len );
2151 aes_tests = aes_test_ctr_pt[u];
2152 }
2153 else
2154 {
2155 memcpy( buf, aes_test_ctr_pt[u], len );
2156 aes_tests = aes_test_ctr_ct[u];
2157 }
2158
2159 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2160 stream_block, buf, buf );
2161 if( ret != 0 )
2162 goto exit;
2163
2164 if( memcmp( buf, aes_tests, len ) != 0 )
2165 {
2166 ret = 1;
2167 goto exit;
2168 }
2169
2170 if( verbose != 0 )
2171 mbedtls_printf( "passed\n" );
2172 }
2173
2174 if( verbose != 0 )
2175 mbedtls_printf( "\n" );
2176 #endif /* MBEDTLS_CIPHER_MODE_CTR */
2177
2178 #if defined(MBEDTLS_CIPHER_MODE_XTS)
2179 {
2180 static const int num_tests =
2181 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2182 mbedtls_aes_xts_context ctx_xts;
2183
2184 /*
2185 * XTS mode
2186 */
2187 mbedtls_aes_xts_init( &ctx_xts );
2188
2189 for( i = 0; i < num_tests << 1; i++ )
2190 {
2191 const unsigned char *data_unit;
2192 u = i >> 1;
2193 mode = i & 1;
2194
2195 if( verbose != 0 )
2196 mbedtls_printf( " AES-XTS-128 (%s): ",
2197 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2198
2199 memset( key, 0, sizeof( key ) );
2200 memcpy( key, aes_test_xts_key[u], 32 );
2201 data_unit = aes_test_xts_data_unit[u];
2202
2203 len = sizeof( *aes_test_xts_ct32 );
2204
2205 if( mode == MBEDTLS_AES_DECRYPT )
2206 {
2207 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2208 if( ret != 0)
2209 goto exit;
2210 memcpy( buf, aes_test_xts_ct32[u], len );
2211 aes_tests = aes_test_xts_pt32[u];
2212 }
2213 else
2214 {
2215 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2216 if( ret != 0)
2217 goto exit;
2218 memcpy( buf, aes_test_xts_pt32[u], len );
2219 aes_tests = aes_test_xts_ct32[u];
2220 }
2221
2222
2223 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2224 buf, buf );
2225 if( ret != 0 )
2226 goto exit;
2227
2228 if( memcmp( buf, aes_tests, len ) != 0 )
2229 {
2230 ret = 1;
2231 goto exit;
2232 }
2233
2234 if( verbose != 0 )
2235 mbedtls_printf( "passed\n" );
2236 }
2237
2238 if( verbose != 0 )
2239 mbedtls_printf( "\n" );
2240
2241 mbedtls_aes_xts_free( &ctx_xts );
2242 }
2243 #endif /* MBEDTLS_CIPHER_MODE_XTS */
2244
2245 ret = 0;
2246
2247 exit:
2248 if( ret != 0 && verbose != 0 )
2249 mbedtls_printf( "failed\n" );
2250
2251 mbedtls_aes_free( &ctx );
2252
2253 return( ret );
2254 }
2255
2256 #endif /* MBEDTLS_SELF_TEST */
2257
2258 #endif /* MBEDTLS_AES_C */
2259