1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21 /*
22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
23 *
24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26 */
27
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33
34 #if defined(MBEDTLS_AES_C)
35
36 #include <string.h>
37
38 #include "mbedtls/aes.h"
39 #include "mbedtls/platform.h"
40 #include "mbedtls/platform_util.h"
41 #if defined(MBEDTLS_PADLOCK_C)
42 #include "mbedtls/padlock.h"
43 #endif
44 #if defined(MBEDTLS_AESNI_C)
45 #include "mbedtls/aesni.h"
46 #endif
47
48 #if defined(MBEDTLS_SELF_TEST)
49 #if defined(MBEDTLS_PLATFORM_C)
50 #include "mbedtls/platform.h"
51 #else
52 #include <stdio.h>
53 #define mbedtls_printf printf
54 #endif /* MBEDTLS_PLATFORM_C */
55 #endif /* MBEDTLS_SELF_TEST */
56
57 #if !defined(MBEDTLS_AES_ALT)
58
59 /* Parameter validation macros based on platform_util.h */
60 #define AES_VALIDATE_RET( cond ) \
61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
62 #define AES_VALIDATE( cond ) \
63 MBEDTLS_INTERNAL_VALIDATE( cond )
64
65 /*
66 * 32-bit integer manipulation macros (little endian)
67 */
68 #ifndef GET_UINT32_LE
69 #define GET_UINT32_LE(n,b,i) \
70 { \
71 (n) = ( (uint32_t) (b)[(i) ] ) \
72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
75 }
76 #endif
77
78 #ifndef PUT_UINT32_LE
79 #define PUT_UINT32_LE(n,b,i) \
80 { \
81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
85 }
86 #endif
87
88 #if defined(MBEDTLS_PADLOCK_C) && \
89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
90 static int aes_padlock_ace = -1;
91 #endif
92
93 #if defined(MBEDTLS_AES_ROM_TABLES)
94 /*
95 * Forward S-box
96 */
97 static const unsigned char FSb[256] =
98 {
99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
131 };
132
133 /*
134 * Forward tables
135 */
136 #define FT \
137 \
138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
202
203 #define V(a,b,c,d) 0x##a##b##c##d
204 static const uint32_t FT0[256] = { FT };
205 #undef V
206
207 #if !defined(MBEDTLS_AES_FEWER_TABLES)
208
209 #define V(a,b,c,d) 0x##b##c##d##a
210 static const uint32_t FT1[256] = { FT };
211 #undef V
212
213 #define V(a,b,c,d) 0x##c##d##a##b
214 static const uint32_t FT2[256] = { FT };
215 #undef V
216
217 #define V(a,b,c,d) 0x##d##a##b##c
218 static const uint32_t FT3[256] = { FT };
219 #undef V
220
221 #endif /* !MBEDTLS_AES_FEWER_TABLES */
222
223 #undef FT
224
225 /*
226 * Reverse S-box
227 */
228 static const unsigned char RSb[256] =
229 {
230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
262 };
263
264 /*
265 * Reverse tables
266 */
267 #define RT \
268 \
269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
333
334 #define V(a,b,c,d) 0x##a##b##c##d
335 static const uint32_t RT0[256] = { RT };
336 #undef V
337
338 #if !defined(MBEDTLS_AES_FEWER_TABLES)
339
340 #define V(a,b,c,d) 0x##b##c##d##a
341 static const uint32_t RT1[256] = { RT };
342 #undef V
343
344 #define V(a,b,c,d) 0x##c##d##a##b
345 static const uint32_t RT2[256] = { RT };
346 #undef V
347
348 #define V(a,b,c,d) 0x##d##a##b##c
349 static const uint32_t RT3[256] = { RT };
350 #undef V
351
352 #endif /* !MBEDTLS_AES_FEWER_TABLES */
353
354 #undef RT
355
356 /*
357 * Round constants
358 */
359 static const uint32_t RCON[10] =
360 {
361 0x00000001, 0x00000002, 0x00000004, 0x00000008,
362 0x00000010, 0x00000020, 0x00000040, 0x00000080,
363 0x0000001B, 0x00000036
364 };
365
366 #else /* MBEDTLS_AES_ROM_TABLES */
367
368 /*
369 * Forward S-box & tables
370 */
371 static unsigned char FSb[256];
372 static uint32_t FT0[256];
373 #if !defined(MBEDTLS_AES_FEWER_TABLES)
374 static uint32_t FT1[256];
375 static uint32_t FT2[256];
376 static uint32_t FT3[256];
377 #endif /* !MBEDTLS_AES_FEWER_TABLES */
378
379 /*
380 * Reverse S-box & tables
381 */
382 static unsigned char RSb[256];
383 static uint32_t RT0[256];
384 #if !defined(MBEDTLS_AES_FEWER_TABLES)
385 static uint32_t RT1[256];
386 static uint32_t RT2[256];
387 static uint32_t RT3[256];
388 #endif /* !MBEDTLS_AES_FEWER_TABLES */
389
390 /*
391 * Round constants
392 */
393 static uint32_t RCON[10];
394
395 /*
396 * Tables generation code
397 */
398 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 )
399 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) )
400 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 )
401
402 static int aes_init_done = 0;
403
aes_gen_tables(void)404 static void aes_gen_tables( void )
405 {
406 int i, x, y, z;
407 int pow[256];
408 int log[256];
409
410 /*
411 * compute pow and log tables over GF(2^8)
412 */
413 for( i = 0, x = 1; i < 256; i++ )
414 {
415 pow[i] = x;
416 log[x] = i;
417 x = ( x ^ XTIME( x ) ) & 0xFF;
418 }
419
420 /*
421 * calculate the round constants
422 */
423 for( i = 0, x = 1; i < 10; i++ )
424 {
425 RCON[i] = (uint32_t) x;
426 x = XTIME( x ) & 0xFF;
427 }
428
429 /*
430 * generate the forward and reverse S-boxes
431 */
432 FSb[0x00] = 0x63;
433 RSb[0x63] = 0x00;
434
435 for( i = 1; i < 256; i++ )
436 {
437 x = pow[255 - log[i]];
438
439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF;
443 x ^= y ^ 0x63;
444
445 FSb[i] = (unsigned char) x;
446 RSb[x] = (unsigned char) i;
447 }
448
449 /*
450 * generate the forward and reverse tables
451 */
452 for( i = 0; i < 256; i++ )
453 {
454 x = FSb[i];
455 y = XTIME( x ) & 0xFF;
456 z = ( y ^ x ) & 0xFF;
457
458 FT0[i] = ( (uint32_t) y ) ^
459 ( (uint32_t) x << 8 ) ^
460 ( (uint32_t) x << 16 ) ^
461 ( (uint32_t) z << 24 );
462
463 #if !defined(MBEDTLS_AES_FEWER_TABLES)
464 FT1[i] = ROTL8( FT0[i] );
465 FT2[i] = ROTL8( FT1[i] );
466 FT3[i] = ROTL8( FT2[i] );
467 #endif /* !MBEDTLS_AES_FEWER_TABLES */
468
469 x = RSb[i];
470
471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
474 ( (uint32_t) MUL( 0x0B, x ) << 24 );
475
476 #if !defined(MBEDTLS_AES_FEWER_TABLES)
477 RT1[i] = ROTL8( RT0[i] );
478 RT2[i] = ROTL8( RT1[i] );
479 RT3[i] = ROTL8( RT2[i] );
480 #endif /* !MBEDTLS_AES_FEWER_TABLES */
481 }
482 }
483
484 #undef ROTL8
485
486 #endif /* MBEDTLS_AES_ROM_TABLES */
487
488 #if defined(MBEDTLS_AES_FEWER_TABLES)
489
490 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
491 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
492 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
493
494 #define AES_RT0(idx) RT0[idx]
495 #define AES_RT1(idx) ROTL8( RT0[idx] )
496 #define AES_RT2(idx) ROTL16( RT0[idx] )
497 #define AES_RT3(idx) ROTL24( RT0[idx] )
498
499 #define AES_FT0(idx) FT0[idx]
500 #define AES_FT1(idx) ROTL8( FT0[idx] )
501 #define AES_FT2(idx) ROTL16( FT0[idx] )
502 #define AES_FT3(idx) ROTL24( FT0[idx] )
503
504 #else /* MBEDTLS_AES_FEWER_TABLES */
505
506 #define AES_RT0(idx) RT0[idx]
507 #define AES_RT1(idx) RT1[idx]
508 #define AES_RT2(idx) RT2[idx]
509 #define AES_RT3(idx) RT3[idx]
510
511 #define AES_FT0(idx) FT0[idx]
512 #define AES_FT1(idx) FT1[idx]
513 #define AES_FT2(idx) FT2[idx]
514 #define AES_FT3(idx) FT3[idx]
515
516 #endif /* MBEDTLS_AES_FEWER_TABLES */
517
mbedtls_aes_init(mbedtls_aes_context * ctx)518 void mbedtls_aes_init( mbedtls_aes_context *ctx )
519 {
520 AES_VALIDATE( ctx != NULL );
521
522 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
523 }
524
mbedtls_aes_free(mbedtls_aes_context * ctx)525 void mbedtls_aes_free( mbedtls_aes_context *ctx )
526 {
527 if( ctx == NULL )
528 return;
529
530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
531 }
532
533 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_init(mbedtls_aes_xts_context * ctx)534 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
535 {
536 AES_VALIDATE( ctx != NULL );
537
538 mbedtls_aes_init( &ctx->crypt );
539 mbedtls_aes_init( &ctx->tweak );
540 }
541
mbedtls_aes_xts_free(mbedtls_aes_xts_context * ctx)542 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
543 {
544 if( ctx == NULL )
545 return;
546
547 mbedtls_aes_free( &ctx->crypt );
548 mbedtls_aes_free( &ctx->tweak );
549 }
550 #endif /* MBEDTLS_CIPHER_MODE_XTS */
551
552 /*
553 * AES key schedule (encryption)
554 */
555 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)556 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
557 unsigned int keybits )
558 {
559 unsigned int i;
560 uint32_t *RK;
561
562 AES_VALIDATE_RET( ctx != NULL );
563 AES_VALIDATE_RET( key != NULL );
564
565 switch( keybits )
566 {
567 case 128: ctx->nr = 10; break;
568 case 192: ctx->nr = 12; break;
569 case 256: ctx->nr = 14; break;
570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
571 }
572
573 #if !defined(MBEDTLS_AES_ROM_TABLES)
574 if( aes_init_done == 0 )
575 {
576 aes_gen_tables();
577 aes_init_done = 1;
578 }
579 #endif
580
581 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
582 if( aes_padlock_ace == -1 )
583 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
584
585 if( aes_padlock_ace )
586 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
587 else
588 #endif
589 ctx->rk = RK = ctx->buf;
590
591 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
592 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
593 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) );
594 #endif
595
596 for( i = 0; i < ( keybits >> 5 ); i++ )
597 {
598 GET_UINT32_LE( RK[i], key, i << 2 );
599 }
600
601 switch( ctx->nr )
602 {
603 case 10:
604
605 for( i = 0; i < 10; i++, RK += 4 )
606 {
607 RK[4] = RK[0] ^ RCON[i] ^
608 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^
609 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^
610 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^
611 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 );
612
613 RK[5] = RK[1] ^ RK[4];
614 RK[6] = RK[2] ^ RK[5];
615 RK[7] = RK[3] ^ RK[6];
616 }
617 break;
618
619 case 12:
620
621 for( i = 0; i < 8; i++, RK += 6 )
622 {
623 RK[6] = RK[0] ^ RCON[i] ^
624 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^
625 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^
626 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^
627 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 );
628
629 RK[7] = RK[1] ^ RK[6];
630 RK[8] = RK[2] ^ RK[7];
631 RK[9] = RK[3] ^ RK[8];
632 RK[10] = RK[4] ^ RK[9];
633 RK[11] = RK[5] ^ RK[10];
634 }
635 break;
636
637 case 14:
638
639 for( i = 0; i < 7; i++, RK += 8 )
640 {
641 RK[8] = RK[0] ^ RCON[i] ^
642 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^
643 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^
644 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^
645 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 );
646
647 RK[9] = RK[1] ^ RK[8];
648 RK[10] = RK[2] ^ RK[9];
649 RK[11] = RK[3] ^ RK[10];
650
651 RK[12] = RK[4] ^
652 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^
653 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^
654 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^
655 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 );
656
657 RK[13] = RK[5] ^ RK[12];
658 RK[14] = RK[6] ^ RK[13];
659 RK[15] = RK[7] ^ RK[14];
660 }
661 break;
662 }
663
664 return( 0 );
665 }
666 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
667
668 /*
669 * AES key schedule (decryption)
670 */
671 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)672 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
673 unsigned int keybits )
674 {
675 int i, j, ret;
676 mbedtls_aes_context cty;
677 uint32_t *RK;
678 uint32_t *SK;
679
680 AES_VALIDATE_RET( ctx != NULL );
681 AES_VALIDATE_RET( key != NULL );
682
683 mbedtls_aes_init( &cty );
684
685 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
686 if( aes_padlock_ace == -1 )
687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
688
689 if( aes_padlock_ace )
690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf );
691 else
692 #endif
693 ctx->rk = RK = ctx->buf;
694
695 /* Also checks keybits */
696 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
697 goto exit;
698
699 ctx->nr = cty.nr;
700
701 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
702 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
703 {
704 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk,
705 (const unsigned char *) cty.rk, ctx->nr );
706 goto exit;
707 }
708 #endif
709
710 SK = cty.rk + cty.nr * 4;
711
712 *RK++ = *SK++;
713 *RK++ = *SK++;
714 *RK++ = *SK++;
715 *RK++ = *SK++;
716
717 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
718 {
719 for( j = 0; j < 4; j++, SK++ )
720 {
721 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^
722 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^
723 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^
724 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] );
725 }
726 }
727
728 *RK++ = *SK++;
729 *RK++ = *SK++;
730 *RK++ = *SK++;
731 *RK++ = *SK++;
732
733 exit:
734 mbedtls_aes_free( &cty );
735
736 return( ret );
737 }
738
739 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_decode_keys(const unsigned char * key,unsigned int keybits,const unsigned char ** key1,unsigned int * key1bits,const unsigned char ** key2,unsigned int * key2bits)740 static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
741 unsigned int keybits,
742 const unsigned char **key1,
743 unsigned int *key1bits,
744 const unsigned char **key2,
745 unsigned int *key2bits )
746 {
747 const unsigned int half_keybits = keybits / 2;
748 const unsigned int half_keybytes = half_keybits / 8;
749
750 switch( keybits )
751 {
752 case 256: break;
753 case 512: break;
754 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
755 }
756
757 *key1bits = half_keybits;
758 *key2bits = half_keybits;
759 *key1 = &key[0];
760 *key2 = &key[half_keybytes];
761
762 return 0;
763 }
764
mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)765 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
766 const unsigned char *key,
767 unsigned int keybits)
768 {
769 int ret;
770 const unsigned char *key1, *key2;
771 unsigned int key1bits, key2bits;
772
773 AES_VALIDATE_RET( ctx != NULL );
774 AES_VALIDATE_RET( key != NULL );
775
776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
777 &key2, &key2bits );
778 if( ret != 0 )
779 return( ret );
780
781 /* Set the tweak key. Always set tweak key for the encryption mode. */
782 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
783 if( ret != 0 )
784 return( ret );
785
786 /* Set crypt key for encryption. */
787 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
788 }
789
mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)790 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
791 const unsigned char *key,
792 unsigned int keybits)
793 {
794 int ret;
795 const unsigned char *key1, *key2;
796 unsigned int key1bits, key2bits;
797
798 AES_VALIDATE_RET( ctx != NULL );
799 AES_VALIDATE_RET( key != NULL );
800
801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
802 &key2, &key2bits );
803 if( ret != 0 )
804 return( ret );
805
806 /* Set the tweak key. Always set tweak key for encryption. */
807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
808 if( ret != 0 )
809 return( ret );
810
811 /* Set crypt key for decryption. */
812 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
813 }
814 #endif /* MBEDTLS_CIPHER_MODE_XTS */
815
816 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
817
818 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
819 { \
820 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \
821 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \
822 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \
823 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \
824 \
825 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \
826 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \
827 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \
828 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \
829 \
830 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \
831 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \
832 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \
833 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \
834 \
835 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \
836 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \
837 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \
838 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \
839 }
840
841 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
842 { \
843 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \
844 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \
845 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \
846 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \
847 \
848 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \
849 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \
850 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \
851 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \
852 \
853 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \
854 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \
855 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \
856 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \
857 \
858 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \
859 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \
860 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \
861 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \
862 }
863
864 /*
865 * AES-ECB block encryption
866 */
867 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
mbedtls_internal_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])868 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
869 const unsigned char input[16],
870 unsigned char output[16] )
871 {
872 int i;
873 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
874
875 RK = ctx->rk;
876
877 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
878 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
879 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
880 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
881
882 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
883 {
884 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
885 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
886 }
887
888 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
889
890 X0 = *RK++ ^ \
891 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
892 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
893 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
894 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
895
896 X1 = *RK++ ^ \
897 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
898 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
899 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
900 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
901
902 X2 = *RK++ ^ \
903 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
904 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
905 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
906 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
907
908 X3 = *RK++ ^ \
909 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
910 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
911 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
912 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
913
914 PUT_UINT32_LE( X0, output, 0 );
915 PUT_UINT32_LE( X1, output, 4 );
916 PUT_UINT32_LE( X2, output, 8 );
917 PUT_UINT32_LE( X3, output, 12 );
918
919 return( 0 );
920 }
921 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
922
923 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])924 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
925 const unsigned char input[16],
926 unsigned char output[16] )
927 {
928 mbedtls_internal_aes_encrypt( ctx, input, output );
929 }
930 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
931
932 /*
933 * AES-ECB block decryption
934 */
935 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
mbedtls_internal_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])936 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
937 const unsigned char input[16],
938 unsigned char output[16] )
939 {
940 int i;
941 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
942
943 RK = ctx->rk;
944
945 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
946 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
947 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
948 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
949
950 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
951 {
952 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
953 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
954 }
955
956 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
957
958 X0 = *RK++ ^ \
959 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
960 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
961 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
962 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
963
964 X1 = *RK++ ^ \
965 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
966 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
967 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
968 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
969
970 X2 = *RK++ ^ \
971 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
972 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
973 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
974 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
975
976 X3 = *RK++ ^ \
977 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
978 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
979 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
980 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
981
982 PUT_UINT32_LE( X0, output, 0 );
983 PUT_UINT32_LE( X1, output, 4 );
984 PUT_UINT32_LE( X2, output, 8 );
985 PUT_UINT32_LE( X3, output, 12 );
986
987 return( 0 );
988 }
989 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
990
991 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])992 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
993 const unsigned char input[16],
994 unsigned char output[16] )
995 {
996 mbedtls_internal_aes_decrypt( ctx, input, output );
997 }
998 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
999
1000 /*
1001 * AES-ECB block encryption/decryption
1002 */
mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])1003 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
1004 int mode,
1005 const unsigned char input[16],
1006 unsigned char output[16] )
1007 {
1008 AES_VALIDATE_RET( ctx != NULL );
1009 AES_VALIDATE_RET( input != NULL );
1010 AES_VALIDATE_RET( output != NULL );
1011 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1012 mode == MBEDTLS_AES_DECRYPT );
1013
1014 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
1015 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
1016 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
1017 #endif
1018
1019 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1020 if( aes_padlock_ace )
1021 {
1022 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
1023 return( 0 );
1024
1025 // If padlock data misaligned, we just fall back to
1026 // unaccelerated mode
1027 //
1028 }
1029 #endif
1030
1031 if( mode == MBEDTLS_AES_ENCRYPT )
1032 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
1033 else
1034 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
1035 }
1036
1037 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1038 /*
1039 * AES-CBC buffer encryption/decryption
1040 */
mbedtls_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1041 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
1042 int mode,
1043 size_t length,
1044 unsigned char iv[16],
1045 const unsigned char *input,
1046 unsigned char *output )
1047 {
1048 int i;
1049 unsigned char temp[16];
1050
1051 AES_VALIDATE_RET( ctx != NULL );
1052 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1053 mode == MBEDTLS_AES_DECRYPT );
1054 AES_VALIDATE_RET( iv != NULL );
1055 AES_VALIDATE_RET( input != NULL );
1056 AES_VALIDATE_RET( output != NULL );
1057
1058 if( length % 16 )
1059 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
1060
1061 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1062 if( aes_padlock_ace )
1063 {
1064 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
1065 return( 0 );
1066
1067 // If padlock data misaligned, we just fall back to
1068 // unaccelerated mode
1069 //
1070 }
1071 #endif
1072
1073 if( mode == MBEDTLS_AES_DECRYPT )
1074 {
1075 while( length > 0 )
1076 {
1077 memcpy( temp, input, 16 );
1078 mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1079
1080 for( i = 0; i < 16; i++ )
1081 output[i] = (unsigned char)( output[i] ^ iv[i] );
1082
1083 memcpy( iv, temp, 16 );
1084
1085 input += 16;
1086 output += 16;
1087 length -= 16;
1088 }
1089 }
1090 else
1091 {
1092 while( length > 0 )
1093 {
1094 for( i = 0; i < 16; i++ )
1095 output[i] = (unsigned char)( input[i] ^ iv[i] );
1096
1097 mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1098 memcpy( iv, output, 16 );
1099
1100 input += 16;
1101 output += 16;
1102 length -= 16;
1103 }
1104 }
1105
1106 return( 0 );
1107 }
1108 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1109
1110 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1111
1112 /* Endianess with 64 bits values */
1113 #ifndef GET_UINT64_LE
1114 #define GET_UINT64_LE(n,b,i) \
1115 { \
1116 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1117 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1118 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1119 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1120 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1121 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1122 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1123 | ( (uint64_t) (b)[(i) ] ); \
1124 }
1125 #endif
1126
1127 #ifndef PUT_UINT64_LE
1128 #define PUT_UINT64_LE(n,b,i) \
1129 { \
1130 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1131 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1132 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1133 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1134 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1135 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1136 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1137 (b)[(i) ] = (unsigned char) ( (n) ); \
1138 }
1139 #endif
1140
1141 typedef unsigned char mbedtls_be128[16];
1142
1143 /*
1144 * GF(2^128) multiplication function
1145 *
1146 * This function multiplies a field element by x in the polynomial field
1147 * representation. It uses 64-bit word operations to gain speed but compensates
1148 * for machine endianess and hence works correctly on both big and little
1149 * endian machines.
1150 */
mbedtls_gf128mul_x_ble(unsigned char r[16],const unsigned char x[16])1151 static void mbedtls_gf128mul_x_ble( unsigned char r[16],
1152 const unsigned char x[16] )
1153 {
1154 uint64_t a, b, ra, rb;
1155
1156 GET_UINT64_LE( a, x, 0 );
1157 GET_UINT64_LE( b, x, 8 );
1158
1159 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1160 rb = ( a >> 63 ) | ( b << 1 );
1161
1162 PUT_UINT64_LE( ra, r, 0 );
1163 PUT_UINT64_LE( rb, r, 8 );
1164 }
1165
1166 /*
1167 * AES-XTS buffer encryption/decryption
1168 */
mbedtls_aes_crypt_xts(mbedtls_aes_xts_context * ctx,int mode,size_t length,const unsigned char data_unit[16],const unsigned char * input,unsigned char * output)1169 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1170 int mode,
1171 size_t length,
1172 const unsigned char data_unit[16],
1173 const unsigned char *input,
1174 unsigned char *output )
1175 {
1176 int ret;
1177 size_t blocks = length / 16;
1178 size_t leftover = length % 16;
1179 unsigned char tweak[16];
1180 unsigned char prev_tweak[16];
1181 unsigned char tmp[16];
1182
1183 AES_VALIDATE_RET( ctx != NULL );
1184 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1185 mode == MBEDTLS_AES_DECRYPT );
1186 AES_VALIDATE_RET( data_unit != NULL );
1187 AES_VALIDATE_RET( input != NULL );
1188 AES_VALIDATE_RET( output != NULL );
1189
1190 /* Data units must be at least 16 bytes long. */
1191 if( length < 16 )
1192 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1193
1194 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1195 if( length > ( 1 << 20 ) * 16 )
1196 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1197
1198 /* Compute the tweak. */
1199 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1200 data_unit, tweak );
1201 if( ret != 0 )
1202 return( ret );
1203
1204 while( blocks-- )
1205 {
1206 size_t i;
1207
1208 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1209 {
1210 /* We are on the last block in a decrypt operation that has
1211 * leftover bytes, so we need to use the next tweak for this block,
1212 * and this tweak for the lefover bytes. Save the current tweak for
1213 * the leftovers and then update the current tweak for use on this,
1214 * the last full block. */
1215 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1216 mbedtls_gf128mul_x_ble( tweak, tweak );
1217 }
1218
1219 for( i = 0; i < 16; i++ )
1220 tmp[i] = input[i] ^ tweak[i];
1221
1222 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1223 if( ret != 0 )
1224 return( ret );
1225
1226 for( i = 0; i < 16; i++ )
1227 output[i] = tmp[i] ^ tweak[i];
1228
1229 /* Update the tweak for the next block. */
1230 mbedtls_gf128mul_x_ble( tweak, tweak );
1231
1232 output += 16;
1233 input += 16;
1234 }
1235
1236 if( leftover )
1237 {
1238 /* If we are on the leftover bytes in a decrypt operation, we need to
1239 * use the previous tweak for these bytes (as saved in prev_tweak). */
1240 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1241
1242 /* We are now on the final part of the data unit, which doesn't divide
1243 * evenly by 16. It's time for ciphertext stealing. */
1244 size_t i;
1245 unsigned char *prev_output = output - 16;
1246
1247 /* Copy ciphertext bytes from the previous block to our output for each
1248 * byte of cyphertext we won't steal. At the same time, copy the
1249 * remainder of the input for this final round (since the loop bounds
1250 * are the same). */
1251 for( i = 0; i < leftover; i++ )
1252 {
1253 output[i] = prev_output[i];
1254 tmp[i] = input[i] ^ t[i];
1255 }
1256
1257 /* Copy ciphertext bytes from the previous block for input in this
1258 * round. */
1259 for( ; i < 16; i++ )
1260 tmp[i] = prev_output[i] ^ t[i];
1261
1262 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1263 if( ret != 0 )
1264 return ret;
1265
1266 /* Write the result back to the previous block, overriding the previous
1267 * output we copied. */
1268 for( i = 0; i < 16; i++ )
1269 prev_output[i] = tmp[i] ^ t[i];
1270 }
1271
1272 return( 0 );
1273 }
1274 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1275
1276 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1277 /*
1278 * AES-CFB128 buffer encryption/decryption
1279 */
mbedtls_aes_crypt_cfb128(mbedtls_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1280 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
1281 int mode,
1282 size_t length,
1283 size_t *iv_off,
1284 unsigned char iv[16],
1285 const unsigned char *input,
1286 unsigned char *output )
1287 {
1288 int c;
1289 size_t n;
1290
1291 AES_VALIDATE_RET( ctx != NULL );
1292 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1293 mode == MBEDTLS_AES_DECRYPT );
1294 AES_VALIDATE_RET( iv_off != NULL );
1295 AES_VALIDATE_RET( iv != NULL );
1296 AES_VALIDATE_RET( input != NULL );
1297 AES_VALIDATE_RET( output != NULL );
1298
1299 n = *iv_off;
1300
1301 if( n > 15 )
1302 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1303
1304 if( mode == MBEDTLS_AES_DECRYPT )
1305 {
1306 while( length-- )
1307 {
1308 if( n == 0 )
1309 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1310
1311 c = *input++;
1312 *output++ = (unsigned char)( c ^ iv[n] );
1313 iv[n] = (unsigned char) c;
1314
1315 n = ( n + 1 ) & 0x0F;
1316 }
1317 }
1318 else
1319 {
1320 while( length-- )
1321 {
1322 if( n == 0 )
1323 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1324
1325 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1326
1327 n = ( n + 1 ) & 0x0F;
1328 }
1329 }
1330
1331 *iv_off = n;
1332
1333 return( 0 );
1334 }
1335
1336 /*
1337 * AES-CFB8 buffer encryption/decryption
1338 */
mbedtls_aes_crypt_cfb8(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1339 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
1340 int mode,
1341 size_t length,
1342 unsigned char iv[16],
1343 const unsigned char *input,
1344 unsigned char *output )
1345 {
1346 unsigned char c;
1347 unsigned char ov[17];
1348
1349 AES_VALIDATE_RET( ctx != NULL );
1350 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT ||
1351 mode == MBEDTLS_AES_DECRYPT );
1352 AES_VALIDATE_RET( iv != NULL );
1353 AES_VALIDATE_RET( input != NULL );
1354 AES_VALIDATE_RET( output != NULL );
1355 while( length-- )
1356 {
1357 memcpy( ov, iv, 16 );
1358 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1359
1360 if( mode == MBEDTLS_AES_DECRYPT )
1361 ov[16] = *input;
1362
1363 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1364
1365 if( mode == MBEDTLS_AES_ENCRYPT )
1366 ov[16] = c;
1367
1368 memcpy( iv, ov + 1, 16 );
1369 }
1370
1371 return( 0 );
1372 }
1373 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1374
1375 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1376 /*
1377 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1378 */
mbedtls_aes_crypt_ofb(mbedtls_aes_context * ctx,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1379 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
1380 size_t length,
1381 size_t *iv_off,
1382 unsigned char iv[16],
1383 const unsigned char *input,
1384 unsigned char *output )
1385 {
1386 int ret = 0;
1387 size_t n;
1388
1389 AES_VALIDATE_RET( ctx != NULL );
1390 AES_VALIDATE_RET( iv_off != NULL );
1391 AES_VALIDATE_RET( iv != NULL );
1392 AES_VALIDATE_RET( input != NULL );
1393 AES_VALIDATE_RET( output != NULL );
1394
1395 n = *iv_off;
1396
1397 if( n > 15 )
1398 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1399
1400 while( length-- )
1401 {
1402 if( n == 0 )
1403 {
1404 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1405 if( ret != 0 )
1406 goto exit;
1407 }
1408 *output++ = *input++ ^ iv[n];
1409
1410 n = ( n + 1 ) & 0x0F;
1411 }
1412
1413 *iv_off = n;
1414
1415 exit:
1416 return( ret );
1417 }
1418 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1419
1420 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1421 /*
1422 * AES-CTR buffer encryption/decryption
1423 */
mbedtls_aes_crypt_ctr(mbedtls_aes_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)1424 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1425 size_t length,
1426 size_t *nc_off,
1427 unsigned char nonce_counter[16],
1428 unsigned char stream_block[16],
1429 const unsigned char *input,
1430 unsigned char *output )
1431 {
1432 int c, i;
1433 size_t n;
1434
1435 AES_VALIDATE_RET( ctx != NULL );
1436 AES_VALIDATE_RET( nc_off != NULL );
1437 AES_VALIDATE_RET( nonce_counter != NULL );
1438 AES_VALIDATE_RET( stream_block != NULL );
1439 AES_VALIDATE_RET( input != NULL );
1440 AES_VALIDATE_RET( output != NULL );
1441
1442 n = *nc_off;
1443
1444 if ( n > 0x0F )
1445 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1446
1447 while( length-- )
1448 {
1449 if( n == 0 ) {
1450 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1451
1452 for( i = 16; i > 0; i-- )
1453 if( ++nonce_counter[i - 1] != 0 )
1454 break;
1455 }
1456 c = *input++;
1457 *output++ = (unsigned char)( c ^ stream_block[n] );
1458
1459 n = ( n + 1 ) & 0x0F;
1460 }
1461
1462 *nc_off = n;
1463
1464 return( 0 );
1465 }
1466 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1467
1468 #endif /* !MBEDTLS_AES_ALT */
1469
1470 #if defined(MBEDTLS_SELF_TEST)
1471 /*
1472 * AES test vectors from:
1473 *
1474 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1475 */
1476 static const unsigned char aes_test_ecb_dec[3][16] =
1477 {
1478 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1479 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1480 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1481 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1482 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1483 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1484 };
1485
1486 static const unsigned char aes_test_ecb_enc[3][16] =
1487 {
1488 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1489 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1490 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1491 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1492 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1493 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1494 };
1495
1496 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1497 static const unsigned char aes_test_cbc_dec[3][16] =
1498 {
1499 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1500 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1501 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1502 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1503 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1504 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1505 };
1506
1507 static const unsigned char aes_test_cbc_enc[3][16] =
1508 {
1509 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1510 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1511 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1512 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1513 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1514 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1515 };
1516 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1517
1518 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1519 /*
1520 * AES-CFB128 test vectors from:
1521 *
1522 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1523 */
1524 static const unsigned char aes_test_cfb128_key[3][32] =
1525 {
1526 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1527 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1528 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1529 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1530 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1531 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1532 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1533 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1534 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1535 };
1536
1537 static const unsigned char aes_test_cfb128_iv[16] =
1538 {
1539 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1540 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1541 };
1542
1543 static const unsigned char aes_test_cfb128_pt[64] =
1544 {
1545 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1546 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1547 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1548 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1549 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1550 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1551 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1552 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1553 };
1554
1555 static const unsigned char aes_test_cfb128_ct[3][64] =
1556 {
1557 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1558 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1559 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1560 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1561 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1562 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1563 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1564 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1565 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1566 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1567 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1568 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1569 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1570 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1571 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1572 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1573 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1574 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1575 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1576 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1577 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1578 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1579 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1580 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1581 };
1582 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1583
1584 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1585 /*
1586 * AES-OFB test vectors from:
1587 *
1588 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1589 */
1590 static const unsigned char aes_test_ofb_key[3][32] =
1591 {
1592 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1593 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1594 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1595 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1596 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1597 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1598 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1599 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1600 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1601 };
1602
1603 static const unsigned char aes_test_ofb_iv[16] =
1604 {
1605 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1606 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1607 };
1608
1609 static const unsigned char aes_test_ofb_pt[64] =
1610 {
1611 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1612 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1613 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1614 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1615 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1616 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1617 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1618 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1619 };
1620
1621 static const unsigned char aes_test_ofb_ct[3][64] =
1622 {
1623 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1624 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1625 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1626 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1627 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1628 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1629 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1630 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1631 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1632 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1633 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1634 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1635 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1636 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1637 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1638 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1639 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1640 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1641 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1642 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1643 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1644 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1645 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1646 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1647 };
1648 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1649
1650 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1651 /*
1652 * AES-CTR test vectors from:
1653 *
1654 * http://www.faqs.org/rfcs/rfc3686.html
1655 */
1656
1657 static const unsigned char aes_test_ctr_key[3][16] =
1658 {
1659 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1660 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1661 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1662 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1663 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1664 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1665 };
1666
1667 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1668 {
1669 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1670 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1671 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1672 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1673 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1674 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1675 };
1676
1677 static const unsigned char aes_test_ctr_pt[3][48] =
1678 {
1679 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1680 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1681
1682 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1683 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1684 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1685 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1686
1687 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1688 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1689 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1690 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1691 0x20, 0x21, 0x22, 0x23 }
1692 };
1693
1694 static const unsigned char aes_test_ctr_ct[3][48] =
1695 {
1696 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1697 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1698 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1699 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1700 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1701 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1702 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1703 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1704 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1705 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1706 0x25, 0xB2, 0x07, 0x2F }
1707 };
1708
1709 static const int aes_test_ctr_len[3] =
1710 { 16, 32, 36 };
1711 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1712
1713 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1714 /*
1715 * AES-XTS test vectors from:
1716 *
1717 * IEEE P1619/D16 Annex B
1718 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1719 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1720 */
1721 static const unsigned char aes_test_xts_key[][32] =
1722 {
1723 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1724 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1725 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1726 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1727 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1728 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1729 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1730 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1731 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1732 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1733 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1734 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1735 };
1736
1737 static const unsigned char aes_test_xts_pt32[][32] =
1738 {
1739 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1740 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1743 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1744 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1745 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1746 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1747 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1748 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1749 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1750 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1751 };
1752
1753 static const unsigned char aes_test_xts_ct32[][32] =
1754 {
1755 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1756 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1757 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1758 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1759 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1760 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1761 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1762 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1763 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1764 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1765 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1766 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1767 };
1768
1769 static const unsigned char aes_test_xts_data_unit[][16] =
1770 {
1771 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1773 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1775 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1777 };
1778
1779 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1780
1781 /*
1782 * Checkup routine
1783 */
mbedtls_aes_self_test(int verbose)1784 int mbedtls_aes_self_test( int verbose )
1785 {
1786 int ret = 0, i, j, u, mode;
1787 unsigned int keybits;
1788 unsigned char key[32];
1789 unsigned char buf[64];
1790 const unsigned char *aes_tests;
1791 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
1792 unsigned char iv[16];
1793 #endif
1794 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1795 unsigned char prv[16];
1796 #endif
1797 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1798 defined(MBEDTLS_CIPHER_MODE_OFB)
1799 size_t offset;
1800 #endif
1801 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1802 int len;
1803 #endif
1804 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1805 unsigned char nonce_counter[16];
1806 unsigned char stream_block[16];
1807 #endif
1808 mbedtls_aes_context ctx;
1809
1810 memset( key, 0, 32 );
1811 mbedtls_aes_init( &ctx );
1812
1813 /*
1814 * ECB mode
1815 */
1816 for( i = 0; i < 6; i++ )
1817 {
1818 u = i >> 1;
1819 keybits = 128 + u * 64;
1820 mode = i & 1;
1821
1822 if( verbose != 0 )
1823 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
1824 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1825
1826 memset( buf, 0, 16 );
1827
1828 if( mode == MBEDTLS_AES_DECRYPT )
1829 {
1830 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1831 aes_tests = aes_test_ecb_dec[u];
1832 }
1833 else
1834 {
1835 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1836 aes_tests = aes_test_ecb_enc[u];
1837 }
1838
1839 /*
1840 * AES-192 is an optional feature that may be unavailable when
1841 * there is an alternative underlying implementation i.e. when
1842 * MBEDTLS_AES_ALT is defined.
1843 */
1844 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1845 {
1846 mbedtls_printf( "skipped\n" );
1847 continue;
1848 }
1849 else if( ret != 0 )
1850 {
1851 goto exit;
1852 }
1853
1854 for( j = 0; j < 10000; j++ )
1855 {
1856 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1857 if( ret != 0 )
1858 goto exit;
1859 }
1860
1861 if( memcmp( buf, aes_tests, 16 ) != 0 )
1862 {
1863 ret = 1;
1864 goto exit;
1865 }
1866
1867 if( verbose != 0 )
1868 mbedtls_printf( "passed\n" );
1869 }
1870
1871 if( verbose != 0 )
1872 mbedtls_printf( "\n" );
1873
1874 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1875 /*
1876 * CBC mode
1877 */
1878 for( i = 0; i < 6; i++ )
1879 {
1880 u = i >> 1;
1881 keybits = 128 + u * 64;
1882 mode = i & 1;
1883
1884 if( verbose != 0 )
1885 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
1886 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1887
1888 memset( iv , 0, 16 );
1889 memset( prv, 0, 16 );
1890 memset( buf, 0, 16 );
1891
1892 if( mode == MBEDTLS_AES_DECRYPT )
1893 {
1894 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1895 aes_tests = aes_test_cbc_dec[u];
1896 }
1897 else
1898 {
1899 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1900 aes_tests = aes_test_cbc_enc[u];
1901 }
1902
1903 /*
1904 * AES-192 is an optional feature that may be unavailable when
1905 * there is an alternative underlying implementation i.e. when
1906 * MBEDTLS_AES_ALT is defined.
1907 */
1908 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1909 {
1910 mbedtls_printf( "skipped\n" );
1911 continue;
1912 }
1913 else if( ret != 0 )
1914 {
1915 goto exit;
1916 }
1917
1918 for( j = 0; j < 10000; j++ )
1919 {
1920 if( mode == MBEDTLS_AES_ENCRYPT )
1921 {
1922 unsigned char tmp[16];
1923
1924 memcpy( tmp, prv, 16 );
1925 memcpy( prv, buf, 16 );
1926 memcpy( buf, tmp, 16 );
1927 }
1928
1929 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1930 if( ret != 0 )
1931 goto exit;
1932
1933 }
1934
1935 if( memcmp( buf, aes_tests, 16 ) != 0 )
1936 {
1937 ret = 1;
1938 goto exit;
1939 }
1940
1941 if( verbose != 0 )
1942 mbedtls_printf( "passed\n" );
1943 }
1944
1945 if( verbose != 0 )
1946 mbedtls_printf( "\n" );
1947 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1948
1949 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1950 /*
1951 * CFB128 mode
1952 */
1953 for( i = 0; i < 6; i++ )
1954 {
1955 u = i >> 1;
1956 keybits = 128 + u * 64;
1957 mode = i & 1;
1958
1959 if( verbose != 0 )
1960 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
1961 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1962
1963 memcpy( iv, aes_test_cfb128_iv, 16 );
1964 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
1965
1966 offset = 0;
1967 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1968 /*
1969 * AES-192 is an optional feature that may be unavailable when
1970 * there is an alternative underlying implementation i.e. when
1971 * MBEDTLS_AES_ALT is defined.
1972 */
1973 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1974 {
1975 mbedtls_printf( "skipped\n" );
1976 continue;
1977 }
1978 else if( ret != 0 )
1979 {
1980 goto exit;
1981 }
1982
1983 if( mode == MBEDTLS_AES_DECRYPT )
1984 {
1985 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1986 aes_tests = aes_test_cfb128_pt;
1987 }
1988 else
1989 {
1990 memcpy( buf, aes_test_cfb128_pt, 64 );
1991 aes_tests = aes_test_cfb128_ct[u];
1992 }
1993
1994 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1995 if( ret != 0 )
1996 goto exit;
1997
1998 if( memcmp( buf, aes_tests, 64 ) != 0 )
1999 {
2000 ret = 1;
2001 goto exit;
2002 }
2003
2004 if( verbose != 0 )
2005 mbedtls_printf( "passed\n" );
2006 }
2007
2008 if( verbose != 0 )
2009 mbedtls_printf( "\n" );
2010 #endif /* MBEDTLS_CIPHER_MODE_CFB */
2011
2012 #if defined(MBEDTLS_CIPHER_MODE_OFB)
2013 /*
2014 * OFB mode
2015 */
2016 for( i = 0; i < 6; i++ )
2017 {
2018 u = i >> 1;
2019 keybits = 128 + u * 64;
2020 mode = i & 1;
2021
2022 if( verbose != 0 )
2023 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
2024 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2025
2026 memcpy( iv, aes_test_ofb_iv, 16 );
2027 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
2028
2029 offset = 0;
2030 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
2031 /*
2032 * AES-192 is an optional feature that may be unavailable when
2033 * there is an alternative underlying implementation i.e. when
2034 * MBEDTLS_AES_ALT is defined.
2035 */
2036 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
2037 {
2038 mbedtls_printf( "skipped\n" );
2039 continue;
2040 }
2041 else if( ret != 0 )
2042 {
2043 goto exit;
2044 }
2045
2046 if( mode == MBEDTLS_AES_DECRYPT )
2047 {
2048 memcpy( buf, aes_test_ofb_ct[u], 64 );
2049 aes_tests = aes_test_ofb_pt;
2050 }
2051 else
2052 {
2053 memcpy( buf, aes_test_ofb_pt, 64 );
2054 aes_tests = aes_test_ofb_ct[u];
2055 }
2056
2057 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
2058 if( ret != 0 )
2059 goto exit;
2060
2061 if( memcmp( buf, aes_tests, 64 ) != 0 )
2062 {
2063 ret = 1;
2064 goto exit;
2065 }
2066
2067 if( verbose != 0 )
2068 mbedtls_printf( "passed\n" );
2069 }
2070
2071 if( verbose != 0 )
2072 mbedtls_printf( "\n" );
2073 #endif /* MBEDTLS_CIPHER_MODE_OFB */
2074
2075 #if defined(MBEDTLS_CIPHER_MODE_CTR)
2076 /*
2077 * CTR mode
2078 */
2079 for( i = 0; i < 6; i++ )
2080 {
2081 u = i >> 1;
2082 mode = i & 1;
2083
2084 if( verbose != 0 )
2085 mbedtls_printf( " AES-CTR-128 (%s): ",
2086 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2087
2088 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
2089 memcpy( key, aes_test_ctr_key[u], 16 );
2090
2091 offset = 0;
2092 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
2093 goto exit;
2094
2095 len = aes_test_ctr_len[u];
2096
2097 if( mode == MBEDTLS_AES_DECRYPT )
2098 {
2099 memcpy( buf, aes_test_ctr_ct[u], len );
2100 aes_tests = aes_test_ctr_pt[u];
2101 }
2102 else
2103 {
2104 memcpy( buf, aes_test_ctr_pt[u], len );
2105 aes_tests = aes_test_ctr_ct[u];
2106 }
2107
2108 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2109 stream_block, buf, buf );
2110 if( ret != 0 )
2111 goto exit;
2112
2113 if( memcmp( buf, aes_tests, len ) != 0 )
2114 {
2115 ret = 1;
2116 goto exit;
2117 }
2118
2119 if( verbose != 0 )
2120 mbedtls_printf( "passed\n" );
2121 }
2122
2123 if( verbose != 0 )
2124 mbedtls_printf( "\n" );
2125 #endif /* MBEDTLS_CIPHER_MODE_CTR */
2126
2127 #if defined(MBEDTLS_CIPHER_MODE_XTS)
2128 {
2129 static const int num_tests =
2130 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2131 mbedtls_aes_xts_context ctx_xts;
2132
2133 /*
2134 * XTS mode
2135 */
2136 mbedtls_aes_xts_init( &ctx_xts );
2137
2138 for( i = 0; i < num_tests << 1; i++ )
2139 {
2140 const unsigned char *data_unit;
2141 u = i >> 1;
2142 mode = i & 1;
2143
2144 if( verbose != 0 )
2145 mbedtls_printf( " AES-XTS-128 (%s): ",
2146 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2147
2148 memset( key, 0, sizeof( key ) );
2149 memcpy( key, aes_test_xts_key[u], 32 );
2150 data_unit = aes_test_xts_data_unit[u];
2151
2152 len = sizeof( *aes_test_xts_ct32 );
2153
2154 if( mode == MBEDTLS_AES_DECRYPT )
2155 {
2156 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2157 if( ret != 0)
2158 goto exit;
2159 memcpy( buf, aes_test_xts_ct32[u], len );
2160 aes_tests = aes_test_xts_pt32[u];
2161 }
2162 else
2163 {
2164 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2165 if( ret != 0)
2166 goto exit;
2167 memcpy( buf, aes_test_xts_pt32[u], len );
2168 aes_tests = aes_test_xts_ct32[u];
2169 }
2170
2171
2172 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2173 buf, buf );
2174 if( ret != 0 )
2175 goto exit;
2176
2177 if( memcmp( buf, aes_tests, len ) != 0 )
2178 {
2179 ret = 1;
2180 goto exit;
2181 }
2182
2183 if( verbose != 0 )
2184 mbedtls_printf( "passed\n" );
2185 }
2186
2187 if( verbose != 0 )
2188 mbedtls_printf( "\n" );
2189
2190 mbedtls_aes_xts_free( &ctx_xts );
2191 }
2192 #endif /* MBEDTLS_CIPHER_MODE_XTS */
2193
2194 ret = 0;
2195
2196 exit:
2197 if( ret != 0 && verbose != 0 )
2198 mbedtls_printf( "failed\n" );
2199
2200 mbedtls_aes_free( &ctx );
2201
2202 return( ret );
2203 }
2204
2205 #endif /* MBEDTLS_SELF_TEST */
2206
2207 #endif /* MBEDTLS_AES_C */
2208