1 /* 2 * FIPS-197 compliant AES implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 */ 46 /* 47 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 48 * 49 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 50 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 51 */ 52 53 #if !defined(MBEDTLS_CONFIG_FILE) 54 #include "mbedtls/config.h" 55 #else 56 #include MBEDTLS_CONFIG_FILE 57 #endif 58 59 #if defined(MBEDTLS_AES_C) 60 61 #include <string.h> 62 63 #include "mbedtls/aes.h" 64 #include "mbedtls/platform.h" 65 #include "mbedtls/platform_util.h" 66 #if defined(MBEDTLS_PADLOCK_C) 67 #include "mbedtls/padlock.h" 68 #endif 69 #if defined(MBEDTLS_AESNI_C) 70 #include "mbedtls/aesni.h" 71 #endif 72 73 #if defined(MBEDTLS_SELF_TEST) 74 #if defined(MBEDTLS_PLATFORM_C) 75 #include "mbedtls/platform.h" 76 #else 77 #include <stdio.h> 78 #define mbedtls_printf printf 79 #endif /* MBEDTLS_PLATFORM_C */ 80 #endif /* MBEDTLS_SELF_TEST */ 81 82 #if !defined(MBEDTLS_AES_ALT) 83 84 /* Parameter validation macros based on platform_util.h */ 85 #define AES_VALIDATE_RET( cond ) \ 86 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) 87 #define AES_VALIDATE( cond ) \ 88 MBEDTLS_INTERNAL_VALIDATE( cond ) 89 90 /* 91 * 32-bit integer manipulation macros (little endian) 92 */ 93 #ifndef GET_UINT32_LE 94 #define GET_UINT32_LE(n,b,i) \ 95 { \ 96 (n) = ( (uint32_t) (b)[(i) ] ) \ 97 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 98 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 99 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 100 } 101 #endif 102 103 #ifndef PUT_UINT32_LE 104 #define PUT_UINT32_LE(n,b,i) \ 105 { \ 106 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 107 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 108 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 109 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 110 } 111 #endif 112 113 #if defined(MBEDTLS_PADLOCK_C) && \ 114 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) ) 115 static int aes_padlock_ace = -1; 116 #endif 117 118 #if defined(MBEDTLS_AES_ROM_TABLES) 119 /* 120 * Forward S-box 121 */ 122 static const unsigned char FSb[256] = 123 { 124 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 125 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 126 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 127 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 128 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 129 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 130 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 131 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 132 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 133 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 134 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 135 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 136 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 137 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 138 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 139 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 140 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 141 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 142 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 143 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 144 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 145 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 146 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 147 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 148 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 149 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 150 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 151 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 152 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 153 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 154 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 155 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 156 }; 157 158 /* 159 * Forward tables 160 */ 161 #define FT \ 162 \ 163 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \ 164 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \ 165 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \ 166 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \ 167 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \ 168 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \ 169 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \ 170 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \ 171 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \ 172 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \ 173 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \ 174 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \ 175 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \ 176 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \ 177 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \ 178 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \ 179 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \ 180 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \ 181 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \ 182 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \ 183 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \ 184 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \ 185 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \ 186 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \ 187 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \ 188 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \ 189 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \ 190 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \ 191 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \ 192 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \ 193 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \ 194 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \ 195 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \ 196 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \ 197 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \ 198 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \ 199 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \ 200 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \ 201 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \ 202 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \ 203 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \ 204 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \ 205 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \ 206 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \ 207 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \ 208 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \ 209 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \ 210 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \ 211 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \ 212 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \ 213 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \ 214 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \ 215 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \ 216 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \ 217 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \ 218 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \ 219 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \ 220 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \ 221 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \ 222 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \ 223 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \ 224 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \ 225 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \ 226 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C) 227 228 #define V(a,b,c,d) 0x##a##b##c##d 229 static const uint32_t FT0[256] = { FT }; 230 #undef V 231 232 #if !defined(MBEDTLS_AES_FEWER_TABLES) 233 234 #define V(a,b,c,d) 0x##b##c##d##a 235 static const uint32_t FT1[256] = { FT }; 236 #undef V 237 238 #define V(a,b,c,d) 0x##c##d##a##b 239 static const uint32_t FT2[256] = { FT }; 240 #undef V 241 242 #define V(a,b,c,d) 0x##d##a##b##c 243 static const uint32_t FT3[256] = { FT }; 244 #undef V 245 246 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 247 248 #undef FT 249 250 /* 251 * Reverse S-box 252 */ 253 static const unsigned char RSb[256] = 254 { 255 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 256 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 257 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 258 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 259 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 260 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 261 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 262 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 263 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 264 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 265 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 266 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 267 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 268 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 269 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 270 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 271 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 272 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 273 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 274 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 275 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 276 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 277 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 278 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 279 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 280 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 281 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 282 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 283 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 284 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 285 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 286 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 287 }; 288 289 /* 290 * Reverse tables 291 */ 292 #define RT \ 293 \ 294 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \ 295 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \ 296 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \ 297 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \ 298 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \ 299 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \ 300 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \ 301 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \ 302 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \ 303 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \ 304 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \ 305 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \ 306 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \ 307 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \ 308 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \ 309 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \ 310 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \ 311 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \ 312 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \ 313 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \ 314 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \ 315 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \ 316 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \ 317 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \ 318 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \ 319 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \ 320 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \ 321 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \ 322 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \ 323 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \ 324 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \ 325 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \ 326 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \ 327 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \ 328 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \ 329 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \ 330 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \ 331 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \ 332 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \ 333 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \ 334 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \ 335 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \ 336 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \ 337 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \ 338 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \ 339 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \ 340 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \ 341 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \ 342 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \ 343 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \ 344 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \ 345 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \ 346 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \ 347 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \ 348 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \ 349 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \ 350 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \ 351 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \ 352 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \ 353 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \ 354 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \ 355 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \ 356 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \ 357 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0) 358 359 #define V(a,b,c,d) 0x##a##b##c##d 360 static const uint32_t RT0[256] = { RT }; 361 #undef V 362 363 #if !defined(MBEDTLS_AES_FEWER_TABLES) 364 365 #define V(a,b,c,d) 0x##b##c##d##a 366 static const uint32_t RT1[256] = { RT }; 367 #undef V 368 369 #define V(a,b,c,d) 0x##c##d##a##b 370 static const uint32_t RT2[256] = { RT }; 371 #undef V 372 373 #define V(a,b,c,d) 0x##d##a##b##c 374 static const uint32_t RT3[256] = { RT }; 375 #undef V 376 377 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 378 379 #undef RT 380 381 /* 382 * Round constants 383 */ 384 static const uint32_t RCON[10] = 385 { 386 0x00000001, 0x00000002, 0x00000004, 0x00000008, 387 0x00000010, 0x00000020, 0x00000040, 0x00000080, 388 0x0000001B, 0x00000036 389 }; 390 391 #else /* MBEDTLS_AES_ROM_TABLES */ 392 393 /* 394 * Forward S-box & tables 395 */ 396 static unsigned char FSb[256]; 397 static uint32_t FT0[256]; 398 #if !defined(MBEDTLS_AES_FEWER_TABLES) 399 static uint32_t FT1[256]; 400 static uint32_t FT2[256]; 401 static uint32_t FT3[256]; 402 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 403 404 /* 405 * Reverse S-box & tables 406 */ 407 static unsigned char RSb[256]; 408 static uint32_t RT0[256]; 409 #if !defined(MBEDTLS_AES_FEWER_TABLES) 410 static uint32_t RT1[256]; 411 static uint32_t RT2[256]; 412 static uint32_t RT3[256]; 413 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 414 415 /* 416 * Round constants 417 */ 418 static uint32_t RCON[10]; 419 420 /* 421 * Tables generation code 422 */ 423 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 ) 424 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) ) 425 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 ) 426 427 static int aes_init_done = 0; 428 429 static void aes_gen_tables( void ) 430 { 431 int i, x, y, z; 432 int pow[256]; 433 int log[256]; 434 435 /* 436 * compute pow and log tables over GF(2^8) 437 */ 438 for( i = 0, x = 1; i < 256; i++ ) 439 { 440 pow[i] = x; 441 log[x] = i; 442 x = ( x ^ XTIME( x ) ) & 0xFF; 443 } 444 445 /* 446 * calculate the round constants 447 */ 448 for( i = 0, x = 1; i < 10; i++ ) 449 { 450 RCON[i] = (uint32_t) x; 451 x = XTIME( x ) & 0xFF; 452 } 453 454 /* 455 * generate the forward and reverse S-boxes 456 */ 457 FSb[0x00] = 0x63; 458 RSb[0x63] = 0x00; 459 460 for( i = 1; i < 256; i++ ) 461 { 462 x = pow[255 - log[i]]; 463 464 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 465 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 466 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 467 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 468 x ^= y ^ 0x63; 469 470 FSb[i] = (unsigned char) x; 471 RSb[x] = (unsigned char) i; 472 } 473 474 /* 475 * generate the forward and reverse tables 476 */ 477 for( i = 0; i < 256; i++ ) 478 { 479 x = FSb[i]; 480 y = XTIME( x ) & 0xFF; 481 z = ( y ^ x ) & 0xFF; 482 483 FT0[i] = ( (uint32_t) y ) ^ 484 ( (uint32_t) x << 8 ) ^ 485 ( (uint32_t) x << 16 ) ^ 486 ( (uint32_t) z << 24 ); 487 488 #if !defined(MBEDTLS_AES_FEWER_TABLES) 489 FT1[i] = ROTL8( FT0[i] ); 490 FT2[i] = ROTL8( FT1[i] ); 491 FT3[i] = ROTL8( FT2[i] ); 492 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 493 494 x = RSb[i]; 495 496 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^ 497 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^ 498 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ 499 ( (uint32_t) MUL( 0x0B, x ) << 24 ); 500 501 #if !defined(MBEDTLS_AES_FEWER_TABLES) 502 RT1[i] = ROTL8( RT0[i] ); 503 RT2[i] = ROTL8( RT1[i] ); 504 RT3[i] = ROTL8( RT2[i] ); 505 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 506 } 507 } 508 509 #undef ROTL8 510 511 #endif /* MBEDTLS_AES_ROM_TABLES */ 512 513 #if defined(MBEDTLS_AES_FEWER_TABLES) 514 515 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) 516 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) 517 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) ) 518 519 #define AES_RT0(idx) RT0[idx] 520 #define AES_RT1(idx) ROTL8( RT0[idx] ) 521 #define AES_RT2(idx) ROTL16( RT0[idx] ) 522 #define AES_RT3(idx) ROTL24( RT0[idx] ) 523 524 #define AES_FT0(idx) FT0[idx] 525 #define AES_FT1(idx) ROTL8( FT0[idx] ) 526 #define AES_FT2(idx) ROTL16( FT0[idx] ) 527 #define AES_FT3(idx) ROTL24( FT0[idx] ) 528 529 #else /* MBEDTLS_AES_FEWER_TABLES */ 530 531 #define AES_RT0(idx) RT0[idx] 532 #define AES_RT1(idx) RT1[idx] 533 #define AES_RT2(idx) RT2[idx] 534 #define AES_RT3(idx) RT3[idx] 535 536 #define AES_FT0(idx) FT0[idx] 537 #define AES_FT1(idx) FT1[idx] 538 #define AES_FT2(idx) FT2[idx] 539 #define AES_FT3(idx) FT3[idx] 540 541 #endif /* MBEDTLS_AES_FEWER_TABLES */ 542 543 void mbedtls_aes_init( mbedtls_aes_context *ctx ) 544 { 545 AES_VALIDATE( ctx != NULL ); 546 547 memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 548 } 549 550 void mbedtls_aes_free( mbedtls_aes_context *ctx ) 551 { 552 if( ctx == NULL ) 553 return; 554 555 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 556 } 557 558 #if defined(MBEDTLS_CIPHER_MODE_XTS) 559 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx ) 560 { 561 AES_VALIDATE( ctx != NULL ); 562 563 mbedtls_aes_init( &ctx->crypt ); 564 mbedtls_aes_init( &ctx->tweak ); 565 } 566 567 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx ) 568 { 569 if( ctx == NULL ) 570 return; 571 572 mbedtls_aes_free( &ctx->crypt ); 573 mbedtls_aes_free( &ctx->tweak ); 574 } 575 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 576 577 /* 578 * AES key schedule (encryption) 579 */ 580 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 581 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, 582 unsigned int keybits ) 583 { 584 unsigned int i; 585 uint32_t *RK; 586 587 AES_VALIDATE_RET( ctx != NULL ); 588 AES_VALIDATE_RET( key != NULL ); 589 590 switch( keybits ) 591 { 592 case 128: ctx->nr = 10; break; 593 case 192: ctx->nr = 12; break; 594 case 256: ctx->nr = 14; break; 595 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 596 } 597 598 #if !defined(MBEDTLS_AES_ROM_TABLES) 599 if( aes_init_done == 0 ) 600 { 601 aes_gen_tables(); 602 aes_init_done = 1; 603 } 604 #endif 605 606 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 607 if( aes_padlock_ace == -1 ) 608 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 609 610 if( aes_padlock_ace ) 611 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 612 else 613 #endif 614 ctx->rk = RK = ctx->buf; 615 616 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 617 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 618 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) ); 619 #endif 620 621 for( i = 0; i < ( keybits >> 5 ); i++ ) 622 { 623 GET_UINT32_LE( RK[i], key, i << 2 ); 624 } 625 626 switch( ctx->nr ) 627 { 628 case 10: 629 630 for( i = 0; i < 10; i++, RK += 4 ) 631 { 632 RK[4] = RK[0] ^ RCON[i] ^ 633 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^ 634 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^ 635 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^ 636 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 ); 637 638 RK[5] = RK[1] ^ RK[4]; 639 RK[6] = RK[2] ^ RK[5]; 640 RK[7] = RK[3] ^ RK[6]; 641 } 642 break; 643 644 case 12: 645 646 for( i = 0; i < 8; i++, RK += 6 ) 647 { 648 RK[6] = RK[0] ^ RCON[i] ^ 649 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^ 650 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^ 651 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^ 652 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 ); 653 654 RK[7] = RK[1] ^ RK[6]; 655 RK[8] = RK[2] ^ RK[7]; 656 RK[9] = RK[3] ^ RK[8]; 657 RK[10] = RK[4] ^ RK[9]; 658 RK[11] = RK[5] ^ RK[10]; 659 } 660 break; 661 662 case 14: 663 664 for( i = 0; i < 7; i++, RK += 8 ) 665 { 666 RK[8] = RK[0] ^ RCON[i] ^ 667 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^ 668 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^ 669 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^ 670 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 ); 671 672 RK[9] = RK[1] ^ RK[8]; 673 RK[10] = RK[2] ^ RK[9]; 674 RK[11] = RK[3] ^ RK[10]; 675 676 RK[12] = RK[4] ^ 677 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^ 678 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^ 679 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^ 680 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 ); 681 682 RK[13] = RK[5] ^ RK[12]; 683 RK[14] = RK[6] ^ RK[13]; 684 RK[15] = RK[7] ^ RK[14]; 685 } 686 break; 687 } 688 689 return( 0 ); 690 } 691 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 692 693 /* 694 * AES key schedule (decryption) 695 */ 696 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) 697 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, 698 unsigned int keybits ) 699 { 700 int i, j, ret; 701 mbedtls_aes_context cty; 702 uint32_t *RK; 703 uint32_t *SK; 704 705 AES_VALIDATE_RET( ctx != NULL ); 706 AES_VALIDATE_RET( key != NULL ); 707 708 mbedtls_aes_init( &cty ); 709 710 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 711 if( aes_padlock_ace == -1 ) 712 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 713 714 if( aes_padlock_ace ) 715 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 716 else 717 #endif 718 ctx->rk = RK = ctx->buf; 719 720 /* Also checks keybits */ 721 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 ) 722 goto exit; 723 724 ctx->nr = cty.nr; 725 726 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 727 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 728 { 729 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk, 730 (const unsigned char *) cty.rk, ctx->nr ); 731 goto exit; 732 } 733 #endif 734 735 SK = cty.rk + cty.nr * 4; 736 737 *RK++ = *SK++; 738 *RK++ = *SK++; 739 *RK++ = *SK++; 740 *RK++ = *SK++; 741 742 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 ) 743 { 744 for( j = 0; j < 4; j++, SK++ ) 745 { 746 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^ 747 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^ 748 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^ 749 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] ); 750 } 751 } 752 753 *RK++ = *SK++; 754 *RK++ = *SK++; 755 *RK++ = *SK++; 756 *RK++ = *SK++; 757 758 exit: 759 mbedtls_aes_free( &cty ); 760 761 return( ret ); 762 } 763 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ 764 765 #if defined(MBEDTLS_CIPHER_MODE_XTS) 766 static int mbedtls_aes_xts_decode_keys( const unsigned char *key, 767 unsigned int keybits, 768 const unsigned char **key1, 769 unsigned int *key1bits, 770 const unsigned char **key2, 771 unsigned int *key2bits ) 772 { 773 const unsigned int half_keybits = keybits / 2; 774 const unsigned int half_keybytes = half_keybits / 8; 775 776 switch( keybits ) 777 { 778 case 256: break; 779 case 512: break; 780 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 781 } 782 783 *key1bits = half_keybits; 784 *key2bits = half_keybits; 785 *key1 = &key[0]; 786 *key2 = &key[half_keybytes]; 787 788 return 0; 789 } 790 791 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx, 792 const unsigned char *key, 793 unsigned int keybits) 794 { 795 int ret; 796 const unsigned char *key1, *key2; 797 unsigned int key1bits, key2bits; 798 799 AES_VALIDATE_RET( ctx != NULL ); 800 AES_VALIDATE_RET( key != NULL ); 801 802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 803 &key2, &key2bits ); 804 if( ret != 0 ) 805 return( ret ); 806 807 /* Set the tweak key. Always set tweak key for the encryption mode. */ 808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 809 if( ret != 0 ) 810 return( ret ); 811 812 /* Set crypt key for encryption. */ 813 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits ); 814 } 815 816 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx, 817 const unsigned char *key, 818 unsigned int keybits) 819 { 820 int ret; 821 const unsigned char *key1, *key2; 822 unsigned int key1bits, key2bits; 823 824 AES_VALIDATE_RET( ctx != NULL ); 825 AES_VALIDATE_RET( key != NULL ); 826 827 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 828 &key2, &key2bits ); 829 if( ret != 0 ) 830 return( ret ); 831 832 /* Set the tweak key. Always set tweak key for encryption. */ 833 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 834 if( ret != 0 ) 835 return( ret ); 836 837 /* Set crypt key for decryption. */ 838 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits ); 839 } 840 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 841 842 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 843 do \ 844 { \ 845 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \ 846 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 847 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 848 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \ 849 \ 850 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \ 851 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 852 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 853 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \ 854 \ 855 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \ 856 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 857 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 858 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \ 859 \ 860 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \ 861 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 862 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 863 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \ 864 } while( 0 ) 865 866 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 867 do \ 868 { \ 869 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \ 870 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 871 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 872 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \ 873 \ 874 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \ 875 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 876 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 877 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \ 878 \ 879 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \ 880 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 881 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 882 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \ 883 \ 884 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \ 885 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 886 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 887 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \ 888 } while( 0 ) 889 890 /* 891 * AES-ECB block encryption 892 */ 893 #if !defined(MBEDTLS_AES_ENCRYPT_ALT) 894 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, 895 const unsigned char input[16], 896 unsigned char output[16] ) 897 { 898 int i; 899 uint32_t *RK = ctx->rk; 900 struct 901 { 902 uint32_t X[4]; 903 uint32_t Y[4]; 904 } t; 905 906 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++; 907 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++; 908 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++; 909 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++; 910 911 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 912 { 913 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] ); 914 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] ); 915 } 916 917 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] ); 918 919 t.X[0] = *RK++ ^ \ 920 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^ 921 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^ 922 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^ 923 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 ); 924 925 t.X[1] = *RK++ ^ \ 926 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^ 927 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^ 928 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^ 929 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 ); 930 931 t.X[2] = *RK++ ^ \ 932 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^ 933 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^ 934 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^ 935 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 ); 936 937 t.X[3] = *RK++ ^ \ 938 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^ 939 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^ 940 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^ 941 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 ); 942 943 PUT_UINT32_LE( t.X[0], output, 0 ); 944 PUT_UINT32_LE( t.X[1], output, 4 ); 945 PUT_UINT32_LE( t.X[2], output, 8 ); 946 PUT_UINT32_LE( t.X[3], output, 12 ); 947 948 mbedtls_platform_zeroize( &t, sizeof( t ) ); 949 950 return( 0 ); 951 } 952 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 953 954 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 955 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, 956 const unsigned char input[16], 957 unsigned char output[16] ) 958 { 959 mbedtls_internal_aes_encrypt( ctx, input, output ); 960 } 961 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 962 963 /* 964 * AES-ECB block decryption 965 */ 966 #if !defined(MBEDTLS_AES_DECRYPT_ALT) 967 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, 968 const unsigned char input[16], 969 unsigned char output[16] ) 970 { 971 int i; 972 uint32_t *RK = ctx->rk; 973 struct 974 { 975 uint32_t X[4]; 976 uint32_t Y[4]; 977 } t; 978 979 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++; 980 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++; 981 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++; 982 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++; 983 984 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 985 { 986 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] ); 987 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] ); 988 } 989 990 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] ); 991 992 t.X[0] = *RK++ ^ \ 993 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^ 994 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^ 995 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^ 996 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 ); 997 998 t.X[1] = *RK++ ^ \ 999 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^ 1000 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^ 1001 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^ 1002 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 ); 1003 1004 t.X[2] = *RK++ ^ \ 1005 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^ 1006 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^ 1007 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^ 1008 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 ); 1009 1010 t.X[3] = *RK++ ^ \ 1011 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^ 1012 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^ 1013 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^ 1014 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 ); 1015 1016 PUT_UINT32_LE( t.X[0], output, 0 ); 1017 PUT_UINT32_LE( t.X[1], output, 4 ); 1018 PUT_UINT32_LE( t.X[2], output, 8 ); 1019 PUT_UINT32_LE( t.X[3], output, 12 ); 1020 1021 mbedtls_platform_zeroize( &t, sizeof( t ) ); 1022 1023 return( 0 ); 1024 } 1025 #endif /* !MBEDTLS_AES_DECRYPT_ALT */ 1026 1027 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1028 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, 1029 const unsigned char input[16], 1030 unsigned char output[16] ) 1031 { 1032 mbedtls_internal_aes_decrypt( ctx, input, output ); 1033 } 1034 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1035 1036 /* 1037 * AES-ECB block encryption/decryption 1038 */ 1039 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, 1040 int mode, 1041 const unsigned char input[16], 1042 unsigned char output[16] ) 1043 { 1044 AES_VALIDATE_RET( ctx != NULL ); 1045 AES_VALIDATE_RET( input != NULL ); 1046 AES_VALIDATE_RET( output != NULL ); 1047 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1048 mode == MBEDTLS_AES_DECRYPT ); 1049 1050 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 1051 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 1052 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); 1053 #endif 1054 1055 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1056 if( aes_padlock_ace ) 1057 { 1058 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 ) 1059 return( 0 ); 1060 1061 // If padlock data misaligned, we just fall back to 1062 // unaccelerated mode 1063 // 1064 } 1065 #endif 1066 1067 if( mode == MBEDTLS_AES_ENCRYPT ) 1068 return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); 1069 else 1070 return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); 1071 } 1072 1073 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1074 /* 1075 * AES-CBC buffer encryption/decryption 1076 */ 1077 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, 1078 int mode, 1079 size_t length, 1080 unsigned char iv[16], 1081 const unsigned char *input, 1082 unsigned char *output ) 1083 { 1084 int i; 1085 unsigned char temp[16]; 1086 1087 AES_VALIDATE_RET( ctx != NULL ); 1088 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1089 mode == MBEDTLS_AES_DECRYPT ); 1090 AES_VALIDATE_RET( iv != NULL ); 1091 AES_VALIDATE_RET( input != NULL ); 1092 AES_VALIDATE_RET( output != NULL ); 1093 1094 if( length % 16 ) 1095 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); 1096 1097 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1098 if( aes_padlock_ace ) 1099 { 1100 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 ) 1101 return( 0 ); 1102 1103 // If padlock data misaligned, we just fall back to 1104 // unaccelerated mode 1105 // 1106 } 1107 #endif 1108 1109 if( mode == MBEDTLS_AES_DECRYPT ) 1110 { 1111 while( length > 0 ) 1112 { 1113 memcpy( temp, input, 16 ); 1114 mbedtls_aes_crypt_ecb( ctx, mode, input, output ); 1115 1116 for( i = 0; i < 16; i++ ) 1117 output[i] = (unsigned char)( output[i] ^ iv[i] ); 1118 1119 memcpy( iv, temp, 16 ); 1120 1121 input += 16; 1122 output += 16; 1123 length -= 16; 1124 } 1125 } 1126 else 1127 { 1128 while( length > 0 ) 1129 { 1130 for( i = 0; i < 16; i++ ) 1131 output[i] = (unsigned char)( input[i] ^ iv[i] ); 1132 1133 mbedtls_aes_crypt_ecb( ctx, mode, output, output ); 1134 memcpy( iv, output, 16 ); 1135 1136 input += 16; 1137 output += 16; 1138 length -= 16; 1139 } 1140 } 1141 1142 return( 0 ); 1143 } 1144 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1145 1146 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1147 1148 /* Endianess with 64 bits values */ 1149 #ifndef GET_UINT64_LE 1150 #define GET_UINT64_LE(n,b,i) \ 1151 { \ 1152 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \ 1153 | ( (uint64_t) (b)[(i) + 6] << 48 ) \ 1154 | ( (uint64_t) (b)[(i) + 5] << 40 ) \ 1155 | ( (uint64_t) (b)[(i) + 4] << 32 ) \ 1156 | ( (uint64_t) (b)[(i) + 3] << 24 ) \ 1157 | ( (uint64_t) (b)[(i) + 2] << 16 ) \ 1158 | ( (uint64_t) (b)[(i) + 1] << 8 ) \ 1159 | ( (uint64_t) (b)[(i) ] ); \ 1160 } 1161 #endif 1162 1163 #ifndef PUT_UINT64_LE 1164 #define PUT_UINT64_LE(n,b,i) \ 1165 { \ 1166 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \ 1167 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \ 1168 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \ 1169 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \ 1170 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \ 1171 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \ 1172 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \ 1173 (b)[(i) ] = (unsigned char) ( (n) ); \ 1174 } 1175 #endif 1176 1177 typedef unsigned char mbedtls_be128[16]; 1178 1179 /* 1180 * GF(2^128) multiplication function 1181 * 1182 * This function multiplies a field element by x in the polynomial field 1183 * representation. It uses 64-bit word operations to gain speed but compensates 1184 * for machine endianess and hence works correctly on both big and little 1185 * endian machines. 1186 */ 1187 static void mbedtls_gf128mul_x_ble( unsigned char r[16], 1188 const unsigned char x[16] ) 1189 { 1190 uint64_t a, b, ra, rb; 1191 1192 GET_UINT64_LE( a, x, 0 ); 1193 GET_UINT64_LE( b, x, 8 ); 1194 1195 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) ); 1196 rb = ( a >> 63 ) | ( b << 1 ); 1197 1198 PUT_UINT64_LE( ra, r, 0 ); 1199 PUT_UINT64_LE( rb, r, 8 ); 1200 } 1201 1202 /* 1203 * AES-XTS buffer encryption/decryption 1204 */ 1205 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, 1206 int mode, 1207 size_t length, 1208 const unsigned char data_unit[16], 1209 const unsigned char *input, 1210 unsigned char *output ) 1211 { 1212 int ret; 1213 size_t blocks = length / 16; 1214 size_t leftover = length % 16; 1215 unsigned char tweak[16]; 1216 unsigned char prev_tweak[16]; 1217 unsigned char tmp[16]; 1218 1219 AES_VALIDATE_RET( ctx != NULL ); 1220 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1221 mode == MBEDTLS_AES_DECRYPT ); 1222 AES_VALIDATE_RET( data_unit != NULL ); 1223 AES_VALIDATE_RET( input != NULL ); 1224 AES_VALIDATE_RET( output != NULL ); 1225 1226 /* Data units must be at least 16 bytes long. */ 1227 if( length < 16 ) 1228 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1229 1230 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ 1231 if( length > ( 1 << 20 ) * 16 ) 1232 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1233 1234 /* Compute the tweak. */ 1235 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, 1236 data_unit, tweak ); 1237 if( ret != 0 ) 1238 return( ret ); 1239 1240 while( blocks-- ) 1241 { 1242 size_t i; 1243 1244 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 ) 1245 { 1246 /* We are on the last block in a decrypt operation that has 1247 * leftover bytes, so we need to use the next tweak for this block, 1248 * and this tweak for the lefover bytes. Save the current tweak for 1249 * the leftovers and then update the current tweak for use on this, 1250 * the last full block. */ 1251 memcpy( prev_tweak, tweak, sizeof( tweak ) ); 1252 mbedtls_gf128mul_x_ble( tweak, tweak ); 1253 } 1254 1255 for( i = 0; i < 16; i++ ) 1256 tmp[i] = input[i] ^ tweak[i]; 1257 1258 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1259 if( ret != 0 ) 1260 return( ret ); 1261 1262 for( i = 0; i < 16; i++ ) 1263 output[i] = tmp[i] ^ tweak[i]; 1264 1265 /* Update the tweak for the next block. */ 1266 mbedtls_gf128mul_x_ble( tweak, tweak ); 1267 1268 output += 16; 1269 input += 16; 1270 } 1271 1272 if( leftover ) 1273 { 1274 /* If we are on the leftover bytes in a decrypt operation, we need to 1275 * use the previous tweak for these bytes (as saved in prev_tweak). */ 1276 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; 1277 1278 /* We are now on the final part of the data unit, which doesn't divide 1279 * evenly by 16. It's time for ciphertext stealing. */ 1280 size_t i; 1281 unsigned char *prev_output = output - 16; 1282 1283 /* Copy ciphertext bytes from the previous block to our output for each 1284 * byte of cyphertext we won't steal. At the same time, copy the 1285 * remainder of the input for this final round (since the loop bounds 1286 * are the same). */ 1287 for( i = 0; i < leftover; i++ ) 1288 { 1289 output[i] = prev_output[i]; 1290 tmp[i] = input[i] ^ t[i]; 1291 } 1292 1293 /* Copy ciphertext bytes from the previous block for input in this 1294 * round. */ 1295 for( ; i < 16; i++ ) 1296 tmp[i] = prev_output[i] ^ t[i]; 1297 1298 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1299 if( ret != 0 ) 1300 return ret; 1301 1302 /* Write the result back to the previous block, overriding the previous 1303 * output we copied. */ 1304 for( i = 0; i < 16; i++ ) 1305 prev_output[i] = tmp[i] ^ t[i]; 1306 } 1307 1308 return( 0 ); 1309 } 1310 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1311 1312 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1313 /* 1314 * AES-CFB128 buffer encryption/decryption 1315 */ 1316 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, 1317 int mode, 1318 size_t length, 1319 size_t *iv_off, 1320 unsigned char iv[16], 1321 const unsigned char *input, 1322 unsigned char *output ) 1323 { 1324 int c; 1325 size_t n; 1326 1327 AES_VALIDATE_RET( ctx != NULL ); 1328 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1329 mode == MBEDTLS_AES_DECRYPT ); 1330 AES_VALIDATE_RET( iv_off != NULL ); 1331 AES_VALIDATE_RET( iv != NULL ); 1332 AES_VALIDATE_RET( input != NULL ); 1333 AES_VALIDATE_RET( output != NULL ); 1334 1335 n = *iv_off; 1336 1337 if( n > 15 ) 1338 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1339 1340 if( mode == MBEDTLS_AES_DECRYPT ) 1341 { 1342 while( length-- ) 1343 { 1344 if( n == 0 ) 1345 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1346 1347 c = *input++; 1348 *output++ = (unsigned char)( c ^ iv[n] ); 1349 iv[n] = (unsigned char) c; 1350 1351 n = ( n + 1 ) & 0x0F; 1352 } 1353 } 1354 else 1355 { 1356 while( length-- ) 1357 { 1358 if( n == 0 ) 1359 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1360 1361 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 1362 1363 n = ( n + 1 ) & 0x0F; 1364 } 1365 } 1366 1367 *iv_off = n; 1368 1369 return( 0 ); 1370 } 1371 1372 /* 1373 * AES-CFB8 buffer encryption/decryption 1374 */ 1375 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, 1376 int mode, 1377 size_t length, 1378 unsigned char iv[16], 1379 const unsigned char *input, 1380 unsigned char *output ) 1381 { 1382 unsigned char c; 1383 unsigned char ov[17]; 1384 1385 AES_VALIDATE_RET( ctx != NULL ); 1386 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1387 mode == MBEDTLS_AES_DECRYPT ); 1388 AES_VALIDATE_RET( iv != NULL ); 1389 AES_VALIDATE_RET( input != NULL ); 1390 AES_VALIDATE_RET( output != NULL ); 1391 while( length-- ) 1392 { 1393 memcpy( ov, iv, 16 ); 1394 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1395 1396 if( mode == MBEDTLS_AES_DECRYPT ) 1397 ov[16] = *input; 1398 1399 c = *output++ = (unsigned char)( iv[0] ^ *input++ ); 1400 1401 if( mode == MBEDTLS_AES_ENCRYPT ) 1402 ov[16] = c; 1403 1404 memcpy( iv, ov + 1, 16 ); 1405 } 1406 1407 return( 0 ); 1408 } 1409 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1410 1411 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1412 /* 1413 * AES-OFB (Output Feedback Mode) buffer encryption/decryption 1414 */ 1415 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, 1416 size_t length, 1417 size_t *iv_off, 1418 unsigned char iv[16], 1419 const unsigned char *input, 1420 unsigned char *output ) 1421 { 1422 int ret = 0; 1423 size_t n; 1424 1425 AES_VALIDATE_RET( ctx != NULL ); 1426 AES_VALIDATE_RET( iv_off != NULL ); 1427 AES_VALIDATE_RET( iv != NULL ); 1428 AES_VALIDATE_RET( input != NULL ); 1429 AES_VALIDATE_RET( output != NULL ); 1430 1431 n = *iv_off; 1432 1433 if( n > 15 ) 1434 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1435 1436 while( length-- ) 1437 { 1438 if( n == 0 ) 1439 { 1440 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1441 if( ret != 0 ) 1442 goto exit; 1443 } 1444 *output++ = *input++ ^ iv[n]; 1445 1446 n = ( n + 1 ) & 0x0F; 1447 } 1448 1449 *iv_off = n; 1450 1451 exit: 1452 return( ret ); 1453 } 1454 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1455 1456 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1457 /* 1458 * AES-CTR buffer encryption/decryption 1459 */ 1460 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, 1461 size_t length, 1462 size_t *nc_off, 1463 unsigned char nonce_counter[16], 1464 unsigned char stream_block[16], 1465 const unsigned char *input, 1466 unsigned char *output ) 1467 { 1468 int c, i; 1469 size_t n; 1470 1471 AES_VALIDATE_RET( ctx != NULL ); 1472 AES_VALIDATE_RET( nc_off != NULL ); 1473 AES_VALIDATE_RET( nonce_counter != NULL ); 1474 AES_VALIDATE_RET( stream_block != NULL ); 1475 AES_VALIDATE_RET( input != NULL ); 1476 AES_VALIDATE_RET( output != NULL ); 1477 1478 n = *nc_off; 1479 1480 if ( n > 0x0F ) 1481 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1482 1483 while( length-- ) 1484 { 1485 if( n == 0 ) { 1486 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block ); 1487 1488 for( i = 16; i > 0; i-- ) 1489 if( ++nonce_counter[i - 1] != 0 ) 1490 break; 1491 } 1492 c = *input++; 1493 *output++ = (unsigned char)( c ^ stream_block[n] ); 1494 1495 n = ( n + 1 ) & 0x0F; 1496 } 1497 1498 *nc_off = n; 1499 1500 return( 0 ); 1501 } 1502 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1503 1504 #endif /* !MBEDTLS_AES_ALT */ 1505 1506 #if defined(MBEDTLS_SELF_TEST) 1507 /* 1508 * AES test vectors from: 1509 * 1510 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 1511 */ 1512 static const unsigned char aes_test_ecb_dec[3][16] = 1513 { 1514 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 1515 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 1516 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 1517 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 1518 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 1519 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 1520 }; 1521 1522 static const unsigned char aes_test_ecb_enc[3][16] = 1523 { 1524 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 1525 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 1526 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 1527 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 1528 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 1529 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 1530 }; 1531 1532 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1533 static const unsigned char aes_test_cbc_dec[3][16] = 1534 { 1535 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 1536 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, 1537 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 1538 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 1539 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 1540 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 1541 }; 1542 1543 static const unsigned char aes_test_cbc_enc[3][16] = 1544 { 1545 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 1546 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 1547 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 1548 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 1549 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 1550 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 1551 }; 1552 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1553 1554 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1555 /* 1556 * AES-CFB128 test vectors from: 1557 * 1558 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 1559 */ 1560 static const unsigned char aes_test_cfb128_key[3][32] = 1561 { 1562 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1563 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1564 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1565 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1566 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1567 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1568 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1569 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1570 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1571 }; 1572 1573 static const unsigned char aes_test_cfb128_iv[16] = 1574 { 1575 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1576 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1577 }; 1578 1579 static const unsigned char aes_test_cfb128_pt[64] = 1580 { 1581 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1582 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1583 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1584 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1585 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1586 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1587 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1588 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1589 }; 1590 1591 static const unsigned char aes_test_cfb128_ct[3][64] = 1592 { 1593 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1594 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1595 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, 1596 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 1597 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 1598 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 1599 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 1600 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 1601 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1602 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1603 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 1604 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 1605 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 1606 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 1607 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 1608 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 1609 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1610 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1611 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 1612 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 1613 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 1614 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 1615 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 1616 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 1617 }; 1618 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1619 1620 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1621 /* 1622 * AES-OFB test vectors from: 1623 * 1624 * https://csrc.nist.gov/publications/detail/sp/800-38a/final 1625 */ 1626 static const unsigned char aes_test_ofb_key[3][32] = 1627 { 1628 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1629 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1630 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1631 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1632 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1633 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1634 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1635 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1636 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1637 }; 1638 1639 static const unsigned char aes_test_ofb_iv[16] = 1640 { 1641 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1642 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1643 }; 1644 1645 static const unsigned char aes_test_ofb_pt[64] = 1646 { 1647 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1648 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1649 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1650 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1651 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1652 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1653 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1654 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1655 }; 1656 1657 static const unsigned char aes_test_ofb_ct[3][64] = 1658 { 1659 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1660 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1661 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 1662 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 1663 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 1664 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, 1665 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 1666 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, 1667 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1668 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1669 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 1670 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 1671 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 1672 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, 1673 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 1674 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, 1675 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1676 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1677 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 1678 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 1679 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 1680 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, 1681 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 1682 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } 1683 }; 1684 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1685 1686 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1687 /* 1688 * AES-CTR test vectors from: 1689 * 1690 * http://www.faqs.org/rfcs/rfc3686.html 1691 */ 1692 1693 static const unsigned char aes_test_ctr_key[3][16] = 1694 { 1695 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 1696 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 1697 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 1698 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 1699 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 1700 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 1701 }; 1702 1703 static const unsigned char aes_test_ctr_nonce_counter[3][16] = 1704 { 1705 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 1706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 1707 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 1708 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 1709 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 1710 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 1711 }; 1712 1713 static const unsigned char aes_test_ctr_pt[3][48] = 1714 { 1715 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 1716 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 1717 1718 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1719 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1720 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1721 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 1722 1723 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1724 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1725 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1726 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 1727 0x20, 0x21, 0x22, 0x23 } 1728 }; 1729 1730 static const unsigned char aes_test_ctr_ct[3][48] = 1731 { 1732 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 1733 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, 1734 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 1735 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 1736 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, 1737 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, 1738 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 1739 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, 1740 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, 1741 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 1742 0x25, 0xB2, 0x07, 0x2F } 1743 }; 1744 1745 static const int aes_test_ctr_len[3] = 1746 { 16, 32, 36 }; 1747 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1748 1749 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1750 /* 1751 * AES-XTS test vectors from: 1752 * 1753 * IEEE P1619/D16 Annex B 1754 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf 1755 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) 1756 */ 1757 static const unsigned char aes_test_xts_key[][32] = 1758 { 1759 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1760 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1763 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1764 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1765 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1766 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1767 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 1768 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, 1769 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1770 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1771 }; 1772 1773 static const unsigned char aes_test_xts_pt32[][32] = 1774 { 1775 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1779 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1780 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1781 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1782 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1783 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1784 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1785 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1786 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1787 }; 1788 1789 static const unsigned char aes_test_xts_ct32[][32] = 1790 { 1791 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, 1792 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, 1793 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, 1794 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, 1795 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, 1796 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, 1797 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, 1798 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, 1799 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, 1800 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, 1801 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, 1802 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, 1803 }; 1804 1805 static const unsigned char aes_test_xts_data_unit[][16] = 1806 { 1807 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1809 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1810 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1811 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1812 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1813 }; 1814 1815 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1816 1817 /* 1818 * Checkup routine 1819 */ 1820 int mbedtls_aes_self_test( int verbose ) 1821 { 1822 int ret = 0, i, j, u, mode; 1823 unsigned int keybits; 1824 unsigned char key[32]; 1825 unsigned char buf[64]; 1826 const unsigned char *aes_tests; 1827 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) 1828 unsigned char iv[16]; 1829 #endif 1830 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1831 unsigned char prv[16]; 1832 #endif 1833 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 1834 defined(MBEDTLS_CIPHER_MODE_OFB) 1835 size_t offset; 1836 #endif 1837 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) 1838 int len; 1839 #endif 1840 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1841 unsigned char nonce_counter[16]; 1842 unsigned char stream_block[16]; 1843 #endif 1844 mbedtls_aes_context ctx; 1845 1846 memset( key, 0, 32 ); 1847 mbedtls_aes_init( &ctx ); 1848 1849 /* 1850 * ECB mode 1851 */ 1852 for( i = 0; i < 6; i++ ) 1853 { 1854 u = i >> 1; 1855 keybits = 128 + u * 64; 1856 mode = i & 1; 1857 1858 if( verbose != 0 ) 1859 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits, 1860 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1861 1862 memset( buf, 0, 16 ); 1863 1864 if( mode == MBEDTLS_AES_DECRYPT ) 1865 { 1866 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1867 aes_tests = aes_test_ecb_dec[u]; 1868 } 1869 else 1870 { 1871 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1872 aes_tests = aes_test_ecb_enc[u]; 1873 } 1874 1875 /* 1876 * AES-192 is an optional feature that may be unavailable when 1877 * there is an alternative underlying implementation i.e. when 1878 * MBEDTLS_AES_ALT is defined. 1879 */ 1880 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1881 { 1882 mbedtls_printf( "skipped\n" ); 1883 continue; 1884 } 1885 else if( ret != 0 ) 1886 { 1887 goto exit; 1888 } 1889 1890 for( j = 0; j < 10000; j++ ) 1891 { 1892 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf ); 1893 if( ret != 0 ) 1894 goto exit; 1895 } 1896 1897 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1898 { 1899 ret = 1; 1900 goto exit; 1901 } 1902 1903 if( verbose != 0 ) 1904 mbedtls_printf( "passed\n" ); 1905 } 1906 1907 if( verbose != 0 ) 1908 mbedtls_printf( "\n" ); 1909 1910 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1911 /* 1912 * CBC mode 1913 */ 1914 for( i = 0; i < 6; i++ ) 1915 { 1916 u = i >> 1; 1917 keybits = 128 + u * 64; 1918 mode = i & 1; 1919 1920 if( verbose != 0 ) 1921 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits, 1922 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1923 1924 memset( iv , 0, 16 ); 1925 memset( prv, 0, 16 ); 1926 memset( buf, 0, 16 ); 1927 1928 if( mode == MBEDTLS_AES_DECRYPT ) 1929 { 1930 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1931 aes_tests = aes_test_cbc_dec[u]; 1932 } 1933 else 1934 { 1935 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1936 aes_tests = aes_test_cbc_enc[u]; 1937 } 1938 1939 /* 1940 * AES-192 is an optional feature that may be unavailable when 1941 * there is an alternative underlying implementation i.e. when 1942 * MBEDTLS_AES_ALT is defined. 1943 */ 1944 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1945 { 1946 mbedtls_printf( "skipped\n" ); 1947 continue; 1948 } 1949 else if( ret != 0 ) 1950 { 1951 goto exit; 1952 } 1953 1954 for( j = 0; j < 10000; j++ ) 1955 { 1956 if( mode == MBEDTLS_AES_ENCRYPT ) 1957 { 1958 unsigned char tmp[16]; 1959 1960 memcpy( tmp, prv, 16 ); 1961 memcpy( prv, buf, 16 ); 1962 memcpy( buf, tmp, 16 ); 1963 } 1964 1965 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf ); 1966 if( ret != 0 ) 1967 goto exit; 1968 1969 } 1970 1971 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1972 { 1973 ret = 1; 1974 goto exit; 1975 } 1976 1977 if( verbose != 0 ) 1978 mbedtls_printf( "passed\n" ); 1979 } 1980 1981 if( verbose != 0 ) 1982 mbedtls_printf( "\n" ); 1983 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1984 1985 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1986 /* 1987 * CFB128 mode 1988 */ 1989 for( i = 0; i < 6; i++ ) 1990 { 1991 u = i >> 1; 1992 keybits = 128 + u * 64; 1993 mode = i & 1; 1994 1995 if( verbose != 0 ) 1996 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits, 1997 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1998 1999 memcpy( iv, aes_test_cfb128_iv, 16 ); 2000 memcpy( key, aes_test_cfb128_key[u], keybits / 8 ); 2001 2002 offset = 0; 2003 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 2004 /* 2005 * AES-192 is an optional feature that may be unavailable when 2006 * there is an alternative underlying implementation i.e. when 2007 * MBEDTLS_AES_ALT is defined. 2008 */ 2009 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 2010 { 2011 mbedtls_printf( "skipped\n" ); 2012 continue; 2013 } 2014 else if( ret != 0 ) 2015 { 2016 goto exit; 2017 } 2018 2019 if( mode == MBEDTLS_AES_DECRYPT ) 2020 { 2021 memcpy( buf, aes_test_cfb128_ct[u], 64 ); 2022 aes_tests = aes_test_cfb128_pt; 2023 } 2024 else 2025 { 2026 memcpy( buf, aes_test_cfb128_pt, 64 ); 2027 aes_tests = aes_test_cfb128_ct[u]; 2028 } 2029 2030 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf ); 2031 if( ret != 0 ) 2032 goto exit; 2033 2034 if( memcmp( buf, aes_tests, 64 ) != 0 ) 2035 { 2036 ret = 1; 2037 goto exit; 2038 } 2039 2040 if( verbose != 0 ) 2041 mbedtls_printf( "passed\n" ); 2042 } 2043 2044 if( verbose != 0 ) 2045 mbedtls_printf( "\n" ); 2046 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 2047 2048 #if defined(MBEDTLS_CIPHER_MODE_OFB) 2049 /* 2050 * OFB mode 2051 */ 2052 for( i = 0; i < 6; i++ ) 2053 { 2054 u = i >> 1; 2055 keybits = 128 + u * 64; 2056 mode = i & 1; 2057 2058 if( verbose != 0 ) 2059 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits, 2060 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2061 2062 memcpy( iv, aes_test_ofb_iv, 16 ); 2063 memcpy( key, aes_test_ofb_key[u], keybits / 8 ); 2064 2065 offset = 0; 2066 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 2067 /* 2068 * AES-192 is an optional feature that may be unavailable when 2069 * there is an alternative underlying implementation i.e. when 2070 * MBEDTLS_AES_ALT is defined. 2071 */ 2072 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 2073 { 2074 mbedtls_printf( "skipped\n" ); 2075 continue; 2076 } 2077 else if( ret != 0 ) 2078 { 2079 goto exit; 2080 } 2081 2082 if( mode == MBEDTLS_AES_DECRYPT ) 2083 { 2084 memcpy( buf, aes_test_ofb_ct[u], 64 ); 2085 aes_tests = aes_test_ofb_pt; 2086 } 2087 else 2088 { 2089 memcpy( buf, aes_test_ofb_pt, 64 ); 2090 aes_tests = aes_test_ofb_ct[u]; 2091 } 2092 2093 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf ); 2094 if( ret != 0 ) 2095 goto exit; 2096 2097 if( memcmp( buf, aes_tests, 64 ) != 0 ) 2098 { 2099 ret = 1; 2100 goto exit; 2101 } 2102 2103 if( verbose != 0 ) 2104 mbedtls_printf( "passed\n" ); 2105 } 2106 2107 if( verbose != 0 ) 2108 mbedtls_printf( "\n" ); 2109 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 2110 2111 #if defined(MBEDTLS_CIPHER_MODE_CTR) 2112 /* 2113 * CTR mode 2114 */ 2115 for( i = 0; i < 6; i++ ) 2116 { 2117 u = i >> 1; 2118 mode = i & 1; 2119 2120 if( verbose != 0 ) 2121 mbedtls_printf( " AES-CTR-128 (%s): ", 2122 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2123 2124 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 ); 2125 memcpy( key, aes_test_ctr_key[u], 16 ); 2126 2127 offset = 0; 2128 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 ) 2129 goto exit; 2130 2131 len = aes_test_ctr_len[u]; 2132 2133 if( mode == MBEDTLS_AES_DECRYPT ) 2134 { 2135 memcpy( buf, aes_test_ctr_ct[u], len ); 2136 aes_tests = aes_test_ctr_pt[u]; 2137 } 2138 else 2139 { 2140 memcpy( buf, aes_test_ctr_pt[u], len ); 2141 aes_tests = aes_test_ctr_ct[u]; 2142 } 2143 2144 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, 2145 stream_block, buf, buf ); 2146 if( ret != 0 ) 2147 goto exit; 2148 2149 if( memcmp( buf, aes_tests, len ) != 0 ) 2150 { 2151 ret = 1; 2152 goto exit; 2153 } 2154 2155 if( verbose != 0 ) 2156 mbedtls_printf( "passed\n" ); 2157 } 2158 2159 if( verbose != 0 ) 2160 mbedtls_printf( "\n" ); 2161 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 2162 2163 #if defined(MBEDTLS_CIPHER_MODE_XTS) 2164 { 2165 static const int num_tests = 2166 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); 2167 mbedtls_aes_xts_context ctx_xts; 2168 2169 /* 2170 * XTS mode 2171 */ 2172 mbedtls_aes_xts_init( &ctx_xts ); 2173 2174 for( i = 0; i < num_tests << 1; i++ ) 2175 { 2176 const unsigned char *data_unit; 2177 u = i >> 1; 2178 mode = i & 1; 2179 2180 if( verbose != 0 ) 2181 mbedtls_printf( " AES-XTS-128 (%s): ", 2182 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2183 2184 memset( key, 0, sizeof( key ) ); 2185 memcpy( key, aes_test_xts_key[u], 32 ); 2186 data_unit = aes_test_xts_data_unit[u]; 2187 2188 len = sizeof( *aes_test_xts_ct32 ); 2189 2190 if( mode == MBEDTLS_AES_DECRYPT ) 2191 { 2192 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 ); 2193 if( ret != 0) 2194 goto exit; 2195 memcpy( buf, aes_test_xts_ct32[u], len ); 2196 aes_tests = aes_test_xts_pt32[u]; 2197 } 2198 else 2199 { 2200 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 ); 2201 if( ret != 0) 2202 goto exit; 2203 memcpy( buf, aes_test_xts_pt32[u], len ); 2204 aes_tests = aes_test_xts_ct32[u]; 2205 } 2206 2207 2208 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit, 2209 buf, buf ); 2210 if( ret != 0 ) 2211 goto exit; 2212 2213 if( memcmp( buf, aes_tests, len ) != 0 ) 2214 { 2215 ret = 1; 2216 goto exit; 2217 } 2218 2219 if( verbose != 0 ) 2220 mbedtls_printf( "passed\n" ); 2221 } 2222 2223 if( verbose != 0 ) 2224 mbedtls_printf( "\n" ); 2225 2226 mbedtls_aes_xts_free( &ctx_xts ); 2227 } 2228 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 2229 2230 ret = 0; 2231 2232 exit: 2233 if( ret != 0 && verbose != 0 ) 2234 mbedtls_printf( "failed\n" ); 2235 2236 mbedtls_aes_free( &ctx ); 2237 2238 return( ret ); 2239 } 2240 2241 #endif /* MBEDTLS_SELF_TEST */ 2242 2243 #endif /* MBEDTLS_AES_C */ 2244