
2  *  FIPS-197 compliant AES implementation
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 …src.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/…
11 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
59 * This is a convenience shorthand macro to check if we need reverse S-box and
71 static int aes_padlock_ace = -1;
76 * Forward S-box
203 * Reverse S-box
343 * Forward S-box & tables
352 * Reverse S-box & tables
371 #define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0) argument
378 uint8_t x, y, z; in aes_gen_tables() local
400 * generate the forward and reverse S-boxes in aes_gen_tables()
408 x = pow[255 - log[i]]; in aes_gen_tables()
410 y = x; y = (y << 1) | (y >> 7); in aes_gen_tables()
411 x ^= y; y = (y << 1) | (y >> 7); in aes_gen_tables()
412 x ^= y; y = (y << 1) | (y >> 7); in aes_gen_tables()
413 x ^= y; y = (y << 1) | (y >> 7); in aes_gen_tables()
414 x ^= y ^ 0x63; in aes_gen_tables()
427 y = XTIME(x); in aes_gen_tables()
428 z = y ^ x; in aes_gen_tables()
430 FT0[i] = ((uint32_t) y) ^ in aes_gen_tables()
509 mbedtls_aes_init(&ctx->crypt); in mbedtls_aes_xts_init()
510 mbedtls_aes_init(&ctx->tweak); in mbedtls_aes_xts_init()
519 mbedtls_aes_free(&ctx->crypt); in mbedtls_aes_xts_free()
520 mbedtls_aes_free(&ctx->tweak); in mbedtls_aes_xts_free()
527 * Note that the offset is in units of elements of buf, i.e. 32-bit words,
541 if (aes_padlock_ace == -1) { in mbedtls_aes_rk_offset()
556 /* These implementations need 16-byte alignment in mbedtls_aes_rk_offset()
562 return 4 - delta; // 16 bytes = 4 uint32_t in mbedtls_aes_rk_offset()
582 case 128: ctx->nr = 10; break; in mbedtls_aes_setkey_enc()
584 case 192: ctx->nr = 12; break; in mbedtls_aes_setkey_enc()
585 case 256: ctx->nr = 14; break; in mbedtls_aes_setkey_enc()
597 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); in mbedtls_aes_setkey_enc()
598 RK = ctx->buf + ctx->rk_offset; in mbedtls_aes_setkey_enc()
617 switch (ctx->nr) { in mbedtls_aes_setkey_enc()
700 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); in mbedtls_aes_setkey_dec()
701 RK = ctx->buf + ctx->rk_offset; in mbedtls_aes_setkey_dec()
708 ctx->nr = cty.nr; in mbedtls_aes_setkey_dec()
713 (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr); in mbedtls_aes_setkey_dec()
723 ctx->nr); in mbedtls_aes_setkey_dec()
735 SK -= 8; in mbedtls_aes_setkey_dec()
736 for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) { in mbedtls_aes_setkey_dec()
797 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); in mbedtls_aes_xts_setkey_enc()
803 return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits); in mbedtls_aes_xts_setkey_enc()
821 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); in mbedtls_aes_xts_setkey_dec()
827 return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits); in mbedtls_aes_xts_setkey_dec()
880 * AES-ECB block encryption
888 uint32_t *RK = ctx->buf + ctx->rk_offset; in mbedtls_internal_aes_encrypt()
891 uint32_t Y[4]; in mbedtls_internal_aes_encrypt() member
899 for (i = (ctx->nr >> 1) - 1; i > 0; i--) { in mbedtls_internal_aes_encrypt()
900 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); in mbedtls_internal_aes_encrypt()
901 AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); in mbedtls_internal_aes_encrypt()
904 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); in mbedtls_internal_aes_encrypt()
907 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ in mbedtls_internal_aes_encrypt()
908 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ in mbedtls_internal_aes_encrypt()
909 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ in mbedtls_internal_aes_encrypt()
910 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); in mbedtls_internal_aes_encrypt()
913 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ in mbedtls_internal_aes_encrypt()
914 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ in mbedtls_internal_aes_encrypt()
915 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ in mbedtls_internal_aes_encrypt()
916 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); in mbedtls_internal_aes_encrypt()
919 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ in mbedtls_internal_aes_encrypt()
920 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ in mbedtls_internal_aes_encrypt()
921 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ in mbedtls_internal_aes_encrypt()
922 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); in mbedtls_internal_aes_encrypt()
925 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ in mbedtls_internal_aes_encrypt()
926 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ in mbedtls_internal_aes_encrypt()
927 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ in mbedtls_internal_aes_encrypt()
928 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); in mbedtls_internal_aes_encrypt()
942 * AES-ECB block decryption
950 uint32_t *RK = ctx->buf + ctx->rk_offset; in mbedtls_internal_aes_decrypt()
953 uint32_t Y[4]; in mbedtls_internal_aes_decrypt() member
961 for (i = (ctx->nr >> 1) - 1; i > 0; i--) { in mbedtls_internal_aes_decrypt()
962 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); in mbedtls_internal_aes_decrypt()
963 AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); in mbedtls_internal_aes_decrypt()
966 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); in mbedtls_internal_aes_decrypt()
969 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ in mbedtls_internal_aes_decrypt()
970 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ in mbedtls_internal_aes_decrypt()
971 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ in mbedtls_internal_aes_decrypt()
972 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); in mbedtls_internal_aes_decrypt()
975 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ in mbedtls_internal_aes_decrypt()
976 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ in mbedtls_internal_aes_decrypt()
977 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ in mbedtls_internal_aes_decrypt()
978 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); in mbedtls_internal_aes_decrypt()
981 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ in mbedtls_internal_aes_decrypt()
982 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ in mbedtls_internal_aes_decrypt()
983 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ in mbedtls_internal_aes_decrypt()
984 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); in mbedtls_internal_aes_decrypt()
987 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ in mbedtls_internal_aes_decrypt()
988 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ in mbedtls_internal_aes_decrypt()
989 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ in mbedtls_internal_aes_decrypt()
990 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); in mbedtls_internal_aes_decrypt()
1003 /* VIA Padlock and our intrinsics-based implementation of AESNI require
1004 * the round keys to be aligned on a 16-byte boundary. We take care of this
1007 * calls it might have a different alignment with respect to 16-byte memory.
1012 unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf); in aes_maybe_realign()
1013 if (new_offset != ctx->rk_offset) { in aes_maybe_realign()
1014 memmove(ctx->buf + new_offset, // new address in aes_maybe_realign()
1015 ctx->buf + ctx->rk_offset, // current address in aes_maybe_realign()
1016 (ctx->nr + 1) * 16); // number of round keys * bytes per rk in aes_maybe_realign()
1017 ctx->rk_offset = new_offset; in aes_maybe_realign()
1022 * AES-ECB block encryption/decryption
1070 * AES-CBC buffer encryption/decryption
1125 length -= 16; in mbedtls_aes_crypt_cbc()
1139 length -= 16; in mbedtls_aes_crypt_cbc()
1158 * representation. It uses 64-bit word operations to gain speed but compensates
1173 ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3)); in mbedtls_gf128mul_x_ble()
1181 * AES-XTS buffer encryption/decryption
1184 * is a 3x performance improvement for gcc -Os, if we have hardware AES support.
1212 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ in mbedtls_aes_crypt_xts()
1218 ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT, in mbedtls_aes_crypt_xts()
1224 while (blocks--) { in mbedtls_aes_crypt_xts()
1237 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); in mbedtls_aes_crypt_xts()
1259 unsigned char *prev_output = output - 16; in mbedtls_aes_crypt_xts()
1272 mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i); in mbedtls_aes_crypt_xts()
1274 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); in mbedtls_aes_crypt_xts()
1290 * AES-CFB128 buffer encryption/decryption
1315 while (length--) { in mbedtls_aes_crypt_cfb128()
1330 while (length--) { in mbedtls_aes_crypt_cfb128()
1352 * AES-CFB8 buffer encryption/decryption
1368 while (length--) { in mbedtls_aes_crypt_cfb8()
1396 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1414 while (length--) { in mbedtls_aes_crypt_ofb()
1435 * AES-CTR buffer encryption/decryption
1462 n -= offset; in mbedtls_aes_crypt_ctr()
1465 if (n > (length - i)) { in mbedtls_aes_crypt_ctr()
1466 n = (length - i); in mbedtls_aes_crypt_ctr()
1469 // offset might be non-zero for the last block, but in that case, we don't use it again in mbedtls_aes_crypt_ctr()
1490 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1546 * AES-CFB128 test vectors from:
1548 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1616 * AES-OFB test vectors from:
1618 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1686 * AES-CTR test vectors from:
1748 * AES-XTS test vectors from:
1875 mbedtls_printf(" AES note: built-in implementation.\n"); in mbedtls_aes_self_test()
1894 mbedtls_printf(" AES-ECB-%3u (%s): ", keybits, in mbedtls_aes_self_test()
1920 * AES-192 is an optional feature that may be unavailable when in mbedtls_aes_self_test()
1967 mbedtls_printf(" AES-CBC-%3u (%s): ", keybits, in mbedtls_aes_self_test()
1984 * AES-192 is an optional feature that may be unavailable when in mbedtls_aes_self_test()
2041 mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits, in mbedtls_aes_self_test()
2051 * AES-192 is an optional feature that may be unavailable when in mbedtls_aes_self_test()
2105 mbedtls_printf(" AES-OFB-%3u (%s): ", keybits, in mbedtls_aes_self_test()
2115 * AES-192 is an optional feature that may be unavailable when in mbedtls_aes_self_test()
2168 mbedtls_printf(" AES-CTR-128 (%s): ", in mbedtls_aes_self_test()
2229 mbedtls_printf(" AES-XTS-128 (%s): ", in mbedtls_aes_self_test()