1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_AES_C)
29
30 #include <string.h>
31
32 #include "mbedtls/aes.h"
33 #include "mbedtls/platform.h"
34 #include "mbedtls/platform_util.h"
35 #include "mbedtls/error.h"
36 #if defined(MBEDTLS_PADLOCK_C)
37 #include "padlock.h"
38 #endif
39 #if defined(MBEDTLS_AESNI_C)
40 #include "aesni.h"
41 #endif
42
43 #include "mbedtls/platform.h"
44
45 #if !defined(MBEDTLS_AES_ALT)
46
47 #if defined(MBEDTLS_PADLOCK_C) && \
48 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
49 static int aes_padlock_ace = -1;
50 #endif
51
52 #if defined(MBEDTLS_AES_ROM_TABLES)
53 /*
54 * Forward S-box
55 */
56 static const unsigned char FSb[256] =
57 {
58 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
59 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
60 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
61 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
62 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
63 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
64 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
65 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
66 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
67 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
68 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
69 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
70 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
71 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
72 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
73 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
74 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
75 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
76 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
77 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
78 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
79 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
80 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
81 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
82 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
83 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
84 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
85 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
86 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
87 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
88 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
89 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
90 };
91
92 /*
93 * Forward tables
94 */
95 #define FT \
96 \
97 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
98 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
99 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
100 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
101 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
102 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
103 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
104 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
105 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
106 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
107 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
108 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
109 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
110 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
111 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
112 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
113 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
114 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
115 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
116 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
117 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
118 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
119 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
120 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
121 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
122 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
123 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
124 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
125 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
126 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
127 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
128 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
129 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
130 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
131 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
132 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
133 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
134 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
135 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
136 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
137 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
138 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
139 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
140 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
141 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
142 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
143 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
144 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
145 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
146 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
147 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
148 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
149 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
150 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
151 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
152 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
153 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
154 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
155 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
156 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
157 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
158 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
159 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
160 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
161
162 #define V(a,b,c,d) 0x##a##b##c##d
163 static const uint32_t FT0[256] = { FT };
164 #undef V
165
166 #if !defined(MBEDTLS_AES_FEWER_TABLES)
167
168 #define V(a,b,c,d) 0x##b##c##d##a
169 static const uint32_t FT1[256] = { FT };
170 #undef V
171
172 #define V(a,b,c,d) 0x##c##d##a##b
173 static const uint32_t FT2[256] = { FT };
174 #undef V
175
176 #define V(a,b,c,d) 0x##d##a##b##c
177 static const uint32_t FT3[256] = { FT };
178 #undef V
179
180 #endif /* !MBEDTLS_AES_FEWER_TABLES */
181
182 #undef FT
183
184 /*
185 * Reverse S-box
186 */
187 static const unsigned char RSb[256] =
188 {
189 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
190 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
191 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
192 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
193 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
194 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
195 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
196 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
197 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
198 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
199 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
200 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
201 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
202 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
203 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
204 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
205 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
206 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
207 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
208 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
209 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
210 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
211 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
212 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
213 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
214 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
215 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
216 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
217 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
218 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
219 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
220 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
221 };
222
223 /*
224 * Reverse tables
225 */
226 #define RT \
227 \
228 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
229 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
230 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
231 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
232 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
233 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
234 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
235 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
236 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
237 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
238 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
239 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
240 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
241 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
242 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
243 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
244 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
245 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
246 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
247 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
248 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
249 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
250 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
251 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
252 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
253 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
254 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
255 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
256 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
257 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
258 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
259 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
260 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
261 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
262 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
263 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
264 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
265 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
266 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
267 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
268 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
269 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
270 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
271 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
272 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
273 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
274 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
275 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
276 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
277 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
278 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
279 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
280 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
281 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
282 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
283 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
284 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
285 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
286 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
287 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
288 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
289 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
290 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
291 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
292
293 #define V(a,b,c,d) 0x##a##b##c##d
294 static const uint32_t RT0[256] = { RT };
295 #undef V
296
297 #if !defined(MBEDTLS_AES_FEWER_TABLES)
298
299 #define V(a,b,c,d) 0x##b##c##d##a
300 static const uint32_t RT1[256] = { RT };
301 #undef V
302
303 #define V(a,b,c,d) 0x##c##d##a##b
304 static const uint32_t RT2[256] = { RT };
305 #undef V
306
307 #define V(a,b,c,d) 0x##d##a##b##c
308 static const uint32_t RT3[256] = { RT };
309 #undef V
310
311 #endif /* !MBEDTLS_AES_FEWER_TABLES */
312
313 #undef RT
314
315 /*
316 * Round constants
317 */
318 static const uint32_t RCON[10] =
319 {
320 0x00000001, 0x00000002, 0x00000004, 0x00000008,
321 0x00000010, 0x00000020, 0x00000040, 0x00000080,
322 0x0000001B, 0x00000036
323 };
324
325 #else /* MBEDTLS_AES_ROM_TABLES */
326
327 /*
328 * Forward S-box & tables
329 */
330 static unsigned char FSb[256];
331 static uint32_t FT0[256];
332 #if !defined(MBEDTLS_AES_FEWER_TABLES)
333 static uint32_t FT1[256];
334 static uint32_t FT2[256];
335 static uint32_t FT3[256];
336 #endif /* !MBEDTLS_AES_FEWER_TABLES */
337
338 /*
339 * Reverse S-box & tables
340 */
341 static unsigned char RSb[256];
342 static uint32_t RT0[256];
343 #if !defined(MBEDTLS_AES_FEWER_TABLES)
344 static uint32_t RT1[256];
345 static uint32_t RT2[256];
346 static uint32_t RT3[256];
347 #endif /* !MBEDTLS_AES_FEWER_TABLES */
348
349 /*
350 * Round constants
351 */
352 static uint32_t RCON[10];
353
354 /*
355 * Tables generation code
356 */
357 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
358 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
359 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
360
361 static int aes_init_done = 0;
362
aes_gen_tables(void)363 static void aes_gen_tables( void )
364 {
365 int i, x, y, z;
366 int pow[256];
367 int log[256];
368
369 /*
370 * compute pow and log tables over GF(2^8)
371 */
372 for( i = 0, x = 1; i < 256; i++ )
373 {
374 pow[i] = x;
375 log[x] = i;
376 x = MBEDTLS_BYTE_0( x ^ XTIME( x ) );
377 }
378
379 /*
380 * calculate the round constants
381 */
382 for( i = 0, x = 1; i < 10; i++ )
383 {
384 RCON[i] = (uint32_t) x;
385 x = MBEDTLS_BYTE_0( XTIME( x ) );
386 }
387
388 /*
389 * generate the forward and reverse S-boxes
390 */
391 FSb[0x00] = 0x63;
392 RSb[0x63] = 0x00;
393
394 for( i = 1; i < 256; i++ )
395 {
396 x = pow[255 - log[i]];
397
398 y = x; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
399 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
400 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
401 x ^= y; y = MBEDTLS_BYTE_0( ( y << 1 ) | ( y >> 7 ) );
402 x ^= y ^ 0x63;
403
404 FSb[i] = (unsigned char) x;
405 RSb[x] = (unsigned char) i;
406 }
407
408 /*
409 * generate the forward and reverse tables
410 */
411 for( i = 0; i < 256; i++ )
412 {
413 x = FSb[i];
414 y = MBEDTLS_BYTE_0( XTIME( x ) );
415 z = MBEDTLS_BYTE_0( y ^ x );
416
417 FT0[i] = ( (uint32_t) y ) ^
418 ( (uint32_t) x << 8 ) ^
419 ( (uint32_t) x << 16 ) ^
420 ( (uint32_t) z << 24 );
421
422 #if !defined(MBEDTLS_AES_FEWER_TABLES)
423 FT1[i] = ROTL8( FT0[i] );
424 FT2[i] = ROTL8( FT1[i] );
425 FT3[i] = ROTL8( FT2[i] );
426 #endif /* !MBEDTLS_AES_FEWER_TABLES */
427
428 x = RSb[i];
429
430 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^
431 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^
432 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^
433 ( (uint32_t) MUL( 0x0B, x ) << 24 );
434
435 #if !defined(MBEDTLS_AES_FEWER_TABLES)
436 RT1[i] = ROTL8( RT0[i] );
437 RT2[i] = ROTL8( RT1[i] );
438 RT3[i] = ROTL8( RT2[i] );
439 #endif /* !MBEDTLS_AES_FEWER_TABLES */
440 }
441 }
442
443 #undef ROTL8
444
445 #endif /* MBEDTLS_AES_ROM_TABLES */
446
447 #if defined(MBEDTLS_AES_FEWER_TABLES)
448
449 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
450 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
451 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
452
453 #define AES_RT0(idx) RT0[idx]
454 #define AES_RT1(idx) ROTL8( RT0[idx] )
455 #define AES_RT2(idx) ROTL16( RT0[idx] )
456 #define AES_RT3(idx) ROTL24( RT0[idx] )
457
458 #define AES_FT0(idx) FT0[idx]
459 #define AES_FT1(idx) ROTL8( FT0[idx] )
460 #define AES_FT2(idx) ROTL16( FT0[idx] )
461 #define AES_FT3(idx) ROTL24( FT0[idx] )
462
463 #else /* MBEDTLS_AES_FEWER_TABLES */
464
465 #define AES_RT0(idx) RT0[idx]
466 #define AES_RT1(idx) RT1[idx]
467 #define AES_RT2(idx) RT2[idx]
468 #define AES_RT3(idx) RT3[idx]
469
470 #define AES_FT0(idx) FT0[idx]
471 #define AES_FT1(idx) FT1[idx]
472 #define AES_FT2(idx) FT2[idx]
473 #define AES_FT3(idx) FT3[idx]
474
475 #endif /* MBEDTLS_AES_FEWER_TABLES */
476
mbedtls_aes_init(mbedtls_aes_context * ctx)477 void mbedtls_aes_init( mbedtls_aes_context *ctx )
478 {
479 memset( ctx, 0, sizeof( mbedtls_aes_context ) );
480 }
481
mbedtls_aes_free(mbedtls_aes_context * ctx)482 void mbedtls_aes_free( mbedtls_aes_context *ctx )
483 {
484 if( ctx == NULL )
485 return;
486
487 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
488 }
489
490 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_init(mbedtls_aes_xts_context * ctx)491 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
492 {
493 mbedtls_aes_init( &ctx->crypt );
494 mbedtls_aes_init( &ctx->tweak );
495 }
496
mbedtls_aes_xts_free(mbedtls_aes_xts_context * ctx)497 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
498 {
499 if( ctx == NULL )
500 return;
501
502 mbedtls_aes_free( &ctx->crypt );
503 mbedtls_aes_free( &ctx->tweak );
504 }
505 #endif /* MBEDTLS_CIPHER_MODE_XTS */
506
507 /*
508 * AES key schedule (encryption)
509 */
510 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)511 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
512 unsigned int keybits )
513 {
514 unsigned int i;
515 uint32_t *RK;
516
517 switch( keybits )
518 {
519 case 128: ctx->nr = 10; break;
520 case 192: ctx->nr = 12; break;
521 case 256: ctx->nr = 14; break;
522 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
523 }
524
525 #if !defined(MBEDTLS_AES_ROM_TABLES)
526 if( aes_init_done == 0 )
527 {
528 aes_gen_tables();
529 aes_init_done = 1;
530 }
531 #endif
532
533 ctx->rk_offset = 0;
534 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
535 if( aes_padlock_ace == -1 )
536 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
537
538 if( aes_padlock_ace )
539 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
540 #endif
541 RK = ctx->buf + ctx->rk_offset;
542
543 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
544 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
545 return( mbedtls_aesni_setkey_enc( (unsigned char *) RK, key, keybits ) );
546 #endif
547
548 for( i = 0; i < ( keybits >> 5 ); i++ )
549 {
550 RK[i] = MBEDTLS_GET_UINT32_LE( key, i << 2 );
551 }
552
553 switch( ctx->nr )
554 {
555 case 10:
556
557 for( i = 0; i < 10; i++, RK += 4 )
558 {
559 RK[4] = RK[0] ^ RCON[i] ^
560 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[3] ) ] ) ^
561 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[3] ) ] << 8 ) ^
562 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[3] ) ] << 16 ) ^
563 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[3] ) ] << 24 );
564
565 RK[5] = RK[1] ^ RK[4];
566 RK[6] = RK[2] ^ RK[5];
567 RK[7] = RK[3] ^ RK[6];
568 }
569 break;
570
571 case 12:
572
573 for( i = 0; i < 8; i++, RK += 6 )
574 {
575 RK[6] = RK[0] ^ RCON[i] ^
576 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[5] ) ] ) ^
577 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[5] ) ] << 8 ) ^
578 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[5] ) ] << 16 ) ^
579 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[5] ) ] << 24 );
580
581 RK[7] = RK[1] ^ RK[6];
582 RK[8] = RK[2] ^ RK[7];
583 RK[9] = RK[3] ^ RK[8];
584 RK[10] = RK[4] ^ RK[9];
585 RK[11] = RK[5] ^ RK[10];
586 }
587 break;
588
589 case 14:
590
591 for( i = 0; i < 7; i++, RK += 8 )
592 {
593 RK[8] = RK[0] ^ RCON[i] ^
594 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[7] ) ] ) ^
595 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[7] ) ] << 8 ) ^
596 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[7] ) ] << 16 ) ^
597 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[7] ) ] << 24 );
598
599 RK[9] = RK[1] ^ RK[8];
600 RK[10] = RK[2] ^ RK[9];
601 RK[11] = RK[3] ^ RK[10];
602
603 RK[12] = RK[4] ^
604 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( RK[11] ) ] ) ^
605 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( RK[11] ) ] << 8 ) ^
606 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( RK[11] ) ] << 16 ) ^
607 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( RK[11] ) ] << 24 );
608
609 RK[13] = RK[5] ^ RK[12];
610 RK[14] = RK[6] ^ RK[13];
611 RK[15] = RK[7] ^ RK[14];
612 }
613 break;
614 }
615
616 return( 0 );
617 }
618 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
619
620 /*
621 * AES key schedule (decryption)
622 */
623 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)624 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
625 unsigned int keybits )
626 {
627 int i, j, ret;
628 mbedtls_aes_context cty;
629 uint32_t *RK;
630 uint32_t *SK;
631
632 mbedtls_aes_init( &cty );
633
634 ctx->rk_offset = 0;
635 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
636 if( aes_padlock_ace == -1 )
637 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE );
638
639 if( aes_padlock_ace )
640 ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ) - ctx->buf;
641 #endif
642 RK = ctx->buf + ctx->rk_offset;
643
644 /* Also checks keybits */
645 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 )
646 goto exit;
647
648 ctx->nr = cty.nr;
649
650 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
651 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
652 {
653 mbedtls_aesni_inverse_key( (unsigned char *) RK,
654 (const unsigned char *) ( cty.buf + cty.rk_offset ), ctx->nr );
655 goto exit;
656 }
657 #endif
658
659 SK = cty.buf + cty.rk_offset + cty.nr * 4;
660
661 *RK++ = *SK++;
662 *RK++ = *SK++;
663 *RK++ = *SK++;
664 *RK++ = *SK++;
665
666 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 )
667 {
668 for( j = 0; j < 4; j++, SK++ )
669 {
670 *RK++ = AES_RT0( FSb[ MBEDTLS_BYTE_0( *SK ) ] ) ^
671 AES_RT1( FSb[ MBEDTLS_BYTE_1( *SK ) ] ) ^
672 AES_RT2( FSb[ MBEDTLS_BYTE_2( *SK ) ] ) ^
673 AES_RT3( FSb[ MBEDTLS_BYTE_3( *SK ) ] );
674 }
675 }
676
677 *RK++ = *SK++;
678 *RK++ = *SK++;
679 *RK++ = *SK++;
680 *RK++ = *SK++;
681
682 exit:
683 mbedtls_aes_free( &cty );
684
685 return( ret );
686 }
687 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
688
689 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_decode_keys(const unsigned char * key,unsigned int keybits,const unsigned char ** key1,unsigned int * key1bits,const unsigned char ** key2,unsigned int * key2bits)690 static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
691 unsigned int keybits,
692 const unsigned char **key1,
693 unsigned int *key1bits,
694 const unsigned char **key2,
695 unsigned int *key2bits )
696 {
697 const unsigned int half_keybits = keybits / 2;
698 const unsigned int half_keybytes = half_keybits / 8;
699
700 switch( keybits )
701 {
702 case 256: break;
703 case 512: break;
704 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH );
705 }
706
707 *key1bits = half_keybits;
708 *key2bits = half_keybits;
709 *key1 = &key[0];
710 *key2 = &key[half_keybytes];
711
712 return 0;
713 }
714
mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)715 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
716 const unsigned char *key,
717 unsigned int keybits)
718 {
719 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
720 const unsigned char *key1, *key2;
721 unsigned int key1bits, key2bits;
722
723 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
724 &key2, &key2bits );
725 if( ret != 0 )
726 return( ret );
727
728 /* Set the tweak key. Always set tweak key for the encryption mode. */
729 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
730 if( ret != 0 )
731 return( ret );
732
733 /* Set crypt key for encryption. */
734 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits );
735 }
736
mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)737 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
738 const unsigned char *key,
739 unsigned int keybits)
740 {
741 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
742 const unsigned char *key1, *key2;
743 unsigned int key1bits, key2bits;
744
745 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits,
746 &key2, &key2bits );
747 if( ret != 0 )
748 return( ret );
749
750 /* Set the tweak key. Always set tweak key for encryption. */
751 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
752 if( ret != 0 )
753 return( ret );
754
755 /* Set crypt key for decryption. */
756 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits );
757 }
758 #endif /* MBEDTLS_CIPHER_MODE_XTS */
759
760 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
761 do \
762 { \
763 (X0) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
764 AES_FT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
765 AES_FT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
766 AES_FT3( MBEDTLS_BYTE_3( Y3 ) ); \
767 \
768 (X1) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
769 AES_FT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
770 AES_FT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
771 AES_FT3( MBEDTLS_BYTE_3( Y0 ) ); \
772 \
773 (X2) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
774 AES_FT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
775 AES_FT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
776 AES_FT3( MBEDTLS_BYTE_3( Y1 ) ); \
777 \
778 (X3) = *RK++ ^ AES_FT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
779 AES_FT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
780 AES_FT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
781 AES_FT3( MBEDTLS_BYTE_3( Y2 ) ); \
782 } while( 0 )
783
784 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
785 do \
786 { \
787 (X0) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y0 ) ) ^ \
788 AES_RT1( MBEDTLS_BYTE_1( Y3 ) ) ^ \
789 AES_RT2( MBEDTLS_BYTE_2( Y2 ) ) ^ \
790 AES_RT3( MBEDTLS_BYTE_3( Y1 ) ); \
791 \
792 (X1) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y1 ) ) ^ \
793 AES_RT1( MBEDTLS_BYTE_1( Y0 ) ) ^ \
794 AES_RT2( MBEDTLS_BYTE_2( Y3 ) ) ^ \
795 AES_RT3( MBEDTLS_BYTE_3( Y2 ) ); \
796 \
797 (X2) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y2 ) ) ^ \
798 AES_RT1( MBEDTLS_BYTE_1( Y1 ) ) ^ \
799 AES_RT2( MBEDTLS_BYTE_2( Y0 ) ) ^ \
800 AES_RT3( MBEDTLS_BYTE_3( Y3 ) ); \
801 \
802 (X3) = *RK++ ^ AES_RT0( MBEDTLS_BYTE_0( Y3 ) ) ^ \
803 AES_RT1( MBEDTLS_BYTE_1( Y2 ) ) ^ \
804 AES_RT2( MBEDTLS_BYTE_2( Y1 ) ) ^ \
805 AES_RT3( MBEDTLS_BYTE_3( Y0 ) ); \
806 } while( 0 )
807
808 /*
809 * AES-ECB block encryption
810 */
811 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
mbedtls_internal_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])812 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
813 const unsigned char input[16],
814 unsigned char output[16] )
815 {
816 int i;
817 uint32_t *RK = ctx->buf + ctx->rk_offset;
818 struct
819 {
820 uint32_t X[4];
821 uint32_t Y[4];
822 } t;
823
824 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
825 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
826 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
827 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
828
829 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
830 {
831 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
832 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
833 }
834
835 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
836
837 t.X[0] = *RK++ ^ \
838 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
839 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
840 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
841 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
842
843 t.X[1] = *RK++ ^ \
844 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
845 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
846 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
847 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
848
849 t.X[2] = *RK++ ^ \
850 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
851 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
852 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
853 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
854
855 t.X[3] = *RK++ ^ \
856 ( (uint32_t) FSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
857 ( (uint32_t) FSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
858 ( (uint32_t) FSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
859 ( (uint32_t) FSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
860
861 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
862 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
863 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
864 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
865
866 mbedtls_platform_zeroize( &t, sizeof( t ) );
867
868 return( 0 );
869 }
870 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
871
872 /*
873 * AES-ECB block decryption
874 */
875 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
mbedtls_internal_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])876 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
877 const unsigned char input[16],
878 unsigned char output[16] )
879 {
880 int i;
881 uint32_t *RK = ctx->buf + ctx->rk_offset;
882 struct
883 {
884 uint32_t X[4];
885 uint32_t Y[4];
886 } t;
887
888 t.X[0] = MBEDTLS_GET_UINT32_LE( input, 0 ); t.X[0] ^= *RK++;
889 t.X[1] = MBEDTLS_GET_UINT32_LE( input, 4 ); t.X[1] ^= *RK++;
890 t.X[2] = MBEDTLS_GET_UINT32_LE( input, 8 ); t.X[2] ^= *RK++;
891 t.X[3] = MBEDTLS_GET_UINT32_LE( input, 12 ); t.X[3] ^= *RK++;
892
893 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
894 {
895 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
896 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
897 }
898
899 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
900
901 t.X[0] = *RK++ ^ \
902 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[0] ) ] ) ^
903 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[3] ) ] << 8 ) ^
904 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[2] ) ] << 16 ) ^
905 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[1] ) ] << 24 );
906
907 t.X[1] = *RK++ ^ \
908 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[1] ) ] ) ^
909 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[0] ) ] << 8 ) ^
910 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[3] ) ] << 16 ) ^
911 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[2] ) ] << 24 );
912
913 t.X[2] = *RK++ ^ \
914 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[2] ) ] ) ^
915 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[1] ) ] << 8 ) ^
916 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[0] ) ] << 16 ) ^
917 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[3] ) ] << 24 );
918
919 t.X[3] = *RK++ ^ \
920 ( (uint32_t) RSb[ MBEDTLS_BYTE_0( t.Y[3] ) ] ) ^
921 ( (uint32_t) RSb[ MBEDTLS_BYTE_1( t.Y[2] ) ] << 8 ) ^
922 ( (uint32_t) RSb[ MBEDTLS_BYTE_2( t.Y[1] ) ] << 16 ) ^
923 ( (uint32_t) RSb[ MBEDTLS_BYTE_3( t.Y[0] ) ] << 24 );
924
925 MBEDTLS_PUT_UINT32_LE( t.X[0], output, 0 );
926 MBEDTLS_PUT_UINT32_LE( t.X[1], output, 4 );
927 MBEDTLS_PUT_UINT32_LE( t.X[2], output, 8 );
928 MBEDTLS_PUT_UINT32_LE( t.X[3], output, 12 );
929
930 mbedtls_platform_zeroize( &t, sizeof( t ) );
931
932 return( 0 );
933 }
934 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
935
936 /*
937 * AES-ECB block encryption/decryption
938 */
mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])939 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
940 int mode,
941 const unsigned char input[16],
942 unsigned char output[16] )
943 {
944 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
945 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
946
947 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
948 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) )
949 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) );
950 #endif
951
952 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
953 if( aes_padlock_ace > 0)
954 {
955 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 )
956 return( 0 );
957
958 // If padlock data misaligned, we just fall back to
959 // unaccelerated mode
960 //
961 }
962 #endif
963
964 if( mode == MBEDTLS_AES_ENCRYPT )
965 return( mbedtls_internal_aes_encrypt( ctx, input, output ) );
966 else
967 return( mbedtls_internal_aes_decrypt( ctx, input, output ) );
968 }
969
970 #if defined(MBEDTLS_CIPHER_MODE_CBC)
971 /*
972 * AES-CBC buffer encryption/decryption
973 */
mbedtls_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)974 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
975 int mode,
976 size_t length,
977 unsigned char iv[16],
978 const unsigned char *input,
979 unsigned char *output )
980 {
981 int i;
982 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
983 unsigned char temp[16];
984
985 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
986 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
987
988 if( length % 16 )
989 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
990
991 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
992 if( aes_padlock_ace > 0 )
993 {
994 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 )
995 return( 0 );
996
997 // If padlock data misaligned, we just fall back to
998 // unaccelerated mode
999 //
1000 }
1001 #endif
1002
1003 if( mode == MBEDTLS_AES_DECRYPT )
1004 {
1005 while( length > 0 )
1006 {
1007 memcpy( temp, input, 16 );
1008 ret = mbedtls_aes_crypt_ecb( ctx, mode, input, output );
1009 if( ret != 0 )
1010 goto exit;
1011
1012 for( i = 0; i < 16; i++ )
1013 output[i] = (unsigned char)( output[i] ^ iv[i] );
1014
1015 memcpy( iv, temp, 16 );
1016
1017 input += 16;
1018 output += 16;
1019 length -= 16;
1020 }
1021 }
1022 else
1023 {
1024 while( length > 0 )
1025 {
1026 for( i = 0; i < 16; i++ )
1027 output[i] = (unsigned char)( input[i] ^ iv[i] );
1028
1029 ret = mbedtls_aes_crypt_ecb( ctx, mode, output, output );
1030 if( ret != 0 )
1031 goto exit;
1032 memcpy( iv, output, 16 );
1033
1034 input += 16;
1035 output += 16;
1036 length -= 16;
1037 }
1038 }
1039 ret = 0;
1040
1041 exit:
1042 return( ret );
1043 }
1044 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1045
1046 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1047
1048 typedef unsigned char mbedtls_be128[16];
1049
1050 /*
1051 * GF(2^128) multiplication function
1052 *
1053 * This function multiplies a field element by x in the polynomial field
1054 * representation. It uses 64-bit word operations to gain speed but compensates
1055 * for machine endianness and hence works correctly on both big and little
1056 * endian machines.
1057 */
mbedtls_gf128mul_x_ble(unsigned char r[16],const unsigned char x[16])1058 static void mbedtls_gf128mul_x_ble( unsigned char r[16],
1059 const unsigned char x[16] )
1060 {
1061 uint64_t a, b, ra, rb;
1062
1063 a = MBEDTLS_GET_UINT64_LE( x, 0 );
1064 b = MBEDTLS_GET_UINT64_LE( x, 8 );
1065
1066 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) );
1067 rb = ( a >> 63 ) | ( b << 1 );
1068
1069 MBEDTLS_PUT_UINT64_LE( ra, r, 0 );
1070 MBEDTLS_PUT_UINT64_LE( rb, r, 8 );
1071 }
1072
1073 /*
1074 * AES-XTS buffer encryption/decryption
1075 */
mbedtls_aes_crypt_xts(mbedtls_aes_xts_context * ctx,int mode,size_t length,const unsigned char data_unit[16],const unsigned char * input,unsigned char * output)1076 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
1077 int mode,
1078 size_t length,
1079 const unsigned char data_unit[16],
1080 const unsigned char *input,
1081 unsigned char *output )
1082 {
1083 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1084 size_t blocks = length / 16;
1085 size_t leftover = length % 16;
1086 unsigned char tweak[16];
1087 unsigned char prev_tweak[16];
1088 unsigned char tmp[16];
1089
1090 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1091 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1092
1093 /* Data units must be at least 16 bytes long. */
1094 if( length < 16 )
1095 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1096
1097 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1098 if( length > ( 1 << 20 ) * 16 )
1099 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1100
1101 /* Compute the tweak. */
1102 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT,
1103 data_unit, tweak );
1104 if( ret != 0 )
1105 return( ret );
1106
1107 while( blocks-- )
1108 {
1109 size_t i;
1110
1111 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
1112 {
1113 /* We are on the last block in a decrypt operation that has
1114 * leftover bytes, so we need to use the next tweak for this block,
1115 * and this tweak for the leftover bytes. Save the current tweak for
1116 * the leftovers and then update the current tweak for use on this,
1117 * the last full block. */
1118 memcpy( prev_tweak, tweak, sizeof( tweak ) );
1119 mbedtls_gf128mul_x_ble( tweak, tweak );
1120 }
1121
1122 for( i = 0; i < 16; i++ )
1123 tmp[i] = input[i] ^ tweak[i];
1124
1125 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1126 if( ret != 0 )
1127 return( ret );
1128
1129 for( i = 0; i < 16; i++ )
1130 output[i] = tmp[i] ^ tweak[i];
1131
1132 /* Update the tweak for the next block. */
1133 mbedtls_gf128mul_x_ble( tweak, tweak );
1134
1135 output += 16;
1136 input += 16;
1137 }
1138
1139 if( leftover )
1140 {
1141 /* If we are on the leftover bytes in a decrypt operation, we need to
1142 * use the previous tweak for these bytes (as saved in prev_tweak). */
1143 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1144
1145 /* We are now on the final part of the data unit, which doesn't divide
1146 * evenly by 16. It's time for ciphertext stealing. */
1147 size_t i;
1148 unsigned char *prev_output = output - 16;
1149
1150 /* Copy ciphertext bytes from the previous block to our output for each
1151 * byte of ciphertext we won't steal. At the same time, copy the
1152 * remainder of the input for this final round (since the loop bounds
1153 * are the same). */
1154 for( i = 0; i < leftover; i++ )
1155 {
1156 output[i] = prev_output[i];
1157 tmp[i] = input[i] ^ t[i];
1158 }
1159
1160 /* Copy ciphertext bytes from the previous block for input in this
1161 * round. */
1162 for( ; i < 16; i++ )
1163 tmp[i] = prev_output[i] ^ t[i];
1164
1165 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
1166 if( ret != 0 )
1167 return ret;
1168
1169 /* Write the result back to the previous block, overriding the previous
1170 * output we copied. */
1171 for( i = 0; i < 16; i++ )
1172 prev_output[i] = tmp[i] ^ t[i];
1173 }
1174
1175 return( 0 );
1176 }
1177 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1178
1179 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1180 /*
1181 * AES-CFB128 buffer encryption/decryption
1182 */
mbedtls_aes_crypt_cfb128(mbedtls_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1183 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
1184 int mode,
1185 size_t length,
1186 size_t *iv_off,
1187 unsigned char iv[16],
1188 const unsigned char *input,
1189 unsigned char *output )
1190 {
1191 int c;
1192 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1193 size_t n;
1194
1195 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1196 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1197
1198 n = *iv_off;
1199
1200 if( n > 15 )
1201 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1202
1203 if( mode == MBEDTLS_AES_DECRYPT )
1204 {
1205 while( length-- )
1206 {
1207 if( n == 0 )
1208 {
1209 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1210 if( ret != 0 )
1211 goto exit;
1212 }
1213
1214 c = *input++;
1215 *output++ = (unsigned char)( c ^ iv[n] );
1216 iv[n] = (unsigned char) c;
1217
1218 n = ( n + 1 ) & 0x0F;
1219 }
1220 }
1221 else
1222 {
1223 while( length-- )
1224 {
1225 if( n == 0 )
1226 {
1227 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1228 if( ret != 0 )
1229 goto exit;
1230 }
1231
1232 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
1233
1234 n = ( n + 1 ) & 0x0F;
1235 }
1236 }
1237
1238 *iv_off = n;
1239 ret = 0;
1240
1241 exit:
1242 return( ret );
1243 }
1244
1245 /*
1246 * AES-CFB8 buffer encryption/decryption
1247 */
mbedtls_aes_crypt_cfb8(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1248 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
1249 int mode,
1250 size_t length,
1251 unsigned char iv[16],
1252 const unsigned char *input,
1253 unsigned char *output )
1254 {
1255 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1256 unsigned char c;
1257 unsigned char ov[17];
1258
1259 if( mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT )
1260 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1261 while( length-- )
1262 {
1263 memcpy( ov, iv, 16 );
1264 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1265 if( ret != 0 )
1266 goto exit;
1267
1268 if( mode == MBEDTLS_AES_DECRYPT )
1269 ov[16] = *input;
1270
1271 c = *output++ = (unsigned char)( iv[0] ^ *input++ );
1272
1273 if( mode == MBEDTLS_AES_ENCRYPT )
1274 ov[16] = c;
1275
1276 memcpy( iv, ov + 1, 16 );
1277 }
1278 ret = 0;
1279
1280 exit:
1281 return( ret );
1282 }
1283 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1284
1285 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1286 /*
1287 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1288 */
mbedtls_aes_crypt_ofb(mbedtls_aes_context * ctx,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1289 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
1290 size_t length,
1291 size_t *iv_off,
1292 unsigned char iv[16],
1293 const unsigned char *input,
1294 unsigned char *output )
1295 {
1296 int ret = 0;
1297 size_t n;
1298
1299 n = *iv_off;
1300
1301 if( n > 15 )
1302 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1303
1304 while( length-- )
1305 {
1306 if( n == 0 )
1307 {
1308 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
1309 if( ret != 0 )
1310 goto exit;
1311 }
1312 *output++ = *input++ ^ iv[n];
1313
1314 n = ( n + 1 ) & 0x0F;
1315 }
1316
1317 *iv_off = n;
1318
1319 exit:
1320 return( ret );
1321 }
1322 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1323
1324 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1325 /*
1326 * AES-CTR buffer encryption/decryption
1327 */
mbedtls_aes_crypt_ctr(mbedtls_aes_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)1328 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
1329 size_t length,
1330 size_t *nc_off,
1331 unsigned char nonce_counter[16],
1332 unsigned char stream_block[16],
1333 const unsigned char *input,
1334 unsigned char *output )
1335 {
1336 int c, i;
1337 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1338 size_t n;
1339
1340 n = *nc_off;
1341
1342 if ( n > 0x0F )
1343 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
1344
1345 while( length-- )
1346 {
1347 if( n == 0 ) {
1348 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block );
1349 if( ret != 0 )
1350 goto exit;
1351
1352 for( i = 16; i > 0; i-- )
1353 if( ++nonce_counter[i - 1] != 0 )
1354 break;
1355 }
1356 c = *input++;
1357 *output++ = (unsigned char)( c ^ stream_block[n] );
1358
1359 n = ( n + 1 ) & 0x0F;
1360 }
1361
1362 *nc_off = n;
1363 ret = 0;
1364
1365 exit:
1366 return( ret );
1367 }
1368 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1369
1370 #endif /* !MBEDTLS_AES_ALT */
1371
1372 #if defined(MBEDTLS_SELF_TEST)
1373 /*
1374 * AES test vectors from:
1375 *
1376 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1377 */
1378 static const unsigned char aes_test_ecb_dec[3][16] =
1379 {
1380 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1381 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1382 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1383 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1384 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1385 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1386 };
1387
1388 static const unsigned char aes_test_ecb_enc[3][16] =
1389 {
1390 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1391 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1392 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1393 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1394 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1395 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1396 };
1397
1398 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1399 static const unsigned char aes_test_cbc_dec[3][16] =
1400 {
1401 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1402 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1403 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1404 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1405 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1406 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1407 };
1408
1409 static const unsigned char aes_test_cbc_enc[3][16] =
1410 {
1411 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1412 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1413 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1414 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1415 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1416 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1417 };
1418 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1419
1420 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1421 /*
1422 * AES-CFB128 test vectors from:
1423 *
1424 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1425 */
1426 static const unsigned char aes_test_cfb128_key[3][32] =
1427 {
1428 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1429 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1430 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1431 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1432 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1433 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1434 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1435 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1436 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1437 };
1438
1439 static const unsigned char aes_test_cfb128_iv[16] =
1440 {
1441 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1442 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1443 };
1444
1445 static const unsigned char aes_test_cfb128_pt[64] =
1446 {
1447 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1448 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1449 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1450 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1451 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1452 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1453 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1454 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1455 };
1456
1457 static const unsigned char aes_test_cfb128_ct[3][64] =
1458 {
1459 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1460 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1461 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1462 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1463 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1464 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1465 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1466 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1467 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1468 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1469 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1470 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1471 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1472 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1473 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1474 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1475 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1476 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1477 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1478 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1479 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1480 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1481 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1482 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1483 };
1484 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1485
1486 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1487 /*
1488 * AES-OFB test vectors from:
1489 *
1490 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1491 */
1492 static const unsigned char aes_test_ofb_key[3][32] =
1493 {
1494 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1495 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1496 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1497 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1498 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1499 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1500 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1501 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1502 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1503 };
1504
1505 static const unsigned char aes_test_ofb_iv[16] =
1506 {
1507 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1508 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1509 };
1510
1511 static const unsigned char aes_test_ofb_pt[64] =
1512 {
1513 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1514 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1515 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1516 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1517 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1518 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1519 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1520 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1521 };
1522
1523 static const unsigned char aes_test_ofb_ct[3][64] =
1524 {
1525 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1526 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1527 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1528 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1529 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1530 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1531 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1532 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1533 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1534 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1535 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1536 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1537 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1538 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1539 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1540 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1541 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1542 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1543 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1544 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1545 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1546 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1547 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1548 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1549 };
1550 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1551
1552 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1553 /*
1554 * AES-CTR test vectors from:
1555 *
1556 * http://www.faqs.org/rfcs/rfc3686.html
1557 */
1558
1559 static const unsigned char aes_test_ctr_key[3][16] =
1560 {
1561 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1562 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1563 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1564 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1565 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1566 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1567 };
1568
1569 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1570 {
1571 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1573 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1574 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1575 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1576 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1577 };
1578
1579 static const unsigned char aes_test_ctr_pt[3][48] =
1580 {
1581 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1582 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1583
1584 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1585 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1586 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1587 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1588
1589 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1590 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1591 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1592 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1593 0x20, 0x21, 0x22, 0x23 }
1594 };
1595
1596 static const unsigned char aes_test_ctr_ct[3][48] =
1597 {
1598 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1599 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1600 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1601 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1602 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1603 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1604 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1605 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1606 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1607 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1608 0x25, 0xB2, 0x07, 0x2F }
1609 };
1610
1611 static const int aes_test_ctr_len[3] =
1612 { 16, 32, 36 };
1613 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1614
1615 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1616 /*
1617 * AES-XTS test vectors from:
1618 *
1619 * IEEE P1619/D16 Annex B
1620 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1621 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1622 */
1623 static const unsigned char aes_test_xts_key[][32] =
1624 {
1625 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1628 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1629 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1630 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1631 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1632 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1633 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1634 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1635 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1636 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1637 };
1638
1639 static const unsigned char aes_test_xts_pt32[][32] =
1640 {
1641 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1642 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1643 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1644 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1645 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1646 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1647 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1648 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1649 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1650 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1651 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1652 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1653 };
1654
1655 static const unsigned char aes_test_xts_ct32[][32] =
1656 {
1657 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1658 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1659 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1660 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1661 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1662 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1663 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1664 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1665 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1666 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1667 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1668 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1669 };
1670
1671 static const unsigned char aes_test_xts_data_unit[][16] =
1672 {
1673 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1674 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1675 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1676 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1677 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1678 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1679 };
1680
1681 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1682
1683 /*
1684 * Checkup routine
1685 */
mbedtls_aes_self_test(int verbose)1686 int mbedtls_aes_self_test( int verbose )
1687 {
1688 int ret = 0, i, j, u, mode;
1689 unsigned int keybits;
1690 unsigned char key[32];
1691 unsigned char buf[64];
1692 const unsigned char *aes_tests;
1693 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1694 defined(MBEDTLS_CIPHER_MODE_OFB)
1695 unsigned char iv[16];
1696 #endif
1697 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1698 unsigned char prv[16];
1699 #endif
1700 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1701 defined(MBEDTLS_CIPHER_MODE_OFB)
1702 size_t offset;
1703 #endif
1704 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1705 int len;
1706 #endif
1707 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1708 unsigned char nonce_counter[16];
1709 unsigned char stream_block[16];
1710 #endif
1711 mbedtls_aes_context ctx;
1712
1713 memset( key, 0, 32 );
1714 mbedtls_aes_init( &ctx );
1715
1716 /*
1717 * ECB mode
1718 */
1719 for( i = 0; i < 6; i++ )
1720 {
1721 u = i >> 1;
1722 keybits = 128 + u * 64;
1723 mode = i & 1;
1724
1725 if( verbose != 0 )
1726 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
1727 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1728
1729 memset( buf, 0, 16 );
1730
1731 if( mode == MBEDTLS_AES_DECRYPT )
1732 {
1733 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1734 aes_tests = aes_test_ecb_dec[u];
1735 }
1736 else
1737 {
1738 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1739 aes_tests = aes_test_ecb_enc[u];
1740 }
1741
1742 /*
1743 * AES-192 is an optional feature that may be unavailable when
1744 * there is an alternative underlying implementation i.e. when
1745 * MBEDTLS_AES_ALT is defined.
1746 */
1747 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1748 {
1749 mbedtls_printf( "skipped\n" );
1750 continue;
1751 }
1752 else if( ret != 0 )
1753 {
1754 goto exit;
1755 }
1756
1757 for( j = 0; j < 10000; j++ )
1758 {
1759 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf );
1760 if( ret != 0 )
1761 goto exit;
1762 }
1763
1764 if( memcmp( buf, aes_tests, 16 ) != 0 )
1765 {
1766 ret = 1;
1767 goto exit;
1768 }
1769
1770 if( verbose != 0 )
1771 mbedtls_printf( "passed\n" );
1772 }
1773
1774 if( verbose != 0 )
1775 mbedtls_printf( "\n" );
1776
1777 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1778 /*
1779 * CBC mode
1780 */
1781 for( i = 0; i < 6; i++ )
1782 {
1783 u = i >> 1;
1784 keybits = 128 + u * 64;
1785 mode = i & 1;
1786
1787 if( verbose != 0 )
1788 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
1789 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1790
1791 memset( iv , 0, 16 );
1792 memset( prv, 0, 16 );
1793 memset( buf, 0, 16 );
1794
1795 if( mode == MBEDTLS_AES_DECRYPT )
1796 {
1797 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits );
1798 aes_tests = aes_test_cbc_dec[u];
1799 }
1800 else
1801 {
1802 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1803 aes_tests = aes_test_cbc_enc[u];
1804 }
1805
1806 /*
1807 * AES-192 is an optional feature that may be unavailable when
1808 * there is an alternative underlying implementation i.e. when
1809 * MBEDTLS_AES_ALT is defined.
1810 */
1811 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1812 {
1813 mbedtls_printf( "skipped\n" );
1814 continue;
1815 }
1816 else if( ret != 0 )
1817 {
1818 goto exit;
1819 }
1820
1821 for( j = 0; j < 10000; j++ )
1822 {
1823 if( mode == MBEDTLS_AES_ENCRYPT )
1824 {
1825 unsigned char tmp[16];
1826
1827 memcpy( tmp, prv, 16 );
1828 memcpy( prv, buf, 16 );
1829 memcpy( buf, tmp, 16 );
1830 }
1831
1832 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf );
1833 if( ret != 0 )
1834 goto exit;
1835
1836 }
1837
1838 if( memcmp( buf, aes_tests, 16 ) != 0 )
1839 {
1840 ret = 1;
1841 goto exit;
1842 }
1843
1844 if( verbose != 0 )
1845 mbedtls_printf( "passed\n" );
1846 }
1847
1848 if( verbose != 0 )
1849 mbedtls_printf( "\n" );
1850 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1851
1852 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1853 /*
1854 * CFB128 mode
1855 */
1856 for( i = 0; i < 6; i++ )
1857 {
1858 u = i >> 1;
1859 keybits = 128 + u * 64;
1860 mode = i & 1;
1861
1862 if( verbose != 0 )
1863 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
1864 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1865
1866 memcpy( iv, aes_test_cfb128_iv, 16 );
1867 memcpy( key, aes_test_cfb128_key[u], keybits / 8 );
1868
1869 offset = 0;
1870 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1871 /*
1872 * AES-192 is an optional feature that may be unavailable when
1873 * there is an alternative underlying implementation i.e. when
1874 * MBEDTLS_AES_ALT is defined.
1875 */
1876 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1877 {
1878 mbedtls_printf( "skipped\n" );
1879 continue;
1880 }
1881 else if( ret != 0 )
1882 {
1883 goto exit;
1884 }
1885
1886 if( mode == MBEDTLS_AES_DECRYPT )
1887 {
1888 memcpy( buf, aes_test_cfb128_ct[u], 64 );
1889 aes_tests = aes_test_cfb128_pt;
1890 }
1891 else
1892 {
1893 memcpy( buf, aes_test_cfb128_pt, 64 );
1894 aes_tests = aes_test_cfb128_ct[u];
1895 }
1896
1897 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf );
1898 if( ret != 0 )
1899 goto exit;
1900
1901 if( memcmp( buf, aes_tests, 64 ) != 0 )
1902 {
1903 ret = 1;
1904 goto exit;
1905 }
1906
1907 if( verbose != 0 )
1908 mbedtls_printf( "passed\n" );
1909 }
1910
1911 if( verbose != 0 )
1912 mbedtls_printf( "\n" );
1913 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1914
1915 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1916 /*
1917 * OFB mode
1918 */
1919 for( i = 0; i < 6; i++ )
1920 {
1921 u = i >> 1;
1922 keybits = 128 + u * 64;
1923 mode = i & 1;
1924
1925 if( verbose != 0 )
1926 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
1927 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1928
1929 memcpy( iv, aes_test_ofb_iv, 16 );
1930 memcpy( key, aes_test_ofb_key[u], keybits / 8 );
1931
1932 offset = 0;
1933 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits );
1934 /*
1935 * AES-192 is an optional feature that may be unavailable when
1936 * there is an alternative underlying implementation i.e. when
1937 * MBEDTLS_AES_ALT is defined.
1938 */
1939 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 )
1940 {
1941 mbedtls_printf( "skipped\n" );
1942 continue;
1943 }
1944 else if( ret != 0 )
1945 {
1946 goto exit;
1947 }
1948
1949 if( mode == MBEDTLS_AES_DECRYPT )
1950 {
1951 memcpy( buf, aes_test_ofb_ct[u], 64 );
1952 aes_tests = aes_test_ofb_pt;
1953 }
1954 else
1955 {
1956 memcpy( buf, aes_test_ofb_pt, 64 );
1957 aes_tests = aes_test_ofb_ct[u];
1958 }
1959
1960 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf );
1961 if( ret != 0 )
1962 goto exit;
1963
1964 if( memcmp( buf, aes_tests, 64 ) != 0 )
1965 {
1966 ret = 1;
1967 goto exit;
1968 }
1969
1970 if( verbose != 0 )
1971 mbedtls_printf( "passed\n" );
1972 }
1973
1974 if( verbose != 0 )
1975 mbedtls_printf( "\n" );
1976 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1977
1978 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1979 /*
1980 * CTR mode
1981 */
1982 for( i = 0; i < 6; i++ )
1983 {
1984 u = i >> 1;
1985 mode = i & 1;
1986
1987 if( verbose != 0 )
1988 mbedtls_printf( " AES-CTR-128 (%s): ",
1989 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
1990
1991 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 );
1992 memcpy( key, aes_test_ctr_key[u], 16 );
1993
1994 offset = 0;
1995 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 )
1996 goto exit;
1997
1998 len = aes_test_ctr_len[u];
1999
2000 if( mode == MBEDTLS_AES_DECRYPT )
2001 {
2002 memcpy( buf, aes_test_ctr_ct[u], len );
2003 aes_tests = aes_test_ctr_pt[u];
2004 }
2005 else
2006 {
2007 memcpy( buf, aes_test_ctr_pt[u], len );
2008 aes_tests = aes_test_ctr_ct[u];
2009 }
2010
2011 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter,
2012 stream_block, buf, buf );
2013 if( ret != 0 )
2014 goto exit;
2015
2016 if( memcmp( buf, aes_tests, len ) != 0 )
2017 {
2018 ret = 1;
2019 goto exit;
2020 }
2021
2022 if( verbose != 0 )
2023 mbedtls_printf( "passed\n" );
2024 }
2025
2026 if( verbose != 0 )
2027 mbedtls_printf( "\n" );
2028 #endif /* MBEDTLS_CIPHER_MODE_CTR */
2029
2030 #if defined(MBEDTLS_CIPHER_MODE_XTS)
2031 {
2032 static const int num_tests =
2033 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2034 mbedtls_aes_xts_context ctx_xts;
2035
2036 /*
2037 * XTS mode
2038 */
2039 mbedtls_aes_xts_init( &ctx_xts );
2040
2041 for( i = 0; i < num_tests << 1; i++ )
2042 {
2043 const unsigned char *data_unit;
2044 u = i >> 1;
2045 mode = i & 1;
2046
2047 if( verbose != 0 )
2048 mbedtls_printf( " AES-XTS-128 (%s): ",
2049 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
2050
2051 memset( key, 0, sizeof( key ) );
2052 memcpy( key, aes_test_xts_key[u], 32 );
2053 data_unit = aes_test_xts_data_unit[u];
2054
2055 len = sizeof( *aes_test_xts_ct32 );
2056
2057 if( mode == MBEDTLS_AES_DECRYPT )
2058 {
2059 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
2060 if( ret != 0)
2061 goto exit;
2062 memcpy( buf, aes_test_xts_ct32[u], len );
2063 aes_tests = aes_test_xts_pt32[u];
2064 }
2065 else
2066 {
2067 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
2068 if( ret != 0)
2069 goto exit;
2070 memcpy( buf, aes_test_xts_pt32[u], len );
2071 aes_tests = aes_test_xts_ct32[u];
2072 }
2073
2074
2075 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
2076 buf, buf );
2077 if( ret != 0 )
2078 goto exit;
2079
2080 if( memcmp( buf, aes_tests, len ) != 0 )
2081 {
2082 ret = 1;
2083 goto exit;
2084 }
2085
2086 if( verbose != 0 )
2087 mbedtls_printf( "passed\n" );
2088 }
2089
2090 if( verbose != 0 )
2091 mbedtls_printf( "\n" );
2092
2093 mbedtls_aes_xts_free( &ctx_xts );
2094 }
2095 #endif /* MBEDTLS_CIPHER_MODE_XTS */
2096
2097 ret = 0;
2098
2099 exit:
2100 if( ret != 0 && verbose != 0 )
2101 mbedtls_printf( "failed\n" );
2102
2103 mbedtls_aes_free( &ctx );
2104
2105 return( ret );
2106 }
2107
2108 #endif /* MBEDTLS_SELF_TEST */
2109
2110 #endif /* MBEDTLS_AES_C */
2111
