1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_AES_C)
29
30 #include <string.h>
31
32 #include "mbedtls/aes.h"
33 #include "mbedtls/platform.h"
34 #include "mbedtls/platform_util.h"
35 #include "mbedtls/error.h"
36 #if defined(MBEDTLS_PADLOCK_C)
37 #include "padlock.h"
38 #endif
39 #if defined(MBEDTLS_AESNI_C)
40 #include "aesni.h"
41 #endif
42 #if defined(MBEDTLS_AESCE_C)
43 #include "aesce.h"
44 #endif
45
46 #include "mbedtls/platform.h"
47
48 #if !defined(MBEDTLS_AES_ALT)
49
50 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
51 static int aes_padlock_ace = -1;
52 #endif
53
54 #if defined(MBEDTLS_AES_ROM_TABLES)
55 /*
56 * Forward S-box
57 */
58 static const unsigned char FSb[256] =
59 {
60 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
61 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
62 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
63 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
64 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
65 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
66 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
67 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
68 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
69 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
70 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
71 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
72 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
73 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
74 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
75 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
76 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
77 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
78 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
79 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
80 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
81 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
82 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
83 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
84 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
85 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
86 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
87 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
88 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
89 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
90 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
91 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
92 };
93
94 /*
95 * Forward tables
96 */
97 #define FT \
98 \
99 V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \
100 V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \
101 V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
102 V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \
103 V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
104 V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
105 V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \
106 V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \
107 V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
108 V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
109 V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \
110 V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
111 V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \
112 V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \
113 V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
114 V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \
115 V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \
116 V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
117 V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \
118 V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
119 V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
120 V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \
121 V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \
122 V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
123 V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
124 V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \
125 V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
126 V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \
127 V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \
128 V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
129 V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
130 V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \
131 V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
132 V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \
133 V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
134 V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
135 V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \
136 V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \
137 V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
138 V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
139 V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \
140 V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
141 V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \
142 V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \
143 V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
144 V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \
145 V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \
146 V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
147 V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \
148 V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
149 V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
150 V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \
151 V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \
152 V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
153 V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
154 V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
155 V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
156 V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \
157 V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \
158 V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
159 V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \
160 V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \
161 V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
162 V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
163
164 #define V(a, b, c, d) 0x##a##b##c##d
165 static const uint32_t FT0[256] = { FT };
166 #undef V
167
168 #if !defined(MBEDTLS_AES_FEWER_TABLES)
169
170 #define V(a, b, c, d) 0x##b##c##d##a
171 static const uint32_t FT1[256] = { FT };
172 #undef V
173
174 #define V(a, b, c, d) 0x##c##d##a##b
175 static const uint32_t FT2[256] = { FT };
176 #undef V
177
178 #define V(a, b, c, d) 0x##d##a##b##c
179 static const uint32_t FT3[256] = { FT };
180 #undef V
181
182 #endif /* !MBEDTLS_AES_FEWER_TABLES */
183
184 #undef FT
185
186 /*
187 * Reverse S-box
188 */
189 static const unsigned char RSb[256] =
190 {
191 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
192 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
193 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
194 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
195 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
196 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
197 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
198 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
199 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
200 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
201 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
202 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
203 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
204 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
205 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
206 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
207 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
208 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
209 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
210 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
211 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
212 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
213 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
214 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
215 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
216 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
217 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
218 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
219 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
220 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
221 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
222 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
223 };
224
225 /*
226 * Reverse tables
227 */
228 #define RT \
229 \
230 V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \
231 V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \
232 V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
233 V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \
234 V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
235 V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
236 V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \
237 V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \
238 V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
239 V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
240 V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \
241 V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
242 V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \
243 V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \
244 V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
245 V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
246 V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \
247 V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
248 V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \
249 V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
250 V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
251 V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \
252 V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \
253 V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
254 V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
255 V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \
256 V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
257 V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \
258 V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \
259 V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
260 V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \
261 V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \
262 V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
263 V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \
264 V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
265 V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
266 V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \
267 V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
268 V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
269 V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
270 V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
271 V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
272 V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \
273 V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \
274 V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
275 V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \
276 V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \
277 V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
278 V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \
279 V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
280 V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
281 V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \
282 V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \
283 V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
284 V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
285 V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \
286 V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
287 V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \
288 V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \
289 V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
290 V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \
291 V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
292 V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
293 V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0)
294
295 #define V(a, b, c, d) 0x##a##b##c##d
296 static const uint32_t RT0[256] = { RT };
297 #undef V
298
299 #if !defined(MBEDTLS_AES_FEWER_TABLES)
300
301 #define V(a, b, c, d) 0x##b##c##d##a
302 static const uint32_t RT1[256] = { RT };
303 #undef V
304
305 #define V(a, b, c, d) 0x##c##d##a##b
306 static const uint32_t RT2[256] = { RT };
307 #undef V
308
309 #define V(a, b, c, d) 0x##d##a##b##c
310 static const uint32_t RT3[256] = { RT };
311 #undef V
312
313 #endif /* !MBEDTLS_AES_FEWER_TABLES */
314
315 #undef RT
316
317 /*
318 * Round constants
319 */
320 static const uint32_t RCON[10] =
321 {
322 0x00000001, 0x00000002, 0x00000004, 0x00000008,
323 0x00000010, 0x00000020, 0x00000040, 0x00000080,
324 0x0000001B, 0x00000036
325 };
326
327 #else /* MBEDTLS_AES_ROM_TABLES */
328
329 /*
330 * Forward S-box & tables
331 */
332 static unsigned char FSb[256];
333 static uint32_t FT0[256];
334 #if !defined(MBEDTLS_AES_FEWER_TABLES)
335 static uint32_t FT1[256];
336 static uint32_t FT2[256];
337 static uint32_t FT3[256];
338 #endif /* !MBEDTLS_AES_FEWER_TABLES */
339
340 /*
341 * Reverse S-box & tables
342 */
343 static unsigned char RSb[256];
344 static uint32_t RT0[256];
345 #if !defined(MBEDTLS_AES_FEWER_TABLES)
346 static uint32_t RT1[256];
347 static uint32_t RT2[256];
348 static uint32_t RT3[256];
349 #endif /* !MBEDTLS_AES_FEWER_TABLES */
350
351 /*
352 * Round constants
353 */
354 static uint32_t RCON[10];
355
356 /*
357 * Tables generation code
358 */
359 #define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
360 #define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
361 #define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)
362
363 static int aes_init_done = 0;
364
aes_gen_tables(void)365 static void aes_gen_tables(void)
366 {
367 int i, x, y, z;
368 int pow[256];
369 int log[256];
370
371 /*
372 * compute pow and log tables over GF(2^8)
373 */
374 for (i = 0, x = 1; i < 256; i++) {
375 pow[i] = x;
376 log[x] = i;
377 x = MBEDTLS_BYTE_0(x ^ XTIME(x));
378 }
379
380 /*
381 * calculate the round constants
382 */
383 for (i = 0, x = 1; i < 10; i++) {
384 RCON[i] = (uint32_t) x;
385 x = MBEDTLS_BYTE_0(XTIME(x));
386 }
387
388 /*
389 * generate the forward and reverse S-boxes
390 */
391 FSb[0x00] = 0x63;
392 RSb[0x63] = 0x00;
393
394 for (i = 1; i < 256; i++) {
395 x = pow[255 - log[i]];
396
397 y = x; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
398 x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
399 x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
400 x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
401 x ^= y ^ 0x63;
402
403 FSb[i] = (unsigned char) x;
404 RSb[x] = (unsigned char) i;
405 }
406
407 /*
408 * generate the forward and reverse tables
409 */
410 for (i = 0; i < 256; i++) {
411 x = FSb[i];
412 y = MBEDTLS_BYTE_0(XTIME(x));
413 z = MBEDTLS_BYTE_0(y ^ x);
414
415 FT0[i] = ((uint32_t) y) ^
416 ((uint32_t) x << 8) ^
417 ((uint32_t) x << 16) ^
418 ((uint32_t) z << 24);
419
420 #if !defined(MBEDTLS_AES_FEWER_TABLES)
421 FT1[i] = ROTL8(FT0[i]);
422 FT2[i] = ROTL8(FT1[i]);
423 FT3[i] = ROTL8(FT2[i]);
424 #endif /* !MBEDTLS_AES_FEWER_TABLES */
425
426 x = RSb[i];
427
428 RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
429 ((uint32_t) MUL(0x09, x) << 8) ^
430 ((uint32_t) MUL(0x0D, x) << 16) ^
431 ((uint32_t) MUL(0x0B, x) << 24);
432
433 #if !defined(MBEDTLS_AES_FEWER_TABLES)
434 RT1[i] = ROTL8(RT0[i]);
435 RT2[i] = ROTL8(RT1[i]);
436 RT3[i] = ROTL8(RT2[i]);
437 #endif /* !MBEDTLS_AES_FEWER_TABLES */
438 }
439 }
440
441 #undef ROTL8
442
443 #endif /* MBEDTLS_AES_ROM_TABLES */
444
445 #if defined(MBEDTLS_AES_FEWER_TABLES)
446
447 #define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24))
448 #define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
449 #define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8))
450
451 #define AES_RT0(idx) RT0[idx]
452 #define AES_RT1(idx) ROTL8(RT0[idx])
453 #define AES_RT2(idx) ROTL16(RT0[idx])
454 #define AES_RT3(idx) ROTL24(RT0[idx])
455
456 #define AES_FT0(idx) FT0[idx]
457 #define AES_FT1(idx) ROTL8(FT0[idx])
458 #define AES_FT2(idx) ROTL16(FT0[idx])
459 #define AES_FT3(idx) ROTL24(FT0[idx])
460
461 #else /* MBEDTLS_AES_FEWER_TABLES */
462
463 #define AES_RT0(idx) RT0[idx]
464 #define AES_RT1(idx) RT1[idx]
465 #define AES_RT2(idx) RT2[idx]
466 #define AES_RT3(idx) RT3[idx]
467
468 #define AES_FT0(idx) FT0[idx]
469 #define AES_FT1(idx) FT1[idx]
470 #define AES_FT2(idx) FT2[idx]
471 #define AES_FT3(idx) FT3[idx]
472
473 #endif /* MBEDTLS_AES_FEWER_TABLES */
474
mbedtls_aes_init(mbedtls_aes_context * ctx)475 void mbedtls_aes_init(mbedtls_aes_context *ctx)
476 {
477 memset(ctx, 0, sizeof(mbedtls_aes_context));
478 }
479
mbedtls_aes_free(mbedtls_aes_context * ctx)480 void mbedtls_aes_free(mbedtls_aes_context *ctx)
481 {
482 if (ctx == NULL) {
483 return;
484 }
485
486 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
487 }
488
489 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_init(mbedtls_aes_xts_context * ctx)490 void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
491 {
492 mbedtls_aes_init(&ctx->crypt);
493 mbedtls_aes_init(&ctx->tweak);
494 }
495
mbedtls_aes_xts_free(mbedtls_aes_xts_context * ctx)496 void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
497 {
498 if (ctx == NULL) {
499 return;
500 }
501
502 mbedtls_aes_free(&ctx->crypt);
503 mbedtls_aes_free(&ctx->tweak);
504 }
505 #endif /* MBEDTLS_CIPHER_MODE_XTS */
506
507 /* Some implementations need the round keys to be aligned.
508 * Return an offset to be added to buf, such that (buf + offset) is
509 * correctly aligned.
510 * Note that the offset is in units of elements of buf, i.e. 32-bit words,
511 * i.e. an offset of 1 means 4 bytes and so on.
512 */
513 #if (defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)) || \
514 (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
515 #define MAY_NEED_TO_ALIGN
516 #endif
mbedtls_aes_rk_offset(uint32_t * buf)517 static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
518 {
519 #if defined(MAY_NEED_TO_ALIGN)
520 int align_16_bytes = 0;
521
522 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
523 if (aes_padlock_ace == -1) {
524 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
525 }
526 if (aes_padlock_ace) {
527 align_16_bytes = 1;
528 }
529 #endif
530
531 #if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
532 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
533 align_16_bytes = 1;
534 }
535 #endif
536
537 if (align_16_bytes) {
538 /* These implementations needs 16-byte alignment
539 * for the round key array. */
540 unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4;
541 if (delta == 0) {
542 return 0;
543 } else {
544 return 4 - delta; // 16 bytes = 4 uint32_t
545 }
546 }
547 #else /* MAY_NEED_TO_ALIGN */
548 (void) buf;
549 #endif /* MAY_NEED_TO_ALIGN */
550
551 return 0;
552 }
553
554 /*
555 * AES key schedule (encryption)
556 */
557 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)558 int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
559 unsigned int keybits)
560 {
561 unsigned int i;
562 uint32_t *RK;
563
564 switch (keybits) {
565 case 128: ctx->nr = 10; break;
566 case 192: ctx->nr = 12; break;
567 case 256: ctx->nr = 14; break;
568 default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
569 }
570
571 #if !defined(MBEDTLS_AES_ROM_TABLES)
572 if (aes_init_done == 0) {
573 aes_gen_tables();
574 aes_init_done = 1;
575 }
576 #endif
577
578 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
579 RK = ctx->buf + ctx->rk_offset;
580
581 #if defined(MBEDTLS_AESNI_HAVE_CODE)
582 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
583 return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits);
584 }
585 #endif
586
587 #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
588 if (mbedtls_aesce_has_support()) {
589 return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits);
590 }
591 #endif
592
593 for (i = 0; i < (keybits >> 5); i++) {
594 RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
595 }
596
597 switch (ctx->nr) {
598 case 10:
599
600 for (i = 0; i < 10; i++, RK += 4) {
601 RK[4] = RK[0] ^ RCON[i] ^
602 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
603 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^
604 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^
605 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24);
606
607 RK[5] = RK[1] ^ RK[4];
608 RK[6] = RK[2] ^ RK[5];
609 RK[7] = RK[3] ^ RK[6];
610 }
611 break;
612
613 case 12:
614
615 for (i = 0; i < 8; i++, RK += 6) {
616 RK[6] = RK[0] ^ RCON[i] ^
617 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
618 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^
619 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^
620 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24);
621
622 RK[7] = RK[1] ^ RK[6];
623 RK[8] = RK[2] ^ RK[7];
624 RK[9] = RK[3] ^ RK[8];
625 RK[10] = RK[4] ^ RK[9];
626 RK[11] = RK[5] ^ RK[10];
627 }
628 break;
629
630 case 14:
631
632 for (i = 0; i < 7; i++, RK += 8) {
633 RK[8] = RK[0] ^ RCON[i] ^
634 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
635 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^
636 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^
637 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24);
638
639 RK[9] = RK[1] ^ RK[8];
640 RK[10] = RK[2] ^ RK[9];
641 RK[11] = RK[3] ^ RK[10];
642
643 RK[12] = RK[4] ^
644 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^
645 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^
646 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^
647 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24);
648
649 RK[13] = RK[5] ^ RK[12];
650 RK[14] = RK[6] ^ RK[13];
651 RK[15] = RK[7] ^ RK[14];
652 }
653 break;
654 }
655
656 return 0;
657 }
658 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
659
660 /*
661 * AES key schedule (decryption)
662 */
663 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)664 int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
665 unsigned int keybits)
666 {
667 int i, j, ret;
668 mbedtls_aes_context cty;
669 uint32_t *RK;
670 uint32_t *SK;
671
672 mbedtls_aes_init(&cty);
673
674 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
675 RK = ctx->buf + ctx->rk_offset;
676
677 /* Also checks keybits */
678 if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
679 goto exit;
680 }
681
682 ctx->nr = cty.nr;
683
684 #if defined(MBEDTLS_AESNI_HAVE_CODE)
685 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
686 mbedtls_aesni_inverse_key((unsigned char *) RK,
687 (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr);
688 goto exit;
689 }
690 #endif
691
692 #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
693 if (mbedtls_aesce_has_support()) {
694 mbedtls_aesce_inverse_key(
695 (unsigned char *) RK,
696 (const unsigned char *) (cty.buf + cty.rk_offset),
697 ctx->nr);
698 goto exit;
699 }
700 #endif
701
702 SK = cty.buf + cty.rk_offset + cty.nr * 4;
703
704 *RK++ = *SK++;
705 *RK++ = *SK++;
706 *RK++ = *SK++;
707 *RK++ = *SK++;
708
709 for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) {
710 for (j = 0; j < 4; j++, SK++) {
711 *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
712 AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
713 AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
714 AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]);
715 }
716 }
717
718 *RK++ = *SK++;
719 *RK++ = *SK++;
720 *RK++ = *SK++;
721 *RK++ = *SK++;
722
723 exit:
724 mbedtls_aes_free(&cty);
725
726 return ret;
727 }
728 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
729
730 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_decode_keys(const unsigned char * key,unsigned int keybits,const unsigned char ** key1,unsigned int * key1bits,const unsigned char ** key2,unsigned int * key2bits)731 static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
732 unsigned int keybits,
733 const unsigned char **key1,
734 unsigned int *key1bits,
735 const unsigned char **key2,
736 unsigned int *key2bits)
737 {
738 const unsigned int half_keybits = keybits / 2;
739 const unsigned int half_keybytes = half_keybits / 8;
740
741 switch (keybits) {
742 case 256: break;
743 case 512: break;
744 default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
745 }
746
747 *key1bits = half_keybits;
748 *key2bits = half_keybits;
749 *key1 = &key[0];
750 *key2 = &key[half_keybytes];
751
752 return 0;
753 }
754
mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)755 int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
756 const unsigned char *key,
757 unsigned int keybits)
758 {
759 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
760 const unsigned char *key1, *key2;
761 unsigned int key1bits, key2bits;
762
763 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
764 &key2, &key2bits);
765 if (ret != 0) {
766 return ret;
767 }
768
769 /* Set the tweak key. Always set tweak key for the encryption mode. */
770 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
771 if (ret != 0) {
772 return ret;
773 }
774
775 /* Set crypt key for encryption. */
776 return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
777 }
778
mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)779 int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
780 const unsigned char *key,
781 unsigned int keybits)
782 {
783 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
784 const unsigned char *key1, *key2;
785 unsigned int key1bits, key2bits;
786
787 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
788 &key2, &key2bits);
789 if (ret != 0) {
790 return ret;
791 }
792
793 /* Set the tweak key. Always set tweak key for encryption. */
794 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
795 if (ret != 0) {
796 return ret;
797 }
798
799 /* Set crypt key for decryption. */
800 return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
801 }
802 #endif /* MBEDTLS_CIPHER_MODE_XTS */
803
804 #define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
805 do \
806 { \
807 (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \
808 AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \
809 AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \
810 AES_FT3(MBEDTLS_BYTE_3(Y3)); \
811 \
812 (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \
813 AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \
814 AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \
815 AES_FT3(MBEDTLS_BYTE_3(Y0)); \
816 \
817 (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \
818 AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \
819 AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \
820 AES_FT3(MBEDTLS_BYTE_3(Y1)); \
821 \
822 (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \
823 AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \
824 AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \
825 AES_FT3(MBEDTLS_BYTE_3(Y2)); \
826 } while (0)
827
828 #define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
829 do \
830 { \
831 (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \
832 AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \
833 AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \
834 AES_RT3(MBEDTLS_BYTE_3(Y1)); \
835 \
836 (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \
837 AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \
838 AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \
839 AES_RT3(MBEDTLS_BYTE_3(Y2)); \
840 \
841 (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \
842 AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \
843 AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \
844 AES_RT3(MBEDTLS_BYTE_3(Y3)); \
845 \
846 (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \
847 AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \
848 AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \
849 AES_RT3(MBEDTLS_BYTE_3(Y0)); \
850 } while (0)
851
852 /*
853 * AES-ECB block encryption
854 */
855 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
mbedtls_internal_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])856 int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
857 const unsigned char input[16],
858 unsigned char output[16])
859 {
860 int i;
861 uint32_t *RK = ctx->buf + ctx->rk_offset;
862 struct {
863 uint32_t X[4];
864 uint32_t Y[4];
865 } t;
866
867 t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
868 t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
869 t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
870 t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
871
872 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
873 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
874 AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
875 }
876
877 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
878
879 t.X[0] = *RK++ ^ \
880 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
881 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
882 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
883 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
884
885 t.X[1] = *RK++ ^ \
886 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
887 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
888 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
889 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
890
891 t.X[2] = *RK++ ^ \
892 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
893 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
894 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
895 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
896
897 t.X[3] = *RK++ ^ \
898 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
899 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
900 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
901 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
902
903 MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
904 MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
905 MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
906 MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
907
908 mbedtls_platform_zeroize(&t, sizeof(t));
909
910 return 0;
911 }
912 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
913
914 /*
915 * AES-ECB block decryption
916 */
917 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
mbedtls_internal_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])918 int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
919 const unsigned char input[16],
920 unsigned char output[16])
921 {
922 int i;
923 uint32_t *RK = ctx->buf + ctx->rk_offset;
924 struct {
925 uint32_t X[4];
926 uint32_t Y[4];
927 } t;
928
929 t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
930 t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
931 t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
932 t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
933
934 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
935 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
936 AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
937 }
938
939 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
940
941 t.X[0] = *RK++ ^ \
942 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
943 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
944 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
945 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
946
947 t.X[1] = *RK++ ^ \
948 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
949 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
950 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
951 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
952
953 t.X[2] = *RK++ ^ \
954 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
955 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
956 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
957 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
958
959 t.X[3] = *RK++ ^ \
960 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
961 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
962 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
963 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
964
965 MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
966 MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
967 MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
968 MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
969
970 mbedtls_platform_zeroize(&t, sizeof(t));
971
972 return 0;
973 }
974 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
975
976 #if defined(MAY_NEED_TO_ALIGN)
977 /* VIA Padlock and our intrinsics-based implementation of AESNI require
978 * the round keys to be aligned on a 16-byte boundary. We take care of this
979 * before creating them, but the AES context may have moved (this can happen
980 * if the library is called from a language with managed memory), and in later
981 * calls it might have a different alignment with respect to 16-byte memory.
982 * So we may need to realign.
983 */
aes_maybe_realign(mbedtls_aes_context * ctx)984 static void aes_maybe_realign(mbedtls_aes_context *ctx)
985 {
986 unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf);
987 if (new_offset != ctx->rk_offset) {
988 memmove(ctx->buf + new_offset, // new address
989 ctx->buf + ctx->rk_offset, // current address
990 (ctx->nr + 1) * 16); // number of round keys * bytes per rk
991 ctx->rk_offset = new_offset;
992 }
993 }
994 #endif
995
996 /*
997 * AES-ECB block encryption/decryption
998 */
mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])999 int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
1000 int mode,
1001 const unsigned char input[16],
1002 unsigned char output[16])
1003 {
1004 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1005 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1006 }
1007
1008 #if defined(MAY_NEED_TO_ALIGN)
1009 aes_maybe_realign(ctx);
1010 #endif
1011
1012 #if defined(MBEDTLS_AESNI_HAVE_CODE)
1013 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
1014 return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
1015 }
1016 #endif
1017
1018 #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
1019 if (mbedtls_aesce_has_support()) {
1020 return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
1021 }
1022 #endif
1023
1024 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1025 if (aes_padlock_ace > 0) {
1026 return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
1027 }
1028 #endif
1029
1030 if (mode == MBEDTLS_AES_ENCRYPT) {
1031 return mbedtls_internal_aes_encrypt(ctx, input, output);
1032 } else {
1033 return mbedtls_internal_aes_decrypt(ctx, input, output);
1034 }
1035 }
1036
1037 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1038 /*
1039 * AES-CBC buffer encryption/decryption
1040 */
mbedtls_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1041 int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
1042 int mode,
1043 size_t length,
1044 unsigned char iv[16],
1045 const unsigned char *input,
1046 unsigned char *output)
1047 {
1048 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1049 unsigned char temp[16];
1050
1051 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1052 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1053 }
1054
1055 if (length % 16) {
1056 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1057 }
1058
1059 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1060 if (aes_padlock_ace > 0) {
1061 if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
1062 return 0;
1063 }
1064
1065 // If padlock data misaligned, we just fall back to
1066 // unaccelerated mode
1067 //
1068 }
1069 #endif
1070
1071 if (mode == MBEDTLS_AES_DECRYPT) {
1072 while (length > 0) {
1073 memcpy(temp, input, 16);
1074 ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output);
1075 if (ret != 0) {
1076 goto exit;
1077 }
1078
1079 mbedtls_xor(output, output, iv, 16);
1080
1081 memcpy(iv, temp, 16);
1082
1083 input += 16;
1084 output += 16;
1085 length -= 16;
1086 }
1087 } else {
1088 while (length > 0) {
1089 mbedtls_xor(output, input, iv, 16);
1090
1091 ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
1092 if (ret != 0) {
1093 goto exit;
1094 }
1095 memcpy(iv, output, 16);
1096
1097 input += 16;
1098 output += 16;
1099 length -= 16;
1100 }
1101 }
1102 ret = 0;
1103
1104 exit:
1105 return ret;
1106 }
1107 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1108
1109 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1110
1111 typedef unsigned char mbedtls_be128[16];
1112
1113 /*
1114 * GF(2^128) multiplication function
1115 *
1116 * This function multiplies a field element by x in the polynomial field
1117 * representation. It uses 64-bit word operations to gain speed but compensates
1118 * for machine endianness and hence works correctly on both big and little
1119 * endian machines.
1120 */
mbedtls_gf128mul_x_ble(unsigned char r[16],const unsigned char x[16])1121 static void mbedtls_gf128mul_x_ble(unsigned char r[16],
1122 const unsigned char x[16])
1123 {
1124 uint64_t a, b, ra, rb;
1125
1126 a = MBEDTLS_GET_UINT64_LE(x, 0);
1127 b = MBEDTLS_GET_UINT64_LE(x, 8);
1128
1129 ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
1130 rb = (a >> 63) | (b << 1);
1131
1132 MBEDTLS_PUT_UINT64_LE(ra, r, 0);
1133 MBEDTLS_PUT_UINT64_LE(rb, r, 8);
1134 }
1135
1136 /*
1137 * AES-XTS buffer encryption/decryption
1138 */
mbedtls_aes_crypt_xts(mbedtls_aes_xts_context * ctx,int mode,size_t length,const unsigned char data_unit[16],const unsigned char * input,unsigned char * output)1139 int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
1140 int mode,
1141 size_t length,
1142 const unsigned char data_unit[16],
1143 const unsigned char *input,
1144 unsigned char *output)
1145 {
1146 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1147 size_t blocks = length / 16;
1148 size_t leftover = length % 16;
1149 unsigned char tweak[16];
1150 unsigned char prev_tweak[16];
1151 unsigned char tmp[16];
1152
1153 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1154 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1155 }
1156
1157 /* Data units must be at least 16 bytes long. */
1158 if (length < 16) {
1159 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1160 }
1161
1162 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1163 if (length > (1 << 20) * 16) {
1164 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1165 }
1166
1167 /* Compute the tweak. */
1168 ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
1169 data_unit, tweak);
1170 if (ret != 0) {
1171 return ret;
1172 }
1173
1174 while (blocks--) {
1175 if (leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0) {
1176 /* We are on the last block in a decrypt operation that has
1177 * leftover bytes, so we need to use the next tweak for this block,
1178 * and this tweak for the leftover bytes. Save the current tweak for
1179 * the leftovers and then update the current tweak for use on this,
1180 * the last full block. */
1181 memcpy(prev_tweak, tweak, sizeof(tweak));
1182 mbedtls_gf128mul_x_ble(tweak, tweak);
1183 }
1184
1185 mbedtls_xor(tmp, input, tweak, 16);
1186
1187 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1188 if (ret != 0) {
1189 return ret;
1190 }
1191
1192 mbedtls_xor(output, tmp, tweak, 16);
1193
1194 /* Update the tweak for the next block. */
1195 mbedtls_gf128mul_x_ble(tweak, tweak);
1196
1197 output += 16;
1198 input += 16;
1199 }
1200
1201 if (leftover) {
1202 /* If we are on the leftover bytes in a decrypt operation, we need to
1203 * use the previous tweak for these bytes (as saved in prev_tweak). */
1204 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1205
1206 /* We are now on the final part of the data unit, which doesn't divide
1207 * evenly by 16. It's time for ciphertext stealing. */
1208 size_t i;
1209 unsigned char *prev_output = output - 16;
1210
1211 /* Copy ciphertext bytes from the previous block to our output for each
1212 * byte of ciphertext we won't steal. */
1213 for (i = 0; i < leftover; i++) {
1214 output[i] = prev_output[i];
1215 }
1216
1217 /* Copy the remainder of the input for this final round. */
1218 mbedtls_xor(tmp, input, t, leftover);
1219
1220 /* Copy ciphertext bytes from the previous block for input in this
1221 * round. */
1222 mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i);
1223
1224 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1225 if (ret != 0) {
1226 return ret;
1227 }
1228
1229 /* Write the result back to the previous block, overriding the previous
1230 * output we copied. */
1231 mbedtls_xor(prev_output, tmp, t, 16);
1232 }
1233
1234 return 0;
1235 }
1236 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1237
1238 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1239 /*
1240 * AES-CFB128 buffer encryption/decryption
1241 */
mbedtls_aes_crypt_cfb128(mbedtls_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1242 int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
1243 int mode,
1244 size_t length,
1245 size_t *iv_off,
1246 unsigned char iv[16],
1247 const unsigned char *input,
1248 unsigned char *output)
1249 {
1250 int c;
1251 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1252 size_t n;
1253
1254 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1255 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1256 }
1257
1258 n = *iv_off;
1259
1260 if (n > 15) {
1261 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1262 }
1263
1264 if (mode == MBEDTLS_AES_DECRYPT) {
1265 while (length--) {
1266 if (n == 0) {
1267 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1268 if (ret != 0) {
1269 goto exit;
1270 }
1271 }
1272
1273 c = *input++;
1274 *output++ = (unsigned char) (c ^ iv[n]);
1275 iv[n] = (unsigned char) c;
1276
1277 n = (n + 1) & 0x0F;
1278 }
1279 } else {
1280 while (length--) {
1281 if (n == 0) {
1282 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1283 if (ret != 0) {
1284 goto exit;
1285 }
1286 }
1287
1288 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
1289
1290 n = (n + 1) & 0x0F;
1291 }
1292 }
1293
1294 *iv_off = n;
1295 ret = 0;
1296
1297 exit:
1298 return ret;
1299 }
1300
1301 /*
1302 * AES-CFB8 buffer encryption/decryption
1303 */
mbedtls_aes_crypt_cfb8(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1304 int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
1305 int mode,
1306 size_t length,
1307 unsigned char iv[16],
1308 const unsigned char *input,
1309 unsigned char *output)
1310 {
1311 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1312 unsigned char c;
1313 unsigned char ov[17];
1314
1315 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1316 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1317 }
1318 while (length--) {
1319 memcpy(ov, iv, 16);
1320 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1321 if (ret != 0) {
1322 goto exit;
1323 }
1324
1325 if (mode == MBEDTLS_AES_DECRYPT) {
1326 ov[16] = *input;
1327 }
1328
1329 c = *output++ = (unsigned char) (iv[0] ^ *input++);
1330
1331 if (mode == MBEDTLS_AES_ENCRYPT) {
1332 ov[16] = c;
1333 }
1334
1335 memcpy(iv, ov + 1, 16);
1336 }
1337 ret = 0;
1338
1339 exit:
1340 return ret;
1341 }
1342 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1343
1344 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1345 /*
1346 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1347 */
mbedtls_aes_crypt_ofb(mbedtls_aes_context * ctx,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1348 int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
1349 size_t length,
1350 size_t *iv_off,
1351 unsigned char iv[16],
1352 const unsigned char *input,
1353 unsigned char *output)
1354 {
1355 int ret = 0;
1356 size_t n;
1357
1358 n = *iv_off;
1359
1360 if (n > 15) {
1361 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1362 }
1363
1364 while (length--) {
1365 if (n == 0) {
1366 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1367 if (ret != 0) {
1368 goto exit;
1369 }
1370 }
1371 *output++ = *input++ ^ iv[n];
1372
1373 n = (n + 1) & 0x0F;
1374 }
1375
1376 *iv_off = n;
1377
1378 exit:
1379 return ret;
1380 }
1381 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1382
1383 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1384 /*
1385 * AES-CTR buffer encryption/decryption
1386 */
mbedtls_aes_crypt_ctr(mbedtls_aes_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)1387 int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
1388 size_t length,
1389 size_t *nc_off,
1390 unsigned char nonce_counter[16],
1391 unsigned char stream_block[16],
1392 const unsigned char *input,
1393 unsigned char *output)
1394 {
1395 int c, i;
1396 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1397 size_t n;
1398
1399 n = *nc_off;
1400
1401 if (n > 0x0F) {
1402 return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1403 }
1404
1405 while (length--) {
1406 if (n == 0) {
1407 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
1408 if (ret != 0) {
1409 goto exit;
1410 }
1411
1412 for (i = 16; i > 0; i--) {
1413 if (++nonce_counter[i - 1] != 0) {
1414 break;
1415 }
1416 }
1417 }
1418 c = *input++;
1419 *output++ = (unsigned char) (c ^ stream_block[n]);
1420
1421 n = (n + 1) & 0x0F;
1422 }
1423
1424 *nc_off = n;
1425 ret = 0;
1426
1427 exit:
1428 return ret;
1429 }
1430 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1431
1432 #endif /* !MBEDTLS_AES_ALT */
1433
1434 #if defined(MBEDTLS_SELF_TEST)
1435 /*
1436 * AES test vectors from:
1437 *
1438 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1439 */
1440 static const unsigned char aes_test_ecb_dec[3][16] =
1441 {
1442 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1443 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1444 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1445 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1446 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1447 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1448 };
1449
1450 static const unsigned char aes_test_ecb_enc[3][16] =
1451 {
1452 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1453 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1454 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1455 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1456 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1457 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1458 };
1459
1460 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1461 static const unsigned char aes_test_cbc_dec[3][16] =
1462 {
1463 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1464 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1465 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1466 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1467 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1468 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1469 };
1470
1471 static const unsigned char aes_test_cbc_enc[3][16] =
1472 {
1473 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1474 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1475 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1476 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1477 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1478 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1479 };
1480 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1481
1482 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1483 /*
1484 * AES-CFB128 test vectors from:
1485 *
1486 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1487 */
1488 static const unsigned char aes_test_cfb128_key[3][32] =
1489 {
1490 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1491 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1492 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1493 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1494 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1495 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1496 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1497 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1498 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1499 };
1500
1501 static const unsigned char aes_test_cfb128_iv[16] =
1502 {
1503 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1504 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1505 };
1506
1507 static const unsigned char aes_test_cfb128_pt[64] =
1508 {
1509 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1510 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1511 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1512 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1513 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1514 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1515 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1516 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1517 };
1518
1519 static const unsigned char aes_test_cfb128_ct[3][64] =
1520 {
1521 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1522 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1523 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1524 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1525 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1526 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1527 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1528 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1529 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1530 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1531 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1532 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1533 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1534 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1535 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1536 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1537 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1538 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1539 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1540 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1541 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1542 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1543 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1544 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1545 };
1546 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1547
1548 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1549 /*
1550 * AES-OFB test vectors from:
1551 *
1552 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1553 */
1554 static const unsigned char aes_test_ofb_key[3][32] =
1555 {
1556 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1557 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1558 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1559 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1560 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1561 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1562 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1563 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1564 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1565 };
1566
1567 static const unsigned char aes_test_ofb_iv[16] =
1568 {
1569 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1570 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1571 };
1572
1573 static const unsigned char aes_test_ofb_pt[64] =
1574 {
1575 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1576 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1577 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1578 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1579 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1580 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1581 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1582 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1583 };
1584
1585 static const unsigned char aes_test_ofb_ct[3][64] =
1586 {
1587 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1588 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1589 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1590 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1591 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1592 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1593 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1594 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1595 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1596 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1597 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1598 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1599 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1600 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1601 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1602 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1603 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1604 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1605 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1606 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1607 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1608 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1609 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1610 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1611 };
1612 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1613
1614 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1615 /*
1616 * AES-CTR test vectors from:
1617 *
1618 * http://www.faqs.org/rfcs/rfc3686.html
1619 */
1620
1621 static const unsigned char aes_test_ctr_key[3][16] =
1622 {
1623 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1624 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1625 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1626 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1627 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1628 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1629 };
1630
1631 static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1632 {
1633 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1635 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1636 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1637 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1638 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1639 };
1640
1641 static const unsigned char aes_test_ctr_pt[3][48] =
1642 {
1643 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1644 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1645
1646 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1647 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1648 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1649 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1650
1651 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1652 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1653 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1654 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1655 0x20, 0x21, 0x22, 0x23 }
1656 };
1657
1658 static const unsigned char aes_test_ctr_ct[3][48] =
1659 {
1660 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1661 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1662 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1663 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1664 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1665 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1666 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1667 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1668 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1669 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1670 0x25, 0xB2, 0x07, 0x2F }
1671 };
1672
1673 static const int aes_test_ctr_len[3] =
1674 { 16, 32, 36 };
1675 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1676
1677 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1678 /*
1679 * AES-XTS test vectors from:
1680 *
1681 * IEEE P1619/D16 Annex B
1682 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1683 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1684 */
1685 static const unsigned char aes_test_xts_key[][32] =
1686 {
1687 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1691 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1692 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1693 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1694 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1695 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1696 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1697 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1698 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1699 };
1700
1701 static const unsigned char aes_test_xts_pt32[][32] =
1702 {
1703 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1707 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1708 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1709 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1710 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1711 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1712 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1713 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1714 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1715 };
1716
1717 static const unsigned char aes_test_xts_ct32[][32] =
1718 {
1719 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1720 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1721 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1722 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1723 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1724 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1725 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1726 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1727 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1728 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1729 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1730 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1731 };
1732
1733 static const unsigned char aes_test_xts_data_unit[][16] =
1734 {
1735 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1737 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1738 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1739 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1740 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1741 };
1742
1743 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1744
1745 /*
1746 * Checkup routine
1747 */
mbedtls_aes_self_test(int verbose)1748 int mbedtls_aes_self_test(int verbose)
1749 {
1750 int ret = 0, i, j, u, mode;
1751 unsigned int keybits;
1752 unsigned char key[32];
1753 unsigned char buf[64];
1754 const unsigned char *aes_tests;
1755 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1756 defined(MBEDTLS_CIPHER_MODE_OFB)
1757 unsigned char iv[16];
1758 #endif
1759 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1760 unsigned char prv[16];
1761 #endif
1762 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1763 defined(MBEDTLS_CIPHER_MODE_OFB)
1764 size_t offset;
1765 #endif
1766 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1767 int len;
1768 #endif
1769 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1770 unsigned char nonce_counter[16];
1771 unsigned char stream_block[16];
1772 #endif
1773 mbedtls_aes_context ctx;
1774
1775 memset(key, 0, 32);
1776 mbedtls_aes_init(&ctx);
1777
1778 if (verbose != 0) {
1779 #if defined(MBEDTLS_AES_ALT)
1780 mbedtls_printf(" AES note: alternative implementation.\n");
1781 #else /* MBEDTLS_AES_ALT */
1782 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1783 if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
1784 mbedtls_printf(" AES note: using VIA Padlock.\n");
1785 } else
1786 #endif
1787 #if defined(MBEDTLS_AESNI_HAVE_CODE)
1788 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
1789 mbedtls_printf(" AES note: using AESNI.\n");
1790 } else
1791 #endif
1792 #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
1793 if (mbedtls_aesce_has_support()) {
1794 mbedtls_printf(" AES note: using AESCE.\n");
1795 } else
1796 #endif
1797 mbedtls_printf(" AES note: built-in implementation.\n");
1798 #endif /* MBEDTLS_AES_ALT */
1799 }
1800
1801 /*
1802 * ECB mode
1803 */
1804 for (i = 0; i < 6; i++) {
1805 u = i >> 1;
1806 keybits = 128 + u * 64;
1807 mode = i & 1;
1808
1809 if (verbose != 0) {
1810 mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
1811 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1812 }
1813
1814 memset(buf, 0, 16);
1815
1816 if (mode == MBEDTLS_AES_DECRYPT) {
1817 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1818 aes_tests = aes_test_ecb_dec[u];
1819 } else {
1820 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1821 aes_tests = aes_test_ecb_enc[u];
1822 }
1823
1824 /*
1825 * AES-192 is an optional feature that may be unavailable when
1826 * there is an alternative underlying implementation i.e. when
1827 * MBEDTLS_AES_ALT is defined.
1828 */
1829 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1830 mbedtls_printf("skipped\n");
1831 continue;
1832 } else if (ret != 0) {
1833 goto exit;
1834 }
1835
1836 for (j = 0; j < 10000; j++) {
1837 ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
1838 if (ret != 0) {
1839 goto exit;
1840 }
1841 }
1842
1843 if (memcmp(buf, aes_tests, 16) != 0) {
1844 ret = 1;
1845 goto exit;
1846 }
1847
1848 if (verbose != 0) {
1849 mbedtls_printf("passed\n");
1850 }
1851 }
1852
1853 if (verbose != 0) {
1854 mbedtls_printf("\n");
1855 }
1856
1857 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1858 /*
1859 * CBC mode
1860 */
1861 for (i = 0; i < 6; i++) {
1862 u = i >> 1;
1863 keybits = 128 + u * 64;
1864 mode = i & 1;
1865
1866 if (verbose != 0) {
1867 mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
1868 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1869 }
1870
1871 memset(iv, 0, 16);
1872 memset(prv, 0, 16);
1873 memset(buf, 0, 16);
1874
1875 if (mode == MBEDTLS_AES_DECRYPT) {
1876 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1877 aes_tests = aes_test_cbc_dec[u];
1878 } else {
1879 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1880 aes_tests = aes_test_cbc_enc[u];
1881 }
1882
1883 /*
1884 * AES-192 is an optional feature that may be unavailable when
1885 * there is an alternative underlying implementation i.e. when
1886 * MBEDTLS_AES_ALT is defined.
1887 */
1888 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1889 mbedtls_printf("skipped\n");
1890 continue;
1891 } else if (ret != 0) {
1892 goto exit;
1893 }
1894
1895 for (j = 0; j < 10000; j++) {
1896 if (mode == MBEDTLS_AES_ENCRYPT) {
1897 unsigned char tmp[16];
1898
1899 memcpy(tmp, prv, 16);
1900 memcpy(prv, buf, 16);
1901 memcpy(buf, tmp, 16);
1902 }
1903
1904 ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
1905 if (ret != 0) {
1906 goto exit;
1907 }
1908
1909 }
1910
1911 if (memcmp(buf, aes_tests, 16) != 0) {
1912 ret = 1;
1913 goto exit;
1914 }
1915
1916 if (verbose != 0) {
1917 mbedtls_printf("passed\n");
1918 }
1919 }
1920
1921 if (verbose != 0) {
1922 mbedtls_printf("\n");
1923 }
1924 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1925
1926 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1927 /*
1928 * CFB128 mode
1929 */
1930 for (i = 0; i < 6; i++) {
1931 u = i >> 1;
1932 keybits = 128 + u * 64;
1933 mode = i & 1;
1934
1935 if (verbose != 0) {
1936 mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
1937 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1938 }
1939
1940 memcpy(iv, aes_test_cfb128_iv, 16);
1941 memcpy(key, aes_test_cfb128_key[u], keybits / 8);
1942
1943 offset = 0;
1944 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1945 /*
1946 * AES-192 is an optional feature that may be unavailable when
1947 * there is an alternative underlying implementation i.e. when
1948 * MBEDTLS_AES_ALT is defined.
1949 */
1950 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1951 mbedtls_printf("skipped\n");
1952 continue;
1953 } else if (ret != 0) {
1954 goto exit;
1955 }
1956
1957 if (mode == MBEDTLS_AES_DECRYPT) {
1958 memcpy(buf, aes_test_cfb128_ct[u], 64);
1959 aes_tests = aes_test_cfb128_pt;
1960 } else {
1961 memcpy(buf, aes_test_cfb128_pt, 64);
1962 aes_tests = aes_test_cfb128_ct[u];
1963 }
1964
1965 ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
1966 if (ret != 0) {
1967 goto exit;
1968 }
1969
1970 if (memcmp(buf, aes_tests, 64) != 0) {
1971 ret = 1;
1972 goto exit;
1973 }
1974
1975 if (verbose != 0) {
1976 mbedtls_printf("passed\n");
1977 }
1978 }
1979
1980 if (verbose != 0) {
1981 mbedtls_printf("\n");
1982 }
1983 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1984
1985 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1986 /*
1987 * OFB mode
1988 */
1989 for (i = 0; i < 6; i++) {
1990 u = i >> 1;
1991 keybits = 128 + u * 64;
1992 mode = i & 1;
1993
1994 if (verbose != 0) {
1995 mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
1996 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1997 }
1998
1999 memcpy(iv, aes_test_ofb_iv, 16);
2000 memcpy(key, aes_test_ofb_key[u], keybits / 8);
2001
2002 offset = 0;
2003 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2004 /*
2005 * AES-192 is an optional feature that may be unavailable when
2006 * there is an alternative underlying implementation i.e. when
2007 * MBEDTLS_AES_ALT is defined.
2008 */
2009 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2010 mbedtls_printf("skipped\n");
2011 continue;
2012 } else if (ret != 0) {
2013 goto exit;
2014 }
2015
2016 if (mode == MBEDTLS_AES_DECRYPT) {
2017 memcpy(buf, aes_test_ofb_ct[u], 64);
2018 aes_tests = aes_test_ofb_pt;
2019 } else {
2020 memcpy(buf, aes_test_ofb_pt, 64);
2021 aes_tests = aes_test_ofb_ct[u];
2022 }
2023
2024 ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
2025 if (ret != 0) {
2026 goto exit;
2027 }
2028
2029 if (memcmp(buf, aes_tests, 64) != 0) {
2030 ret = 1;
2031 goto exit;
2032 }
2033
2034 if (verbose != 0) {
2035 mbedtls_printf("passed\n");
2036 }
2037 }
2038
2039 if (verbose != 0) {
2040 mbedtls_printf("\n");
2041 }
2042 #endif /* MBEDTLS_CIPHER_MODE_OFB */
2043
2044 #if defined(MBEDTLS_CIPHER_MODE_CTR)
2045 /*
2046 * CTR mode
2047 */
2048 for (i = 0; i < 6; i++) {
2049 u = i >> 1;
2050 mode = i & 1;
2051
2052 if (verbose != 0) {
2053 mbedtls_printf(" AES-CTR-128 (%s): ",
2054 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2055 }
2056
2057 memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
2058 memcpy(key, aes_test_ctr_key[u], 16);
2059
2060 offset = 0;
2061 if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
2062 goto exit;
2063 }
2064
2065 len = aes_test_ctr_len[u];
2066
2067 if (mode == MBEDTLS_AES_DECRYPT) {
2068 memcpy(buf, aes_test_ctr_ct[u], len);
2069 aes_tests = aes_test_ctr_pt[u];
2070 } else {
2071 memcpy(buf, aes_test_ctr_pt[u], len);
2072 aes_tests = aes_test_ctr_ct[u];
2073 }
2074
2075 ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
2076 stream_block, buf, buf);
2077 if (ret != 0) {
2078 goto exit;
2079 }
2080
2081 if (memcmp(buf, aes_tests, len) != 0) {
2082 ret = 1;
2083 goto exit;
2084 }
2085
2086 if (verbose != 0) {
2087 mbedtls_printf("passed\n");
2088 }
2089 }
2090
2091 if (verbose != 0) {
2092 mbedtls_printf("\n");
2093 }
2094 #endif /* MBEDTLS_CIPHER_MODE_CTR */
2095
2096 #if defined(MBEDTLS_CIPHER_MODE_XTS)
2097 {
2098 static const int num_tests =
2099 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2100 mbedtls_aes_xts_context ctx_xts;
2101
2102 /*
2103 * XTS mode
2104 */
2105 mbedtls_aes_xts_init(&ctx_xts);
2106
2107 for (i = 0; i < num_tests << 1; i++) {
2108 const unsigned char *data_unit;
2109 u = i >> 1;
2110 mode = i & 1;
2111
2112 if (verbose != 0) {
2113 mbedtls_printf(" AES-XTS-128 (%s): ",
2114 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2115 }
2116
2117 memset(key, 0, sizeof(key));
2118 memcpy(key, aes_test_xts_key[u], 32);
2119 data_unit = aes_test_xts_data_unit[u];
2120
2121 len = sizeof(*aes_test_xts_ct32);
2122
2123 if (mode == MBEDTLS_AES_DECRYPT) {
2124 ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
2125 if (ret != 0) {
2126 goto exit;
2127 }
2128 memcpy(buf, aes_test_xts_ct32[u], len);
2129 aes_tests = aes_test_xts_pt32[u];
2130 } else {
2131 ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
2132 if (ret != 0) {
2133 goto exit;
2134 }
2135 memcpy(buf, aes_test_xts_pt32[u], len);
2136 aes_tests = aes_test_xts_ct32[u];
2137 }
2138
2139
2140 ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
2141 buf, buf);
2142 if (ret != 0) {
2143 goto exit;
2144 }
2145
2146 if (memcmp(buf, aes_tests, len) != 0) {
2147 ret = 1;
2148 goto exit;
2149 }
2150
2151 if (verbose != 0) {
2152 mbedtls_printf("passed\n");
2153 }
2154 }
2155
2156 if (verbose != 0) {
2157 mbedtls_printf("\n");
2158 }
2159
2160 mbedtls_aes_xts_free(&ctx_xts);
2161 }
2162 #endif /* MBEDTLS_CIPHER_MODE_XTS */
2163
2164 ret = 0;
2165
2166 exit:
2167 if (ret != 0 && verbose != 0) {
2168 mbedtls_printf("failed\n");
2169 }
2170
2171 mbedtls_aes_free(&ctx);
2172
2173 return ret;
2174 }
2175
2176 #endif /* MBEDTLS_SELF_TEST */
2177
2178 #endif /* MBEDTLS_AES_C */
2179
