Lines Matching +full:- +full:c1 +full:- +full:16
2 * FIPS-197 compliant AES implementation
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
10 …src.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/…
11 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
59 * This is a convenience shorthand macro to check if we need reverse S-box and
71 static int aes_padlock_ace = -1;
76 * Forward S-box
139 V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
143 V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
149 V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
158 V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
174 V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
182 V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
203 * Reverse S-box
261 V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
275 V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
283 V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
284 V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
286 V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
299 V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
307 V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
308 V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
343 * Forward S-box & tables
352 * Reverse S-box & tables
400 * generate the forward and reverse S-boxes in aes_gen_tables()
408 x = pow[255 - log[i]]; in aes_gen_tables()
432 ((uint32_t) x << 16) ^ in aes_gen_tables()
446 ((uint32_t) MUL(0x0D, x) << 16) ^ in aes_gen_tables()
465 #define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
509 mbedtls_aes_init(&ctx->crypt); in mbedtls_aes_xts_init()
510 mbedtls_aes_init(&ctx->tweak); in mbedtls_aes_xts_init()
519 mbedtls_aes_free(&ctx->crypt); in mbedtls_aes_xts_free()
520 mbedtls_aes_free(&ctx->tweak); in mbedtls_aes_xts_free()
527 * Note that the offset is in units of elements of buf, i.e. 32-bit words,
541 if (aes_padlock_ace == -1) { in mbedtls_aes_rk_offset()
556 /* These implementations needs 16-byte alignment in mbedtls_aes_rk_offset()
562 return 4 - delta; // 16 bytes = 4 uint32_t in mbedtls_aes_rk_offset()
582 case 128: ctx->nr = 10; break; in mbedtls_aes_setkey_enc()
584 case 192: ctx->nr = 12; break; in mbedtls_aes_setkey_enc()
585 case 256: ctx->nr = 14; break; in mbedtls_aes_setkey_enc()
597 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); in mbedtls_aes_setkey_enc()
598 RK = ctx->buf + ctx->rk_offset; in mbedtls_aes_setkey_enc()
617 switch (ctx->nr) { in mbedtls_aes_setkey_enc()
624 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^ in mbedtls_aes_setkey_enc()
640 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^ in mbedtls_aes_setkey_enc()
657 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^ in mbedtls_aes_setkey_enc()
667 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^ in mbedtls_aes_setkey_enc()
700 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); in mbedtls_aes_setkey_dec()
701 RK = ctx->buf + ctx->rk_offset; in mbedtls_aes_setkey_dec()
708 ctx->nr = cty.nr; in mbedtls_aes_setkey_dec()
713 (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr); in mbedtls_aes_setkey_dec()
723 ctx->nr); in mbedtls_aes_setkey_dec()
735 SK -= 8; in mbedtls_aes_setkey_dec()
736 for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) { in mbedtls_aes_setkey_dec()
797 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); in mbedtls_aes_xts_setkey_enc()
803 return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits); in mbedtls_aes_xts_setkey_enc()
821 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); in mbedtls_aes_xts_setkey_dec()
827 return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits); in mbedtls_aes_xts_setkey_dec()
880 * AES-ECB block encryption
884 const unsigned char input[16], in mbedtls_internal_aes_encrypt() argument
885 unsigned char output[16]) in mbedtls_internal_aes_encrypt() argument
888 uint32_t *RK = ctx->buf + ctx->rk_offset; in mbedtls_internal_aes_encrypt()
899 for (i = (ctx->nr >> 1) - 1; i > 0; i--) { in mbedtls_internal_aes_encrypt()
909 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ in mbedtls_internal_aes_encrypt()
915 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ in mbedtls_internal_aes_encrypt()
921 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ in mbedtls_internal_aes_encrypt()
927 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ in mbedtls_internal_aes_encrypt()
942 * AES-ECB block decryption
946 const unsigned char input[16], in mbedtls_internal_aes_decrypt() argument
947 unsigned char output[16]) in mbedtls_internal_aes_decrypt() argument
950 uint32_t *RK = ctx->buf + ctx->rk_offset; in mbedtls_internal_aes_decrypt()
961 for (i = (ctx->nr >> 1) - 1; i > 0; i--) { in mbedtls_internal_aes_decrypt()
971 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ in mbedtls_internal_aes_decrypt()
977 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ in mbedtls_internal_aes_decrypt()
983 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ in mbedtls_internal_aes_decrypt()
989 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ in mbedtls_internal_aes_decrypt()
1003 /* VIA Padlock and our intrinsics-based implementation of AESNI require
1004 * the round keys to be aligned on a 16-byte boundary. We take care of this
1007 * calls it might have a different alignment with respect to 16-byte memory.
1012 unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf); in aes_maybe_realign()
1013 if (new_offset != ctx->rk_offset) { in aes_maybe_realign()
1014 memmove(ctx->buf + new_offset, // new address in aes_maybe_realign()
1015 ctx->buf + ctx->rk_offset, // current address in aes_maybe_realign()
1016 (ctx->nr + 1) * 16); // number of round keys * bytes per rk in aes_maybe_realign()
1017 ctx->rk_offset = new_offset; in aes_maybe_realign()
1022 * AES-ECB block encryption/decryption
1026 const unsigned char input[16], in mbedtls_aes_crypt_ecb() argument
1027 unsigned char output[16]) in mbedtls_aes_crypt_ecb() argument
1070 * AES-CBC buffer encryption/decryption
1075 unsigned char iv[16], in mbedtls_aes_crypt_cbc() argument
1080 unsigned char temp[16]; in mbedtls_aes_crypt_cbc()
1091 if (length % 16) { in mbedtls_aes_crypt_cbc()
1111 memcpy(temp, input, 16); in mbedtls_aes_crypt_cbc()
1119 mbedtls_xor_no_simd(output, output, iv, 16); in mbedtls_aes_crypt_cbc()
1121 memcpy(iv, temp, 16); in mbedtls_aes_crypt_cbc()
1123 input += 16; in mbedtls_aes_crypt_cbc()
1124 output += 16; in mbedtls_aes_crypt_cbc()
1125 length -= 16; in mbedtls_aes_crypt_cbc()
1129 mbedtls_xor_no_simd(output, input, ivp, 16); in mbedtls_aes_crypt_cbc()
1137 input += 16; in mbedtls_aes_crypt_cbc()
1138 output += 16; in mbedtls_aes_crypt_cbc()
1139 length -= 16; in mbedtls_aes_crypt_cbc()
1141 memcpy(iv, ivp, 16); in mbedtls_aes_crypt_cbc()
1152 typedef unsigned char mbedtls_be128[16];
1158 * representation. It uses 64-bit word operations to gain speed but compensates
1165 static inline void mbedtls_gf128mul_x_ble(unsigned char r[16], in mbedtls_gf128mul_x_ble() argument
1166 const unsigned char x[16]) in mbedtls_gf128mul_x_ble() argument
1173 ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3)); in mbedtls_gf128mul_x_ble()
1181 * AES-XTS buffer encryption/decryption
1184 * is a 3x performance improvement for gcc -Os, if we have hardware AES support.
1192 const unsigned char data_unit[16], in mbedtls_aes_crypt_xts() argument
1197 size_t blocks = length / 16; in mbedtls_aes_crypt_xts()
1198 size_t leftover = length % 16; in mbedtls_aes_crypt_xts()
1199 unsigned char tweak[16]; in mbedtls_aes_crypt_xts()
1200 unsigned char prev_tweak[16]; in mbedtls_aes_crypt_xts()
1201 unsigned char tmp[16]; in mbedtls_aes_crypt_xts()
1207 /* Data units must be at least 16 bytes long. */ in mbedtls_aes_crypt_xts()
1208 if (length < 16) { in mbedtls_aes_crypt_xts()
1212 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ in mbedtls_aes_crypt_xts()
1213 if (length > (1 << 20) * 16) { in mbedtls_aes_crypt_xts()
1218 ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT, in mbedtls_aes_crypt_xts()
1224 while (blocks--) { in mbedtls_aes_crypt_xts()
1235 mbedtls_xor(tmp, input, tweak, 16); in mbedtls_aes_crypt_xts()
1237 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); in mbedtls_aes_crypt_xts()
1242 mbedtls_xor(output, tmp, tweak, 16); in mbedtls_aes_crypt_xts()
1247 output += 16; in mbedtls_aes_crypt_xts()
1248 input += 16; in mbedtls_aes_crypt_xts()
1257 * evenly by 16. It's time for ciphertext stealing. */ in mbedtls_aes_crypt_xts()
1259 unsigned char *prev_output = output - 16; in mbedtls_aes_crypt_xts()
1272 mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i); in mbedtls_aes_crypt_xts()
1274 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); in mbedtls_aes_crypt_xts()
1281 mbedtls_xor(prev_output, tmp, t, 16); in mbedtls_aes_crypt_xts()
1290 * AES-CFB128 buffer encryption/decryption
1296 unsigned char iv[16], in mbedtls_aes_crypt_cfb128() argument
1315 while (length--) { in mbedtls_aes_crypt_cfb128()
1330 while (length--) { in mbedtls_aes_crypt_cfb128()
1352 * AES-CFB8 buffer encryption/decryption
1357 unsigned char iv[16], in mbedtls_aes_crypt_cfb8() argument
1368 while (length--) { in mbedtls_aes_crypt_cfb8()
1369 memcpy(ov, iv, 16); in mbedtls_aes_crypt_cfb8()
1376 ov[16] = *input; in mbedtls_aes_crypt_cfb8()
1382 ov[16] = c; in mbedtls_aes_crypt_cfb8()
1385 memcpy(iv, ov + 1, 16); in mbedtls_aes_crypt_cfb8()
1396 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1401 unsigned char iv[16], in mbedtls_aes_crypt_ofb() argument
1414 while (length--) { in mbedtls_aes_crypt_ofb()
1435 * AES-CTR buffer encryption/decryption
1440 unsigned char nonce_counter[16], in mbedtls_aes_crypt_ctr() argument
1441 unsigned char stream_block[16], in mbedtls_aes_crypt_ctr() argument
1454 size_t n = 16; in mbedtls_aes_crypt_ctr()
1462 n -= offset; in mbedtls_aes_crypt_ctr()
1465 if (n > (length - i)) { in mbedtls_aes_crypt_ctr()
1466 n = (length - i); in mbedtls_aes_crypt_ctr()
1469 // offset might be non-zero for the last block, but in that case, we don't use it again in mbedtls_aes_crypt_ctr()
1475 *nc_off = (*nc_off + length) % 16; in mbedtls_aes_crypt_ctr()
1490 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1493 static const unsigned char aes_test_ecb_dec[][16] =
1506 static const unsigned char aes_test_ecb_enc[][16] =
1519 static const unsigned char aes_test_cbc_dec[][16] =
1531 static const unsigned char aes_test_cbc_enc[][16] =
1546 * AES-CFB128 test vectors from:
1548 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1565 static const unsigned char aes_test_cfb128_iv[16] =
1616 * AES-OFB test vectors from:
1618 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1635 static const unsigned char aes_test_ofb_iv[16] =
1686 * AES-CTR test vectors from:
1691 static const unsigned char aes_test_ctr_key[][16] =
1701 static const unsigned char aes_test_ctr_nonce_counter[][16] =
1743 { 16, 32, 36 };
1748 * AES-XTS test vectors from:
1802 static const unsigned char aes_test_xts_data_unit[][16] =
1826 unsigned char iv[16]; in mbedtls_aes_self_test()
1829 unsigned char prv[16]; in mbedtls_aes_self_test()
1839 unsigned char nonce_counter[16]; in mbedtls_aes_self_test()
1840 unsigned char stream_block[16]; in mbedtls_aes_self_test()
1875 mbedtls_printf(" AES note: built-in implementation.\n"); in mbedtls_aes_self_test()
1894 mbedtls_printf(" AES-ECB-%3u (%s): ", keybits, in mbedtls_aes_self_test()
1906 memset(buf, 0, 16); in mbedtls_aes_self_test()
1920 * AES-192 is an optional feature that may be unavailable when in mbedtls_aes_self_test()
1938 if (memcmp(buf, aes_tests, 16) != 0) { in mbedtls_aes_self_test()
1967 mbedtls_printf(" AES-CBC-%3u (%s): ", keybits, in mbedtls_aes_self_test()
1971 memset(iv, 0, 16); in mbedtls_aes_self_test()
1972 memset(prv, 0, 16); in mbedtls_aes_self_test()
1973 memset(buf, 0, 16); in mbedtls_aes_self_test()
1984 * AES-192 is an optional feature that may be unavailable when in mbedtls_aes_self_test()
1997 unsigned char tmp[16]; in mbedtls_aes_self_test()
1999 memcpy(tmp, prv, 16); in mbedtls_aes_self_test()
2000 memcpy(prv, buf, 16); in mbedtls_aes_self_test()
2001 memcpy(buf, tmp, 16); in mbedtls_aes_self_test()
2004 ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf); in mbedtls_aes_self_test()
2011 if (memcmp(buf, aes_tests, 16) != 0) { in mbedtls_aes_self_test()
2041 mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits, in mbedtls_aes_self_test()
2045 memcpy(iv, aes_test_cfb128_iv, 16); in mbedtls_aes_self_test()
2051 * AES-192 is an optional feature that may be unavailable when in mbedtls_aes_self_test()
2105 mbedtls_printf(" AES-OFB-%3u (%s): ", keybits, in mbedtls_aes_self_test()
2109 memcpy(iv, aes_test_ofb_iv, 16); in mbedtls_aes_self_test()
2115 * AES-192 is an optional feature that may be unavailable when in mbedtls_aes_self_test()
2168 mbedtls_printf(" AES-CTR-128 (%s): ", in mbedtls_aes_self_test()
2172 memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16); in mbedtls_aes_self_test()
2173 memcpy(key, aes_test_ctr_key[u], 16); in mbedtls_aes_self_test()
2229 mbedtls_printf(" AES-XTS-128 (%s): ", in mbedtls_aes_self_test()