1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * FIPS-197 compliant AES implementation 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 23 * 24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 26 */ 27 28 #if !defined(MBEDTLS_CONFIG_FILE) 29 #include "mbedtls/config.h" 30 #else 31 #include MBEDTLS_CONFIG_FILE 32 #endif 33 34 #if defined(MBEDTLS_AES_C) 35 36 #include <string.h> 37 38 #include "mbedtls/aes.h" 39 #include "mbedtls/platform.h" 40 #include "mbedtls/platform_util.h" 41 #include "mbedtls/error.h" 42 #if defined(MBEDTLS_PADLOCK_C) 43 #include "mbedtls/padlock.h" 44 #endif 45 #if defined(MBEDTLS_AESNI_C) 46 #include "mbedtls/aesni.h" 47 #endif 48 49 #if defined(MBEDTLS_SELF_TEST) 50 #if defined(MBEDTLS_PLATFORM_C) 51 #include "mbedtls/platform.h" 52 #else 53 #include <stdio.h> 54 #define mbedtls_printf printf 55 #endif /* MBEDTLS_PLATFORM_C */ 56 #endif /* MBEDTLS_SELF_TEST */ 57 58 #if !defined(MBEDTLS_AES_ALT) 59 60 /* Parameter validation macros based on platform_util.h */ 61 #define AES_VALIDATE_RET( cond ) \ 62 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) 63 #define AES_VALIDATE( cond ) \ 64 MBEDTLS_INTERNAL_VALIDATE( cond ) 65 66 /* 67 * 32-bit integer manipulation macros (little endian) 68 */ 69 #ifndef GET_UINT32_LE 70 #define GET_UINT32_LE(n,b,i) \ 71 { \ 72 (n) = ( (uint32_t) (b)[(i) ] ) \ 73 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 74 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 75 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 76 } 77 #endif 78 79 #ifndef PUT_UINT32_LE 80 #define PUT_UINT32_LE(n,b,i) \ 81 { \ 82 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 83 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 84 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 85 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 86 } 87 #endif 88 89 #if defined(MBEDTLS_PADLOCK_C) && \ 90 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) ) 91 static int aes_padlock_ace = -1; 92 #endif 93 94 #if defined(MBEDTLS_AES_ROM_TABLES) 95 /* 96 * Forward S-box 97 */ 98 static const unsigned char FSb[256] = 99 { 100 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 101 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 102 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 103 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 104 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 105 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 106 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 107 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 108 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 109 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 110 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 111 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 112 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 113 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 114 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 115 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 116 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 117 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 118 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 119 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 120 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 121 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 122 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 123 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 124 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 125 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 126 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 127 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 128 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 129 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 130 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 131 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 132 }; 133 134 /* 135 * Forward tables 136 */ 137 #define FT \ 138 \ 139 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \ 140 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \ 141 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \ 142 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \ 143 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \ 144 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \ 145 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \ 146 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \ 147 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \ 148 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \ 149 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \ 150 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \ 151 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \ 152 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \ 153 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \ 154 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \ 155 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \ 156 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \ 157 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \ 158 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \ 159 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \ 160 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \ 161 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \ 162 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \ 163 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \ 164 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \ 165 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \ 166 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \ 167 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \ 168 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \ 169 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \ 170 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \ 171 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \ 172 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \ 173 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \ 174 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \ 175 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \ 176 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \ 177 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \ 178 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \ 179 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \ 180 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \ 181 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \ 182 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \ 183 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \ 184 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \ 185 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \ 186 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \ 187 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \ 188 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \ 189 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \ 190 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \ 191 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \ 192 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \ 193 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \ 194 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \ 195 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \ 196 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \ 197 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \ 198 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \ 199 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \ 200 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \ 201 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \ 202 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C) 203 204 #define V(a,b,c,d) 0x##a##b##c##d 205 static const uint32_t FT0[256] = { FT }; 206 #undef V 207 208 #if !defined(MBEDTLS_AES_FEWER_TABLES) 209 210 #define V(a,b,c,d) 0x##b##c##d##a 211 static const uint32_t FT1[256] = { FT }; 212 #undef V 213 214 #define V(a,b,c,d) 0x##c##d##a##b 215 static const uint32_t FT2[256] = { FT }; 216 #undef V 217 218 #define V(a,b,c,d) 0x##d##a##b##c 219 static const uint32_t FT3[256] = { FT }; 220 #undef V 221 222 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 223 224 #undef FT 225 226 /* 227 * Reverse S-box 228 */ 229 static const unsigned char RSb[256] = 230 { 231 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 232 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 233 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 234 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 235 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 236 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 237 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 238 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 239 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 240 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 241 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 242 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 243 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 244 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 245 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 246 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 247 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 248 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 249 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 250 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 251 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 252 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 253 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 254 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 255 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 256 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 257 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 258 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 259 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 260 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 261 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 262 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 263 }; 264 265 /* 266 * Reverse tables 267 */ 268 #define RT \ 269 \ 270 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \ 271 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \ 272 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \ 273 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \ 274 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \ 275 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \ 276 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \ 277 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \ 278 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \ 279 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \ 280 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \ 281 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \ 282 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \ 283 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \ 284 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \ 285 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \ 286 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \ 287 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \ 288 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \ 289 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \ 290 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \ 291 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \ 292 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \ 293 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \ 294 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \ 295 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \ 296 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \ 297 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \ 298 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \ 299 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \ 300 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \ 301 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \ 302 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \ 303 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \ 304 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \ 305 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \ 306 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \ 307 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \ 308 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \ 309 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \ 310 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \ 311 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \ 312 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \ 313 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \ 314 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \ 315 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \ 316 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \ 317 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \ 318 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \ 319 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \ 320 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \ 321 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \ 322 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \ 323 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \ 324 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \ 325 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \ 326 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \ 327 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \ 328 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \ 329 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \ 330 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \ 331 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \ 332 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \ 333 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0) 334 335 #define V(a,b,c,d) 0x##a##b##c##d 336 static const uint32_t RT0[256] = { RT }; 337 #undef V 338 339 #if !defined(MBEDTLS_AES_FEWER_TABLES) 340 341 #define V(a,b,c,d) 0x##b##c##d##a 342 static const uint32_t RT1[256] = { RT }; 343 #undef V 344 345 #define V(a,b,c,d) 0x##c##d##a##b 346 static const uint32_t RT2[256] = { RT }; 347 #undef V 348 349 #define V(a,b,c,d) 0x##d##a##b##c 350 static const uint32_t RT3[256] = { RT }; 351 #undef V 352 353 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 354 355 #undef RT 356 357 /* 358 * Round constants 359 */ 360 static const uint32_t RCON[10] = 361 { 362 0x00000001, 0x00000002, 0x00000004, 0x00000008, 363 0x00000010, 0x00000020, 0x00000040, 0x00000080, 364 0x0000001B, 0x00000036 365 }; 366 367 #else /* MBEDTLS_AES_ROM_TABLES */ 368 369 /* 370 * Forward S-box & tables 371 */ 372 static unsigned char FSb[256]; 373 static uint32_t FT0[256]; 374 #if !defined(MBEDTLS_AES_FEWER_TABLES) 375 static uint32_t FT1[256]; 376 static uint32_t FT2[256]; 377 static uint32_t FT3[256]; 378 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 379 380 /* 381 * Reverse S-box & tables 382 */ 383 static unsigned char RSb[256]; 384 static uint32_t RT0[256]; 385 #if !defined(MBEDTLS_AES_FEWER_TABLES) 386 static uint32_t RT1[256]; 387 static uint32_t RT2[256]; 388 static uint32_t RT3[256]; 389 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 390 391 /* 392 * Round constants 393 */ 394 static uint32_t RCON[10]; 395 396 /* 397 * Tables generation code 398 */ 399 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 ) 400 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) ) 401 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 ) 402 403 static int aes_init_done = 0; 404 405 static void aes_gen_tables( void ) 406 { 407 int i, x, y, z; 408 int pow[256]; 409 int log[256]; 410 411 /* 412 * compute pow and log tables over GF(2^8) 413 */ 414 for( i = 0, x = 1; i < 256; i++ ) 415 { 416 pow[i] = x; 417 log[x] = i; 418 x = ( x ^ XTIME( x ) ) & 0xFF; 419 } 420 421 /* 422 * calculate the round constants 423 */ 424 for( i = 0, x = 1; i < 10; i++ ) 425 { 426 RCON[i] = (uint32_t) x; 427 x = XTIME( x ) & 0xFF; 428 } 429 430 /* 431 * generate the forward and reverse S-boxes 432 */ 433 FSb[0x00] = 0x63; 434 RSb[0x63] = 0x00; 435 436 for( i = 1; i < 256; i++ ) 437 { 438 x = pow[255 - log[i]]; 439 440 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 443 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 444 x ^= y ^ 0x63; 445 446 FSb[i] = (unsigned char) x; 447 RSb[x] = (unsigned char) i; 448 } 449 450 /* 451 * generate the forward and reverse tables 452 */ 453 for( i = 0; i < 256; i++ ) 454 { 455 x = FSb[i]; 456 y = XTIME( x ) & 0xFF; 457 z = ( y ^ x ) & 0xFF; 458 459 FT0[i] = ( (uint32_t) y ) ^ 460 ( (uint32_t) x << 8 ) ^ 461 ( (uint32_t) x << 16 ) ^ 462 ( (uint32_t) z << 24 ); 463 464 #if !defined(MBEDTLS_AES_FEWER_TABLES) 465 FT1[i] = ROTL8( FT0[i] ); 466 FT2[i] = ROTL8( FT1[i] ); 467 FT3[i] = ROTL8( FT2[i] ); 468 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 469 470 x = RSb[i]; 471 472 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^ 473 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^ 474 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ 475 ( (uint32_t) MUL( 0x0B, x ) << 24 ); 476 477 #if !defined(MBEDTLS_AES_FEWER_TABLES) 478 RT1[i] = ROTL8( RT0[i] ); 479 RT2[i] = ROTL8( RT1[i] ); 480 RT3[i] = ROTL8( RT2[i] ); 481 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 482 } 483 } 484 485 #undef ROTL8 486 487 #endif /* MBEDTLS_AES_ROM_TABLES */ 488 489 #if defined(MBEDTLS_AES_FEWER_TABLES) 490 491 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) 492 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) 493 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) ) 494 495 #define AES_RT0(idx) RT0[idx] 496 #define AES_RT1(idx) ROTL8( RT0[idx] ) 497 #define AES_RT2(idx) ROTL16( RT0[idx] ) 498 #define AES_RT3(idx) ROTL24( RT0[idx] ) 499 500 #define AES_FT0(idx) FT0[idx] 501 #define AES_FT1(idx) ROTL8( FT0[idx] ) 502 #define AES_FT2(idx) ROTL16( FT0[idx] ) 503 #define AES_FT3(idx) ROTL24( FT0[idx] ) 504 505 #else /* MBEDTLS_AES_FEWER_TABLES */ 506 507 #define AES_RT0(idx) RT0[idx] 508 #define AES_RT1(idx) RT1[idx] 509 #define AES_RT2(idx) RT2[idx] 510 #define AES_RT3(idx) RT3[idx] 511 512 #define AES_FT0(idx) FT0[idx] 513 #define AES_FT1(idx) FT1[idx] 514 #define AES_FT2(idx) FT2[idx] 515 #define AES_FT3(idx) FT3[idx] 516 517 #endif /* MBEDTLS_AES_FEWER_TABLES */ 518 519 void mbedtls_aes_init( mbedtls_aes_context *ctx ) 520 { 521 AES_VALIDATE( ctx != NULL ); 522 523 memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 524 } 525 526 void mbedtls_aes_free( mbedtls_aes_context *ctx ) 527 { 528 if( ctx == NULL ) 529 return; 530 531 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 532 } 533 534 #if defined(MBEDTLS_CIPHER_MODE_XTS) 535 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx ) 536 { 537 AES_VALIDATE( ctx != NULL ); 538 539 mbedtls_aes_init( &ctx->crypt ); 540 mbedtls_aes_init( &ctx->tweak ); 541 } 542 543 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx ) 544 { 545 if( ctx == NULL ) 546 return; 547 548 mbedtls_aes_free( &ctx->crypt ); 549 mbedtls_aes_free( &ctx->tweak ); 550 } 551 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 552 553 /* 554 * AES key schedule (encryption) 555 */ 556 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 557 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, 558 unsigned int keybits ) 559 { 560 unsigned int i; 561 uint32_t *RK; 562 563 AES_VALIDATE_RET( ctx != NULL ); 564 AES_VALIDATE_RET( key != NULL ); 565 566 switch( keybits ) 567 { 568 case 128: ctx->nr = 10; break; 569 case 192: ctx->nr = 12; break; 570 case 256: ctx->nr = 14; break; 571 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 572 } 573 574 #if !defined(MBEDTLS_AES_ROM_TABLES) 575 if( aes_init_done == 0 ) 576 { 577 aes_gen_tables(); 578 aes_init_done = 1; 579 } 580 #endif 581 582 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 583 if( aes_padlock_ace == -1 ) 584 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 585 586 if( aes_padlock_ace ) 587 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 588 else 589 #endif 590 ctx->rk = RK = ctx->buf; 591 592 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 593 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 594 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) ); 595 #endif 596 597 for( i = 0; i < ( keybits >> 5 ); i++ ) 598 { 599 GET_UINT32_LE( RK[i], key, i << 2 ); 600 } 601 602 switch( ctx->nr ) 603 { 604 case 10: 605 606 for( i = 0; i < 10; i++, RK += 4 ) 607 { 608 RK[4] = RK[0] ^ RCON[i] ^ 609 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^ 610 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^ 611 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^ 612 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 ); 613 614 RK[5] = RK[1] ^ RK[4]; 615 RK[6] = RK[2] ^ RK[5]; 616 RK[7] = RK[3] ^ RK[6]; 617 } 618 break; 619 620 case 12: 621 622 for( i = 0; i < 8; i++, RK += 6 ) 623 { 624 RK[6] = RK[0] ^ RCON[i] ^ 625 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^ 626 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^ 627 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^ 628 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 ); 629 630 RK[7] = RK[1] ^ RK[6]; 631 RK[8] = RK[2] ^ RK[7]; 632 RK[9] = RK[3] ^ RK[8]; 633 RK[10] = RK[4] ^ RK[9]; 634 RK[11] = RK[5] ^ RK[10]; 635 } 636 break; 637 638 case 14: 639 640 for( i = 0; i < 7; i++, RK += 8 ) 641 { 642 RK[8] = RK[0] ^ RCON[i] ^ 643 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^ 644 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^ 645 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^ 646 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 ); 647 648 RK[9] = RK[1] ^ RK[8]; 649 RK[10] = RK[2] ^ RK[9]; 650 RK[11] = RK[3] ^ RK[10]; 651 652 RK[12] = RK[4] ^ 653 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^ 654 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^ 655 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^ 656 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 ); 657 658 RK[13] = RK[5] ^ RK[12]; 659 RK[14] = RK[6] ^ RK[13]; 660 RK[15] = RK[7] ^ RK[14]; 661 } 662 break; 663 } 664 665 return( 0 ); 666 } 667 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 668 669 /* 670 * AES key schedule (decryption) 671 */ 672 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) 673 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, 674 unsigned int keybits ) 675 { 676 int i, j, ret; 677 mbedtls_aes_context cty; 678 uint32_t *RK; 679 uint32_t *SK; 680 681 AES_VALIDATE_RET( ctx != NULL ); 682 AES_VALIDATE_RET( key != NULL ); 683 684 mbedtls_aes_init( &cty ); 685 686 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 687 if( aes_padlock_ace == -1 ) 688 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 689 690 if( aes_padlock_ace ) 691 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 692 else 693 #endif 694 ctx->rk = RK = ctx->buf; 695 696 /* Also checks keybits */ 697 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 ) 698 goto exit; 699 700 ctx->nr = cty.nr; 701 702 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 703 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 704 { 705 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk, 706 (const unsigned char *) cty.rk, ctx->nr ); 707 goto exit; 708 } 709 #endif 710 711 SK = cty.rk + cty.nr * 4; 712 713 *RK++ = *SK++; 714 *RK++ = *SK++; 715 *RK++ = *SK++; 716 *RK++ = *SK++; 717 718 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 ) 719 { 720 for( j = 0; j < 4; j++, SK++ ) 721 { 722 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^ 723 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^ 724 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^ 725 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] ); 726 } 727 } 728 729 *RK++ = *SK++; 730 *RK++ = *SK++; 731 *RK++ = *SK++; 732 *RK++ = *SK++; 733 734 exit: 735 mbedtls_aes_free( &cty ); 736 737 return( ret ); 738 } 739 740 #if defined(MBEDTLS_CIPHER_MODE_XTS) 741 static int mbedtls_aes_xts_decode_keys( const unsigned char *key, 742 unsigned int keybits, 743 const unsigned char **key1, 744 unsigned int *key1bits, 745 const unsigned char **key2, 746 unsigned int *key2bits ) 747 { 748 const unsigned int half_keybits = keybits / 2; 749 const unsigned int half_keybytes = half_keybits / 8; 750 751 switch( keybits ) 752 { 753 case 256: break; 754 case 512: break; 755 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 756 } 757 758 *key1bits = half_keybits; 759 *key2bits = half_keybits; 760 *key1 = &key[0]; 761 *key2 = &key[half_keybytes]; 762 763 return 0; 764 } 765 766 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx, 767 const unsigned char *key, 768 unsigned int keybits) 769 { 770 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 771 const unsigned char *key1, *key2; 772 unsigned int key1bits, key2bits; 773 774 AES_VALIDATE_RET( ctx != NULL ); 775 AES_VALIDATE_RET( key != NULL ); 776 777 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 778 &key2, &key2bits ); 779 if( ret != 0 ) 780 return( ret ); 781 782 /* Set the tweak key. Always set tweak key for the encryption mode. */ 783 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 784 if( ret != 0 ) 785 return( ret ); 786 787 /* Set crypt key for encryption. */ 788 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits ); 789 } 790 791 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx, 792 const unsigned char *key, 793 unsigned int keybits) 794 { 795 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 796 const unsigned char *key1, *key2; 797 unsigned int key1bits, key2bits; 798 799 AES_VALIDATE_RET( ctx != NULL ); 800 AES_VALIDATE_RET( key != NULL ); 801 802 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 803 &key2, &key2bits ); 804 if( ret != 0 ) 805 return( ret ); 806 807 /* Set the tweak key. Always set tweak key for encryption. */ 808 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 809 if( ret != 0 ) 810 return( ret ); 811 812 /* Set crypt key for decryption. */ 813 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits ); 814 } 815 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 816 817 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ 818 819 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 820 do \ 821 { \ 822 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \ 823 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 824 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 825 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \ 826 \ 827 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \ 828 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 829 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 830 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \ 831 \ 832 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \ 833 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 834 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 835 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \ 836 \ 837 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \ 838 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 839 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 840 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \ 841 } while( 0 ) 842 843 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 844 do \ 845 { \ 846 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \ 847 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 848 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 849 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \ 850 \ 851 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \ 852 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 853 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 854 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \ 855 \ 856 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \ 857 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 858 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 859 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \ 860 \ 861 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \ 862 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 863 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 864 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \ 865 } while( 0 ) 866 867 /* 868 * AES-ECB block encryption 869 */ 870 #if !defined(MBEDTLS_AES_ENCRYPT_ALT) 871 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, 872 const unsigned char input[16], 873 unsigned char output[16] ) 874 { 875 int i; 876 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 877 878 RK = ctx->rk; 879 880 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 881 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 882 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 883 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 884 885 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 886 { 887 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 888 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 889 } 890 891 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 892 893 X0 = *RK++ ^ \ 894 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^ 895 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 896 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 897 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 898 899 X1 = *RK++ ^ \ 900 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^ 901 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 902 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 903 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 904 905 X2 = *RK++ ^ \ 906 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^ 907 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 908 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 909 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 910 911 X3 = *RK++ ^ \ 912 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^ 913 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 914 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 915 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 916 917 PUT_UINT32_LE( X0, output, 0 ); 918 PUT_UINT32_LE( X1, output, 4 ); 919 PUT_UINT32_LE( X2, output, 8 ); 920 PUT_UINT32_LE( X3, output, 12 ); 921 922 mbedtls_platform_zeroize( &X0, sizeof( X0 ) ); 923 mbedtls_platform_zeroize( &X1, sizeof( X1 ) ); 924 mbedtls_platform_zeroize( &X2, sizeof( X2 ) ); 925 mbedtls_platform_zeroize( &X3, sizeof( X3 ) ); 926 927 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) ); 928 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) ); 929 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) ); 930 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) ); 931 932 mbedtls_platform_zeroize( &RK, sizeof( RK ) ); 933 934 return( 0 ); 935 } 936 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 937 938 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 939 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, 940 const unsigned char input[16], 941 unsigned char output[16] ) 942 { 943 mbedtls_internal_aes_encrypt( ctx, input, output ); 944 } 945 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 946 947 /* 948 * AES-ECB block decryption 949 */ 950 #if !defined(MBEDTLS_AES_DECRYPT_ALT) 951 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, 952 const unsigned char input[16], 953 unsigned char output[16] ) 954 { 955 int i; 956 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 957 958 RK = ctx->rk; 959 960 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 961 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 962 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 963 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 964 965 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 966 { 967 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 968 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 969 } 970 971 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 972 973 X0 = *RK++ ^ \ 974 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^ 975 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 976 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 977 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 978 979 X1 = *RK++ ^ \ 980 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^ 981 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 982 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 983 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 984 985 X2 = *RK++ ^ \ 986 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^ 987 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 988 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 989 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 990 991 X3 = *RK++ ^ \ 992 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^ 993 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 994 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 995 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 996 997 PUT_UINT32_LE( X0, output, 0 ); 998 PUT_UINT32_LE( X1, output, 4 ); 999 PUT_UINT32_LE( X2, output, 8 ); 1000 PUT_UINT32_LE( X3, output, 12 ); 1001 1002 mbedtls_platform_zeroize( &X0, sizeof( X0 ) ); 1003 mbedtls_platform_zeroize( &X1, sizeof( X1 ) ); 1004 mbedtls_platform_zeroize( &X2, sizeof( X2 ) ); 1005 mbedtls_platform_zeroize( &X3, sizeof( X3 ) ); 1006 1007 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) ); 1008 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) ); 1009 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) ); 1010 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) ); 1011 1012 mbedtls_platform_zeroize( &RK, sizeof( RK ) ); 1013 1014 return( 0 ); 1015 } 1016 #endif /* !MBEDTLS_AES_DECRYPT_ALT */ 1017 1018 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1019 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, 1020 const unsigned char input[16], 1021 unsigned char output[16] ) 1022 { 1023 mbedtls_internal_aes_decrypt( ctx, input, output ); 1024 } 1025 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1026 1027 /* 1028 * AES-ECB block encryption/decryption 1029 */ 1030 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, 1031 int mode, 1032 const unsigned char input[16], 1033 unsigned char output[16] ) 1034 { 1035 AES_VALIDATE_RET( ctx != NULL ); 1036 AES_VALIDATE_RET( input != NULL ); 1037 AES_VALIDATE_RET( output != NULL ); 1038 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1039 mode == MBEDTLS_AES_DECRYPT ); 1040 1041 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 1042 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 1043 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); 1044 #endif 1045 1046 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1047 if( aes_padlock_ace ) 1048 { 1049 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 ) 1050 return( 0 ); 1051 1052 // If padlock data misaligned, we just fall back to 1053 // unaccelerated mode 1054 // 1055 } 1056 #endif 1057 1058 if( mode == MBEDTLS_AES_ENCRYPT ) 1059 return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); 1060 else 1061 return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); 1062 } 1063 1064 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1065 /* 1066 * AES-CBC buffer encryption/decryption 1067 */ 1068 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, 1069 int mode, 1070 size_t length, 1071 unsigned char iv[16], 1072 const unsigned char *input, 1073 unsigned char *output ) 1074 { 1075 int i; 1076 unsigned char temp[16]; 1077 1078 AES_VALIDATE_RET( ctx != NULL ); 1079 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1080 mode == MBEDTLS_AES_DECRYPT ); 1081 AES_VALIDATE_RET( iv != NULL ); 1082 AES_VALIDATE_RET( input != NULL ); 1083 AES_VALIDATE_RET( output != NULL ); 1084 1085 if( length % 16 ) 1086 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); 1087 1088 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1089 if( aes_padlock_ace ) 1090 { 1091 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 ) 1092 return( 0 ); 1093 1094 // If padlock data misaligned, we just fall back to 1095 // unaccelerated mode 1096 // 1097 } 1098 #endif 1099 1100 if( mode == MBEDTLS_AES_DECRYPT ) 1101 { 1102 while( length > 0 ) 1103 { 1104 memcpy( temp, input, 16 ); 1105 mbedtls_aes_crypt_ecb( ctx, mode, input, output ); 1106 1107 for( i = 0; i < 16; i++ ) 1108 output[i] = (unsigned char)( output[i] ^ iv[i] ); 1109 1110 memcpy( iv, temp, 16 ); 1111 1112 input += 16; 1113 output += 16; 1114 length -= 16; 1115 } 1116 } 1117 else 1118 { 1119 while( length > 0 ) 1120 { 1121 for( i = 0; i < 16; i++ ) 1122 output[i] = (unsigned char)( input[i] ^ iv[i] ); 1123 1124 mbedtls_aes_crypt_ecb( ctx, mode, output, output ); 1125 memcpy( iv, output, 16 ); 1126 1127 input += 16; 1128 output += 16; 1129 length -= 16; 1130 } 1131 } 1132 1133 return( 0 ); 1134 } 1135 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1136 1137 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1138 1139 /* Endianess with 64 bits values */ 1140 #ifndef GET_UINT64_LE 1141 #define GET_UINT64_LE(n,b,i) \ 1142 { \ 1143 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \ 1144 | ( (uint64_t) (b)[(i) + 6] << 48 ) \ 1145 | ( (uint64_t) (b)[(i) + 5] << 40 ) \ 1146 | ( (uint64_t) (b)[(i) + 4] << 32 ) \ 1147 | ( (uint64_t) (b)[(i) + 3] << 24 ) \ 1148 | ( (uint64_t) (b)[(i) + 2] << 16 ) \ 1149 | ( (uint64_t) (b)[(i) + 1] << 8 ) \ 1150 | ( (uint64_t) (b)[(i) ] ); \ 1151 } 1152 #endif 1153 1154 #ifndef PUT_UINT64_LE 1155 #define PUT_UINT64_LE(n,b,i) \ 1156 { \ 1157 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \ 1158 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \ 1159 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \ 1160 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \ 1161 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \ 1162 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \ 1163 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \ 1164 (b)[(i) ] = (unsigned char) ( (n) ); \ 1165 } 1166 #endif 1167 1168 typedef unsigned char mbedtls_be128[16]; 1169 1170 /* 1171 * GF(2^128) multiplication function 1172 * 1173 * This function multiplies a field element by x in the polynomial field 1174 * representation. It uses 64-bit word operations to gain speed but compensates 1175 * for machine endianess and hence works correctly on both big and little 1176 * endian machines. 1177 */ 1178 static void mbedtls_gf128mul_x_ble( unsigned char r[16], 1179 const unsigned char x[16] ) 1180 { 1181 uint64_t a, b, ra, rb; 1182 1183 GET_UINT64_LE( a, x, 0 ); 1184 GET_UINT64_LE( b, x, 8 ); 1185 1186 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) ); 1187 rb = ( a >> 63 ) | ( b << 1 ); 1188 1189 PUT_UINT64_LE( ra, r, 0 ); 1190 PUT_UINT64_LE( rb, r, 8 ); 1191 } 1192 1193 /* 1194 * AES-XTS buffer encryption/decryption 1195 */ 1196 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, 1197 int mode, 1198 size_t length, 1199 const unsigned char data_unit[16], 1200 const unsigned char *input, 1201 unsigned char *output ) 1202 { 1203 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1204 size_t blocks = length / 16; 1205 size_t leftover = length % 16; 1206 unsigned char tweak[16]; 1207 unsigned char prev_tweak[16]; 1208 unsigned char tmp[16]; 1209 1210 AES_VALIDATE_RET( ctx != NULL ); 1211 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1212 mode == MBEDTLS_AES_DECRYPT ); 1213 AES_VALIDATE_RET( data_unit != NULL ); 1214 AES_VALIDATE_RET( input != NULL ); 1215 AES_VALIDATE_RET( output != NULL ); 1216 1217 /* Data units must be at least 16 bytes long. */ 1218 if( length < 16 ) 1219 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1220 1221 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ 1222 if( length > ( 1 << 20 ) * 16 ) 1223 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1224 1225 /* Compute the tweak. */ 1226 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, 1227 data_unit, tweak ); 1228 if( ret != 0 ) 1229 return( ret ); 1230 1231 while( blocks-- ) 1232 { 1233 size_t i; 1234 1235 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 ) 1236 { 1237 /* We are on the last block in a decrypt operation that has 1238 * leftover bytes, so we need to use the next tweak for this block, 1239 * and this tweak for the lefover bytes. Save the current tweak for 1240 * the leftovers and then update the current tweak for use on this, 1241 * the last full block. */ 1242 memcpy( prev_tweak, tweak, sizeof( tweak ) ); 1243 mbedtls_gf128mul_x_ble( tweak, tweak ); 1244 } 1245 1246 for( i = 0; i < 16; i++ ) 1247 tmp[i] = input[i] ^ tweak[i]; 1248 1249 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1250 if( ret != 0 ) 1251 return( ret ); 1252 1253 for( i = 0; i < 16; i++ ) 1254 output[i] = tmp[i] ^ tweak[i]; 1255 1256 /* Update the tweak for the next block. */ 1257 mbedtls_gf128mul_x_ble( tweak, tweak ); 1258 1259 output += 16; 1260 input += 16; 1261 } 1262 1263 if( leftover ) 1264 { 1265 /* If we are on the leftover bytes in a decrypt operation, we need to 1266 * use the previous tweak for these bytes (as saved in prev_tweak). */ 1267 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; 1268 1269 /* We are now on the final part of the data unit, which doesn't divide 1270 * evenly by 16. It's time for ciphertext stealing. */ 1271 size_t i; 1272 unsigned char *prev_output = output - 16; 1273 1274 /* Copy ciphertext bytes from the previous block to our output for each 1275 * byte of cyphertext we won't steal. At the same time, copy the 1276 * remainder of the input for this final round (since the loop bounds 1277 * are the same). */ 1278 for( i = 0; i < leftover; i++ ) 1279 { 1280 output[i] = prev_output[i]; 1281 tmp[i] = input[i] ^ t[i]; 1282 } 1283 1284 /* Copy ciphertext bytes from the previous block for input in this 1285 * round. */ 1286 for( ; i < 16; i++ ) 1287 tmp[i] = prev_output[i] ^ t[i]; 1288 1289 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1290 if( ret != 0 ) 1291 return ret; 1292 1293 /* Write the result back to the previous block, overriding the previous 1294 * output we copied. */ 1295 for( i = 0; i < 16; i++ ) 1296 prev_output[i] = tmp[i] ^ t[i]; 1297 } 1298 1299 return( 0 ); 1300 } 1301 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1302 1303 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1304 /* 1305 * AES-CFB128 buffer encryption/decryption 1306 */ 1307 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, 1308 int mode, 1309 size_t length, 1310 size_t *iv_off, 1311 unsigned char iv[16], 1312 const unsigned char *input, 1313 unsigned char *output ) 1314 { 1315 int c; 1316 size_t n; 1317 1318 AES_VALIDATE_RET( ctx != NULL ); 1319 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1320 mode == MBEDTLS_AES_DECRYPT ); 1321 AES_VALIDATE_RET( iv_off != NULL ); 1322 AES_VALIDATE_RET( iv != NULL ); 1323 AES_VALIDATE_RET( input != NULL ); 1324 AES_VALIDATE_RET( output != NULL ); 1325 1326 n = *iv_off; 1327 1328 if( n > 15 ) 1329 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1330 1331 if( mode == MBEDTLS_AES_DECRYPT ) 1332 { 1333 while( length-- ) 1334 { 1335 if( n == 0 ) 1336 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1337 1338 c = *input++; 1339 *output++ = (unsigned char)( c ^ iv[n] ); 1340 iv[n] = (unsigned char) c; 1341 1342 n = ( n + 1 ) & 0x0F; 1343 } 1344 } 1345 else 1346 { 1347 while( length-- ) 1348 { 1349 if( n == 0 ) 1350 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1351 1352 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 1353 1354 n = ( n + 1 ) & 0x0F; 1355 } 1356 } 1357 1358 *iv_off = n; 1359 1360 return( 0 ); 1361 } 1362 1363 /* 1364 * AES-CFB8 buffer encryption/decryption 1365 */ 1366 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, 1367 int mode, 1368 size_t length, 1369 unsigned char iv[16], 1370 const unsigned char *input, 1371 unsigned char *output ) 1372 { 1373 unsigned char c; 1374 unsigned char ov[17]; 1375 1376 AES_VALIDATE_RET( ctx != NULL ); 1377 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1378 mode == MBEDTLS_AES_DECRYPT ); 1379 AES_VALIDATE_RET( iv != NULL ); 1380 AES_VALIDATE_RET( input != NULL ); 1381 AES_VALIDATE_RET( output != NULL ); 1382 while( length-- ) 1383 { 1384 memcpy( ov, iv, 16 ); 1385 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1386 1387 if( mode == MBEDTLS_AES_DECRYPT ) 1388 ov[16] = *input; 1389 1390 c = *output++ = (unsigned char)( iv[0] ^ *input++ ); 1391 1392 if( mode == MBEDTLS_AES_ENCRYPT ) 1393 ov[16] = c; 1394 1395 memcpy( iv, ov + 1, 16 ); 1396 } 1397 1398 return( 0 ); 1399 } 1400 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1401 1402 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1403 /* 1404 * AES-OFB (Output Feedback Mode) buffer encryption/decryption 1405 */ 1406 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, 1407 size_t length, 1408 size_t *iv_off, 1409 unsigned char iv[16], 1410 const unsigned char *input, 1411 unsigned char *output ) 1412 { 1413 int ret = 0; 1414 size_t n; 1415 1416 AES_VALIDATE_RET( ctx != NULL ); 1417 AES_VALIDATE_RET( iv_off != NULL ); 1418 AES_VALIDATE_RET( iv != NULL ); 1419 AES_VALIDATE_RET( input != NULL ); 1420 AES_VALIDATE_RET( output != NULL ); 1421 1422 n = *iv_off; 1423 1424 if( n > 15 ) 1425 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1426 1427 while( length-- ) 1428 { 1429 if( n == 0 ) 1430 { 1431 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1432 if( ret != 0 ) 1433 goto exit; 1434 } 1435 *output++ = *input++ ^ iv[n]; 1436 1437 n = ( n + 1 ) & 0x0F; 1438 } 1439 1440 *iv_off = n; 1441 1442 exit: 1443 return( ret ); 1444 } 1445 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1446 1447 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1448 /* 1449 * AES-CTR buffer encryption/decryption 1450 */ 1451 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, 1452 size_t length, 1453 size_t *nc_off, 1454 unsigned char nonce_counter[16], 1455 unsigned char stream_block[16], 1456 const unsigned char *input, 1457 unsigned char *output ) 1458 { 1459 int c, i; 1460 size_t n; 1461 1462 AES_VALIDATE_RET( ctx != NULL ); 1463 AES_VALIDATE_RET( nc_off != NULL ); 1464 AES_VALIDATE_RET( nonce_counter != NULL ); 1465 AES_VALIDATE_RET( stream_block != NULL ); 1466 AES_VALIDATE_RET( input != NULL ); 1467 AES_VALIDATE_RET( output != NULL ); 1468 1469 n = *nc_off; 1470 1471 if ( n > 0x0F ) 1472 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1473 1474 while( length-- ) 1475 { 1476 if( n == 0 ) { 1477 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block ); 1478 1479 for( i = 16; i > 0; i-- ) 1480 if( ++nonce_counter[i - 1] != 0 ) 1481 break; 1482 } 1483 c = *input++; 1484 *output++ = (unsigned char)( c ^ stream_block[n] ); 1485 1486 n = ( n + 1 ) & 0x0F; 1487 } 1488 1489 *nc_off = n; 1490 1491 return( 0 ); 1492 } 1493 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1494 1495 #endif /* !MBEDTLS_AES_ALT */ 1496 1497 #if defined(MBEDTLS_SELF_TEST) 1498 /* 1499 * AES test vectors from: 1500 * 1501 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 1502 */ 1503 static const unsigned char aes_test_ecb_dec[3][16] = 1504 { 1505 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 1506 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 1507 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 1508 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 1509 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 1510 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 1511 }; 1512 1513 static const unsigned char aes_test_ecb_enc[3][16] = 1514 { 1515 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 1516 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 1517 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 1518 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 1519 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 1520 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 1521 }; 1522 1523 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1524 static const unsigned char aes_test_cbc_dec[3][16] = 1525 { 1526 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 1527 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, 1528 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 1529 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 1530 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 1531 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 1532 }; 1533 1534 static const unsigned char aes_test_cbc_enc[3][16] = 1535 { 1536 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 1537 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 1538 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 1539 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 1540 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 1541 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 1542 }; 1543 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1544 1545 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1546 /* 1547 * AES-CFB128 test vectors from: 1548 * 1549 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 1550 */ 1551 static const unsigned char aes_test_cfb128_key[3][32] = 1552 { 1553 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1554 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1555 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1556 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1557 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1558 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1559 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1560 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1561 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1562 }; 1563 1564 static const unsigned char aes_test_cfb128_iv[16] = 1565 { 1566 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1567 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1568 }; 1569 1570 static const unsigned char aes_test_cfb128_pt[64] = 1571 { 1572 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1573 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1574 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1575 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1576 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1577 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1578 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1579 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1580 }; 1581 1582 static const unsigned char aes_test_cfb128_ct[3][64] = 1583 { 1584 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1585 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1586 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, 1587 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 1588 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 1589 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 1590 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 1591 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 1592 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1593 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1594 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 1595 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 1596 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 1597 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 1598 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 1599 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 1600 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1601 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1602 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 1603 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 1604 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 1605 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 1606 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 1607 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 1608 }; 1609 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1610 1611 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1612 /* 1613 * AES-OFB test vectors from: 1614 * 1615 * https://csrc.nist.gov/publications/detail/sp/800-38a/final 1616 */ 1617 static const unsigned char aes_test_ofb_key[3][32] = 1618 { 1619 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1620 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1621 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1622 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1623 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1624 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1625 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1626 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1627 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1628 }; 1629 1630 static const unsigned char aes_test_ofb_iv[16] = 1631 { 1632 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1633 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1634 }; 1635 1636 static const unsigned char aes_test_ofb_pt[64] = 1637 { 1638 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1639 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1640 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1641 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1642 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1643 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1644 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1645 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1646 }; 1647 1648 static const unsigned char aes_test_ofb_ct[3][64] = 1649 { 1650 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1651 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1652 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 1653 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 1654 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 1655 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, 1656 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 1657 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, 1658 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1659 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1660 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 1661 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 1662 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 1663 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, 1664 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 1665 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, 1666 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1667 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1668 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 1669 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 1670 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 1671 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, 1672 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 1673 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } 1674 }; 1675 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1676 1677 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1678 /* 1679 * AES-CTR test vectors from: 1680 * 1681 * http://www.faqs.org/rfcs/rfc3686.html 1682 */ 1683 1684 static const unsigned char aes_test_ctr_key[3][16] = 1685 { 1686 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 1687 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 1688 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 1689 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 1690 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 1691 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 1692 }; 1693 1694 static const unsigned char aes_test_ctr_nonce_counter[3][16] = 1695 { 1696 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 1697 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 1698 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 1699 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 1700 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 1701 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 1702 }; 1703 1704 static const unsigned char aes_test_ctr_pt[3][48] = 1705 { 1706 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 1707 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 1708 1709 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1710 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1711 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1712 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 1713 1714 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1715 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1716 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1717 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 1718 0x20, 0x21, 0x22, 0x23 } 1719 }; 1720 1721 static const unsigned char aes_test_ctr_ct[3][48] = 1722 { 1723 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 1724 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, 1725 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 1726 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 1727 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, 1728 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, 1729 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 1730 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, 1731 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, 1732 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 1733 0x25, 0xB2, 0x07, 0x2F } 1734 }; 1735 1736 static const int aes_test_ctr_len[3] = 1737 { 16, 32, 36 }; 1738 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1739 1740 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1741 /* 1742 * AES-XTS test vectors from: 1743 * 1744 * IEEE P1619/D16 Annex B 1745 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf 1746 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) 1747 */ 1748 static const unsigned char aes_test_xts_key[][32] = 1749 { 1750 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1751 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1753 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1754 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1755 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1756 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1757 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1758 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 1759 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, 1760 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1761 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1762 }; 1763 1764 static const unsigned char aes_test_xts_pt32[][32] = 1765 { 1766 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1769 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1770 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1771 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1772 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1773 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1774 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1775 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1776 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1777 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1778 }; 1779 1780 static const unsigned char aes_test_xts_ct32[][32] = 1781 { 1782 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, 1783 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, 1784 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, 1785 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, 1786 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, 1787 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, 1788 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, 1789 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, 1790 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, 1791 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, 1792 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, 1793 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, 1794 }; 1795 1796 static const unsigned char aes_test_xts_data_unit[][16] = 1797 { 1798 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1799 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1800 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1801 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1802 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1803 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1804 }; 1805 1806 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1807 1808 /* 1809 * Checkup routine 1810 */ 1811 int mbedtls_aes_self_test( int verbose ) 1812 { 1813 int ret = 0, i, j, u, mode; 1814 unsigned int keybits; 1815 unsigned char key[32]; 1816 unsigned char buf[64]; 1817 const unsigned char *aes_tests; 1818 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) 1819 unsigned char iv[16]; 1820 #endif 1821 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1822 unsigned char prv[16]; 1823 #endif 1824 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 1825 defined(MBEDTLS_CIPHER_MODE_OFB) 1826 size_t offset; 1827 #endif 1828 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) 1829 int len; 1830 #endif 1831 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1832 unsigned char nonce_counter[16]; 1833 unsigned char stream_block[16]; 1834 #endif 1835 mbedtls_aes_context ctx; 1836 1837 memset( key, 0, 32 ); 1838 mbedtls_aes_init( &ctx ); 1839 1840 /* 1841 * ECB mode 1842 */ 1843 for( i = 0; i < 6; i++ ) 1844 { 1845 u = i >> 1; 1846 keybits = 128 + u * 64; 1847 mode = i & 1; 1848 1849 if( verbose != 0 ) 1850 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits, 1851 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1852 1853 memset( buf, 0, 16 ); 1854 1855 if( mode == MBEDTLS_AES_DECRYPT ) 1856 { 1857 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1858 aes_tests = aes_test_ecb_dec[u]; 1859 } 1860 else 1861 { 1862 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1863 aes_tests = aes_test_ecb_enc[u]; 1864 } 1865 1866 /* 1867 * AES-192 is an optional feature that may be unavailable when 1868 * there is an alternative underlying implementation i.e. when 1869 * MBEDTLS_AES_ALT is defined. 1870 */ 1871 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1872 { 1873 mbedtls_printf( "skipped\n" ); 1874 continue; 1875 } 1876 else if( ret != 0 ) 1877 { 1878 goto exit; 1879 } 1880 1881 for( j = 0; j < 10000; j++ ) 1882 { 1883 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf ); 1884 if( ret != 0 ) 1885 goto exit; 1886 } 1887 1888 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1889 { 1890 ret = 1; 1891 goto exit; 1892 } 1893 1894 if( verbose != 0 ) 1895 mbedtls_printf( "passed\n" ); 1896 } 1897 1898 if( verbose != 0 ) 1899 mbedtls_printf( "\n" ); 1900 1901 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1902 /* 1903 * CBC mode 1904 */ 1905 for( i = 0; i < 6; i++ ) 1906 { 1907 u = i >> 1; 1908 keybits = 128 + u * 64; 1909 mode = i & 1; 1910 1911 if( verbose != 0 ) 1912 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits, 1913 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1914 1915 memset( iv , 0, 16 ); 1916 memset( prv, 0, 16 ); 1917 memset( buf, 0, 16 ); 1918 1919 if( mode == MBEDTLS_AES_DECRYPT ) 1920 { 1921 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1922 aes_tests = aes_test_cbc_dec[u]; 1923 } 1924 else 1925 { 1926 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1927 aes_tests = aes_test_cbc_enc[u]; 1928 } 1929 1930 /* 1931 * AES-192 is an optional feature that may be unavailable when 1932 * there is an alternative underlying implementation i.e. when 1933 * MBEDTLS_AES_ALT is defined. 1934 */ 1935 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1936 { 1937 mbedtls_printf( "skipped\n" ); 1938 continue; 1939 } 1940 else if( ret != 0 ) 1941 { 1942 goto exit; 1943 } 1944 1945 for( j = 0; j < 10000; j++ ) 1946 { 1947 if( mode == MBEDTLS_AES_ENCRYPT ) 1948 { 1949 unsigned char tmp[16]; 1950 1951 memcpy( tmp, prv, 16 ); 1952 memcpy( prv, buf, 16 ); 1953 memcpy( buf, tmp, 16 ); 1954 } 1955 1956 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf ); 1957 if( ret != 0 ) 1958 goto exit; 1959 1960 } 1961 1962 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1963 { 1964 ret = 1; 1965 goto exit; 1966 } 1967 1968 if( verbose != 0 ) 1969 mbedtls_printf( "passed\n" ); 1970 } 1971 1972 if( verbose != 0 ) 1973 mbedtls_printf( "\n" ); 1974 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1975 1976 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1977 /* 1978 * CFB128 mode 1979 */ 1980 for( i = 0; i < 6; i++ ) 1981 { 1982 u = i >> 1; 1983 keybits = 128 + u * 64; 1984 mode = i & 1; 1985 1986 if( verbose != 0 ) 1987 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits, 1988 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1989 1990 memcpy( iv, aes_test_cfb128_iv, 16 ); 1991 memcpy( key, aes_test_cfb128_key[u], keybits / 8 ); 1992 1993 offset = 0; 1994 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1995 /* 1996 * AES-192 is an optional feature that may be unavailable when 1997 * there is an alternative underlying implementation i.e. when 1998 * MBEDTLS_AES_ALT is defined. 1999 */ 2000 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 2001 { 2002 mbedtls_printf( "skipped\n" ); 2003 continue; 2004 } 2005 else if( ret != 0 ) 2006 { 2007 goto exit; 2008 } 2009 2010 if( mode == MBEDTLS_AES_DECRYPT ) 2011 { 2012 memcpy( buf, aes_test_cfb128_ct[u], 64 ); 2013 aes_tests = aes_test_cfb128_pt; 2014 } 2015 else 2016 { 2017 memcpy( buf, aes_test_cfb128_pt, 64 ); 2018 aes_tests = aes_test_cfb128_ct[u]; 2019 } 2020 2021 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf ); 2022 if( ret != 0 ) 2023 goto exit; 2024 2025 if( memcmp( buf, aes_tests, 64 ) != 0 ) 2026 { 2027 ret = 1; 2028 goto exit; 2029 } 2030 2031 if( verbose != 0 ) 2032 mbedtls_printf( "passed\n" ); 2033 } 2034 2035 if( verbose != 0 ) 2036 mbedtls_printf( "\n" ); 2037 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 2038 2039 #if defined(MBEDTLS_CIPHER_MODE_OFB) 2040 /* 2041 * OFB mode 2042 */ 2043 for( i = 0; i < 6; i++ ) 2044 { 2045 u = i >> 1; 2046 keybits = 128 + u * 64; 2047 mode = i & 1; 2048 2049 if( verbose != 0 ) 2050 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits, 2051 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2052 2053 memcpy( iv, aes_test_ofb_iv, 16 ); 2054 memcpy( key, aes_test_ofb_key[u], keybits / 8 ); 2055 2056 offset = 0; 2057 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 2058 /* 2059 * AES-192 is an optional feature that may be unavailable when 2060 * there is an alternative underlying implementation i.e. when 2061 * MBEDTLS_AES_ALT is defined. 2062 */ 2063 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 2064 { 2065 mbedtls_printf( "skipped\n" ); 2066 continue; 2067 } 2068 else if( ret != 0 ) 2069 { 2070 goto exit; 2071 } 2072 2073 if( mode == MBEDTLS_AES_DECRYPT ) 2074 { 2075 memcpy( buf, aes_test_ofb_ct[u], 64 ); 2076 aes_tests = aes_test_ofb_pt; 2077 } 2078 else 2079 { 2080 memcpy( buf, aes_test_ofb_pt, 64 ); 2081 aes_tests = aes_test_ofb_ct[u]; 2082 } 2083 2084 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf ); 2085 if( ret != 0 ) 2086 goto exit; 2087 2088 if( memcmp( buf, aes_tests, 64 ) != 0 ) 2089 { 2090 ret = 1; 2091 goto exit; 2092 } 2093 2094 if( verbose != 0 ) 2095 mbedtls_printf( "passed\n" ); 2096 } 2097 2098 if( verbose != 0 ) 2099 mbedtls_printf( "\n" ); 2100 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 2101 2102 #if defined(MBEDTLS_CIPHER_MODE_CTR) 2103 /* 2104 * CTR mode 2105 */ 2106 for( i = 0; i < 6; i++ ) 2107 { 2108 u = i >> 1; 2109 mode = i & 1; 2110 2111 if( verbose != 0 ) 2112 mbedtls_printf( " AES-CTR-128 (%s): ", 2113 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2114 2115 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 ); 2116 memcpy( key, aes_test_ctr_key[u], 16 ); 2117 2118 offset = 0; 2119 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 ) 2120 goto exit; 2121 2122 len = aes_test_ctr_len[u]; 2123 2124 if( mode == MBEDTLS_AES_DECRYPT ) 2125 { 2126 memcpy( buf, aes_test_ctr_ct[u], len ); 2127 aes_tests = aes_test_ctr_pt[u]; 2128 } 2129 else 2130 { 2131 memcpy( buf, aes_test_ctr_pt[u], len ); 2132 aes_tests = aes_test_ctr_ct[u]; 2133 } 2134 2135 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, 2136 stream_block, buf, buf ); 2137 if( ret != 0 ) 2138 goto exit; 2139 2140 if( memcmp( buf, aes_tests, len ) != 0 ) 2141 { 2142 ret = 1; 2143 goto exit; 2144 } 2145 2146 if( verbose != 0 ) 2147 mbedtls_printf( "passed\n" ); 2148 } 2149 2150 if( verbose != 0 ) 2151 mbedtls_printf( "\n" ); 2152 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 2153 2154 #if defined(MBEDTLS_CIPHER_MODE_XTS) 2155 { 2156 static const int num_tests = 2157 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); 2158 mbedtls_aes_xts_context ctx_xts; 2159 2160 /* 2161 * XTS mode 2162 */ 2163 mbedtls_aes_xts_init( &ctx_xts ); 2164 2165 for( i = 0; i < num_tests << 1; i++ ) 2166 { 2167 const unsigned char *data_unit; 2168 u = i >> 1; 2169 mode = i & 1; 2170 2171 if( verbose != 0 ) 2172 mbedtls_printf( " AES-XTS-128 (%s): ", 2173 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2174 2175 memset( key, 0, sizeof( key ) ); 2176 memcpy( key, aes_test_xts_key[u], 32 ); 2177 data_unit = aes_test_xts_data_unit[u]; 2178 2179 len = sizeof( *aes_test_xts_ct32 ); 2180 2181 if( mode == MBEDTLS_AES_DECRYPT ) 2182 { 2183 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 ); 2184 if( ret != 0) 2185 goto exit; 2186 memcpy( buf, aes_test_xts_ct32[u], len ); 2187 aes_tests = aes_test_xts_pt32[u]; 2188 } 2189 else 2190 { 2191 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 ); 2192 if( ret != 0) 2193 goto exit; 2194 memcpy( buf, aes_test_xts_pt32[u], len ); 2195 aes_tests = aes_test_xts_ct32[u]; 2196 } 2197 2198 2199 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit, 2200 buf, buf ); 2201 if( ret != 0 ) 2202 goto exit; 2203 2204 if( memcmp( buf, aes_tests, len ) != 0 ) 2205 { 2206 ret = 1; 2207 goto exit; 2208 } 2209 2210 if( verbose != 0 ) 2211 mbedtls_printf( "passed\n" ); 2212 } 2213 2214 if( verbose != 0 ) 2215 mbedtls_printf( "\n" ); 2216 2217 mbedtls_aes_xts_free( &ctx_xts ); 2218 } 2219 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 2220 2221 ret = 0; 2222 2223 exit: 2224 if( ret != 0 && verbose != 0 ) 2225 mbedtls_printf( "failed\n" ); 2226 2227 mbedtls_aes_free( &ctx ); 2228 2229 return( ret ); 2230 } 2231 2232 #endif /* MBEDTLS_SELF_TEST */ 2233 2234 #endif /* MBEDTLS_AES_C */ 2235