1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * FIPS-197 compliant AES implementation 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 23 * 24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 26 */ 27 28 #if !defined(MBEDTLS_CONFIG_FILE) 29 #include "mbedtls/config.h" 30 #else 31 #include MBEDTLS_CONFIG_FILE 32 #endif 33 34 #if defined(MBEDTLS_AES_C) 35 36 #include <string.h> 37 38 #include "mbedtls/aes.h" 39 #include "mbedtls/platform.h" 40 #include "mbedtls/platform_util.h" 41 #if defined(MBEDTLS_PADLOCK_C) 42 #include "mbedtls/padlock.h" 43 #endif 44 #if defined(MBEDTLS_AESNI_C) 45 #include "mbedtls/aesni.h" 46 #endif 47 48 #if defined(MBEDTLS_SELF_TEST) 49 #if defined(MBEDTLS_PLATFORM_C) 50 #include "mbedtls/platform.h" 51 #else 52 #include <stdio.h> 53 #define mbedtls_printf printf 54 #endif /* MBEDTLS_PLATFORM_C */ 55 #endif /* MBEDTLS_SELF_TEST */ 56 57 #if !defined(MBEDTLS_AES_ALT) 58 59 /* Parameter validation macros based on platform_util.h */ 60 #define AES_VALIDATE_RET( cond ) \ 61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) 62 #define AES_VALIDATE( cond ) \ 63 MBEDTLS_INTERNAL_VALIDATE( cond ) 64 65 /* 66 * 32-bit integer manipulation macros (little endian) 67 */ 68 #ifndef GET_UINT32_LE 69 #define GET_UINT32_LE(n,b,i) \ 70 { \ 71 (n) = ( (uint32_t) (b)[(i) ] ) \ 72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 75 } 76 #endif 77 78 #ifndef PUT_UINT32_LE 79 #define PUT_UINT32_LE(n,b,i) \ 80 { \ 81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 85 } 86 #endif 87 88 #if defined(MBEDTLS_PADLOCK_C) && \ 89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) ) 90 static int aes_padlock_ace = -1; 91 #endif 92 93 #if defined(MBEDTLS_AES_ROM_TABLES) 94 /* 95 * Forward S-box 96 */ 97 static const unsigned char FSb[256] = 98 { 99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 131 }; 132 133 /* 134 * Forward tables 135 */ 136 #define FT \ 137 \ 138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \ 139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \ 140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \ 141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \ 142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \ 143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \ 144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \ 145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \ 146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \ 147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \ 148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \ 149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \ 150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \ 151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \ 152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \ 153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \ 154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \ 155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \ 156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \ 157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \ 158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \ 159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \ 160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \ 161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \ 162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \ 163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \ 164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \ 165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \ 166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \ 167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \ 168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \ 169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \ 170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \ 171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \ 172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \ 173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \ 174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \ 175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \ 176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \ 177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \ 178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \ 179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \ 180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \ 181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \ 182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \ 183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \ 184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \ 185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \ 186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \ 187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \ 188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \ 189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \ 190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \ 191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \ 192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \ 193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \ 194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \ 195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \ 196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \ 197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \ 198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \ 199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \ 200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \ 201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C) 202 203 #define V(a,b,c,d) 0x##a##b##c##d 204 static const uint32_t FT0[256] = { FT }; 205 #undef V 206 207 #if !defined(MBEDTLS_AES_FEWER_TABLES) 208 209 #define V(a,b,c,d) 0x##b##c##d##a 210 static const uint32_t FT1[256] = { FT }; 211 #undef V 212 213 #define V(a,b,c,d) 0x##c##d##a##b 214 static const uint32_t FT2[256] = { FT }; 215 #undef V 216 217 #define V(a,b,c,d) 0x##d##a##b##c 218 static const uint32_t FT3[256] = { FT }; 219 #undef V 220 221 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 222 223 #undef FT 224 225 /* 226 * Reverse S-box 227 */ 228 static const unsigned char RSb[256] = 229 { 230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 262 }; 263 264 /* 265 * Reverse tables 266 */ 267 #define RT \ 268 \ 269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \ 270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \ 271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \ 272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \ 273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \ 274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \ 275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \ 276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \ 277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \ 278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \ 279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \ 280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \ 281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \ 282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \ 283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \ 284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \ 285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \ 286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \ 287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \ 288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \ 289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \ 290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \ 291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \ 292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \ 293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \ 294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \ 295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \ 296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \ 297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \ 298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \ 299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \ 300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \ 301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \ 302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \ 303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \ 304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \ 305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \ 306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \ 307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \ 308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \ 309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \ 310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \ 311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \ 312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \ 313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \ 314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \ 315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \ 316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \ 317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \ 318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \ 319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \ 320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \ 321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \ 322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \ 323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \ 324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \ 325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \ 326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \ 327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \ 328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \ 329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \ 330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \ 331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \ 332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0) 333 334 #define V(a,b,c,d) 0x##a##b##c##d 335 static const uint32_t RT0[256] = { RT }; 336 #undef V 337 338 #if !defined(MBEDTLS_AES_FEWER_TABLES) 339 340 #define V(a,b,c,d) 0x##b##c##d##a 341 static const uint32_t RT1[256] = { RT }; 342 #undef V 343 344 #define V(a,b,c,d) 0x##c##d##a##b 345 static const uint32_t RT2[256] = { RT }; 346 #undef V 347 348 #define V(a,b,c,d) 0x##d##a##b##c 349 static const uint32_t RT3[256] = { RT }; 350 #undef V 351 352 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 353 354 #undef RT 355 356 /* 357 * Round constants 358 */ 359 static const uint32_t RCON[10] = 360 { 361 0x00000001, 0x00000002, 0x00000004, 0x00000008, 362 0x00000010, 0x00000020, 0x00000040, 0x00000080, 363 0x0000001B, 0x00000036 364 }; 365 366 #else /* MBEDTLS_AES_ROM_TABLES */ 367 368 /* 369 * Forward S-box & tables 370 */ 371 static unsigned char FSb[256]; 372 static uint32_t FT0[256]; 373 #if !defined(MBEDTLS_AES_FEWER_TABLES) 374 static uint32_t FT1[256]; 375 static uint32_t FT2[256]; 376 static uint32_t FT3[256]; 377 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 378 379 /* 380 * Reverse S-box & tables 381 */ 382 static unsigned char RSb[256]; 383 static uint32_t RT0[256]; 384 #if !defined(MBEDTLS_AES_FEWER_TABLES) 385 static uint32_t RT1[256]; 386 static uint32_t RT2[256]; 387 static uint32_t RT3[256]; 388 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 389 390 /* 391 * Round constants 392 */ 393 static uint32_t RCON[10]; 394 395 /* 396 * Tables generation code 397 */ 398 #define ROTL8(x) ( ( x << 8 ) & 0xFFFFFFFF ) | ( x >> 24 ) 399 #define XTIME(x) ( ( x << 1 ) ^ ( ( x & 0x80 ) ? 0x1B : 0x00 ) ) 400 #define MUL(x,y) ( ( x && y ) ? pow[(log[x]+log[y]) % 255] : 0 ) 401 402 static int aes_init_done = 0; 403 404 static void aes_gen_tables( void ) 405 { 406 int i, x, y, z; 407 int pow[256]; 408 int log[256]; 409 410 /* 411 * compute pow and log tables over GF(2^8) 412 */ 413 for( i = 0, x = 1; i < 256; i++ ) 414 { 415 pow[i] = x; 416 log[x] = i; 417 x = ( x ^ XTIME( x ) ) & 0xFF; 418 } 419 420 /* 421 * calculate the round constants 422 */ 423 for( i = 0, x = 1; i < 10; i++ ) 424 { 425 RCON[i] = (uint32_t) x; 426 x = XTIME( x ) & 0xFF; 427 } 428 429 /* 430 * generate the forward and reverse S-boxes 431 */ 432 FSb[0x00] = 0x63; 433 RSb[0x63] = 0x00; 434 435 for( i = 1; i < 256; i++ ) 436 { 437 x = pow[255 - log[i]]; 438 439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 443 x ^= y ^ 0x63; 444 445 FSb[i] = (unsigned char) x; 446 RSb[x] = (unsigned char) i; 447 } 448 449 /* 450 * generate the forward and reverse tables 451 */ 452 for( i = 0; i < 256; i++ ) 453 { 454 x = FSb[i]; 455 y = XTIME( x ) & 0xFF; 456 z = ( y ^ x ) & 0xFF; 457 458 FT0[i] = ( (uint32_t) y ) ^ 459 ( (uint32_t) x << 8 ) ^ 460 ( (uint32_t) x << 16 ) ^ 461 ( (uint32_t) z << 24 ); 462 463 #if !defined(MBEDTLS_AES_FEWER_TABLES) 464 FT1[i] = ROTL8( FT0[i] ); 465 FT2[i] = ROTL8( FT1[i] ); 466 FT3[i] = ROTL8( FT2[i] ); 467 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 468 469 x = RSb[i]; 470 471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^ 472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^ 473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ 474 ( (uint32_t) MUL( 0x0B, x ) << 24 ); 475 476 #if !defined(MBEDTLS_AES_FEWER_TABLES) 477 RT1[i] = ROTL8( RT0[i] ); 478 RT2[i] = ROTL8( RT1[i] ); 479 RT3[i] = ROTL8( RT2[i] ); 480 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 481 } 482 } 483 484 #undef ROTL8 485 486 #endif /* MBEDTLS_AES_ROM_TABLES */ 487 488 #if defined(MBEDTLS_AES_FEWER_TABLES) 489 490 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) 491 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) 492 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) ) 493 494 #define AES_RT0(idx) RT0[idx] 495 #define AES_RT1(idx) ROTL8( RT0[idx] ) 496 #define AES_RT2(idx) ROTL16( RT0[idx] ) 497 #define AES_RT3(idx) ROTL24( RT0[idx] ) 498 499 #define AES_FT0(idx) FT0[idx] 500 #define AES_FT1(idx) ROTL8( FT0[idx] ) 501 #define AES_FT2(idx) ROTL16( FT0[idx] ) 502 #define AES_FT3(idx) ROTL24( FT0[idx] ) 503 504 #else /* MBEDTLS_AES_FEWER_TABLES */ 505 506 #define AES_RT0(idx) RT0[idx] 507 #define AES_RT1(idx) RT1[idx] 508 #define AES_RT2(idx) RT2[idx] 509 #define AES_RT3(idx) RT3[idx] 510 511 #define AES_FT0(idx) FT0[idx] 512 #define AES_FT1(idx) FT1[idx] 513 #define AES_FT2(idx) FT2[idx] 514 #define AES_FT3(idx) FT3[idx] 515 516 #endif /* MBEDTLS_AES_FEWER_TABLES */ 517 518 void mbedtls_aes_init( mbedtls_aes_context *ctx ) 519 { 520 AES_VALIDATE( ctx != NULL ); 521 522 memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 523 } 524 525 void mbedtls_aes_free( mbedtls_aes_context *ctx ) 526 { 527 if( ctx == NULL ) 528 return; 529 530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 531 } 532 533 #if defined(MBEDTLS_CIPHER_MODE_XTS) 534 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx ) 535 { 536 AES_VALIDATE( ctx != NULL ); 537 538 mbedtls_aes_init( &ctx->crypt ); 539 mbedtls_aes_init( &ctx->tweak ); 540 } 541 542 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx ) 543 { 544 if( ctx == NULL ) 545 return; 546 547 mbedtls_aes_free( &ctx->crypt ); 548 mbedtls_aes_free( &ctx->tweak ); 549 } 550 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 551 552 /* 553 * AES key schedule (encryption) 554 */ 555 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 556 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, 557 unsigned int keybits ) 558 { 559 unsigned int i; 560 uint32_t *RK; 561 562 AES_VALIDATE_RET( ctx != NULL ); 563 AES_VALIDATE_RET( key != NULL ); 564 565 switch( keybits ) 566 { 567 case 128: ctx->nr = 10; break; 568 case 192: ctx->nr = 12; break; 569 case 256: ctx->nr = 14; break; 570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 571 } 572 573 #if !defined(MBEDTLS_AES_ROM_TABLES) 574 if( aes_init_done == 0 ) 575 { 576 aes_gen_tables(); 577 aes_init_done = 1; 578 } 579 #endif 580 581 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 582 if( aes_padlock_ace == -1 ) 583 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 584 585 if( aes_padlock_ace ) 586 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 587 else 588 #endif 589 ctx->rk = RK = ctx->buf; 590 591 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 592 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 593 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) ); 594 #endif 595 596 for( i = 0; i < ( keybits >> 5 ); i++ ) 597 { 598 GET_UINT32_LE( RK[i], key, i << 2 ); 599 } 600 601 switch( ctx->nr ) 602 { 603 case 10: 604 605 for( i = 0; i < 10; i++, RK += 4 ) 606 { 607 RK[4] = RK[0] ^ RCON[i] ^ 608 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^ 609 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^ 610 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^ 611 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 ); 612 613 RK[5] = RK[1] ^ RK[4]; 614 RK[6] = RK[2] ^ RK[5]; 615 RK[7] = RK[3] ^ RK[6]; 616 } 617 break; 618 619 case 12: 620 621 for( i = 0; i < 8; i++, RK += 6 ) 622 { 623 RK[6] = RK[0] ^ RCON[i] ^ 624 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^ 625 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^ 626 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^ 627 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 ); 628 629 RK[7] = RK[1] ^ RK[6]; 630 RK[8] = RK[2] ^ RK[7]; 631 RK[9] = RK[3] ^ RK[8]; 632 RK[10] = RK[4] ^ RK[9]; 633 RK[11] = RK[5] ^ RK[10]; 634 } 635 break; 636 637 case 14: 638 639 for( i = 0; i < 7; i++, RK += 8 ) 640 { 641 RK[8] = RK[0] ^ RCON[i] ^ 642 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^ 643 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^ 644 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^ 645 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 ); 646 647 RK[9] = RK[1] ^ RK[8]; 648 RK[10] = RK[2] ^ RK[9]; 649 RK[11] = RK[3] ^ RK[10]; 650 651 RK[12] = RK[4] ^ 652 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^ 653 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^ 654 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^ 655 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 ); 656 657 RK[13] = RK[5] ^ RK[12]; 658 RK[14] = RK[6] ^ RK[13]; 659 RK[15] = RK[7] ^ RK[14]; 660 } 661 break; 662 } 663 664 return( 0 ); 665 } 666 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 667 668 /* 669 * AES key schedule (decryption) 670 */ 671 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) 672 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, 673 unsigned int keybits ) 674 { 675 int i, j, ret; 676 mbedtls_aes_context cty; 677 uint32_t *RK; 678 uint32_t *SK; 679 680 AES_VALIDATE_RET( ctx != NULL ); 681 AES_VALIDATE_RET( key != NULL ); 682 683 mbedtls_aes_init( &cty ); 684 685 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 686 if( aes_padlock_ace == -1 ) 687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 688 689 if( aes_padlock_ace ) 690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 691 else 692 #endif 693 ctx->rk = RK = ctx->buf; 694 695 /* Also checks keybits */ 696 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 ) 697 goto exit; 698 699 ctx->nr = cty.nr; 700 701 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 702 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 703 { 704 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk, 705 (const unsigned char *) cty.rk, ctx->nr ); 706 goto exit; 707 } 708 #endif 709 710 SK = cty.rk + cty.nr * 4; 711 712 *RK++ = *SK++; 713 *RK++ = *SK++; 714 *RK++ = *SK++; 715 *RK++ = *SK++; 716 717 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 ) 718 { 719 for( j = 0; j < 4; j++, SK++ ) 720 { 721 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^ 722 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^ 723 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^ 724 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] ); 725 } 726 } 727 728 *RK++ = *SK++; 729 *RK++ = *SK++; 730 *RK++ = *SK++; 731 *RK++ = *SK++; 732 733 exit: 734 mbedtls_aes_free( &cty ); 735 736 return( ret ); 737 } 738 739 #if defined(MBEDTLS_CIPHER_MODE_XTS) 740 static int mbedtls_aes_xts_decode_keys( const unsigned char *key, 741 unsigned int keybits, 742 const unsigned char **key1, 743 unsigned int *key1bits, 744 const unsigned char **key2, 745 unsigned int *key2bits ) 746 { 747 const unsigned int half_keybits = keybits / 2; 748 const unsigned int half_keybytes = half_keybits / 8; 749 750 switch( keybits ) 751 { 752 case 256: break; 753 case 512: break; 754 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 755 } 756 757 *key1bits = half_keybits; 758 *key2bits = half_keybits; 759 *key1 = &key[0]; 760 *key2 = &key[half_keybytes]; 761 762 return 0; 763 } 764 765 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx, 766 const unsigned char *key, 767 unsigned int keybits) 768 { 769 int ret; 770 const unsigned char *key1, *key2; 771 unsigned int key1bits, key2bits; 772 773 AES_VALIDATE_RET( ctx != NULL ); 774 AES_VALIDATE_RET( key != NULL ); 775 776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 777 &key2, &key2bits ); 778 if( ret != 0 ) 779 return( ret ); 780 781 /* Set the tweak key. Always set tweak key for the encryption mode. */ 782 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 783 if( ret != 0 ) 784 return( ret ); 785 786 /* Set crypt key for encryption. */ 787 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits ); 788 } 789 790 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx, 791 const unsigned char *key, 792 unsigned int keybits) 793 { 794 int ret; 795 const unsigned char *key1, *key2; 796 unsigned int key1bits, key2bits; 797 798 AES_VALIDATE_RET( ctx != NULL ); 799 AES_VALIDATE_RET( key != NULL ); 800 801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 802 &key2, &key2bits ); 803 if( ret != 0 ) 804 return( ret ); 805 806 /* Set the tweak key. Always set tweak key for encryption. */ 807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 808 if( ret != 0 ) 809 return( ret ); 810 811 /* Set crypt key for decryption. */ 812 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits ); 813 } 814 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 815 816 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ 817 818 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 819 { \ 820 X0 = *RK++ ^ AES_FT0( ( Y0 ) & 0xFF ) ^ \ 821 AES_FT1( ( Y1 >> 8 ) & 0xFF ) ^ \ 822 AES_FT2( ( Y2 >> 16 ) & 0xFF ) ^ \ 823 AES_FT3( ( Y3 >> 24 ) & 0xFF ); \ 824 \ 825 X1 = *RK++ ^ AES_FT0( ( Y1 ) & 0xFF ) ^ \ 826 AES_FT1( ( Y2 >> 8 ) & 0xFF ) ^ \ 827 AES_FT2( ( Y3 >> 16 ) & 0xFF ) ^ \ 828 AES_FT3( ( Y0 >> 24 ) & 0xFF ); \ 829 \ 830 X2 = *RK++ ^ AES_FT0( ( Y2 ) & 0xFF ) ^ \ 831 AES_FT1( ( Y3 >> 8 ) & 0xFF ) ^ \ 832 AES_FT2( ( Y0 >> 16 ) & 0xFF ) ^ \ 833 AES_FT3( ( Y1 >> 24 ) & 0xFF ); \ 834 \ 835 X3 = *RK++ ^ AES_FT0( ( Y3 ) & 0xFF ) ^ \ 836 AES_FT1( ( Y0 >> 8 ) & 0xFF ) ^ \ 837 AES_FT2( ( Y1 >> 16 ) & 0xFF ) ^ \ 838 AES_FT3( ( Y2 >> 24 ) & 0xFF ); \ 839 } 840 841 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 842 { \ 843 X0 = *RK++ ^ AES_RT0( ( Y0 ) & 0xFF ) ^ \ 844 AES_RT1( ( Y3 >> 8 ) & 0xFF ) ^ \ 845 AES_RT2( ( Y2 >> 16 ) & 0xFF ) ^ \ 846 AES_RT3( ( Y1 >> 24 ) & 0xFF ); \ 847 \ 848 X1 = *RK++ ^ AES_RT0( ( Y1 ) & 0xFF ) ^ \ 849 AES_RT1( ( Y0 >> 8 ) & 0xFF ) ^ \ 850 AES_RT2( ( Y3 >> 16 ) & 0xFF ) ^ \ 851 AES_RT3( ( Y2 >> 24 ) & 0xFF ); \ 852 \ 853 X2 = *RK++ ^ AES_RT0( ( Y2 ) & 0xFF ) ^ \ 854 AES_RT1( ( Y1 >> 8 ) & 0xFF ) ^ \ 855 AES_RT2( ( Y0 >> 16 ) & 0xFF ) ^ \ 856 AES_RT3( ( Y3 >> 24 ) & 0xFF ); \ 857 \ 858 X3 = *RK++ ^ AES_RT0( ( Y3 ) & 0xFF ) ^ \ 859 AES_RT1( ( Y2 >> 8 ) & 0xFF ) ^ \ 860 AES_RT2( ( Y1 >> 16 ) & 0xFF ) ^ \ 861 AES_RT3( ( Y0 >> 24 ) & 0xFF ); \ 862 } 863 864 /* 865 * AES-ECB block encryption 866 */ 867 #if !defined(MBEDTLS_AES_ENCRYPT_ALT) 868 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, 869 const unsigned char input[16], 870 unsigned char output[16] ) 871 { 872 int i; 873 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 874 875 RK = ctx->rk; 876 877 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 878 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 879 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 880 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 881 882 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 883 { 884 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 885 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 886 } 887 888 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 889 890 X0 = *RK++ ^ \ 891 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^ 892 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 893 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 894 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 895 896 X1 = *RK++ ^ \ 897 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^ 898 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 899 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 900 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 901 902 X2 = *RK++ ^ \ 903 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^ 904 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 905 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 906 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 907 908 X3 = *RK++ ^ \ 909 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^ 910 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 911 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 912 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 913 914 PUT_UINT32_LE( X0, output, 0 ); 915 PUT_UINT32_LE( X1, output, 4 ); 916 PUT_UINT32_LE( X2, output, 8 ); 917 PUT_UINT32_LE( X3, output, 12 ); 918 919 return( 0 ); 920 } 921 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 922 923 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 924 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, 925 const unsigned char input[16], 926 unsigned char output[16] ) 927 { 928 mbedtls_internal_aes_encrypt( ctx, input, output ); 929 } 930 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 931 932 /* 933 * AES-ECB block decryption 934 */ 935 #if !defined(MBEDTLS_AES_DECRYPT_ALT) 936 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, 937 const unsigned char input[16], 938 unsigned char output[16] ) 939 { 940 int i; 941 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 942 943 RK = ctx->rk; 944 945 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 946 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 947 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 948 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 949 950 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 951 { 952 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 953 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 954 } 955 956 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 957 958 X0 = *RK++ ^ \ 959 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^ 960 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 961 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 962 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 963 964 X1 = *RK++ ^ \ 965 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^ 966 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 967 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 968 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 969 970 X2 = *RK++ ^ \ 971 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^ 972 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 973 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 974 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 975 976 X3 = *RK++ ^ \ 977 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^ 978 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 979 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 980 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 981 982 PUT_UINT32_LE( X0, output, 0 ); 983 PUT_UINT32_LE( X1, output, 4 ); 984 PUT_UINT32_LE( X2, output, 8 ); 985 PUT_UINT32_LE( X3, output, 12 ); 986 987 return( 0 ); 988 } 989 #endif /* !MBEDTLS_AES_DECRYPT_ALT */ 990 991 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 992 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, 993 const unsigned char input[16], 994 unsigned char output[16] ) 995 { 996 mbedtls_internal_aes_decrypt( ctx, input, output ); 997 } 998 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 999 1000 /* 1001 * AES-ECB block encryption/decryption 1002 */ 1003 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, 1004 int mode, 1005 const unsigned char input[16], 1006 unsigned char output[16] ) 1007 { 1008 AES_VALIDATE_RET( ctx != NULL ); 1009 AES_VALIDATE_RET( input != NULL ); 1010 AES_VALIDATE_RET( output != NULL ); 1011 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1012 mode == MBEDTLS_AES_DECRYPT ); 1013 1014 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 1015 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 1016 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); 1017 #endif 1018 1019 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1020 if( aes_padlock_ace ) 1021 { 1022 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 ) 1023 return( 0 ); 1024 1025 // If padlock data misaligned, we just fall back to 1026 // unaccelerated mode 1027 // 1028 } 1029 #endif 1030 1031 if( mode == MBEDTLS_AES_ENCRYPT ) 1032 return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); 1033 else 1034 return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); 1035 } 1036 1037 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1038 /* 1039 * AES-CBC buffer encryption/decryption 1040 */ 1041 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, 1042 int mode, 1043 size_t length, 1044 unsigned char iv[16], 1045 const unsigned char *input, 1046 unsigned char *output ) 1047 { 1048 int i; 1049 unsigned char temp[16]; 1050 1051 AES_VALIDATE_RET( ctx != NULL ); 1052 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1053 mode == MBEDTLS_AES_DECRYPT ); 1054 AES_VALIDATE_RET( iv != NULL ); 1055 AES_VALIDATE_RET( input != NULL ); 1056 AES_VALIDATE_RET( output != NULL ); 1057 1058 if( length % 16 ) 1059 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); 1060 1061 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1062 if( aes_padlock_ace ) 1063 { 1064 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 ) 1065 return( 0 ); 1066 1067 // If padlock data misaligned, we just fall back to 1068 // unaccelerated mode 1069 // 1070 } 1071 #endif 1072 1073 if( mode == MBEDTLS_AES_DECRYPT ) 1074 { 1075 while( length > 0 ) 1076 { 1077 memcpy( temp, input, 16 ); 1078 mbedtls_aes_crypt_ecb( ctx, mode, input, output ); 1079 1080 for( i = 0; i < 16; i++ ) 1081 output[i] = (unsigned char)( output[i] ^ iv[i] ); 1082 1083 memcpy( iv, temp, 16 ); 1084 1085 input += 16; 1086 output += 16; 1087 length -= 16; 1088 } 1089 } 1090 else 1091 { 1092 while( length > 0 ) 1093 { 1094 for( i = 0; i < 16; i++ ) 1095 output[i] = (unsigned char)( input[i] ^ iv[i] ); 1096 1097 mbedtls_aes_crypt_ecb( ctx, mode, output, output ); 1098 memcpy( iv, output, 16 ); 1099 1100 input += 16; 1101 output += 16; 1102 length -= 16; 1103 } 1104 } 1105 1106 return( 0 ); 1107 } 1108 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1109 1110 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1111 1112 /* Endianess with 64 bits values */ 1113 #ifndef GET_UINT64_LE 1114 #define GET_UINT64_LE(n,b,i) \ 1115 { \ 1116 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \ 1117 | ( (uint64_t) (b)[(i) + 6] << 48 ) \ 1118 | ( (uint64_t) (b)[(i) + 5] << 40 ) \ 1119 | ( (uint64_t) (b)[(i) + 4] << 32 ) \ 1120 | ( (uint64_t) (b)[(i) + 3] << 24 ) \ 1121 | ( (uint64_t) (b)[(i) + 2] << 16 ) \ 1122 | ( (uint64_t) (b)[(i) + 1] << 8 ) \ 1123 | ( (uint64_t) (b)[(i) ] ); \ 1124 } 1125 #endif 1126 1127 #ifndef PUT_UINT64_LE 1128 #define PUT_UINT64_LE(n,b,i) \ 1129 { \ 1130 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \ 1131 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \ 1132 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \ 1133 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \ 1134 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \ 1135 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \ 1136 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \ 1137 (b)[(i) ] = (unsigned char) ( (n) ); \ 1138 } 1139 #endif 1140 1141 typedef unsigned char mbedtls_be128[16]; 1142 1143 /* 1144 * GF(2^128) multiplication function 1145 * 1146 * This function multiplies a field element by x in the polynomial field 1147 * representation. It uses 64-bit word operations to gain speed but compensates 1148 * for machine endianess and hence works correctly on both big and little 1149 * endian machines. 1150 */ 1151 static void mbedtls_gf128mul_x_ble( unsigned char r[16], 1152 const unsigned char x[16] ) 1153 { 1154 uint64_t a, b, ra, rb; 1155 1156 GET_UINT64_LE( a, x, 0 ); 1157 GET_UINT64_LE( b, x, 8 ); 1158 1159 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) ); 1160 rb = ( a >> 63 ) | ( b << 1 ); 1161 1162 PUT_UINT64_LE( ra, r, 0 ); 1163 PUT_UINT64_LE( rb, r, 8 ); 1164 } 1165 1166 /* 1167 * AES-XTS buffer encryption/decryption 1168 */ 1169 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, 1170 int mode, 1171 size_t length, 1172 const unsigned char data_unit[16], 1173 const unsigned char *input, 1174 unsigned char *output ) 1175 { 1176 int ret; 1177 size_t blocks = length / 16; 1178 size_t leftover = length % 16; 1179 unsigned char tweak[16]; 1180 unsigned char prev_tweak[16]; 1181 unsigned char tmp[16]; 1182 1183 AES_VALIDATE_RET( ctx != NULL ); 1184 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1185 mode == MBEDTLS_AES_DECRYPT ); 1186 AES_VALIDATE_RET( data_unit != NULL ); 1187 AES_VALIDATE_RET( input != NULL ); 1188 AES_VALIDATE_RET( output != NULL ); 1189 1190 /* Data units must be at least 16 bytes long. */ 1191 if( length < 16 ) 1192 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1193 1194 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ 1195 if( length > ( 1 << 20 ) * 16 ) 1196 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1197 1198 /* Compute the tweak. */ 1199 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, 1200 data_unit, tweak ); 1201 if( ret != 0 ) 1202 return( ret ); 1203 1204 while( blocks-- ) 1205 { 1206 size_t i; 1207 1208 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 ) 1209 { 1210 /* We are on the last block in a decrypt operation that has 1211 * leftover bytes, so we need to use the next tweak for this block, 1212 * and this tweak for the lefover bytes. Save the current tweak for 1213 * the leftovers and then update the current tweak for use on this, 1214 * the last full block. */ 1215 memcpy( prev_tweak, tweak, sizeof( tweak ) ); 1216 mbedtls_gf128mul_x_ble( tweak, tweak ); 1217 } 1218 1219 for( i = 0; i < 16; i++ ) 1220 tmp[i] = input[i] ^ tweak[i]; 1221 1222 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1223 if( ret != 0 ) 1224 return( ret ); 1225 1226 for( i = 0; i < 16; i++ ) 1227 output[i] = tmp[i] ^ tweak[i]; 1228 1229 /* Update the tweak for the next block. */ 1230 mbedtls_gf128mul_x_ble( tweak, tweak ); 1231 1232 output += 16; 1233 input += 16; 1234 } 1235 1236 if( leftover ) 1237 { 1238 /* If we are on the leftover bytes in a decrypt operation, we need to 1239 * use the previous tweak for these bytes (as saved in prev_tweak). */ 1240 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; 1241 1242 /* We are now on the final part of the data unit, which doesn't divide 1243 * evenly by 16. It's time for ciphertext stealing. */ 1244 size_t i; 1245 unsigned char *prev_output = output - 16; 1246 1247 /* Copy ciphertext bytes from the previous block to our output for each 1248 * byte of cyphertext we won't steal. At the same time, copy the 1249 * remainder of the input for this final round (since the loop bounds 1250 * are the same). */ 1251 for( i = 0; i < leftover; i++ ) 1252 { 1253 output[i] = prev_output[i]; 1254 tmp[i] = input[i] ^ t[i]; 1255 } 1256 1257 /* Copy ciphertext bytes from the previous block for input in this 1258 * round. */ 1259 for( ; i < 16; i++ ) 1260 tmp[i] = prev_output[i] ^ t[i]; 1261 1262 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1263 if( ret != 0 ) 1264 return ret; 1265 1266 /* Write the result back to the previous block, overriding the previous 1267 * output we copied. */ 1268 for( i = 0; i < 16; i++ ) 1269 prev_output[i] = tmp[i] ^ t[i]; 1270 } 1271 1272 return( 0 ); 1273 } 1274 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1275 1276 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1277 /* 1278 * AES-CFB128 buffer encryption/decryption 1279 */ 1280 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, 1281 int mode, 1282 size_t length, 1283 size_t *iv_off, 1284 unsigned char iv[16], 1285 const unsigned char *input, 1286 unsigned char *output ) 1287 { 1288 int c; 1289 size_t n; 1290 1291 AES_VALIDATE_RET( ctx != NULL ); 1292 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1293 mode == MBEDTLS_AES_DECRYPT ); 1294 AES_VALIDATE_RET( iv_off != NULL ); 1295 AES_VALIDATE_RET( iv != NULL ); 1296 AES_VALIDATE_RET( input != NULL ); 1297 AES_VALIDATE_RET( output != NULL ); 1298 1299 n = *iv_off; 1300 1301 if( n > 15 ) 1302 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1303 1304 if( mode == MBEDTLS_AES_DECRYPT ) 1305 { 1306 while( length-- ) 1307 { 1308 if( n == 0 ) 1309 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1310 1311 c = *input++; 1312 *output++ = (unsigned char)( c ^ iv[n] ); 1313 iv[n] = (unsigned char) c; 1314 1315 n = ( n + 1 ) & 0x0F; 1316 } 1317 } 1318 else 1319 { 1320 while( length-- ) 1321 { 1322 if( n == 0 ) 1323 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1324 1325 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 1326 1327 n = ( n + 1 ) & 0x0F; 1328 } 1329 } 1330 1331 *iv_off = n; 1332 1333 return( 0 ); 1334 } 1335 1336 /* 1337 * AES-CFB8 buffer encryption/decryption 1338 */ 1339 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, 1340 int mode, 1341 size_t length, 1342 unsigned char iv[16], 1343 const unsigned char *input, 1344 unsigned char *output ) 1345 { 1346 unsigned char c; 1347 unsigned char ov[17]; 1348 1349 AES_VALIDATE_RET( ctx != NULL ); 1350 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1351 mode == MBEDTLS_AES_DECRYPT ); 1352 AES_VALIDATE_RET( iv != NULL ); 1353 AES_VALIDATE_RET( input != NULL ); 1354 AES_VALIDATE_RET( output != NULL ); 1355 while( length-- ) 1356 { 1357 memcpy( ov, iv, 16 ); 1358 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1359 1360 if( mode == MBEDTLS_AES_DECRYPT ) 1361 ov[16] = *input; 1362 1363 c = *output++ = (unsigned char)( iv[0] ^ *input++ ); 1364 1365 if( mode == MBEDTLS_AES_ENCRYPT ) 1366 ov[16] = c; 1367 1368 memcpy( iv, ov + 1, 16 ); 1369 } 1370 1371 return( 0 ); 1372 } 1373 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1374 1375 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1376 /* 1377 * AES-OFB (Output Feedback Mode) buffer encryption/decryption 1378 */ 1379 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, 1380 size_t length, 1381 size_t *iv_off, 1382 unsigned char iv[16], 1383 const unsigned char *input, 1384 unsigned char *output ) 1385 { 1386 int ret = 0; 1387 size_t n; 1388 1389 AES_VALIDATE_RET( ctx != NULL ); 1390 AES_VALIDATE_RET( iv_off != NULL ); 1391 AES_VALIDATE_RET( iv != NULL ); 1392 AES_VALIDATE_RET( input != NULL ); 1393 AES_VALIDATE_RET( output != NULL ); 1394 1395 n = *iv_off; 1396 1397 if( n > 15 ) 1398 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1399 1400 while( length-- ) 1401 { 1402 if( n == 0 ) 1403 { 1404 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1405 if( ret != 0 ) 1406 goto exit; 1407 } 1408 *output++ = *input++ ^ iv[n]; 1409 1410 n = ( n + 1 ) & 0x0F; 1411 } 1412 1413 *iv_off = n; 1414 1415 exit: 1416 return( ret ); 1417 } 1418 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1419 1420 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1421 /* 1422 * AES-CTR buffer encryption/decryption 1423 */ 1424 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, 1425 size_t length, 1426 size_t *nc_off, 1427 unsigned char nonce_counter[16], 1428 unsigned char stream_block[16], 1429 const unsigned char *input, 1430 unsigned char *output ) 1431 { 1432 int c, i; 1433 size_t n; 1434 1435 AES_VALIDATE_RET( ctx != NULL ); 1436 AES_VALIDATE_RET( nc_off != NULL ); 1437 AES_VALIDATE_RET( nonce_counter != NULL ); 1438 AES_VALIDATE_RET( stream_block != NULL ); 1439 AES_VALIDATE_RET( input != NULL ); 1440 AES_VALIDATE_RET( output != NULL ); 1441 1442 n = *nc_off; 1443 1444 if ( n > 0x0F ) 1445 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1446 1447 while( length-- ) 1448 { 1449 if( n == 0 ) { 1450 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block ); 1451 1452 for( i = 16; i > 0; i-- ) 1453 if( ++nonce_counter[i - 1] != 0 ) 1454 break; 1455 } 1456 c = *input++; 1457 *output++ = (unsigned char)( c ^ stream_block[n] ); 1458 1459 n = ( n + 1 ) & 0x0F; 1460 } 1461 1462 *nc_off = n; 1463 1464 return( 0 ); 1465 } 1466 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1467 1468 #endif /* !MBEDTLS_AES_ALT */ 1469 1470 #if defined(MBEDTLS_SELF_TEST) 1471 /* 1472 * AES test vectors from: 1473 * 1474 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 1475 */ 1476 static const unsigned char aes_test_ecb_dec[3][16] = 1477 { 1478 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 1479 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 1480 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 1481 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 1482 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 1483 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 1484 }; 1485 1486 static const unsigned char aes_test_ecb_enc[3][16] = 1487 { 1488 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 1489 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 1490 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 1491 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 1492 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 1493 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 1494 }; 1495 1496 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1497 static const unsigned char aes_test_cbc_dec[3][16] = 1498 { 1499 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 1500 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, 1501 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 1502 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 1503 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 1504 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 1505 }; 1506 1507 static const unsigned char aes_test_cbc_enc[3][16] = 1508 { 1509 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 1510 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 1511 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 1512 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 1513 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 1514 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 1515 }; 1516 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1517 1518 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1519 /* 1520 * AES-CFB128 test vectors from: 1521 * 1522 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 1523 */ 1524 static const unsigned char aes_test_cfb128_key[3][32] = 1525 { 1526 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1527 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1528 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1529 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1530 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1531 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1532 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1533 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1534 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1535 }; 1536 1537 static const unsigned char aes_test_cfb128_iv[16] = 1538 { 1539 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1540 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1541 }; 1542 1543 static const unsigned char aes_test_cfb128_pt[64] = 1544 { 1545 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1546 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1547 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1548 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1549 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1550 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1551 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1552 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1553 }; 1554 1555 static const unsigned char aes_test_cfb128_ct[3][64] = 1556 { 1557 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1558 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1559 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, 1560 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 1561 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 1562 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 1563 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 1564 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 1565 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1566 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1567 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 1568 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 1569 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 1570 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 1571 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 1572 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 1573 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1574 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1575 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 1576 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 1577 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 1578 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 1579 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 1580 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 1581 }; 1582 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1583 1584 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1585 /* 1586 * AES-OFB test vectors from: 1587 * 1588 * https://csrc.nist.gov/publications/detail/sp/800-38a/final 1589 */ 1590 static const unsigned char aes_test_ofb_key[3][32] = 1591 { 1592 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1593 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1594 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1595 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1596 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1597 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1598 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1599 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1600 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1601 }; 1602 1603 static const unsigned char aes_test_ofb_iv[16] = 1604 { 1605 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1606 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1607 }; 1608 1609 static const unsigned char aes_test_ofb_pt[64] = 1610 { 1611 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1612 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1613 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1614 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1615 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1616 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1617 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1618 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1619 }; 1620 1621 static const unsigned char aes_test_ofb_ct[3][64] = 1622 { 1623 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1624 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1625 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 1626 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 1627 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 1628 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, 1629 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 1630 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, 1631 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1632 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1633 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 1634 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 1635 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 1636 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, 1637 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 1638 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, 1639 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1640 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1641 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 1642 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 1643 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 1644 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, 1645 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 1646 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } 1647 }; 1648 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1649 1650 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1651 /* 1652 * AES-CTR test vectors from: 1653 * 1654 * http://www.faqs.org/rfcs/rfc3686.html 1655 */ 1656 1657 static const unsigned char aes_test_ctr_key[3][16] = 1658 { 1659 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 1660 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 1661 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 1662 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 1663 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 1664 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 1665 }; 1666 1667 static const unsigned char aes_test_ctr_nonce_counter[3][16] = 1668 { 1669 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 1670 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 1671 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 1672 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 1673 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 1674 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 1675 }; 1676 1677 static const unsigned char aes_test_ctr_pt[3][48] = 1678 { 1679 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 1680 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 1681 1682 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1683 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1684 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1685 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 1686 1687 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1688 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1689 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1690 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 1691 0x20, 0x21, 0x22, 0x23 } 1692 }; 1693 1694 static const unsigned char aes_test_ctr_ct[3][48] = 1695 { 1696 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 1697 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, 1698 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 1699 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 1700 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, 1701 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, 1702 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 1703 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, 1704 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, 1705 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 1706 0x25, 0xB2, 0x07, 0x2F } 1707 }; 1708 1709 static const int aes_test_ctr_len[3] = 1710 { 16, 32, 36 }; 1711 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1712 1713 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1714 /* 1715 * AES-XTS test vectors from: 1716 * 1717 * IEEE P1619/D16 Annex B 1718 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf 1719 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) 1720 */ 1721 static const unsigned char aes_test_xts_key[][32] = 1722 { 1723 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1724 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1725 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1726 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1727 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1728 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1729 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1730 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1731 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 1732 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, 1733 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1734 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1735 }; 1736 1737 static const unsigned char aes_test_xts_pt32[][32] = 1738 { 1739 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1740 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1743 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1744 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1745 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1746 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1747 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1748 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1749 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1750 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1751 }; 1752 1753 static const unsigned char aes_test_xts_ct32[][32] = 1754 { 1755 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, 1756 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, 1757 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, 1758 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, 1759 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, 1760 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, 1761 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, 1762 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, 1763 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, 1764 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, 1765 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, 1766 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, 1767 }; 1768 1769 static const unsigned char aes_test_xts_data_unit[][16] = 1770 { 1771 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1773 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1775 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1777 }; 1778 1779 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1780 1781 /* 1782 * Checkup routine 1783 */ 1784 int mbedtls_aes_self_test( int verbose ) 1785 { 1786 int ret = 0, i, j, u, mode; 1787 unsigned int keybits; 1788 unsigned char key[32]; 1789 unsigned char buf[64]; 1790 const unsigned char *aes_tests; 1791 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) 1792 unsigned char iv[16]; 1793 #endif 1794 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1795 unsigned char prv[16]; 1796 #endif 1797 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 1798 defined(MBEDTLS_CIPHER_MODE_OFB) 1799 size_t offset; 1800 #endif 1801 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) 1802 int len; 1803 #endif 1804 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1805 unsigned char nonce_counter[16]; 1806 unsigned char stream_block[16]; 1807 #endif 1808 mbedtls_aes_context ctx; 1809 1810 memset( key, 0, 32 ); 1811 mbedtls_aes_init( &ctx ); 1812 1813 /* 1814 * ECB mode 1815 */ 1816 for( i = 0; i < 6; i++ ) 1817 { 1818 u = i >> 1; 1819 keybits = 128 + u * 64; 1820 mode = i & 1; 1821 1822 if( verbose != 0 ) 1823 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits, 1824 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1825 1826 memset( buf, 0, 16 ); 1827 1828 if( mode == MBEDTLS_AES_DECRYPT ) 1829 { 1830 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1831 aes_tests = aes_test_ecb_dec[u]; 1832 } 1833 else 1834 { 1835 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1836 aes_tests = aes_test_ecb_enc[u]; 1837 } 1838 1839 /* 1840 * AES-192 is an optional feature that may be unavailable when 1841 * there is an alternative underlying implementation i.e. when 1842 * MBEDTLS_AES_ALT is defined. 1843 */ 1844 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1845 { 1846 mbedtls_printf( "skipped\n" ); 1847 continue; 1848 } 1849 else if( ret != 0 ) 1850 { 1851 goto exit; 1852 } 1853 1854 for( j = 0; j < 10000; j++ ) 1855 { 1856 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf ); 1857 if( ret != 0 ) 1858 goto exit; 1859 } 1860 1861 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1862 { 1863 ret = 1; 1864 goto exit; 1865 } 1866 1867 if( verbose != 0 ) 1868 mbedtls_printf( "passed\n" ); 1869 } 1870 1871 if( verbose != 0 ) 1872 mbedtls_printf( "\n" ); 1873 1874 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1875 /* 1876 * CBC mode 1877 */ 1878 for( i = 0; i < 6; i++ ) 1879 { 1880 u = i >> 1; 1881 keybits = 128 + u * 64; 1882 mode = i & 1; 1883 1884 if( verbose != 0 ) 1885 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits, 1886 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1887 1888 memset( iv , 0, 16 ); 1889 memset( prv, 0, 16 ); 1890 memset( buf, 0, 16 ); 1891 1892 if( mode == MBEDTLS_AES_DECRYPT ) 1893 { 1894 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1895 aes_tests = aes_test_cbc_dec[u]; 1896 } 1897 else 1898 { 1899 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1900 aes_tests = aes_test_cbc_enc[u]; 1901 } 1902 1903 /* 1904 * AES-192 is an optional feature that may be unavailable when 1905 * there is an alternative underlying implementation i.e. when 1906 * MBEDTLS_AES_ALT is defined. 1907 */ 1908 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1909 { 1910 mbedtls_printf( "skipped\n" ); 1911 continue; 1912 } 1913 else if( ret != 0 ) 1914 { 1915 goto exit; 1916 } 1917 1918 for( j = 0; j < 10000; j++ ) 1919 { 1920 if( mode == MBEDTLS_AES_ENCRYPT ) 1921 { 1922 unsigned char tmp[16]; 1923 1924 memcpy( tmp, prv, 16 ); 1925 memcpy( prv, buf, 16 ); 1926 memcpy( buf, tmp, 16 ); 1927 } 1928 1929 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf ); 1930 if( ret != 0 ) 1931 goto exit; 1932 1933 } 1934 1935 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1936 { 1937 ret = 1; 1938 goto exit; 1939 } 1940 1941 if( verbose != 0 ) 1942 mbedtls_printf( "passed\n" ); 1943 } 1944 1945 if( verbose != 0 ) 1946 mbedtls_printf( "\n" ); 1947 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1948 1949 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1950 /* 1951 * CFB128 mode 1952 */ 1953 for( i = 0; i < 6; i++ ) 1954 { 1955 u = i >> 1; 1956 keybits = 128 + u * 64; 1957 mode = i & 1; 1958 1959 if( verbose != 0 ) 1960 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits, 1961 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1962 1963 memcpy( iv, aes_test_cfb128_iv, 16 ); 1964 memcpy( key, aes_test_cfb128_key[u], keybits / 8 ); 1965 1966 offset = 0; 1967 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1968 /* 1969 * AES-192 is an optional feature that may be unavailable when 1970 * there is an alternative underlying implementation i.e. when 1971 * MBEDTLS_AES_ALT is defined. 1972 */ 1973 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1974 { 1975 mbedtls_printf( "skipped\n" ); 1976 continue; 1977 } 1978 else if( ret != 0 ) 1979 { 1980 goto exit; 1981 } 1982 1983 if( mode == MBEDTLS_AES_DECRYPT ) 1984 { 1985 memcpy( buf, aes_test_cfb128_ct[u], 64 ); 1986 aes_tests = aes_test_cfb128_pt; 1987 } 1988 else 1989 { 1990 memcpy( buf, aes_test_cfb128_pt, 64 ); 1991 aes_tests = aes_test_cfb128_ct[u]; 1992 } 1993 1994 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf ); 1995 if( ret != 0 ) 1996 goto exit; 1997 1998 if( memcmp( buf, aes_tests, 64 ) != 0 ) 1999 { 2000 ret = 1; 2001 goto exit; 2002 } 2003 2004 if( verbose != 0 ) 2005 mbedtls_printf( "passed\n" ); 2006 } 2007 2008 if( verbose != 0 ) 2009 mbedtls_printf( "\n" ); 2010 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 2011 2012 #if defined(MBEDTLS_CIPHER_MODE_OFB) 2013 /* 2014 * OFB mode 2015 */ 2016 for( i = 0; i < 6; i++ ) 2017 { 2018 u = i >> 1; 2019 keybits = 128 + u * 64; 2020 mode = i & 1; 2021 2022 if( verbose != 0 ) 2023 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits, 2024 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2025 2026 memcpy( iv, aes_test_ofb_iv, 16 ); 2027 memcpy( key, aes_test_ofb_key[u], keybits / 8 ); 2028 2029 offset = 0; 2030 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 2031 /* 2032 * AES-192 is an optional feature that may be unavailable when 2033 * there is an alternative underlying implementation i.e. when 2034 * MBEDTLS_AES_ALT is defined. 2035 */ 2036 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 2037 { 2038 mbedtls_printf( "skipped\n" ); 2039 continue; 2040 } 2041 else if( ret != 0 ) 2042 { 2043 goto exit; 2044 } 2045 2046 if( mode == MBEDTLS_AES_DECRYPT ) 2047 { 2048 memcpy( buf, aes_test_ofb_ct[u], 64 ); 2049 aes_tests = aes_test_ofb_pt; 2050 } 2051 else 2052 { 2053 memcpy( buf, aes_test_ofb_pt, 64 ); 2054 aes_tests = aes_test_ofb_ct[u]; 2055 } 2056 2057 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf ); 2058 if( ret != 0 ) 2059 goto exit; 2060 2061 if( memcmp( buf, aes_tests, 64 ) != 0 ) 2062 { 2063 ret = 1; 2064 goto exit; 2065 } 2066 2067 if( verbose != 0 ) 2068 mbedtls_printf( "passed\n" ); 2069 } 2070 2071 if( verbose != 0 ) 2072 mbedtls_printf( "\n" ); 2073 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 2074 2075 #if defined(MBEDTLS_CIPHER_MODE_CTR) 2076 /* 2077 * CTR mode 2078 */ 2079 for( i = 0; i < 6; i++ ) 2080 { 2081 u = i >> 1; 2082 mode = i & 1; 2083 2084 if( verbose != 0 ) 2085 mbedtls_printf( " AES-CTR-128 (%s): ", 2086 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2087 2088 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 ); 2089 memcpy( key, aes_test_ctr_key[u], 16 ); 2090 2091 offset = 0; 2092 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 ) 2093 goto exit; 2094 2095 len = aes_test_ctr_len[u]; 2096 2097 if( mode == MBEDTLS_AES_DECRYPT ) 2098 { 2099 memcpy( buf, aes_test_ctr_ct[u], len ); 2100 aes_tests = aes_test_ctr_pt[u]; 2101 } 2102 else 2103 { 2104 memcpy( buf, aes_test_ctr_pt[u], len ); 2105 aes_tests = aes_test_ctr_ct[u]; 2106 } 2107 2108 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, 2109 stream_block, buf, buf ); 2110 if( ret != 0 ) 2111 goto exit; 2112 2113 if( memcmp( buf, aes_tests, len ) != 0 ) 2114 { 2115 ret = 1; 2116 goto exit; 2117 } 2118 2119 if( verbose != 0 ) 2120 mbedtls_printf( "passed\n" ); 2121 } 2122 2123 if( verbose != 0 ) 2124 mbedtls_printf( "\n" ); 2125 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 2126 2127 #if defined(MBEDTLS_CIPHER_MODE_XTS) 2128 { 2129 static const int num_tests = 2130 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); 2131 mbedtls_aes_xts_context ctx_xts; 2132 2133 /* 2134 * XTS mode 2135 */ 2136 mbedtls_aes_xts_init( &ctx_xts ); 2137 2138 for( i = 0; i < num_tests << 1; i++ ) 2139 { 2140 const unsigned char *data_unit; 2141 u = i >> 1; 2142 mode = i & 1; 2143 2144 if( verbose != 0 ) 2145 mbedtls_printf( " AES-XTS-128 (%s): ", 2146 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2147 2148 memset( key, 0, sizeof( key ) ); 2149 memcpy( key, aes_test_xts_key[u], 32 ); 2150 data_unit = aes_test_xts_data_unit[u]; 2151 2152 len = sizeof( *aes_test_xts_ct32 ); 2153 2154 if( mode == MBEDTLS_AES_DECRYPT ) 2155 { 2156 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 ); 2157 if( ret != 0) 2158 goto exit; 2159 memcpy( buf, aes_test_xts_ct32[u], len ); 2160 aes_tests = aes_test_xts_pt32[u]; 2161 } 2162 else 2163 { 2164 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 ); 2165 if( ret != 0) 2166 goto exit; 2167 memcpy( buf, aes_test_xts_pt32[u], len ); 2168 aes_tests = aes_test_xts_ct32[u]; 2169 } 2170 2171 2172 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit, 2173 buf, buf ); 2174 if( ret != 0 ) 2175 goto exit; 2176 2177 if( memcmp( buf, aes_tests, len ) != 0 ) 2178 { 2179 ret = 1; 2180 goto exit; 2181 } 2182 2183 if( verbose != 0 ) 2184 mbedtls_printf( "passed\n" ); 2185 } 2186 2187 if( verbose != 0 ) 2188 mbedtls_printf( "\n" ); 2189 2190 mbedtls_aes_xts_free( &ctx_xts ); 2191 } 2192 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 2193 2194 ret = 0; 2195 2196 exit: 2197 if( ret != 0 && verbose != 0 ) 2198 mbedtls_printf( "failed\n" ); 2199 2200 mbedtls_aes_free( &ctx ); 2201 2202 return( ret ); 2203 } 2204 2205 #endif /* MBEDTLS_SELF_TEST */ 2206 2207 #endif /* MBEDTLS_AES_C */ 2208