1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * FIPS-197 compliant AES implementation 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 23 * 24 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 25 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 26 */ 27 28 #if !defined(MBEDTLS_CONFIG_FILE) 29 #include "mbedtls/config.h" 30 #else 31 #include MBEDTLS_CONFIG_FILE 32 #endif 33 34 #if defined(MBEDTLS_AES_C) 35 36 #include <string.h> 37 38 #include "mbedtls/aes.h" 39 #include "mbedtls/platform.h" 40 #include "mbedtls/platform_util.h" 41 #if defined(MBEDTLS_PADLOCK_C) 42 #include "mbedtls/padlock.h" 43 #endif 44 #if defined(MBEDTLS_AESNI_C) 45 #include "mbedtls/aesni.h" 46 #endif 47 48 #if defined(MBEDTLS_SELF_TEST) 49 #if defined(MBEDTLS_PLATFORM_C) 50 #include "mbedtls/platform.h" 51 #else 52 #include <stdio.h> 53 #define mbedtls_printf printf 54 #endif /* MBEDTLS_PLATFORM_C */ 55 #endif /* MBEDTLS_SELF_TEST */ 56 57 #if !defined(MBEDTLS_AES_ALT) 58 59 /* Parameter validation macros based on platform_util.h */ 60 #define AES_VALIDATE_RET( cond ) \ 61 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) 62 #define AES_VALIDATE( cond ) \ 63 MBEDTLS_INTERNAL_VALIDATE( cond ) 64 65 /* 66 * 32-bit integer manipulation macros (little endian) 67 */ 68 #ifndef GET_UINT32_LE 69 #define GET_UINT32_LE(n,b,i) \ 70 { \ 71 (n) = ( (uint32_t) (b)[(i) ] ) \ 72 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 73 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 74 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 75 } 76 #endif 77 78 #ifndef PUT_UINT32_LE 79 #define PUT_UINT32_LE(n,b,i) \ 80 { \ 81 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 82 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 83 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 84 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 85 } 86 #endif 87 88 #if defined(MBEDTLS_PADLOCK_C) && \ 89 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) ) 90 static int aes_padlock_ace = -1; 91 #endif 92 93 #if defined(MBEDTLS_AES_ROM_TABLES) 94 /* 95 * Forward S-box 96 */ 97 static const unsigned char FSb[256] = 98 { 99 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 131 }; 132 133 /* 134 * Forward tables 135 */ 136 #define FT \ 137 \ 138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \ 139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \ 140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \ 141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \ 142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \ 143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \ 144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \ 145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \ 146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \ 147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \ 148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \ 149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \ 150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \ 151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \ 152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \ 153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \ 154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \ 155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \ 156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \ 157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \ 158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \ 159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \ 160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \ 161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \ 162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \ 163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \ 164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \ 165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \ 166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \ 167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \ 168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \ 169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \ 170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \ 171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \ 172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \ 173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \ 174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \ 175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \ 176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \ 177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \ 178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \ 179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \ 180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \ 181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \ 182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \ 183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \ 184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \ 185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \ 186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \ 187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \ 188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \ 189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \ 190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \ 191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \ 192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \ 193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \ 194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \ 195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \ 196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \ 197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \ 198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \ 199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \ 200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \ 201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C) 202 203 #define V(a,b,c,d) 0x##a##b##c##d 204 static const uint32_t FT0[256] = { FT }; 205 #undef V 206 207 #if !defined(MBEDTLS_AES_FEWER_TABLES) 208 209 #define V(a,b,c,d) 0x##b##c##d##a 210 static const uint32_t FT1[256] = { FT }; 211 #undef V 212 213 #define V(a,b,c,d) 0x##c##d##a##b 214 static const uint32_t FT2[256] = { FT }; 215 #undef V 216 217 #define V(a,b,c,d) 0x##d##a##b##c 218 static const uint32_t FT3[256] = { FT }; 219 #undef V 220 221 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 222 223 #undef FT 224 225 /* 226 * Reverse S-box 227 */ 228 static const unsigned char RSb[256] = 229 { 230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 262 }; 263 264 /* 265 * Reverse tables 266 */ 267 #define RT \ 268 \ 269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \ 270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \ 271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \ 272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \ 273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \ 274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \ 275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \ 276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \ 277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \ 278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \ 279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \ 280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \ 281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \ 282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \ 283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \ 284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \ 285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \ 286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \ 287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \ 288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \ 289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \ 290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \ 291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \ 292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \ 293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \ 294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \ 295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \ 296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \ 297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \ 298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \ 299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \ 300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \ 301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \ 302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \ 303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \ 304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \ 305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \ 306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \ 307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \ 308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \ 309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \ 310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \ 311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \ 312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \ 313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \ 314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \ 315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \ 316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \ 317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \ 318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \ 319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \ 320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \ 321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \ 322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \ 323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \ 324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \ 325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \ 326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \ 327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \ 328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \ 329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \ 330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \ 331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \ 332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0) 333 334 #define V(a,b,c,d) 0x##a##b##c##d 335 static const uint32_t RT0[256] = { RT }; 336 #undef V 337 338 #if !defined(MBEDTLS_AES_FEWER_TABLES) 339 340 #define V(a,b,c,d) 0x##b##c##d##a 341 static const uint32_t RT1[256] = { RT }; 342 #undef V 343 344 #define V(a,b,c,d) 0x##c##d##a##b 345 static const uint32_t RT2[256] = { RT }; 346 #undef V 347 348 #define V(a,b,c,d) 0x##d##a##b##c 349 static const uint32_t RT3[256] = { RT }; 350 #undef V 351 352 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 353 354 #undef RT 355 356 /* 357 * Round constants 358 */ 359 static const uint32_t RCON[10] = 360 { 361 0x00000001, 0x00000002, 0x00000004, 0x00000008, 362 0x00000010, 0x00000020, 0x00000040, 0x00000080, 363 0x0000001B, 0x00000036 364 }; 365 366 #else /* MBEDTLS_AES_ROM_TABLES */ 367 368 /* 369 * Forward S-box & tables 370 */ 371 static unsigned char FSb[256]; 372 static uint32_t FT0[256]; 373 #if !defined(MBEDTLS_AES_FEWER_TABLES) 374 static uint32_t FT1[256]; 375 static uint32_t FT2[256]; 376 static uint32_t FT3[256]; 377 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 378 379 /* 380 * Reverse S-box & tables 381 */ 382 static unsigned char RSb[256]; 383 static uint32_t RT0[256]; 384 #if !defined(MBEDTLS_AES_FEWER_TABLES) 385 static uint32_t RT1[256]; 386 static uint32_t RT2[256]; 387 static uint32_t RT3[256]; 388 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 389 390 /* 391 * Round constants 392 */ 393 static uint32_t RCON[10]; 394 395 /* 396 * Tables generation code 397 */ 398 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 ) 399 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) ) 400 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 ) 401 402 static int aes_init_done = 0; 403 404 static void aes_gen_tables( void ) 405 { 406 int i, x, y, z; 407 int pow[256]; 408 int log[256]; 409 410 /* 411 * compute pow and log tables over GF(2^8) 412 */ 413 for( i = 0, x = 1; i < 256; i++ ) 414 { 415 pow[i] = x; 416 log[x] = i; 417 x = ( x ^ XTIME( x ) ) & 0xFF; 418 } 419 420 /* 421 * calculate the round constants 422 */ 423 for( i = 0, x = 1; i < 10; i++ ) 424 { 425 RCON[i] = (uint32_t) x; 426 x = XTIME( x ) & 0xFF; 427 } 428 429 /* 430 * generate the forward and reverse S-boxes 431 */ 432 FSb[0x00] = 0x63; 433 RSb[0x63] = 0x00; 434 435 for( i = 1; i < 256; i++ ) 436 { 437 x = pow[255 - log[i]]; 438 439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 443 x ^= y ^ 0x63; 444 445 FSb[i] = (unsigned char) x; 446 RSb[x] = (unsigned char) i; 447 } 448 449 /* 450 * generate the forward and reverse tables 451 */ 452 for( i = 0; i < 256; i++ ) 453 { 454 x = FSb[i]; 455 y = XTIME( x ) & 0xFF; 456 z = ( y ^ x ) & 0xFF; 457 458 FT0[i] = ( (uint32_t) y ) ^ 459 ( (uint32_t) x << 8 ) ^ 460 ( (uint32_t) x << 16 ) ^ 461 ( (uint32_t) z << 24 ); 462 463 #if !defined(MBEDTLS_AES_FEWER_TABLES) 464 FT1[i] = ROTL8( FT0[i] ); 465 FT2[i] = ROTL8( FT1[i] ); 466 FT3[i] = ROTL8( FT2[i] ); 467 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 468 469 x = RSb[i]; 470 471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^ 472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^ 473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ 474 ( (uint32_t) MUL( 0x0B, x ) << 24 ); 475 476 #if !defined(MBEDTLS_AES_FEWER_TABLES) 477 RT1[i] = ROTL8( RT0[i] ); 478 RT2[i] = ROTL8( RT1[i] ); 479 RT3[i] = ROTL8( RT2[i] ); 480 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 481 } 482 } 483 484 #undef ROTL8 485 486 #endif /* MBEDTLS_AES_ROM_TABLES */ 487 488 #if defined(MBEDTLS_AES_FEWER_TABLES) 489 490 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) 491 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) 492 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) ) 493 494 #define AES_RT0(idx) RT0[idx] 495 #define AES_RT1(idx) ROTL8( RT0[idx] ) 496 #define AES_RT2(idx) ROTL16( RT0[idx] ) 497 #define AES_RT3(idx) ROTL24( RT0[idx] ) 498 499 #define AES_FT0(idx) FT0[idx] 500 #define AES_FT1(idx) ROTL8( FT0[idx] ) 501 #define AES_FT2(idx) ROTL16( FT0[idx] ) 502 #define AES_FT3(idx) ROTL24( FT0[idx] ) 503 504 #else /* MBEDTLS_AES_FEWER_TABLES */ 505 506 #define AES_RT0(idx) RT0[idx] 507 #define AES_RT1(idx) RT1[idx] 508 #define AES_RT2(idx) RT2[idx] 509 #define AES_RT3(idx) RT3[idx] 510 511 #define AES_FT0(idx) FT0[idx] 512 #define AES_FT1(idx) FT1[idx] 513 #define AES_FT2(idx) FT2[idx] 514 #define AES_FT3(idx) FT3[idx] 515 516 #endif /* MBEDTLS_AES_FEWER_TABLES */ 517 518 void mbedtls_aes_init( mbedtls_aes_context *ctx ) 519 { 520 AES_VALIDATE( ctx != NULL ); 521 522 memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 523 } 524 525 void mbedtls_aes_free( mbedtls_aes_context *ctx ) 526 { 527 if( ctx == NULL ) 528 return; 529 530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 531 } 532 533 #if defined(MBEDTLS_CIPHER_MODE_XTS) 534 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx ) 535 { 536 AES_VALIDATE( ctx != NULL ); 537 538 mbedtls_aes_init( &ctx->crypt ); 539 mbedtls_aes_init( &ctx->tweak ); 540 } 541 542 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx ) 543 { 544 if( ctx == NULL ) 545 return; 546 547 mbedtls_aes_free( &ctx->crypt ); 548 mbedtls_aes_free( &ctx->tweak ); 549 } 550 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 551 552 /* 553 * AES key schedule (encryption) 554 */ 555 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 556 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, 557 unsigned int keybits ) 558 { 559 unsigned int i; 560 uint32_t *RK; 561 562 AES_VALIDATE_RET( ctx != NULL ); 563 AES_VALIDATE_RET( key != NULL ); 564 565 switch( keybits ) 566 { 567 case 128: ctx->nr = 10; break; 568 case 192: ctx->nr = 12; break; 569 case 256: ctx->nr = 14; break; 570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 571 } 572 573 #if !defined(MBEDTLS_AES_ROM_TABLES) 574 if( aes_init_done == 0 ) 575 { 576 aes_gen_tables(); 577 aes_init_done = 1; 578 } 579 #endif 580 581 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 582 if( aes_padlock_ace == -1 ) 583 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 584 585 if( aes_padlock_ace ) 586 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 587 else 588 #endif 589 ctx->rk = RK = ctx->buf; 590 591 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 592 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 593 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) ); 594 #endif 595 596 for( i = 0; i < ( keybits >> 5 ); i++ ) 597 { 598 GET_UINT32_LE( RK[i], key, i << 2 ); 599 } 600 601 switch( ctx->nr ) 602 { 603 case 10: 604 605 for( i = 0; i < 10; i++, RK += 4 ) 606 { 607 RK[4] = RK[0] ^ RCON[i] ^ 608 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^ 609 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^ 610 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^ 611 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 ); 612 613 RK[5] = RK[1] ^ RK[4]; 614 RK[6] = RK[2] ^ RK[5]; 615 RK[7] = RK[3] ^ RK[6]; 616 } 617 break; 618 619 case 12: 620 621 for( i = 0; i < 8; i++, RK += 6 ) 622 { 623 RK[6] = RK[0] ^ RCON[i] ^ 624 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^ 625 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^ 626 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^ 627 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 ); 628 629 RK[7] = RK[1] ^ RK[6]; 630 RK[8] = RK[2] ^ RK[7]; 631 RK[9] = RK[3] ^ RK[8]; 632 RK[10] = RK[4] ^ RK[9]; 633 RK[11] = RK[5] ^ RK[10]; 634 } 635 break; 636 637 case 14: 638 639 for( i = 0; i < 7; i++, RK += 8 ) 640 { 641 RK[8] = RK[0] ^ RCON[i] ^ 642 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^ 643 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^ 644 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^ 645 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 ); 646 647 RK[9] = RK[1] ^ RK[8]; 648 RK[10] = RK[2] ^ RK[9]; 649 RK[11] = RK[3] ^ RK[10]; 650 651 RK[12] = RK[4] ^ 652 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^ 653 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^ 654 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^ 655 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 ); 656 657 RK[13] = RK[5] ^ RK[12]; 658 RK[14] = RK[6] ^ RK[13]; 659 RK[15] = RK[7] ^ RK[14]; 660 } 661 break; 662 } 663 664 return( 0 ); 665 } 666 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 667 668 /* 669 * AES key schedule (decryption) 670 */ 671 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) 672 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, 673 unsigned int keybits ) 674 { 675 int i, j, ret; 676 mbedtls_aes_context cty; 677 uint32_t *RK; 678 uint32_t *SK; 679 680 AES_VALIDATE_RET( ctx != NULL ); 681 AES_VALIDATE_RET( key != NULL ); 682 683 mbedtls_aes_init( &cty ); 684 685 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 686 if( aes_padlock_ace == -1 ) 687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 688 689 if( aes_padlock_ace ) 690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 691 else 692 #endif 693 ctx->rk = RK = ctx->buf; 694 695 /* Also checks keybits */ 696 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 ) 697 goto exit; 698 699 ctx->nr = cty.nr; 700 701 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 702 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 703 { 704 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk, 705 (const unsigned char *) cty.rk, ctx->nr ); 706 goto exit; 707 } 708 #endif 709 710 SK = cty.rk + cty.nr * 4; 711 712 *RK++ = *SK++; 713 *RK++ = *SK++; 714 *RK++ = *SK++; 715 *RK++ = *SK++; 716 717 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 ) 718 { 719 for( j = 0; j < 4; j++, SK++ ) 720 { 721 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^ 722 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^ 723 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^ 724 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] ); 725 } 726 } 727 728 *RK++ = *SK++; 729 *RK++ = *SK++; 730 *RK++ = *SK++; 731 *RK++ = *SK++; 732 733 exit: 734 mbedtls_aes_free( &cty ); 735 736 return( ret ); 737 } 738 739 #if defined(MBEDTLS_CIPHER_MODE_XTS) 740 static int mbedtls_aes_xts_decode_keys( const unsigned char *key, 741 unsigned int keybits, 742 const unsigned char **key1, 743 unsigned int *key1bits, 744 const unsigned char **key2, 745 unsigned int *key2bits ) 746 { 747 const unsigned int half_keybits = keybits / 2; 748 const unsigned int half_keybytes = half_keybits / 8; 749 750 switch( keybits ) 751 { 752 case 256: break; 753 case 512: break; 754 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 755 } 756 757 *key1bits = half_keybits; 758 *key2bits = half_keybits; 759 *key1 = &key[0]; 760 *key2 = &key[half_keybytes]; 761 762 return 0; 763 } 764 765 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx, 766 const unsigned char *key, 767 unsigned int keybits) 768 { 769 int ret; 770 const unsigned char *key1, *key2; 771 unsigned int key1bits, key2bits; 772 773 AES_VALIDATE_RET( ctx != NULL ); 774 AES_VALIDATE_RET( key != NULL ); 775 776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 777 &key2, &key2bits ); 778 if( ret != 0 ) 779 return( ret ); 780 781 /* Set the tweak key. Always set tweak key for the encryption mode. */ 782 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 783 if( ret != 0 ) 784 return( ret ); 785 786 /* Set crypt key for encryption. */ 787 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits ); 788 } 789 790 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx, 791 const unsigned char *key, 792 unsigned int keybits) 793 { 794 int ret; 795 const unsigned char *key1, *key2; 796 unsigned int key1bits, key2bits; 797 798 AES_VALIDATE_RET( ctx != NULL ); 799 AES_VALIDATE_RET( key != NULL ); 800 801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 802 &key2, &key2bits ); 803 if( ret != 0 ) 804 return( ret ); 805 806 /* Set the tweak key. Always set tweak key for encryption. */ 807 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 808 if( ret != 0 ) 809 return( ret ); 810 811 /* Set crypt key for decryption. */ 812 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits ); 813 } 814 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 815 816 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ 817 818 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 819 do \ 820 { \ 821 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \ 822 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 823 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 824 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \ 825 \ 826 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \ 827 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 828 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 829 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \ 830 \ 831 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \ 832 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 833 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 834 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \ 835 \ 836 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \ 837 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 838 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 839 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \ 840 } while( 0 ) 841 842 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 843 do \ 844 { \ 845 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \ 846 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 847 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 848 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \ 849 \ 850 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \ 851 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 852 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 853 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \ 854 \ 855 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \ 856 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 857 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 858 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \ 859 \ 860 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \ 861 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 862 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 863 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \ 864 } while( 0 ) 865 866 /* 867 * AES-ECB block encryption 868 */ 869 #if !defined(MBEDTLS_AES_ENCRYPT_ALT) 870 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, 871 const unsigned char input[16], 872 unsigned char output[16] ) 873 { 874 int i; 875 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 876 877 RK = ctx->rk; 878 879 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 880 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 881 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 882 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 883 884 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 885 { 886 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 887 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 888 } 889 890 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 891 892 X0 = *RK++ ^ \ 893 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^ 894 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 895 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 896 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 897 898 X1 = *RK++ ^ \ 899 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^ 900 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 901 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 902 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 903 904 X2 = *RK++ ^ \ 905 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^ 906 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 907 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 908 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 909 910 X3 = *RK++ ^ \ 911 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^ 912 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 913 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 914 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 915 916 PUT_UINT32_LE( X0, output, 0 ); 917 PUT_UINT32_LE( X1, output, 4 ); 918 PUT_UINT32_LE( X2, output, 8 ); 919 PUT_UINT32_LE( X3, output, 12 ); 920 921 mbedtls_platform_zeroize( &X0, sizeof( X0 ) ); 922 mbedtls_platform_zeroize( &X1, sizeof( X1 ) ); 923 mbedtls_platform_zeroize( &X2, sizeof( X2 ) ); 924 mbedtls_platform_zeroize( &X3, sizeof( X3 ) ); 925 926 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) ); 927 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) ); 928 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) ); 929 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) ); 930 931 mbedtls_platform_zeroize( &RK, sizeof( RK ) ); 932 933 return( 0 ); 934 } 935 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 936 937 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 938 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, 939 const unsigned char input[16], 940 unsigned char output[16] ) 941 { 942 mbedtls_internal_aes_encrypt( ctx, input, output ); 943 } 944 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 945 946 /* 947 * AES-ECB block decryption 948 */ 949 #if !defined(MBEDTLS_AES_DECRYPT_ALT) 950 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, 951 const unsigned char input[16], 952 unsigned char output[16] ) 953 { 954 int i; 955 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 956 957 RK = ctx->rk; 958 959 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 960 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 961 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 962 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 963 964 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 965 { 966 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 967 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 968 } 969 970 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 971 972 X0 = *RK++ ^ \ 973 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^ 974 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 975 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 976 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 977 978 X1 = *RK++ ^ \ 979 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^ 980 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 981 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 982 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 983 984 X2 = *RK++ ^ \ 985 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^ 986 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 987 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 988 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 989 990 X3 = *RK++ ^ \ 991 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^ 992 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 993 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 994 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 995 996 PUT_UINT32_LE( X0, output, 0 ); 997 PUT_UINT32_LE( X1, output, 4 ); 998 PUT_UINT32_LE( X2, output, 8 ); 999 PUT_UINT32_LE( X3, output, 12 ); 1000 1001 mbedtls_platform_zeroize( &X0, sizeof( X0 ) ); 1002 mbedtls_platform_zeroize( &X1, sizeof( X1 ) ); 1003 mbedtls_platform_zeroize( &X2, sizeof( X2 ) ); 1004 mbedtls_platform_zeroize( &X3, sizeof( X3 ) ); 1005 1006 mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) ); 1007 mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) ); 1008 mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) ); 1009 mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) ); 1010 1011 mbedtls_platform_zeroize( &RK, sizeof( RK ) ); 1012 1013 return( 0 ); 1014 } 1015 #endif /* !MBEDTLS_AES_DECRYPT_ALT */ 1016 1017 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1018 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, 1019 const unsigned char input[16], 1020 unsigned char output[16] ) 1021 { 1022 mbedtls_internal_aes_decrypt( ctx, input, output ); 1023 } 1024 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1025 1026 /* 1027 * AES-ECB block encryption/decryption 1028 */ 1029 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, 1030 int mode, 1031 const unsigned char input[16], 1032 unsigned char output[16] ) 1033 { 1034 AES_VALIDATE_RET( ctx != NULL ); 1035 AES_VALIDATE_RET( input != NULL ); 1036 AES_VALIDATE_RET( output != NULL ); 1037 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1038 mode == MBEDTLS_AES_DECRYPT ); 1039 1040 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 1041 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 1042 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); 1043 #endif 1044 1045 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1046 if( aes_padlock_ace ) 1047 { 1048 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 ) 1049 return( 0 ); 1050 1051 // If padlock data misaligned, we just fall back to 1052 // unaccelerated mode 1053 // 1054 } 1055 #endif 1056 1057 if( mode == MBEDTLS_AES_ENCRYPT ) 1058 return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); 1059 else 1060 return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); 1061 } 1062 1063 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1064 /* 1065 * AES-CBC buffer encryption/decryption 1066 */ 1067 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, 1068 int mode, 1069 size_t length, 1070 unsigned char iv[16], 1071 const unsigned char *input, 1072 unsigned char *output ) 1073 { 1074 int i; 1075 unsigned char temp[16]; 1076 1077 AES_VALIDATE_RET( ctx != NULL ); 1078 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1079 mode == MBEDTLS_AES_DECRYPT ); 1080 AES_VALIDATE_RET( iv != NULL ); 1081 AES_VALIDATE_RET( input != NULL ); 1082 AES_VALIDATE_RET( output != NULL ); 1083 1084 if( length % 16 ) 1085 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); 1086 1087 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1088 if( aes_padlock_ace ) 1089 { 1090 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 ) 1091 return( 0 ); 1092 1093 // If padlock data misaligned, we just fall back to 1094 // unaccelerated mode 1095 // 1096 } 1097 #endif 1098 1099 if( mode == MBEDTLS_AES_DECRYPT ) 1100 { 1101 while( length > 0 ) 1102 { 1103 memcpy( temp, input, 16 ); 1104 mbedtls_aes_crypt_ecb( ctx, mode, input, output ); 1105 1106 for( i = 0; i < 16; i++ ) 1107 output[i] = (unsigned char)( output[i] ^ iv[i] ); 1108 1109 memcpy( iv, temp, 16 ); 1110 1111 input += 16; 1112 output += 16; 1113 length -= 16; 1114 } 1115 } 1116 else 1117 { 1118 while( length > 0 ) 1119 { 1120 for( i = 0; i < 16; i++ ) 1121 output[i] = (unsigned char)( input[i] ^ iv[i] ); 1122 1123 mbedtls_aes_crypt_ecb( ctx, mode, output, output ); 1124 memcpy( iv, output, 16 ); 1125 1126 input += 16; 1127 output += 16; 1128 length -= 16; 1129 } 1130 } 1131 1132 return( 0 ); 1133 } 1134 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1135 1136 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1137 1138 /* Endianess with 64 bits values */ 1139 #ifndef GET_UINT64_LE 1140 #define GET_UINT64_LE(n,b,i) \ 1141 { \ 1142 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \ 1143 | ( (uint64_t) (b)[(i) + 6] << 48 ) \ 1144 | ( (uint64_t) (b)[(i) + 5] << 40 ) \ 1145 | ( (uint64_t) (b)[(i) + 4] << 32 ) \ 1146 | ( (uint64_t) (b)[(i) + 3] << 24 ) \ 1147 | ( (uint64_t) (b)[(i) + 2] << 16 ) \ 1148 | ( (uint64_t) (b)[(i) + 1] << 8 ) \ 1149 | ( (uint64_t) (b)[(i) ] ); \ 1150 } 1151 #endif 1152 1153 #ifndef PUT_UINT64_LE 1154 #define PUT_UINT64_LE(n,b,i) \ 1155 { \ 1156 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \ 1157 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \ 1158 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \ 1159 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \ 1160 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \ 1161 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \ 1162 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \ 1163 (b)[(i) ] = (unsigned char) ( (n) ); \ 1164 } 1165 #endif 1166 1167 typedef unsigned char mbedtls_be128[16]; 1168 1169 /* 1170 * GF(2^128) multiplication function 1171 * 1172 * This function multiplies a field element by x in the polynomial field 1173 * representation. It uses 64-bit word operations to gain speed but compensates 1174 * for machine endianess and hence works correctly on both big and little 1175 * endian machines. 1176 */ 1177 static void mbedtls_gf128mul_x_ble( unsigned char r[16], 1178 const unsigned char x[16] ) 1179 { 1180 uint64_t a, b, ra, rb; 1181 1182 GET_UINT64_LE( a, x, 0 ); 1183 GET_UINT64_LE( b, x, 8 ); 1184 1185 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) ); 1186 rb = ( a >> 63 ) | ( b << 1 ); 1187 1188 PUT_UINT64_LE( ra, r, 0 ); 1189 PUT_UINT64_LE( rb, r, 8 ); 1190 } 1191 1192 /* 1193 * AES-XTS buffer encryption/decryption 1194 */ 1195 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, 1196 int mode, 1197 size_t length, 1198 const unsigned char data_unit[16], 1199 const unsigned char *input, 1200 unsigned char *output ) 1201 { 1202 int ret; 1203 size_t blocks = length / 16; 1204 size_t leftover = length % 16; 1205 unsigned char tweak[16]; 1206 unsigned char prev_tweak[16]; 1207 unsigned char tmp[16]; 1208 1209 AES_VALIDATE_RET( ctx != NULL ); 1210 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1211 mode == MBEDTLS_AES_DECRYPT ); 1212 AES_VALIDATE_RET( data_unit != NULL ); 1213 AES_VALIDATE_RET( input != NULL ); 1214 AES_VALIDATE_RET( output != NULL ); 1215 1216 /* Data units must be at least 16 bytes long. */ 1217 if( length < 16 ) 1218 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1219 1220 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ 1221 if( length > ( 1 << 20 ) * 16 ) 1222 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1223 1224 /* Compute the tweak. */ 1225 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, 1226 data_unit, tweak ); 1227 if( ret != 0 ) 1228 return( ret ); 1229 1230 while( blocks-- ) 1231 { 1232 size_t i; 1233 1234 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 ) 1235 { 1236 /* We are on the last block in a decrypt operation that has 1237 * leftover bytes, so we need to use the next tweak for this block, 1238 * and this tweak for the lefover bytes. Save the current tweak for 1239 * the leftovers and then update the current tweak for use on this, 1240 * the last full block. */ 1241 memcpy( prev_tweak, tweak, sizeof( tweak ) ); 1242 mbedtls_gf128mul_x_ble( tweak, tweak ); 1243 } 1244 1245 for( i = 0; i < 16; i++ ) 1246 tmp[i] = input[i] ^ tweak[i]; 1247 1248 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1249 if( ret != 0 ) 1250 return( ret ); 1251 1252 for( i = 0; i < 16; i++ ) 1253 output[i] = tmp[i] ^ tweak[i]; 1254 1255 /* Update the tweak for the next block. */ 1256 mbedtls_gf128mul_x_ble( tweak, tweak ); 1257 1258 output += 16; 1259 input += 16; 1260 } 1261 1262 if( leftover ) 1263 { 1264 /* If we are on the leftover bytes in a decrypt operation, we need to 1265 * use the previous tweak for these bytes (as saved in prev_tweak). */ 1266 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; 1267 1268 /* We are now on the final part of the data unit, which doesn't divide 1269 * evenly by 16. It's time for ciphertext stealing. */ 1270 size_t i; 1271 unsigned char *prev_output = output - 16; 1272 1273 /* Copy ciphertext bytes from the previous block to our output for each 1274 * byte of cyphertext we won't steal. At the same time, copy the 1275 * remainder of the input for this final round (since the loop bounds 1276 * are the same). */ 1277 for( i = 0; i < leftover; i++ ) 1278 { 1279 output[i] = prev_output[i]; 1280 tmp[i] = input[i] ^ t[i]; 1281 } 1282 1283 /* Copy ciphertext bytes from the previous block for input in this 1284 * round. */ 1285 for( ; i < 16; i++ ) 1286 tmp[i] = prev_output[i] ^ t[i]; 1287 1288 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1289 if( ret != 0 ) 1290 return ret; 1291 1292 /* Write the result back to the previous block, overriding the previous 1293 * output we copied. */ 1294 for( i = 0; i < 16; i++ ) 1295 prev_output[i] = tmp[i] ^ t[i]; 1296 } 1297 1298 return( 0 ); 1299 } 1300 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1301 1302 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1303 /* 1304 * AES-CFB128 buffer encryption/decryption 1305 */ 1306 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, 1307 int mode, 1308 size_t length, 1309 size_t *iv_off, 1310 unsigned char iv[16], 1311 const unsigned char *input, 1312 unsigned char *output ) 1313 { 1314 int c; 1315 size_t n; 1316 1317 AES_VALIDATE_RET( ctx != NULL ); 1318 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1319 mode == MBEDTLS_AES_DECRYPT ); 1320 AES_VALIDATE_RET( iv_off != NULL ); 1321 AES_VALIDATE_RET( iv != NULL ); 1322 AES_VALIDATE_RET( input != NULL ); 1323 AES_VALIDATE_RET( output != NULL ); 1324 1325 n = *iv_off; 1326 1327 if( n > 15 ) 1328 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1329 1330 if( mode == MBEDTLS_AES_DECRYPT ) 1331 { 1332 while( length-- ) 1333 { 1334 if( n == 0 ) 1335 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1336 1337 c = *input++; 1338 *output++ = (unsigned char)( c ^ iv[n] ); 1339 iv[n] = (unsigned char) c; 1340 1341 n = ( n + 1 ) & 0x0F; 1342 } 1343 } 1344 else 1345 { 1346 while( length-- ) 1347 { 1348 if( n == 0 ) 1349 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1350 1351 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 1352 1353 n = ( n + 1 ) & 0x0F; 1354 } 1355 } 1356 1357 *iv_off = n; 1358 1359 return( 0 ); 1360 } 1361 1362 /* 1363 * AES-CFB8 buffer encryption/decryption 1364 */ 1365 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, 1366 int mode, 1367 size_t length, 1368 unsigned char iv[16], 1369 const unsigned char *input, 1370 unsigned char *output ) 1371 { 1372 unsigned char c; 1373 unsigned char ov[17]; 1374 1375 AES_VALIDATE_RET( ctx != NULL ); 1376 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1377 mode == MBEDTLS_AES_DECRYPT ); 1378 AES_VALIDATE_RET( iv != NULL ); 1379 AES_VALIDATE_RET( input != NULL ); 1380 AES_VALIDATE_RET( output != NULL ); 1381 while( length-- ) 1382 { 1383 memcpy( ov, iv, 16 ); 1384 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1385 1386 if( mode == MBEDTLS_AES_DECRYPT ) 1387 ov[16] = *input; 1388 1389 c = *output++ = (unsigned char)( iv[0] ^ *input++ ); 1390 1391 if( mode == MBEDTLS_AES_ENCRYPT ) 1392 ov[16] = c; 1393 1394 memcpy( iv, ov + 1, 16 ); 1395 } 1396 1397 return( 0 ); 1398 } 1399 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1400 1401 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1402 /* 1403 * AES-OFB (Output Feedback Mode) buffer encryption/decryption 1404 */ 1405 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, 1406 size_t length, 1407 size_t *iv_off, 1408 unsigned char iv[16], 1409 const unsigned char *input, 1410 unsigned char *output ) 1411 { 1412 int ret = 0; 1413 size_t n; 1414 1415 AES_VALIDATE_RET( ctx != NULL ); 1416 AES_VALIDATE_RET( iv_off != NULL ); 1417 AES_VALIDATE_RET( iv != NULL ); 1418 AES_VALIDATE_RET( input != NULL ); 1419 AES_VALIDATE_RET( output != NULL ); 1420 1421 n = *iv_off; 1422 1423 if( n > 15 ) 1424 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1425 1426 while( length-- ) 1427 { 1428 if( n == 0 ) 1429 { 1430 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1431 if( ret != 0 ) 1432 goto exit; 1433 } 1434 *output++ = *input++ ^ iv[n]; 1435 1436 n = ( n + 1 ) & 0x0F; 1437 } 1438 1439 *iv_off = n; 1440 1441 exit: 1442 return( ret ); 1443 } 1444 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1445 1446 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1447 /* 1448 * AES-CTR buffer encryption/decryption 1449 */ 1450 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, 1451 size_t length, 1452 size_t *nc_off, 1453 unsigned char nonce_counter[16], 1454 unsigned char stream_block[16], 1455 const unsigned char *input, 1456 unsigned char *output ) 1457 { 1458 int c, i; 1459 size_t n; 1460 1461 AES_VALIDATE_RET( ctx != NULL ); 1462 AES_VALIDATE_RET( nc_off != NULL ); 1463 AES_VALIDATE_RET( nonce_counter != NULL ); 1464 AES_VALIDATE_RET( stream_block != NULL ); 1465 AES_VALIDATE_RET( input != NULL ); 1466 AES_VALIDATE_RET( output != NULL ); 1467 1468 n = *nc_off; 1469 1470 if ( n > 0x0F ) 1471 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1472 1473 while( length-- ) 1474 { 1475 if( n == 0 ) { 1476 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block ); 1477 1478 for( i = 16; i > 0; i-- ) 1479 if( ++nonce_counter[i - 1] != 0 ) 1480 break; 1481 } 1482 c = *input++; 1483 *output++ = (unsigned char)( c ^ stream_block[n] ); 1484 1485 n = ( n + 1 ) & 0x0F; 1486 } 1487 1488 *nc_off = n; 1489 1490 return( 0 ); 1491 } 1492 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1493 1494 #endif /* !MBEDTLS_AES_ALT */ 1495 1496 #if defined(MBEDTLS_SELF_TEST) 1497 /* 1498 * AES test vectors from: 1499 * 1500 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 1501 */ 1502 static const unsigned char aes_test_ecb_dec[3][16] = 1503 { 1504 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 1505 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 1506 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 1507 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 1508 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 1509 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 1510 }; 1511 1512 static const unsigned char aes_test_ecb_enc[3][16] = 1513 { 1514 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 1515 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 1516 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 1517 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 1518 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 1519 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 1520 }; 1521 1522 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1523 static const unsigned char aes_test_cbc_dec[3][16] = 1524 { 1525 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 1526 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, 1527 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 1528 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 1529 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 1530 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 1531 }; 1532 1533 static const unsigned char aes_test_cbc_enc[3][16] = 1534 { 1535 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 1536 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 1537 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 1538 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 1539 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 1540 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 1541 }; 1542 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1543 1544 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1545 /* 1546 * AES-CFB128 test vectors from: 1547 * 1548 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 1549 */ 1550 static const unsigned char aes_test_cfb128_key[3][32] = 1551 { 1552 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1553 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1554 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1555 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1556 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1557 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1558 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1559 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1560 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1561 }; 1562 1563 static const unsigned char aes_test_cfb128_iv[16] = 1564 { 1565 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1566 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1567 }; 1568 1569 static const unsigned char aes_test_cfb128_pt[64] = 1570 { 1571 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1572 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1573 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1574 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1575 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1576 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1577 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1578 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1579 }; 1580 1581 static const unsigned char aes_test_cfb128_ct[3][64] = 1582 { 1583 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1584 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1585 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, 1586 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 1587 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 1588 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 1589 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 1590 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 1591 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1592 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1593 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 1594 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 1595 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 1596 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 1597 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 1598 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 1599 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1600 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1601 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 1602 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 1603 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 1604 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 1605 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 1606 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 1607 }; 1608 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1609 1610 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1611 /* 1612 * AES-OFB test vectors from: 1613 * 1614 * https://csrc.nist.gov/publications/detail/sp/800-38a/final 1615 */ 1616 static const unsigned char aes_test_ofb_key[3][32] = 1617 { 1618 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1619 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1620 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1621 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1622 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1623 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1624 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1625 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1626 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1627 }; 1628 1629 static const unsigned char aes_test_ofb_iv[16] = 1630 { 1631 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1632 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1633 }; 1634 1635 static const unsigned char aes_test_ofb_pt[64] = 1636 { 1637 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1638 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1639 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1640 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1641 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1642 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1643 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1644 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1645 }; 1646 1647 static const unsigned char aes_test_ofb_ct[3][64] = 1648 { 1649 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1650 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1651 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 1652 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 1653 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 1654 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, 1655 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 1656 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, 1657 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1658 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1659 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 1660 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 1661 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 1662 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, 1663 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 1664 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, 1665 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1666 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1667 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 1668 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 1669 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 1670 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, 1671 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 1672 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } 1673 }; 1674 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1675 1676 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1677 /* 1678 * AES-CTR test vectors from: 1679 * 1680 * http://www.faqs.org/rfcs/rfc3686.html 1681 */ 1682 1683 static const unsigned char aes_test_ctr_key[3][16] = 1684 { 1685 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 1686 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 1687 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 1688 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 1689 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 1690 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 1691 }; 1692 1693 static const unsigned char aes_test_ctr_nonce_counter[3][16] = 1694 { 1695 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 1696 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 1697 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 1698 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 1699 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 1700 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 1701 }; 1702 1703 static const unsigned char aes_test_ctr_pt[3][48] = 1704 { 1705 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 1706 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 1707 1708 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1709 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1710 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1711 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 1712 1713 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1714 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1715 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1716 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 1717 0x20, 0x21, 0x22, 0x23 } 1718 }; 1719 1720 static const unsigned char aes_test_ctr_ct[3][48] = 1721 { 1722 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 1723 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, 1724 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 1725 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 1726 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, 1727 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, 1728 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 1729 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, 1730 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, 1731 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 1732 0x25, 0xB2, 0x07, 0x2F } 1733 }; 1734 1735 static const int aes_test_ctr_len[3] = 1736 { 16, 32, 36 }; 1737 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1738 1739 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1740 /* 1741 * AES-XTS test vectors from: 1742 * 1743 * IEEE P1619/D16 Annex B 1744 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf 1745 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) 1746 */ 1747 static const unsigned char aes_test_xts_key[][32] = 1748 { 1749 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1750 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1751 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1752 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1753 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1754 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1755 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1756 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1757 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 1758 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, 1759 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1760 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1761 }; 1762 1763 static const unsigned char aes_test_xts_pt32[][32] = 1764 { 1765 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1769 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1770 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1771 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1772 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1773 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1774 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1775 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1776 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1777 }; 1778 1779 static const unsigned char aes_test_xts_ct32[][32] = 1780 { 1781 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, 1782 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, 1783 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, 1784 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, 1785 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, 1786 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, 1787 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, 1788 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, 1789 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, 1790 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, 1791 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, 1792 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, 1793 }; 1794 1795 static const unsigned char aes_test_xts_data_unit[][16] = 1796 { 1797 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1798 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1799 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1800 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1801 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1802 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1803 }; 1804 1805 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1806 1807 /* 1808 * Checkup routine 1809 */ 1810 int mbedtls_aes_self_test( int verbose ) 1811 { 1812 int ret = 0, i, j, u, mode; 1813 unsigned int keybits; 1814 unsigned char key[32]; 1815 unsigned char buf[64]; 1816 const unsigned char *aes_tests; 1817 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) 1818 unsigned char iv[16]; 1819 #endif 1820 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1821 unsigned char prv[16]; 1822 #endif 1823 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 1824 defined(MBEDTLS_CIPHER_MODE_OFB) 1825 size_t offset; 1826 #endif 1827 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) 1828 int len; 1829 #endif 1830 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1831 unsigned char nonce_counter[16]; 1832 unsigned char stream_block[16]; 1833 #endif 1834 mbedtls_aes_context ctx; 1835 1836 memset( key, 0, 32 ); 1837 mbedtls_aes_init( &ctx ); 1838 1839 /* 1840 * ECB mode 1841 */ 1842 for( i = 0; i < 6; i++ ) 1843 { 1844 u = i >> 1; 1845 keybits = 128 + u * 64; 1846 mode = i & 1; 1847 1848 if( verbose != 0 ) 1849 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits, 1850 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1851 1852 memset( buf, 0, 16 ); 1853 1854 if( mode == MBEDTLS_AES_DECRYPT ) 1855 { 1856 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1857 aes_tests = aes_test_ecb_dec[u]; 1858 } 1859 else 1860 { 1861 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1862 aes_tests = aes_test_ecb_enc[u]; 1863 } 1864 1865 /* 1866 * AES-192 is an optional feature that may be unavailable when 1867 * there is an alternative underlying implementation i.e. when 1868 * MBEDTLS_AES_ALT is defined. 1869 */ 1870 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1871 { 1872 mbedtls_printf( "skipped\n" ); 1873 continue; 1874 } 1875 else if( ret != 0 ) 1876 { 1877 goto exit; 1878 } 1879 1880 for( j = 0; j < 10000; j++ ) 1881 { 1882 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf ); 1883 if( ret != 0 ) 1884 goto exit; 1885 } 1886 1887 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1888 { 1889 ret = 1; 1890 goto exit; 1891 } 1892 1893 if( verbose != 0 ) 1894 mbedtls_printf( "passed\n" ); 1895 } 1896 1897 if( verbose != 0 ) 1898 mbedtls_printf( "\n" ); 1899 1900 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1901 /* 1902 * CBC mode 1903 */ 1904 for( i = 0; i < 6; i++ ) 1905 { 1906 u = i >> 1; 1907 keybits = 128 + u * 64; 1908 mode = i & 1; 1909 1910 if( verbose != 0 ) 1911 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits, 1912 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1913 1914 memset( iv , 0, 16 ); 1915 memset( prv, 0, 16 ); 1916 memset( buf, 0, 16 ); 1917 1918 if( mode == MBEDTLS_AES_DECRYPT ) 1919 { 1920 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1921 aes_tests = aes_test_cbc_dec[u]; 1922 } 1923 else 1924 { 1925 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1926 aes_tests = aes_test_cbc_enc[u]; 1927 } 1928 1929 /* 1930 * AES-192 is an optional feature that may be unavailable when 1931 * there is an alternative underlying implementation i.e. when 1932 * MBEDTLS_AES_ALT is defined. 1933 */ 1934 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1935 { 1936 mbedtls_printf( "skipped\n" ); 1937 continue; 1938 } 1939 else if( ret != 0 ) 1940 { 1941 goto exit; 1942 } 1943 1944 for( j = 0; j < 10000; j++ ) 1945 { 1946 if( mode == MBEDTLS_AES_ENCRYPT ) 1947 { 1948 unsigned char tmp[16]; 1949 1950 memcpy( tmp, prv, 16 ); 1951 memcpy( prv, buf, 16 ); 1952 memcpy( buf, tmp, 16 ); 1953 } 1954 1955 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf ); 1956 if( ret != 0 ) 1957 goto exit; 1958 1959 } 1960 1961 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1962 { 1963 ret = 1; 1964 goto exit; 1965 } 1966 1967 if( verbose != 0 ) 1968 mbedtls_printf( "passed\n" ); 1969 } 1970 1971 if( verbose != 0 ) 1972 mbedtls_printf( "\n" ); 1973 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1974 1975 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1976 /* 1977 * CFB128 mode 1978 */ 1979 for( i = 0; i < 6; i++ ) 1980 { 1981 u = i >> 1; 1982 keybits = 128 + u * 64; 1983 mode = i & 1; 1984 1985 if( verbose != 0 ) 1986 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits, 1987 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1988 1989 memcpy( iv, aes_test_cfb128_iv, 16 ); 1990 memcpy( key, aes_test_cfb128_key[u], keybits / 8 ); 1991 1992 offset = 0; 1993 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1994 /* 1995 * AES-192 is an optional feature that may be unavailable when 1996 * there is an alternative underlying implementation i.e. when 1997 * MBEDTLS_AES_ALT is defined. 1998 */ 1999 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 2000 { 2001 mbedtls_printf( "skipped\n" ); 2002 continue; 2003 } 2004 else if( ret != 0 ) 2005 { 2006 goto exit; 2007 } 2008 2009 if( mode == MBEDTLS_AES_DECRYPT ) 2010 { 2011 memcpy( buf, aes_test_cfb128_ct[u], 64 ); 2012 aes_tests = aes_test_cfb128_pt; 2013 } 2014 else 2015 { 2016 memcpy( buf, aes_test_cfb128_pt, 64 ); 2017 aes_tests = aes_test_cfb128_ct[u]; 2018 } 2019 2020 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf ); 2021 if( ret != 0 ) 2022 goto exit; 2023 2024 if( memcmp( buf, aes_tests, 64 ) != 0 ) 2025 { 2026 ret = 1; 2027 goto exit; 2028 } 2029 2030 if( verbose != 0 ) 2031 mbedtls_printf( "passed\n" ); 2032 } 2033 2034 if( verbose != 0 ) 2035 mbedtls_printf( "\n" ); 2036 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 2037 2038 #if defined(MBEDTLS_CIPHER_MODE_OFB) 2039 /* 2040 * OFB mode 2041 */ 2042 for( i = 0; i < 6; i++ ) 2043 { 2044 u = i >> 1; 2045 keybits = 128 + u * 64; 2046 mode = i & 1; 2047 2048 if( verbose != 0 ) 2049 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits, 2050 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2051 2052 memcpy( iv, aes_test_ofb_iv, 16 ); 2053 memcpy( key, aes_test_ofb_key[u], keybits / 8 ); 2054 2055 offset = 0; 2056 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 2057 /* 2058 * AES-192 is an optional feature that may be unavailable when 2059 * there is an alternative underlying implementation i.e. when 2060 * MBEDTLS_AES_ALT is defined. 2061 */ 2062 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 2063 { 2064 mbedtls_printf( "skipped\n" ); 2065 continue; 2066 } 2067 else if( ret != 0 ) 2068 { 2069 goto exit; 2070 } 2071 2072 if( mode == MBEDTLS_AES_DECRYPT ) 2073 { 2074 memcpy( buf, aes_test_ofb_ct[u], 64 ); 2075 aes_tests = aes_test_ofb_pt; 2076 } 2077 else 2078 { 2079 memcpy( buf, aes_test_ofb_pt, 64 ); 2080 aes_tests = aes_test_ofb_ct[u]; 2081 } 2082 2083 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf ); 2084 if( ret != 0 ) 2085 goto exit; 2086 2087 if( memcmp( buf, aes_tests, 64 ) != 0 ) 2088 { 2089 ret = 1; 2090 goto exit; 2091 } 2092 2093 if( verbose != 0 ) 2094 mbedtls_printf( "passed\n" ); 2095 } 2096 2097 if( verbose != 0 ) 2098 mbedtls_printf( "\n" ); 2099 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 2100 2101 #if defined(MBEDTLS_CIPHER_MODE_CTR) 2102 /* 2103 * CTR mode 2104 */ 2105 for( i = 0; i < 6; i++ ) 2106 { 2107 u = i >> 1; 2108 mode = i & 1; 2109 2110 if( verbose != 0 ) 2111 mbedtls_printf( " AES-CTR-128 (%s): ", 2112 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2113 2114 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 ); 2115 memcpy( key, aes_test_ctr_key[u], 16 ); 2116 2117 offset = 0; 2118 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 ) 2119 goto exit; 2120 2121 len = aes_test_ctr_len[u]; 2122 2123 if( mode == MBEDTLS_AES_DECRYPT ) 2124 { 2125 memcpy( buf, aes_test_ctr_ct[u], len ); 2126 aes_tests = aes_test_ctr_pt[u]; 2127 } 2128 else 2129 { 2130 memcpy( buf, aes_test_ctr_pt[u], len ); 2131 aes_tests = aes_test_ctr_ct[u]; 2132 } 2133 2134 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, 2135 stream_block, buf, buf ); 2136 if( ret != 0 ) 2137 goto exit; 2138 2139 if( memcmp( buf, aes_tests, len ) != 0 ) 2140 { 2141 ret = 1; 2142 goto exit; 2143 } 2144 2145 if( verbose != 0 ) 2146 mbedtls_printf( "passed\n" ); 2147 } 2148 2149 if( verbose != 0 ) 2150 mbedtls_printf( "\n" ); 2151 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 2152 2153 #if defined(MBEDTLS_CIPHER_MODE_XTS) 2154 { 2155 static const int num_tests = 2156 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); 2157 mbedtls_aes_xts_context ctx_xts; 2158 2159 /* 2160 * XTS mode 2161 */ 2162 mbedtls_aes_xts_init( &ctx_xts ); 2163 2164 for( i = 0; i < num_tests << 1; i++ ) 2165 { 2166 const unsigned char *data_unit; 2167 u = i >> 1; 2168 mode = i & 1; 2169 2170 if( verbose != 0 ) 2171 mbedtls_printf( " AES-XTS-128 (%s): ", 2172 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2173 2174 memset( key, 0, sizeof( key ) ); 2175 memcpy( key, aes_test_xts_key[u], 32 ); 2176 data_unit = aes_test_xts_data_unit[u]; 2177 2178 len = sizeof( *aes_test_xts_ct32 ); 2179 2180 if( mode == MBEDTLS_AES_DECRYPT ) 2181 { 2182 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 ); 2183 if( ret != 0) 2184 goto exit; 2185 memcpy( buf, aes_test_xts_ct32[u], len ); 2186 aes_tests = aes_test_xts_pt32[u]; 2187 } 2188 else 2189 { 2190 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 ); 2191 if( ret != 0) 2192 goto exit; 2193 memcpy( buf, aes_test_xts_pt32[u], len ); 2194 aes_tests = aes_test_xts_ct32[u]; 2195 } 2196 2197 2198 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit, 2199 buf, buf ); 2200 if( ret != 0 ) 2201 goto exit; 2202 2203 if( memcmp( buf, aes_tests, len ) != 0 ) 2204 { 2205 ret = 1; 2206 goto exit; 2207 } 2208 2209 if( verbose != 0 ) 2210 mbedtls_printf( "passed\n" ); 2211 } 2212 2213 if( verbose != 0 ) 2214 mbedtls_printf( "\n" ); 2215 2216 mbedtls_aes_xts_free( &ctx_xts ); 2217 } 2218 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 2219 2220 ret = 0; 2221 2222 exit: 2223 if( ret != 0 && verbose != 0 ) 2224 mbedtls_printf( "failed\n" ); 2225 2226 mbedtls_aes_free( &ctx ); 2227 2228 return( ret ); 2229 } 2230 2231 #endif /* MBEDTLS_SELF_TEST */ 2232 2233 #endif /* MBEDTLS_AES_C */ 2234