1 /* 2 * FIPS-197 compliant AES implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 21 * 22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 24 */ 25 26 #include "common.h" 27 28 #if defined(MBEDTLS_AES_C) 29 30 #include <string.h> 31 32 #include "mbedtls/aes.h" 33 #include "mbedtls/platform.h" 34 #include "mbedtls/platform_util.h" 35 #include "mbedtls/error.h" 36 #if defined(MBEDTLS_PADLOCK_C) 37 #include "padlock.h" 38 #endif 39 #if defined(MBEDTLS_AESNI_C) 40 #include "aesni.h" 41 #endif 42 #if defined(MBEDTLS_AESCE_C) 43 #include "aesce.h" 44 #endif 45 46 #include "mbedtls/platform.h" 47 48 #if !defined(MBEDTLS_AES_ALT) 49 50 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 51 static int aes_padlock_ace = -1; 52 #endif 53 54 #if defined(MBEDTLS_AES_ROM_TABLES) 55 /* 56 * Forward S-box 57 */ 58 static const unsigned char FSb[256] = 59 { 60 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 61 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 62 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 63 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 64 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 65 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 66 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 67 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 68 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 69 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 70 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 71 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 72 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 73 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 74 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 75 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 76 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 77 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 78 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 79 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 80 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 81 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 82 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 83 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 84 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 85 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 86 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 87 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 88 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 89 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 90 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 91 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 92 }; 93 94 /* 95 * Forward tables 96 */ 97 #define FT \ 98 \ 99 V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \ 100 V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \ 101 V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \ 102 V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \ 103 V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \ 104 V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \ 105 V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \ 106 V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \ 107 V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \ 108 V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \ 109 V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \ 110 V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \ 111 V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \ 112 V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \ 113 V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \ 114 V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \ 115 V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \ 116 V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \ 117 V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \ 118 V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \ 119 V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \ 120 V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \ 121 V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \ 122 V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \ 123 V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \ 124 V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \ 125 V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \ 126 V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \ 127 V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \ 128 V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \ 129 V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \ 130 V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \ 131 V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \ 132 V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \ 133 V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \ 134 V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \ 135 V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \ 136 V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \ 137 V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \ 138 V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \ 139 V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \ 140 V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \ 141 V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \ 142 V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \ 143 V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \ 144 V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \ 145 V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \ 146 V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \ 147 V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \ 148 V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \ 149 V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \ 150 V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \ 151 V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \ 152 V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \ 153 V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \ 154 V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \ 155 V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \ 156 V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \ 157 V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \ 158 V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \ 159 V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \ 160 V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \ 161 V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \ 162 V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C) 163 164 #define V(a, b, c, d) 0x##a##b##c##d 165 static const uint32_t FT0[256] = { FT }; 166 #undef V 167 168 #if !defined(MBEDTLS_AES_FEWER_TABLES) 169 170 #define V(a, b, c, d) 0x##b##c##d##a 171 static const uint32_t FT1[256] = { FT }; 172 #undef V 173 174 #define V(a, b, c, d) 0x##c##d##a##b 175 static const uint32_t FT2[256] = { FT }; 176 #undef V 177 178 #define V(a, b, c, d) 0x##d##a##b##c 179 static const uint32_t FT3[256] = { FT }; 180 #undef V 181 182 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 183 184 #undef FT 185 186 /* 187 * Reverse S-box 188 */ 189 static const unsigned char RSb[256] = 190 { 191 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 192 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 193 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 194 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 195 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 196 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 197 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 198 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 199 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 200 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 201 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 202 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 203 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 204 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 205 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 206 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 207 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 208 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 209 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 210 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 211 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 212 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 213 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 214 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 215 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 216 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 217 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 218 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 219 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 220 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 221 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 222 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 223 }; 224 225 /* 226 * Reverse tables 227 */ 228 #define RT \ 229 \ 230 V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \ 231 V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \ 232 V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \ 233 V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \ 234 V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \ 235 V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \ 236 V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \ 237 V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \ 238 V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \ 239 V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \ 240 V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \ 241 V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \ 242 V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \ 243 V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \ 244 V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \ 245 V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \ 246 V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \ 247 V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \ 248 V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \ 249 V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \ 250 V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \ 251 V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \ 252 V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \ 253 V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \ 254 V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \ 255 V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \ 256 V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \ 257 V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \ 258 V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \ 259 V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \ 260 V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \ 261 V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \ 262 V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \ 263 V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \ 264 V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \ 265 V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \ 266 V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \ 267 V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \ 268 V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \ 269 V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \ 270 V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \ 271 V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \ 272 V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \ 273 V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \ 274 V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \ 275 V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \ 276 V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \ 277 V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \ 278 V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \ 279 V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \ 280 V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \ 281 V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \ 282 V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \ 283 V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \ 284 V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \ 285 V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \ 286 V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \ 287 V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \ 288 V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \ 289 V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \ 290 V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \ 291 V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \ 292 V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \ 293 V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0) 294 295 #define V(a, b, c, d) 0x##a##b##c##d 296 static const uint32_t RT0[256] = { RT }; 297 #undef V 298 299 #if !defined(MBEDTLS_AES_FEWER_TABLES) 300 301 #define V(a, b, c, d) 0x##b##c##d##a 302 static const uint32_t RT1[256] = { RT }; 303 #undef V 304 305 #define V(a, b, c, d) 0x##c##d##a##b 306 static const uint32_t RT2[256] = { RT }; 307 #undef V 308 309 #define V(a, b, c, d) 0x##d##a##b##c 310 static const uint32_t RT3[256] = { RT }; 311 #undef V 312 313 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 314 315 #undef RT 316 317 /* 318 * Round constants 319 */ 320 static const uint32_t RCON[10] = 321 { 322 0x00000001, 0x00000002, 0x00000004, 0x00000008, 323 0x00000010, 0x00000020, 0x00000040, 0x00000080, 324 0x0000001B, 0x00000036 325 }; 326 327 #else /* MBEDTLS_AES_ROM_TABLES */ 328 329 /* 330 * Forward S-box & tables 331 */ 332 static unsigned char FSb[256]; 333 static uint32_t FT0[256]; 334 #if !defined(MBEDTLS_AES_FEWER_TABLES) 335 static uint32_t FT1[256]; 336 static uint32_t FT2[256]; 337 static uint32_t FT3[256]; 338 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 339 340 /* 341 * Reverse S-box & tables 342 */ 343 static unsigned char RSb[256]; 344 static uint32_t RT0[256]; 345 #if !defined(MBEDTLS_AES_FEWER_TABLES) 346 static uint32_t RT1[256]; 347 static uint32_t RT2[256]; 348 static uint32_t RT3[256]; 349 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 350 351 /* 352 * Round constants 353 */ 354 static uint32_t RCON[10]; 355 356 /* 357 * Tables generation code 358 */ 359 #define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24) 360 #define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00)) 361 #define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0) 362 363 static int aes_init_done = 0; 364 365 static void aes_gen_tables(void) 366 { 367 int i, x, y, z; 368 int pow[256]; 369 int log[256]; 370 371 /* 372 * compute pow and log tables over GF(2^8) 373 */ 374 for (i = 0, x = 1; i < 256; i++) { 375 pow[i] = x; 376 log[x] = i; 377 x = MBEDTLS_BYTE_0(x ^ XTIME(x)); 378 } 379 380 /* 381 * calculate the round constants 382 */ 383 for (i = 0, x = 1; i < 10; i++) { 384 RCON[i] = (uint32_t) x; 385 x = MBEDTLS_BYTE_0(XTIME(x)); 386 } 387 388 /* 389 * generate the forward and reverse S-boxes 390 */ 391 FSb[0x00] = 0x63; 392 RSb[0x63] = 0x00; 393 394 for (i = 1; i < 256; i++) { 395 x = pow[255 - log[i]]; 396 397 y = x; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); 398 x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); 399 x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); 400 x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); 401 x ^= y ^ 0x63; 402 403 FSb[i] = (unsigned char) x; 404 RSb[x] = (unsigned char) i; 405 } 406 407 /* 408 * generate the forward and reverse tables 409 */ 410 for (i = 0; i < 256; i++) { 411 x = FSb[i]; 412 y = MBEDTLS_BYTE_0(XTIME(x)); 413 z = MBEDTLS_BYTE_0(y ^ x); 414 415 FT0[i] = ((uint32_t) y) ^ 416 ((uint32_t) x << 8) ^ 417 ((uint32_t) x << 16) ^ 418 ((uint32_t) z << 24); 419 420 #if !defined(MBEDTLS_AES_FEWER_TABLES) 421 FT1[i] = ROTL8(FT0[i]); 422 FT2[i] = ROTL8(FT1[i]); 423 FT3[i] = ROTL8(FT2[i]); 424 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 425 426 x = RSb[i]; 427 428 RT0[i] = ((uint32_t) MUL(0x0E, x)) ^ 429 ((uint32_t) MUL(0x09, x) << 8) ^ 430 ((uint32_t) MUL(0x0D, x) << 16) ^ 431 ((uint32_t) MUL(0x0B, x) << 24); 432 433 #if !defined(MBEDTLS_AES_FEWER_TABLES) 434 RT1[i] = ROTL8(RT0[i]); 435 RT2[i] = ROTL8(RT1[i]); 436 RT3[i] = ROTL8(RT2[i]); 437 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 438 } 439 } 440 441 #undef ROTL8 442 443 #endif /* MBEDTLS_AES_ROM_TABLES */ 444 445 #if defined(MBEDTLS_AES_FEWER_TABLES) 446 447 #define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24)) 448 #define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16)) 449 #define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8)) 450 451 #define AES_RT0(idx) RT0[idx] 452 #define AES_RT1(idx) ROTL8(RT0[idx]) 453 #define AES_RT2(idx) ROTL16(RT0[idx]) 454 #define AES_RT3(idx) ROTL24(RT0[idx]) 455 456 #define AES_FT0(idx) FT0[idx] 457 #define AES_FT1(idx) ROTL8(FT0[idx]) 458 #define AES_FT2(idx) ROTL16(FT0[idx]) 459 #define AES_FT3(idx) ROTL24(FT0[idx]) 460 461 #else /* MBEDTLS_AES_FEWER_TABLES */ 462 463 #define AES_RT0(idx) RT0[idx] 464 #define AES_RT1(idx) RT1[idx] 465 #define AES_RT2(idx) RT2[idx] 466 #define AES_RT3(idx) RT3[idx] 467 468 #define AES_FT0(idx) FT0[idx] 469 #define AES_FT1(idx) FT1[idx] 470 #define AES_FT2(idx) FT2[idx] 471 #define AES_FT3(idx) FT3[idx] 472 473 #endif /* MBEDTLS_AES_FEWER_TABLES */ 474 475 void mbedtls_aes_init(mbedtls_aes_context *ctx) 476 { 477 memset(ctx, 0, sizeof(mbedtls_aes_context)); 478 } 479 480 void mbedtls_aes_free(mbedtls_aes_context *ctx) 481 { 482 if (ctx == NULL) { 483 return; 484 } 485 486 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context)); 487 } 488 489 #if defined(MBEDTLS_CIPHER_MODE_XTS) 490 void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx) 491 { 492 mbedtls_aes_init(&ctx->crypt); 493 mbedtls_aes_init(&ctx->tweak); 494 } 495 496 void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx) 497 { 498 if (ctx == NULL) { 499 return; 500 } 501 502 mbedtls_aes_free(&ctx->crypt); 503 mbedtls_aes_free(&ctx->tweak); 504 } 505 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 506 507 /* Some implementations need the round keys to be aligned. 508 * Return an offset to be added to buf, such that (buf + offset) is 509 * correctly aligned. 510 * Note that the offset is in units of elements of buf, i.e. 32-bit words, 511 * i.e. an offset of 1 means 4 bytes and so on. 512 */ 513 #if (defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)) || \ 514 (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2) 515 #define MAY_NEED_TO_ALIGN 516 #endif 517 static unsigned mbedtls_aes_rk_offset(uint32_t *buf) 518 { 519 #if defined(MAY_NEED_TO_ALIGN) 520 int align_16_bytes = 0; 521 522 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 523 if (aes_padlock_ace == -1) { 524 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE); 525 } 526 if (aes_padlock_ace) { 527 align_16_bytes = 1; 528 } 529 #endif 530 531 #if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2 532 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { 533 align_16_bytes = 1; 534 } 535 #endif 536 537 if (align_16_bytes) { 538 /* These implementations needs 16-byte alignment 539 * for the round key array. */ 540 unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4; 541 if (delta == 0) { 542 return 0; 543 } else { 544 return 4 - delta; // 16 bytes = 4 uint32_t 545 } 546 } 547 #else /* MAY_NEED_TO_ALIGN */ 548 (void) buf; 549 #endif /* MAY_NEED_TO_ALIGN */ 550 551 return 0; 552 } 553 554 /* 555 * AES key schedule (encryption) 556 */ 557 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 558 int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, 559 unsigned int keybits) 560 { 561 unsigned int i; 562 uint32_t *RK; 563 564 switch (keybits) { 565 case 128: ctx->nr = 10; break; 566 case 192: ctx->nr = 12; break; 567 case 256: ctx->nr = 14; break; 568 default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; 569 } 570 571 #if !defined(MBEDTLS_AES_ROM_TABLES) 572 if (aes_init_done == 0) { 573 aes_gen_tables(); 574 aes_init_done = 1; 575 } 576 #endif 577 578 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); 579 RK = ctx->buf + ctx->rk_offset; 580 581 #if defined(MBEDTLS_AESNI_HAVE_CODE) 582 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { 583 return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits); 584 } 585 #endif 586 587 #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) 588 if (mbedtls_aesce_has_support()) { 589 return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits); 590 } 591 #endif 592 593 for (i = 0; i < (keybits >> 5); i++) { 594 RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); 595 } 596 597 switch (ctx->nr) { 598 case 10: 599 600 for (i = 0; i < 10; i++, RK += 4) { 601 RK[4] = RK[0] ^ RCON[i] ^ 602 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^ 603 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^ 604 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^ 605 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24); 606 607 RK[5] = RK[1] ^ RK[4]; 608 RK[6] = RK[2] ^ RK[5]; 609 RK[7] = RK[3] ^ RK[6]; 610 } 611 break; 612 613 case 12: 614 615 for (i = 0; i < 8; i++, RK += 6) { 616 RK[6] = RK[0] ^ RCON[i] ^ 617 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^ 618 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^ 619 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^ 620 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24); 621 622 RK[7] = RK[1] ^ RK[6]; 623 RK[8] = RK[2] ^ RK[7]; 624 RK[9] = RK[3] ^ RK[8]; 625 RK[10] = RK[4] ^ RK[9]; 626 RK[11] = RK[5] ^ RK[10]; 627 } 628 break; 629 630 case 14: 631 632 for (i = 0; i < 7; i++, RK += 8) { 633 RK[8] = RK[0] ^ RCON[i] ^ 634 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^ 635 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^ 636 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^ 637 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24); 638 639 RK[9] = RK[1] ^ RK[8]; 640 RK[10] = RK[2] ^ RK[9]; 641 RK[11] = RK[3] ^ RK[10]; 642 643 RK[12] = RK[4] ^ 644 ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^ 645 ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^ 646 ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^ 647 ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24); 648 649 RK[13] = RK[5] ^ RK[12]; 650 RK[14] = RK[6] ^ RK[13]; 651 RK[15] = RK[7] ^ RK[14]; 652 } 653 break; 654 } 655 656 return 0; 657 } 658 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 659 660 /* 661 * AES key schedule (decryption) 662 */ 663 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) 664 int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, 665 unsigned int keybits) 666 { 667 int i, j, ret; 668 mbedtls_aes_context cty; 669 uint32_t *RK; 670 uint32_t *SK; 671 672 mbedtls_aes_init(&cty); 673 674 ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); 675 RK = ctx->buf + ctx->rk_offset; 676 677 /* Also checks keybits */ 678 if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) { 679 goto exit; 680 } 681 682 ctx->nr = cty.nr; 683 684 #if defined(MBEDTLS_AESNI_HAVE_CODE) 685 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { 686 mbedtls_aesni_inverse_key((unsigned char *) RK, 687 (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr); 688 goto exit; 689 } 690 #endif 691 692 #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) 693 if (mbedtls_aesce_has_support()) { 694 mbedtls_aesce_inverse_key( 695 (unsigned char *) RK, 696 (const unsigned char *) (cty.buf + cty.rk_offset), 697 ctx->nr); 698 goto exit; 699 } 700 #endif 701 702 SK = cty.buf + cty.rk_offset + cty.nr * 4; 703 704 *RK++ = *SK++; 705 *RK++ = *SK++; 706 *RK++ = *SK++; 707 *RK++ = *SK++; 708 709 for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) { 710 for (j = 0; j < 4; j++, SK++) { 711 *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^ 712 AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^ 713 AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^ 714 AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]); 715 } 716 } 717 718 *RK++ = *SK++; 719 *RK++ = *SK++; 720 *RK++ = *SK++; 721 *RK++ = *SK++; 722 723 exit: 724 mbedtls_aes_free(&cty); 725 726 return ret; 727 } 728 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ 729 730 #if defined(MBEDTLS_CIPHER_MODE_XTS) 731 static int mbedtls_aes_xts_decode_keys(const unsigned char *key, 732 unsigned int keybits, 733 const unsigned char **key1, 734 unsigned int *key1bits, 735 const unsigned char **key2, 736 unsigned int *key2bits) 737 { 738 const unsigned int half_keybits = keybits / 2; 739 const unsigned int half_keybytes = half_keybits / 8; 740 741 switch (keybits) { 742 case 256: break; 743 case 512: break; 744 default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; 745 } 746 747 *key1bits = half_keybits; 748 *key2bits = half_keybits; 749 *key1 = &key[0]; 750 *key2 = &key[half_keybytes]; 751 752 return 0; 753 } 754 755 int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx, 756 const unsigned char *key, 757 unsigned int keybits) 758 { 759 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 760 const unsigned char *key1, *key2; 761 unsigned int key1bits, key2bits; 762 763 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, 764 &key2, &key2bits); 765 if (ret != 0) { 766 return ret; 767 } 768 769 /* Set the tweak key. Always set tweak key for the encryption mode. */ 770 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); 771 if (ret != 0) { 772 return ret; 773 } 774 775 /* Set crypt key for encryption. */ 776 return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits); 777 } 778 779 int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx, 780 const unsigned char *key, 781 unsigned int keybits) 782 { 783 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 784 const unsigned char *key1, *key2; 785 unsigned int key1bits, key2bits; 786 787 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, 788 &key2, &key2bits); 789 if (ret != 0) { 790 return ret; 791 } 792 793 /* Set the tweak key. Always set tweak key for encryption. */ 794 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); 795 if (ret != 0) { 796 return ret; 797 } 798 799 /* Set crypt key for decryption. */ 800 return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits); 801 } 802 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 803 804 #define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ 805 do \ 806 { \ 807 (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \ 808 AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \ 809 AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \ 810 AES_FT3(MBEDTLS_BYTE_3(Y3)); \ 811 \ 812 (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \ 813 AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \ 814 AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \ 815 AES_FT3(MBEDTLS_BYTE_3(Y0)); \ 816 \ 817 (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \ 818 AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \ 819 AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \ 820 AES_FT3(MBEDTLS_BYTE_3(Y1)); \ 821 \ 822 (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \ 823 AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \ 824 AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \ 825 AES_FT3(MBEDTLS_BYTE_3(Y2)); \ 826 } while (0) 827 828 #define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ 829 do \ 830 { \ 831 (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \ 832 AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \ 833 AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \ 834 AES_RT3(MBEDTLS_BYTE_3(Y1)); \ 835 \ 836 (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \ 837 AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \ 838 AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \ 839 AES_RT3(MBEDTLS_BYTE_3(Y2)); \ 840 \ 841 (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \ 842 AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \ 843 AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \ 844 AES_RT3(MBEDTLS_BYTE_3(Y3)); \ 845 \ 846 (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \ 847 AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \ 848 AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \ 849 AES_RT3(MBEDTLS_BYTE_3(Y0)); \ 850 } while (0) 851 852 /* 853 * AES-ECB block encryption 854 */ 855 #if !defined(MBEDTLS_AES_ENCRYPT_ALT) 856 int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx, 857 const unsigned char input[16], 858 unsigned char output[16]) 859 { 860 int i; 861 uint32_t *RK = ctx->buf + ctx->rk_offset; 862 struct { 863 uint32_t X[4]; 864 uint32_t Y[4]; 865 } t; 866 867 t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; 868 t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; 869 t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; 870 t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; 871 872 for (i = (ctx->nr >> 1) - 1; i > 0; i--) { 873 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); 874 AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); 875 } 876 877 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); 878 879 t.X[0] = *RK++ ^ \ 880 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ 881 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ 882 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ 883 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); 884 885 t.X[1] = *RK++ ^ \ 886 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ 887 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ 888 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ 889 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); 890 891 t.X[2] = *RK++ ^ \ 892 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ 893 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ 894 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ 895 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); 896 897 t.X[3] = *RK++ ^ \ 898 ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ 899 ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ 900 ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ 901 ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); 902 903 MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); 904 MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); 905 MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8); 906 MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); 907 908 mbedtls_platform_zeroize(&t, sizeof(t)); 909 910 return 0; 911 } 912 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 913 914 /* 915 * AES-ECB block decryption 916 */ 917 #if !defined(MBEDTLS_AES_DECRYPT_ALT) 918 int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx, 919 const unsigned char input[16], 920 unsigned char output[16]) 921 { 922 int i; 923 uint32_t *RK = ctx->buf + ctx->rk_offset; 924 struct { 925 uint32_t X[4]; 926 uint32_t Y[4]; 927 } t; 928 929 t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; 930 t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; 931 t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; 932 t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; 933 934 for (i = (ctx->nr >> 1) - 1; i > 0; i--) { 935 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); 936 AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); 937 } 938 939 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); 940 941 t.X[0] = *RK++ ^ \ 942 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ 943 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ 944 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ 945 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); 946 947 t.X[1] = *RK++ ^ \ 948 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ 949 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ 950 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ 951 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); 952 953 t.X[2] = *RK++ ^ \ 954 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ 955 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ 956 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ 957 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); 958 959 t.X[3] = *RK++ ^ \ 960 ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ 961 ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ 962 ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ 963 ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); 964 965 MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); 966 MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); 967 MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8); 968 MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); 969 970 mbedtls_platform_zeroize(&t, sizeof(t)); 971 972 return 0; 973 } 974 #endif /* !MBEDTLS_AES_DECRYPT_ALT */ 975 976 #if defined(MAY_NEED_TO_ALIGN) 977 /* VIA Padlock and our intrinsics-based implementation of AESNI require 978 * the round keys to be aligned on a 16-byte boundary. We take care of this 979 * before creating them, but the AES context may have moved (this can happen 980 * if the library is called from a language with managed memory), and in later 981 * calls it might have a different alignment with respect to 16-byte memory. 982 * So we may need to realign. 983 */ 984 static void aes_maybe_realign(mbedtls_aes_context *ctx) 985 { 986 unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf); 987 if (new_offset != ctx->rk_offset) { 988 memmove(ctx->buf + new_offset, // new address 989 ctx->buf + ctx->rk_offset, // current address 990 (ctx->nr + 1) * 16); // number of round keys * bytes per rk 991 ctx->rk_offset = new_offset; 992 } 993 } 994 #endif 995 996 /* 997 * AES-ECB block encryption/decryption 998 */ 999 int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, 1000 int mode, 1001 const unsigned char input[16], 1002 unsigned char output[16]) 1003 { 1004 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { 1005 return MBEDTLS_ERR_AES_BAD_INPUT_DATA; 1006 } 1007 1008 #if defined(MAY_NEED_TO_ALIGN) 1009 aes_maybe_realign(ctx); 1010 #endif 1011 1012 #if defined(MBEDTLS_AESNI_HAVE_CODE) 1013 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { 1014 return mbedtls_aesni_crypt_ecb(ctx, mode, input, output); 1015 } 1016 #endif 1017 1018 #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) 1019 if (mbedtls_aesce_has_support()) { 1020 return mbedtls_aesce_crypt_ecb(ctx, mode, input, output); 1021 } 1022 #endif 1023 1024 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1025 if (aes_padlock_ace > 0) { 1026 return mbedtls_padlock_xcryptecb(ctx, mode, input, output); 1027 } 1028 #endif 1029 1030 if (mode == MBEDTLS_AES_ENCRYPT) { 1031 return mbedtls_internal_aes_encrypt(ctx, input, output); 1032 } else { 1033 return mbedtls_internal_aes_decrypt(ctx, input, output); 1034 } 1035 } 1036 1037 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1038 /* 1039 * AES-CBC buffer encryption/decryption 1040 */ 1041 int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx, 1042 int mode, 1043 size_t length, 1044 unsigned char iv[16], 1045 const unsigned char *input, 1046 unsigned char *output) 1047 { 1048 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1049 unsigned char temp[16]; 1050 1051 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { 1052 return MBEDTLS_ERR_AES_BAD_INPUT_DATA; 1053 } 1054 1055 if (length % 16) { 1056 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1057 } 1058 1059 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1060 if (aes_padlock_ace > 0) { 1061 if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) { 1062 return 0; 1063 } 1064 1065 // If padlock data misaligned, we just fall back to 1066 // unaccelerated mode 1067 // 1068 } 1069 #endif 1070 1071 if (mode == MBEDTLS_AES_DECRYPT) { 1072 while (length > 0) { 1073 memcpy(temp, input, 16); 1074 ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output); 1075 if (ret != 0) { 1076 goto exit; 1077 } 1078 1079 mbedtls_xor(output, output, iv, 16); 1080 1081 memcpy(iv, temp, 16); 1082 1083 input += 16; 1084 output += 16; 1085 length -= 16; 1086 } 1087 } else { 1088 while (length > 0) { 1089 mbedtls_xor(output, input, iv, 16); 1090 1091 ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output); 1092 if (ret != 0) { 1093 goto exit; 1094 } 1095 memcpy(iv, output, 16); 1096 1097 input += 16; 1098 output += 16; 1099 length -= 16; 1100 } 1101 } 1102 ret = 0; 1103 1104 exit: 1105 return ret; 1106 } 1107 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1108 1109 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1110 1111 typedef unsigned char mbedtls_be128[16]; 1112 1113 /* 1114 * GF(2^128) multiplication function 1115 * 1116 * This function multiplies a field element by x in the polynomial field 1117 * representation. It uses 64-bit word operations to gain speed but compensates 1118 * for machine endianness and hence works correctly on both big and little 1119 * endian machines. 1120 */ 1121 static void mbedtls_gf128mul_x_ble(unsigned char r[16], 1122 const unsigned char x[16]) 1123 { 1124 uint64_t a, b, ra, rb; 1125 1126 a = MBEDTLS_GET_UINT64_LE(x, 0); 1127 b = MBEDTLS_GET_UINT64_LE(x, 8); 1128 1129 ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3)); 1130 rb = (a >> 63) | (b << 1); 1131 1132 MBEDTLS_PUT_UINT64_LE(ra, r, 0); 1133 MBEDTLS_PUT_UINT64_LE(rb, r, 8); 1134 } 1135 1136 /* 1137 * AES-XTS buffer encryption/decryption 1138 */ 1139 int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx, 1140 int mode, 1141 size_t length, 1142 const unsigned char data_unit[16], 1143 const unsigned char *input, 1144 unsigned char *output) 1145 { 1146 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1147 size_t blocks = length / 16; 1148 size_t leftover = length % 16; 1149 unsigned char tweak[16]; 1150 unsigned char prev_tweak[16]; 1151 unsigned char tmp[16]; 1152 1153 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { 1154 return MBEDTLS_ERR_AES_BAD_INPUT_DATA; 1155 } 1156 1157 /* Data units must be at least 16 bytes long. */ 1158 if (length < 16) { 1159 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1160 } 1161 1162 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ 1163 if (length > (1 << 20) * 16) { 1164 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1165 } 1166 1167 /* Compute the tweak. */ 1168 ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT, 1169 data_unit, tweak); 1170 if (ret != 0) { 1171 return ret; 1172 } 1173 1174 while (blocks--) { 1175 if (leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0) { 1176 /* We are on the last block in a decrypt operation that has 1177 * leftover bytes, so we need to use the next tweak for this block, 1178 * and this tweak for the leftover bytes. Save the current tweak for 1179 * the leftovers and then update the current tweak for use on this, 1180 * the last full block. */ 1181 memcpy(prev_tweak, tweak, sizeof(tweak)); 1182 mbedtls_gf128mul_x_ble(tweak, tweak); 1183 } 1184 1185 mbedtls_xor(tmp, input, tweak, 16); 1186 1187 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); 1188 if (ret != 0) { 1189 return ret; 1190 } 1191 1192 mbedtls_xor(output, tmp, tweak, 16); 1193 1194 /* Update the tweak for the next block. */ 1195 mbedtls_gf128mul_x_ble(tweak, tweak); 1196 1197 output += 16; 1198 input += 16; 1199 } 1200 1201 if (leftover) { 1202 /* If we are on the leftover bytes in a decrypt operation, we need to 1203 * use the previous tweak for these bytes (as saved in prev_tweak). */ 1204 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; 1205 1206 /* We are now on the final part of the data unit, which doesn't divide 1207 * evenly by 16. It's time for ciphertext stealing. */ 1208 size_t i; 1209 unsigned char *prev_output = output - 16; 1210 1211 /* Copy ciphertext bytes from the previous block to our output for each 1212 * byte of ciphertext we won't steal. */ 1213 for (i = 0; i < leftover; i++) { 1214 output[i] = prev_output[i]; 1215 } 1216 1217 /* Copy the remainder of the input for this final round. */ 1218 mbedtls_xor(tmp, input, t, leftover); 1219 1220 /* Copy ciphertext bytes from the previous block for input in this 1221 * round. */ 1222 mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i); 1223 1224 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); 1225 if (ret != 0) { 1226 return ret; 1227 } 1228 1229 /* Write the result back to the previous block, overriding the previous 1230 * output we copied. */ 1231 mbedtls_xor(prev_output, tmp, t, 16); 1232 } 1233 1234 return 0; 1235 } 1236 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1237 1238 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1239 /* 1240 * AES-CFB128 buffer encryption/decryption 1241 */ 1242 int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx, 1243 int mode, 1244 size_t length, 1245 size_t *iv_off, 1246 unsigned char iv[16], 1247 const unsigned char *input, 1248 unsigned char *output) 1249 { 1250 int c; 1251 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1252 size_t n; 1253 1254 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { 1255 return MBEDTLS_ERR_AES_BAD_INPUT_DATA; 1256 } 1257 1258 n = *iv_off; 1259 1260 if (n > 15) { 1261 return MBEDTLS_ERR_AES_BAD_INPUT_DATA; 1262 } 1263 1264 if (mode == MBEDTLS_AES_DECRYPT) { 1265 while (length--) { 1266 if (n == 0) { 1267 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); 1268 if (ret != 0) { 1269 goto exit; 1270 } 1271 } 1272 1273 c = *input++; 1274 *output++ = (unsigned char) (c ^ iv[n]); 1275 iv[n] = (unsigned char) c; 1276 1277 n = (n + 1) & 0x0F; 1278 } 1279 } else { 1280 while (length--) { 1281 if (n == 0) { 1282 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); 1283 if (ret != 0) { 1284 goto exit; 1285 } 1286 } 1287 1288 iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++); 1289 1290 n = (n + 1) & 0x0F; 1291 } 1292 } 1293 1294 *iv_off = n; 1295 ret = 0; 1296 1297 exit: 1298 return ret; 1299 } 1300 1301 /* 1302 * AES-CFB8 buffer encryption/decryption 1303 */ 1304 int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx, 1305 int mode, 1306 size_t length, 1307 unsigned char iv[16], 1308 const unsigned char *input, 1309 unsigned char *output) 1310 { 1311 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1312 unsigned char c; 1313 unsigned char ov[17]; 1314 1315 if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { 1316 return MBEDTLS_ERR_AES_BAD_INPUT_DATA; 1317 } 1318 while (length--) { 1319 memcpy(ov, iv, 16); 1320 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); 1321 if (ret != 0) { 1322 goto exit; 1323 } 1324 1325 if (mode == MBEDTLS_AES_DECRYPT) { 1326 ov[16] = *input; 1327 } 1328 1329 c = *output++ = (unsigned char) (iv[0] ^ *input++); 1330 1331 if (mode == MBEDTLS_AES_ENCRYPT) { 1332 ov[16] = c; 1333 } 1334 1335 memcpy(iv, ov + 1, 16); 1336 } 1337 ret = 0; 1338 1339 exit: 1340 return ret; 1341 } 1342 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1343 1344 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1345 /* 1346 * AES-OFB (Output Feedback Mode) buffer encryption/decryption 1347 */ 1348 int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx, 1349 size_t length, 1350 size_t *iv_off, 1351 unsigned char iv[16], 1352 const unsigned char *input, 1353 unsigned char *output) 1354 { 1355 int ret = 0; 1356 size_t n; 1357 1358 n = *iv_off; 1359 1360 if (n > 15) { 1361 return MBEDTLS_ERR_AES_BAD_INPUT_DATA; 1362 } 1363 1364 while (length--) { 1365 if (n == 0) { 1366 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); 1367 if (ret != 0) { 1368 goto exit; 1369 } 1370 } 1371 *output++ = *input++ ^ iv[n]; 1372 1373 n = (n + 1) & 0x0F; 1374 } 1375 1376 *iv_off = n; 1377 1378 exit: 1379 return ret; 1380 } 1381 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1382 1383 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1384 /* 1385 * AES-CTR buffer encryption/decryption 1386 */ 1387 int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx, 1388 size_t length, 1389 size_t *nc_off, 1390 unsigned char nonce_counter[16], 1391 unsigned char stream_block[16], 1392 const unsigned char *input, 1393 unsigned char *output) 1394 { 1395 int c, i; 1396 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1397 size_t n; 1398 1399 n = *nc_off; 1400 1401 if (n > 0x0F) { 1402 return MBEDTLS_ERR_AES_BAD_INPUT_DATA; 1403 } 1404 1405 while (length--) { 1406 if (n == 0) { 1407 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block); 1408 if (ret != 0) { 1409 goto exit; 1410 } 1411 1412 for (i = 16; i > 0; i--) { 1413 if (++nonce_counter[i - 1] != 0) { 1414 break; 1415 } 1416 } 1417 } 1418 c = *input++; 1419 *output++ = (unsigned char) (c ^ stream_block[n]); 1420 1421 n = (n + 1) & 0x0F; 1422 } 1423 1424 *nc_off = n; 1425 ret = 0; 1426 1427 exit: 1428 return ret; 1429 } 1430 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1431 1432 #endif /* !MBEDTLS_AES_ALT */ 1433 1434 #if defined(MBEDTLS_SELF_TEST) 1435 /* 1436 * AES test vectors from: 1437 * 1438 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 1439 */ 1440 static const unsigned char aes_test_ecb_dec[3][16] = 1441 { 1442 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 1443 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 1444 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 1445 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 1446 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 1447 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 1448 }; 1449 1450 static const unsigned char aes_test_ecb_enc[3][16] = 1451 { 1452 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 1453 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 1454 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 1455 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 1456 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 1457 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 1458 }; 1459 1460 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1461 static const unsigned char aes_test_cbc_dec[3][16] = 1462 { 1463 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 1464 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, 1465 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 1466 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 1467 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 1468 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 1469 }; 1470 1471 static const unsigned char aes_test_cbc_enc[3][16] = 1472 { 1473 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 1474 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 1475 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 1476 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 1477 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 1478 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 1479 }; 1480 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1481 1482 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1483 /* 1484 * AES-CFB128 test vectors from: 1485 * 1486 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 1487 */ 1488 static const unsigned char aes_test_cfb128_key[3][32] = 1489 { 1490 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1491 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1492 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1493 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1494 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1495 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1496 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1497 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1498 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1499 }; 1500 1501 static const unsigned char aes_test_cfb128_iv[16] = 1502 { 1503 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1504 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1505 }; 1506 1507 static const unsigned char aes_test_cfb128_pt[64] = 1508 { 1509 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1510 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1511 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1512 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1513 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1514 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1515 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1516 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1517 }; 1518 1519 static const unsigned char aes_test_cfb128_ct[3][64] = 1520 { 1521 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1522 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1523 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, 1524 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 1525 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 1526 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 1527 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 1528 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 1529 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1530 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1531 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 1532 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 1533 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 1534 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 1535 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 1536 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 1537 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1538 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1539 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 1540 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 1541 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 1542 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 1543 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 1544 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 1545 }; 1546 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1547 1548 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1549 /* 1550 * AES-OFB test vectors from: 1551 * 1552 * https://csrc.nist.gov/publications/detail/sp/800-38a/final 1553 */ 1554 static const unsigned char aes_test_ofb_key[3][32] = 1555 { 1556 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1557 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1558 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1559 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1560 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1561 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1562 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1563 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1564 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1565 }; 1566 1567 static const unsigned char aes_test_ofb_iv[16] = 1568 { 1569 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1570 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1571 }; 1572 1573 static const unsigned char aes_test_ofb_pt[64] = 1574 { 1575 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1576 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1577 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1578 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1579 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1580 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1581 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1582 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1583 }; 1584 1585 static const unsigned char aes_test_ofb_ct[3][64] = 1586 { 1587 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1588 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1589 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 1590 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 1591 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 1592 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, 1593 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 1594 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, 1595 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1596 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1597 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 1598 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 1599 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 1600 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, 1601 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 1602 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, 1603 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1604 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1605 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 1606 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 1607 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 1608 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, 1609 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 1610 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } 1611 }; 1612 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1613 1614 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1615 /* 1616 * AES-CTR test vectors from: 1617 * 1618 * http://www.faqs.org/rfcs/rfc3686.html 1619 */ 1620 1621 static const unsigned char aes_test_ctr_key[3][16] = 1622 { 1623 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 1624 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 1625 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 1626 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 1627 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 1628 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 1629 }; 1630 1631 static const unsigned char aes_test_ctr_nonce_counter[3][16] = 1632 { 1633 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 1634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 1635 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 1636 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 1637 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 1638 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 1639 }; 1640 1641 static const unsigned char aes_test_ctr_pt[3][48] = 1642 { 1643 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 1644 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 1645 1646 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1647 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1648 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1649 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 1650 1651 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1652 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1653 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1654 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 1655 0x20, 0x21, 0x22, 0x23 } 1656 }; 1657 1658 static const unsigned char aes_test_ctr_ct[3][48] = 1659 { 1660 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 1661 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, 1662 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 1663 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 1664 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, 1665 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, 1666 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 1667 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, 1668 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, 1669 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 1670 0x25, 0xB2, 0x07, 0x2F } 1671 }; 1672 1673 static const int aes_test_ctr_len[3] = 1674 { 16, 32, 36 }; 1675 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1676 1677 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1678 /* 1679 * AES-XTS test vectors from: 1680 * 1681 * IEEE P1619/D16 Annex B 1682 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf 1683 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) 1684 */ 1685 static const unsigned char aes_test_xts_key[][32] = 1686 { 1687 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1688 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1689 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1691 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1692 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1693 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1694 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1695 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 1696 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, 1697 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1698 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1699 }; 1700 1701 static const unsigned char aes_test_xts_pt32[][32] = 1702 { 1703 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1705 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1706 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1707 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1708 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1709 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1710 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1711 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1712 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1713 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1714 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1715 }; 1716 1717 static const unsigned char aes_test_xts_ct32[][32] = 1718 { 1719 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, 1720 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, 1721 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, 1722 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, 1723 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, 1724 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, 1725 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, 1726 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, 1727 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, 1728 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, 1729 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, 1730 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, 1731 }; 1732 1733 static const unsigned char aes_test_xts_data_unit[][16] = 1734 { 1735 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1736 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1737 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1738 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1739 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1740 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1741 }; 1742 1743 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1744 1745 /* 1746 * Checkup routine 1747 */ 1748 int mbedtls_aes_self_test(int verbose) 1749 { 1750 int ret = 0, i, j, u, mode; 1751 unsigned int keybits; 1752 unsigned char key[32]; 1753 unsigned char buf[64]; 1754 const unsigned char *aes_tests; 1755 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 1756 defined(MBEDTLS_CIPHER_MODE_OFB) 1757 unsigned char iv[16]; 1758 #endif 1759 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1760 unsigned char prv[16]; 1761 #endif 1762 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 1763 defined(MBEDTLS_CIPHER_MODE_OFB) 1764 size_t offset; 1765 #endif 1766 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) 1767 int len; 1768 #endif 1769 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1770 unsigned char nonce_counter[16]; 1771 unsigned char stream_block[16]; 1772 #endif 1773 mbedtls_aes_context ctx; 1774 1775 memset(key, 0, 32); 1776 mbedtls_aes_init(&ctx); 1777 1778 if (verbose != 0) { 1779 #if defined(MBEDTLS_AES_ALT) 1780 mbedtls_printf(" AES note: alternative implementation.\n"); 1781 #else /* MBEDTLS_AES_ALT */ 1782 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1783 if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) { 1784 mbedtls_printf(" AES note: using VIA Padlock.\n"); 1785 } else 1786 #endif 1787 #if defined(MBEDTLS_AESNI_HAVE_CODE) 1788 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { 1789 mbedtls_printf(" AES note: using AESNI.\n"); 1790 } else 1791 #endif 1792 #if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64) 1793 if (mbedtls_aesce_has_support()) { 1794 mbedtls_printf(" AES note: using AESCE.\n"); 1795 } else 1796 #endif 1797 mbedtls_printf(" AES note: built-in implementation.\n"); 1798 #endif /* MBEDTLS_AES_ALT */ 1799 } 1800 1801 /* 1802 * ECB mode 1803 */ 1804 for (i = 0; i < 6; i++) { 1805 u = i >> 1; 1806 keybits = 128 + u * 64; 1807 mode = i & 1; 1808 1809 if (verbose != 0) { 1810 mbedtls_printf(" AES-ECB-%3u (%s): ", keybits, 1811 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); 1812 } 1813 1814 memset(buf, 0, 16); 1815 1816 if (mode == MBEDTLS_AES_DECRYPT) { 1817 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits); 1818 aes_tests = aes_test_ecb_dec[u]; 1819 } else { 1820 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); 1821 aes_tests = aes_test_ecb_enc[u]; 1822 } 1823 1824 /* 1825 * AES-192 is an optional feature that may be unavailable when 1826 * there is an alternative underlying implementation i.e. when 1827 * MBEDTLS_AES_ALT is defined. 1828 */ 1829 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { 1830 mbedtls_printf("skipped\n"); 1831 continue; 1832 } else if (ret != 0) { 1833 goto exit; 1834 } 1835 1836 for (j = 0; j < 10000; j++) { 1837 ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf); 1838 if (ret != 0) { 1839 goto exit; 1840 } 1841 } 1842 1843 if (memcmp(buf, aes_tests, 16) != 0) { 1844 ret = 1; 1845 goto exit; 1846 } 1847 1848 if (verbose != 0) { 1849 mbedtls_printf("passed\n"); 1850 } 1851 } 1852 1853 if (verbose != 0) { 1854 mbedtls_printf("\n"); 1855 } 1856 1857 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1858 /* 1859 * CBC mode 1860 */ 1861 for (i = 0; i < 6; i++) { 1862 u = i >> 1; 1863 keybits = 128 + u * 64; 1864 mode = i & 1; 1865 1866 if (verbose != 0) { 1867 mbedtls_printf(" AES-CBC-%3u (%s): ", keybits, 1868 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); 1869 } 1870 1871 memset(iv, 0, 16); 1872 memset(prv, 0, 16); 1873 memset(buf, 0, 16); 1874 1875 if (mode == MBEDTLS_AES_DECRYPT) { 1876 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits); 1877 aes_tests = aes_test_cbc_dec[u]; 1878 } else { 1879 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); 1880 aes_tests = aes_test_cbc_enc[u]; 1881 } 1882 1883 /* 1884 * AES-192 is an optional feature that may be unavailable when 1885 * there is an alternative underlying implementation i.e. when 1886 * MBEDTLS_AES_ALT is defined. 1887 */ 1888 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { 1889 mbedtls_printf("skipped\n"); 1890 continue; 1891 } else if (ret != 0) { 1892 goto exit; 1893 } 1894 1895 for (j = 0; j < 10000; j++) { 1896 if (mode == MBEDTLS_AES_ENCRYPT) { 1897 unsigned char tmp[16]; 1898 1899 memcpy(tmp, prv, 16); 1900 memcpy(prv, buf, 16); 1901 memcpy(buf, tmp, 16); 1902 } 1903 1904 ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf); 1905 if (ret != 0) { 1906 goto exit; 1907 } 1908 1909 } 1910 1911 if (memcmp(buf, aes_tests, 16) != 0) { 1912 ret = 1; 1913 goto exit; 1914 } 1915 1916 if (verbose != 0) { 1917 mbedtls_printf("passed\n"); 1918 } 1919 } 1920 1921 if (verbose != 0) { 1922 mbedtls_printf("\n"); 1923 } 1924 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1925 1926 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1927 /* 1928 * CFB128 mode 1929 */ 1930 for (i = 0; i < 6; i++) { 1931 u = i >> 1; 1932 keybits = 128 + u * 64; 1933 mode = i & 1; 1934 1935 if (verbose != 0) { 1936 mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits, 1937 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); 1938 } 1939 1940 memcpy(iv, aes_test_cfb128_iv, 16); 1941 memcpy(key, aes_test_cfb128_key[u], keybits / 8); 1942 1943 offset = 0; 1944 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); 1945 /* 1946 * AES-192 is an optional feature that may be unavailable when 1947 * there is an alternative underlying implementation i.e. when 1948 * MBEDTLS_AES_ALT is defined. 1949 */ 1950 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { 1951 mbedtls_printf("skipped\n"); 1952 continue; 1953 } else if (ret != 0) { 1954 goto exit; 1955 } 1956 1957 if (mode == MBEDTLS_AES_DECRYPT) { 1958 memcpy(buf, aes_test_cfb128_ct[u], 64); 1959 aes_tests = aes_test_cfb128_pt; 1960 } else { 1961 memcpy(buf, aes_test_cfb128_pt, 64); 1962 aes_tests = aes_test_cfb128_ct[u]; 1963 } 1964 1965 ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf); 1966 if (ret != 0) { 1967 goto exit; 1968 } 1969 1970 if (memcmp(buf, aes_tests, 64) != 0) { 1971 ret = 1; 1972 goto exit; 1973 } 1974 1975 if (verbose != 0) { 1976 mbedtls_printf("passed\n"); 1977 } 1978 } 1979 1980 if (verbose != 0) { 1981 mbedtls_printf("\n"); 1982 } 1983 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1984 1985 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1986 /* 1987 * OFB mode 1988 */ 1989 for (i = 0; i < 6; i++) { 1990 u = i >> 1; 1991 keybits = 128 + u * 64; 1992 mode = i & 1; 1993 1994 if (verbose != 0) { 1995 mbedtls_printf(" AES-OFB-%3u (%s): ", keybits, 1996 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); 1997 } 1998 1999 memcpy(iv, aes_test_ofb_iv, 16); 2000 memcpy(key, aes_test_ofb_key[u], keybits / 8); 2001 2002 offset = 0; 2003 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); 2004 /* 2005 * AES-192 is an optional feature that may be unavailable when 2006 * there is an alternative underlying implementation i.e. when 2007 * MBEDTLS_AES_ALT is defined. 2008 */ 2009 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { 2010 mbedtls_printf("skipped\n"); 2011 continue; 2012 } else if (ret != 0) { 2013 goto exit; 2014 } 2015 2016 if (mode == MBEDTLS_AES_DECRYPT) { 2017 memcpy(buf, aes_test_ofb_ct[u], 64); 2018 aes_tests = aes_test_ofb_pt; 2019 } else { 2020 memcpy(buf, aes_test_ofb_pt, 64); 2021 aes_tests = aes_test_ofb_ct[u]; 2022 } 2023 2024 ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf); 2025 if (ret != 0) { 2026 goto exit; 2027 } 2028 2029 if (memcmp(buf, aes_tests, 64) != 0) { 2030 ret = 1; 2031 goto exit; 2032 } 2033 2034 if (verbose != 0) { 2035 mbedtls_printf("passed\n"); 2036 } 2037 } 2038 2039 if (verbose != 0) { 2040 mbedtls_printf("\n"); 2041 } 2042 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 2043 2044 #if defined(MBEDTLS_CIPHER_MODE_CTR) 2045 /* 2046 * CTR mode 2047 */ 2048 for (i = 0; i < 6; i++) { 2049 u = i >> 1; 2050 mode = i & 1; 2051 2052 if (verbose != 0) { 2053 mbedtls_printf(" AES-CTR-128 (%s): ", 2054 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); 2055 } 2056 2057 memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16); 2058 memcpy(key, aes_test_ctr_key[u], 16); 2059 2060 offset = 0; 2061 if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) { 2062 goto exit; 2063 } 2064 2065 len = aes_test_ctr_len[u]; 2066 2067 if (mode == MBEDTLS_AES_DECRYPT) { 2068 memcpy(buf, aes_test_ctr_ct[u], len); 2069 aes_tests = aes_test_ctr_pt[u]; 2070 } else { 2071 memcpy(buf, aes_test_ctr_pt[u], len); 2072 aes_tests = aes_test_ctr_ct[u]; 2073 } 2074 2075 ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter, 2076 stream_block, buf, buf); 2077 if (ret != 0) { 2078 goto exit; 2079 } 2080 2081 if (memcmp(buf, aes_tests, len) != 0) { 2082 ret = 1; 2083 goto exit; 2084 } 2085 2086 if (verbose != 0) { 2087 mbedtls_printf("passed\n"); 2088 } 2089 } 2090 2091 if (verbose != 0) { 2092 mbedtls_printf("\n"); 2093 } 2094 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 2095 2096 #if defined(MBEDTLS_CIPHER_MODE_XTS) 2097 { 2098 static const int num_tests = 2099 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); 2100 mbedtls_aes_xts_context ctx_xts; 2101 2102 /* 2103 * XTS mode 2104 */ 2105 mbedtls_aes_xts_init(&ctx_xts); 2106 2107 for (i = 0; i < num_tests << 1; i++) { 2108 const unsigned char *data_unit; 2109 u = i >> 1; 2110 mode = i & 1; 2111 2112 if (verbose != 0) { 2113 mbedtls_printf(" AES-XTS-128 (%s): ", 2114 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); 2115 } 2116 2117 memset(key, 0, sizeof(key)); 2118 memcpy(key, aes_test_xts_key[u], 32); 2119 data_unit = aes_test_xts_data_unit[u]; 2120 2121 len = sizeof(*aes_test_xts_ct32); 2122 2123 if (mode == MBEDTLS_AES_DECRYPT) { 2124 ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256); 2125 if (ret != 0) { 2126 goto exit; 2127 } 2128 memcpy(buf, aes_test_xts_ct32[u], len); 2129 aes_tests = aes_test_xts_pt32[u]; 2130 } else { 2131 ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256); 2132 if (ret != 0) { 2133 goto exit; 2134 } 2135 memcpy(buf, aes_test_xts_pt32[u], len); 2136 aes_tests = aes_test_xts_ct32[u]; 2137 } 2138 2139 2140 ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit, 2141 buf, buf); 2142 if (ret != 0) { 2143 goto exit; 2144 } 2145 2146 if (memcmp(buf, aes_tests, len) != 0) { 2147 ret = 1; 2148 goto exit; 2149 } 2150 2151 if (verbose != 0) { 2152 mbedtls_printf("passed\n"); 2153 } 2154 } 2155 2156 if (verbose != 0) { 2157 mbedtls_printf("\n"); 2158 } 2159 2160 mbedtls_aes_xts_free(&ctx_xts); 2161 } 2162 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 2163 2164 ret = 0; 2165 2166 exit: 2167 if (ret != 0 && verbose != 0) { 2168 mbedtls_printf("failed\n"); 2169 } 2170 2171 mbedtls_aes_free(&ctx); 2172 2173 return ret; 2174 } 2175 2176 #endif /* MBEDTLS_SELF_TEST */ 2177 2178 #endif /* MBEDTLS_AES_C */ 2179