1 /* 2 * FIPS-197 compliant AES implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 21 * 22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 24 */ 25 26 #include "common.h" 27 28 #if defined(MBEDTLS_AES_C) 29 30 #include <string.h> 31 32 #include "mbedtls/aes.h" 33 #include "mbedtls/platform.h" 34 #include "mbedtls/platform_util.h" 35 #include "mbedtls/error.h" 36 #if defined(MBEDTLS_PADLOCK_C) 37 #include "mbedtls/padlock.h" 38 #endif 39 #if defined(MBEDTLS_AESNI_C) 40 #include "mbedtls/aesni.h" 41 #endif 42 43 #if defined(MBEDTLS_SELF_TEST) 44 #if defined(MBEDTLS_PLATFORM_C) 45 #include "mbedtls/platform.h" 46 #else 47 #include <stdio.h> 48 #define mbedtls_printf printf 49 #endif /* MBEDTLS_PLATFORM_C */ 50 #endif /* MBEDTLS_SELF_TEST */ 51 52 #if !defined(MBEDTLS_AES_ALT) 53 54 /* Parameter validation macros based on platform_util.h */ 55 #define AES_VALIDATE_RET( cond ) \ 56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) 57 #define AES_VALIDATE( cond ) \ 58 MBEDTLS_INTERNAL_VALIDATE( cond ) 59 60 /* 61 * 32-bit integer manipulation macros (little endian) 62 */ 63 #ifndef GET_UINT32_LE 64 #define GET_UINT32_LE(n,b,i) \ 65 { \ 66 (n) = ( (uint32_t) (b)[(i) ] ) \ 67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 70 } 71 #endif 72 73 #ifndef PUT_UINT32_LE 74 #define PUT_UINT32_LE(n,b,i) \ 75 { \ 76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 80 } 81 #endif 82 83 #if defined(MBEDTLS_PADLOCK_C) && \ 84 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) ) 85 static int aes_padlock_ace = -1; 86 #endif 87 88 #if defined(MBEDTLS_AES_ROM_TABLES) 89 /* 90 * Forward S-box 91 */ 92 static const unsigned char FSb[256] = 93 { 94 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 95 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 96 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 97 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 98 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 99 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 100 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 101 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 102 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 103 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 104 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 105 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 106 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 107 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 108 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 109 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 110 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 111 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 112 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 113 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 114 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 115 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 116 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 117 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 118 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 119 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 120 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 121 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 122 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 123 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 124 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 125 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 126 }; 127 128 /* 129 * Forward tables 130 */ 131 #define FT \ 132 \ 133 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \ 134 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \ 135 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \ 136 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \ 137 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \ 138 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \ 139 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \ 140 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \ 141 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \ 142 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \ 143 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \ 144 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \ 145 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \ 146 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \ 147 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \ 148 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \ 149 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \ 150 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \ 151 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \ 152 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \ 153 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \ 154 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \ 155 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \ 156 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \ 157 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \ 158 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \ 159 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \ 160 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \ 161 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \ 162 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \ 163 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \ 164 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \ 165 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \ 166 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \ 167 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \ 168 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \ 169 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \ 170 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \ 171 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \ 172 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \ 173 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \ 174 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \ 175 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \ 176 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \ 177 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \ 178 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \ 179 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \ 180 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \ 181 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \ 182 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \ 183 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \ 184 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \ 185 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \ 186 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \ 187 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \ 188 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \ 189 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \ 190 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \ 191 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \ 192 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \ 193 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \ 194 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \ 195 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \ 196 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C) 197 198 #define V(a,b,c,d) 0x##a##b##c##d 199 static const uint32_t FT0[256] = { FT }; 200 #undef V 201 202 #if !defined(MBEDTLS_AES_FEWER_TABLES) 203 204 #define V(a,b,c,d) 0x##b##c##d##a 205 static const uint32_t FT1[256] = { FT }; 206 #undef V 207 208 #define V(a,b,c,d) 0x##c##d##a##b 209 static const uint32_t FT2[256] = { FT }; 210 #undef V 211 212 #define V(a,b,c,d) 0x##d##a##b##c 213 static const uint32_t FT3[256] = { FT }; 214 #undef V 215 216 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 217 218 #undef FT 219 220 /* 221 * Reverse S-box 222 */ 223 static const unsigned char RSb[256] = 224 { 225 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 226 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 227 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 228 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 229 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 230 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 231 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 232 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 233 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 234 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 235 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 236 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 237 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 238 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 239 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 240 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 241 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 242 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 243 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 244 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 245 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 246 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 247 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 248 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 249 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 250 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 251 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 252 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 253 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 254 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 255 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 256 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 257 }; 258 259 /* 260 * Reverse tables 261 */ 262 #define RT \ 263 \ 264 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \ 265 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \ 266 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \ 267 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \ 268 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \ 269 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \ 270 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \ 271 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \ 272 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \ 273 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \ 274 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \ 275 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \ 276 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \ 277 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \ 278 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \ 279 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \ 280 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \ 281 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \ 282 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \ 283 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \ 284 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \ 285 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \ 286 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \ 287 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \ 288 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \ 289 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \ 290 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \ 291 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \ 292 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \ 293 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \ 294 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \ 295 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \ 296 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \ 297 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \ 298 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \ 299 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \ 300 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \ 301 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \ 302 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \ 303 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \ 304 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \ 305 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \ 306 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \ 307 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \ 308 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \ 309 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \ 310 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \ 311 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \ 312 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \ 313 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \ 314 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \ 315 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \ 316 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \ 317 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \ 318 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \ 319 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \ 320 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \ 321 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \ 322 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \ 323 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \ 324 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \ 325 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \ 326 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \ 327 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0) 328 329 #define V(a,b,c,d) 0x##a##b##c##d 330 static const uint32_t RT0[256] = { RT }; 331 #undef V 332 333 #if !defined(MBEDTLS_AES_FEWER_TABLES) 334 335 #define V(a,b,c,d) 0x##b##c##d##a 336 static const uint32_t RT1[256] = { RT }; 337 #undef V 338 339 #define V(a,b,c,d) 0x##c##d##a##b 340 static const uint32_t RT2[256] = { RT }; 341 #undef V 342 343 #define V(a,b,c,d) 0x##d##a##b##c 344 static const uint32_t RT3[256] = { RT }; 345 #undef V 346 347 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 348 349 #undef RT 350 351 /* 352 * Round constants 353 */ 354 static const uint32_t RCON[10] = 355 { 356 0x00000001, 0x00000002, 0x00000004, 0x00000008, 357 0x00000010, 0x00000020, 0x00000040, 0x00000080, 358 0x0000001B, 0x00000036 359 }; 360 361 #else /* MBEDTLS_AES_ROM_TABLES */ 362 363 /* 364 * Forward S-box & tables 365 */ 366 static unsigned char FSb[256]; 367 static uint32_t FT0[256]; 368 #if !defined(MBEDTLS_AES_FEWER_TABLES) 369 static uint32_t FT1[256]; 370 static uint32_t FT2[256]; 371 static uint32_t FT3[256]; 372 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 373 374 /* 375 * Reverse S-box & tables 376 */ 377 static unsigned char RSb[256]; 378 static uint32_t RT0[256]; 379 #if !defined(MBEDTLS_AES_FEWER_TABLES) 380 static uint32_t RT1[256]; 381 static uint32_t RT2[256]; 382 static uint32_t RT3[256]; 383 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 384 385 /* 386 * Round constants 387 */ 388 static uint32_t RCON[10]; 389 390 /* 391 * Tables generation code 392 */ 393 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 ) 394 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) ) 395 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 ) 396 397 static int aes_init_done = 0; 398 399 static void aes_gen_tables( void ) 400 { 401 int i, x, y, z; 402 int pow[256]; 403 int log[256]; 404 405 /* 406 * compute pow and log tables over GF(2^8) 407 */ 408 for( i = 0, x = 1; i < 256; i++ ) 409 { 410 pow[i] = x; 411 log[x] = i; 412 x = ( x ^ XTIME( x ) ) & 0xFF; 413 } 414 415 /* 416 * calculate the round constants 417 */ 418 for( i = 0, x = 1; i < 10; i++ ) 419 { 420 RCON[i] = (uint32_t) x; 421 x = XTIME( x ) & 0xFF; 422 } 423 424 /* 425 * generate the forward and reverse S-boxes 426 */ 427 FSb[0x00] = 0x63; 428 RSb[0x63] = 0x00; 429 430 for( i = 1; i < 256; i++ ) 431 { 432 x = pow[255 - log[i]]; 433 434 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 435 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 436 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 437 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 438 x ^= y ^ 0x63; 439 440 FSb[i] = (unsigned char) x; 441 RSb[x] = (unsigned char) i; 442 } 443 444 /* 445 * generate the forward and reverse tables 446 */ 447 for( i = 0; i < 256; i++ ) 448 { 449 x = FSb[i]; 450 y = XTIME( x ) & 0xFF; 451 z = ( y ^ x ) & 0xFF; 452 453 FT0[i] = ( (uint32_t) y ) ^ 454 ( (uint32_t) x << 8 ) ^ 455 ( (uint32_t) x << 16 ) ^ 456 ( (uint32_t) z << 24 ); 457 458 #if !defined(MBEDTLS_AES_FEWER_TABLES) 459 FT1[i] = ROTL8( FT0[i] ); 460 FT2[i] = ROTL8( FT1[i] ); 461 FT3[i] = ROTL8( FT2[i] ); 462 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 463 464 x = RSb[i]; 465 466 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^ 467 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^ 468 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ 469 ( (uint32_t) MUL( 0x0B, x ) << 24 ); 470 471 #if !defined(MBEDTLS_AES_FEWER_TABLES) 472 RT1[i] = ROTL8( RT0[i] ); 473 RT2[i] = ROTL8( RT1[i] ); 474 RT3[i] = ROTL8( RT2[i] ); 475 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 476 } 477 } 478 479 #undef ROTL8 480 481 #endif /* MBEDTLS_AES_ROM_TABLES */ 482 483 #if defined(MBEDTLS_AES_FEWER_TABLES) 484 485 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) 486 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) 487 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) ) 488 489 #define AES_RT0(idx) RT0[idx] 490 #define AES_RT1(idx) ROTL8( RT0[idx] ) 491 #define AES_RT2(idx) ROTL16( RT0[idx] ) 492 #define AES_RT3(idx) ROTL24( RT0[idx] ) 493 494 #define AES_FT0(idx) FT0[idx] 495 #define AES_FT1(idx) ROTL8( FT0[idx] ) 496 #define AES_FT2(idx) ROTL16( FT0[idx] ) 497 #define AES_FT3(idx) ROTL24( FT0[idx] ) 498 499 #else /* MBEDTLS_AES_FEWER_TABLES */ 500 501 #define AES_RT0(idx) RT0[idx] 502 #define AES_RT1(idx) RT1[idx] 503 #define AES_RT2(idx) RT2[idx] 504 #define AES_RT3(idx) RT3[idx] 505 506 #define AES_FT0(idx) FT0[idx] 507 #define AES_FT1(idx) FT1[idx] 508 #define AES_FT2(idx) FT2[idx] 509 #define AES_FT3(idx) FT3[idx] 510 511 #endif /* MBEDTLS_AES_FEWER_TABLES */ 512 513 void mbedtls_aes_init( mbedtls_aes_context *ctx ) 514 { 515 AES_VALIDATE( ctx != NULL ); 516 517 memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 518 } 519 520 void mbedtls_aes_free( mbedtls_aes_context *ctx ) 521 { 522 if( ctx == NULL ) 523 return; 524 525 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 526 } 527 528 #if defined(MBEDTLS_CIPHER_MODE_XTS) 529 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx ) 530 { 531 AES_VALIDATE( ctx != NULL ); 532 533 mbedtls_aes_init( &ctx->crypt ); 534 mbedtls_aes_init( &ctx->tweak ); 535 } 536 537 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx ) 538 { 539 if( ctx == NULL ) 540 return; 541 542 mbedtls_aes_free( &ctx->crypt ); 543 mbedtls_aes_free( &ctx->tweak ); 544 } 545 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 546 547 /* 548 * AES key schedule (encryption) 549 */ 550 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 551 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, 552 unsigned int keybits ) 553 { 554 unsigned int i; 555 uint32_t *RK; 556 557 AES_VALIDATE_RET( ctx != NULL ); 558 AES_VALIDATE_RET( key != NULL ); 559 560 switch( keybits ) 561 { 562 case 128: ctx->nr = 10; break; 563 case 192: ctx->nr = 12; break; 564 case 256: ctx->nr = 14; break; 565 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 566 } 567 568 #if !defined(MBEDTLS_AES_ROM_TABLES) 569 if( aes_init_done == 0 ) 570 { 571 aes_gen_tables(); 572 aes_init_done = 1; 573 } 574 #endif 575 576 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 577 if( aes_padlock_ace == -1 ) 578 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 579 580 if( aes_padlock_ace ) 581 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 582 else 583 #endif 584 ctx->rk = RK = ctx->buf; 585 586 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 587 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 588 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk, key, keybits ) ); 589 #endif 590 591 for( i = 0; i < ( keybits >> 5 ); i++ ) 592 { 593 GET_UINT32_LE( RK[i], key, i << 2 ); 594 } 595 596 switch( ctx->nr ) 597 { 598 case 10: 599 600 for( i = 0; i < 10; i++, RK += 4 ) 601 { 602 RK[4] = RK[0] ^ RCON[i] ^ 603 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^ 604 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^ 605 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^ 606 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 ); 607 608 RK[5] = RK[1] ^ RK[4]; 609 RK[6] = RK[2] ^ RK[5]; 610 RK[7] = RK[3] ^ RK[6]; 611 } 612 break; 613 614 case 12: 615 616 for( i = 0; i < 8; i++, RK += 6 ) 617 { 618 RK[6] = RK[0] ^ RCON[i] ^ 619 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^ 620 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^ 621 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^ 622 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 ); 623 624 RK[7] = RK[1] ^ RK[6]; 625 RK[8] = RK[2] ^ RK[7]; 626 RK[9] = RK[3] ^ RK[8]; 627 RK[10] = RK[4] ^ RK[9]; 628 RK[11] = RK[5] ^ RK[10]; 629 } 630 break; 631 632 case 14: 633 634 for( i = 0; i < 7; i++, RK += 8 ) 635 { 636 RK[8] = RK[0] ^ RCON[i] ^ 637 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^ 638 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^ 639 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^ 640 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 ); 641 642 RK[9] = RK[1] ^ RK[8]; 643 RK[10] = RK[2] ^ RK[9]; 644 RK[11] = RK[3] ^ RK[10]; 645 646 RK[12] = RK[4] ^ 647 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^ 648 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^ 649 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^ 650 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 ); 651 652 RK[13] = RK[5] ^ RK[12]; 653 RK[14] = RK[6] ^ RK[13]; 654 RK[15] = RK[7] ^ RK[14]; 655 } 656 break; 657 } 658 659 return( 0 ); 660 } 661 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 662 663 /* 664 * AES key schedule (decryption) 665 */ 666 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) 667 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, 668 unsigned int keybits ) 669 { 670 int i, j, ret; 671 mbedtls_aes_context cty; 672 uint32_t *RK; 673 uint32_t *SK; 674 675 AES_VALIDATE_RET( ctx != NULL ); 676 AES_VALIDATE_RET( key != NULL ); 677 678 mbedtls_aes_init( &cty ); 679 680 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 681 if( aes_padlock_ace == -1 ) 682 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 683 684 if( aes_padlock_ace ) 685 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 686 else 687 #endif 688 ctx->rk = RK = ctx->buf; 689 690 /* Also checks keybits */ 691 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 ) 692 goto exit; 693 694 ctx->nr = cty.nr; 695 696 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 697 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 698 { 699 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk, 700 (const unsigned char *) cty.rk, ctx->nr ); 701 goto exit; 702 } 703 #endif 704 705 SK = cty.rk + cty.nr * 4; 706 707 *RK++ = *SK++; 708 *RK++ = *SK++; 709 *RK++ = *SK++; 710 *RK++ = *SK++; 711 712 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 ) 713 { 714 for( j = 0; j < 4; j++, SK++ ) 715 { 716 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^ 717 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^ 718 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^ 719 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] ); 720 } 721 } 722 723 *RK++ = *SK++; 724 *RK++ = *SK++; 725 *RK++ = *SK++; 726 *RK++ = *SK++; 727 728 exit: 729 mbedtls_aes_free( &cty ); 730 731 return( ret ); 732 } 733 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ 734 735 #if defined(MBEDTLS_CIPHER_MODE_XTS) 736 static int mbedtls_aes_xts_decode_keys( const unsigned char *key, 737 unsigned int keybits, 738 const unsigned char **key1, 739 unsigned int *key1bits, 740 const unsigned char **key2, 741 unsigned int *key2bits ) 742 { 743 const unsigned int half_keybits = keybits / 2; 744 const unsigned int half_keybytes = half_keybits / 8; 745 746 switch( keybits ) 747 { 748 case 256: break; 749 case 512: break; 750 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 751 } 752 753 *key1bits = half_keybits; 754 *key2bits = half_keybits; 755 *key1 = &key[0]; 756 *key2 = &key[half_keybytes]; 757 758 return 0; 759 } 760 761 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx, 762 const unsigned char *key, 763 unsigned int keybits) 764 { 765 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 766 const unsigned char *key1, *key2; 767 unsigned int key1bits, key2bits; 768 769 AES_VALIDATE_RET( ctx != NULL ); 770 AES_VALIDATE_RET( key != NULL ); 771 772 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 773 &key2, &key2bits ); 774 if( ret != 0 ) 775 return( ret ); 776 777 /* Set the tweak key. Always set tweak key for the encryption mode. */ 778 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 779 if( ret != 0 ) 780 return( ret ); 781 782 /* Set crypt key for encryption. */ 783 return mbedtls_aes_setkey_enc( &ctx->crypt, key1, key1bits ); 784 } 785 786 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx, 787 const unsigned char *key, 788 unsigned int keybits) 789 { 790 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 791 const unsigned char *key1, *key2; 792 unsigned int key1bits, key2bits; 793 794 AES_VALIDATE_RET( ctx != NULL ); 795 AES_VALIDATE_RET( key != NULL ); 796 797 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 798 &key2, &key2bits ); 799 if( ret != 0 ) 800 return( ret ); 801 802 /* Set the tweak key. Always set tweak key for encryption. */ 803 ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits ); 804 if( ret != 0 ) 805 return( ret ); 806 807 /* Set crypt key for decryption. */ 808 return mbedtls_aes_setkey_dec( &ctx->crypt, key1, key1bits ); 809 } 810 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 811 812 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 813 do \ 814 { \ 815 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \ 816 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 817 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 818 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \ 819 \ 820 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \ 821 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 822 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 823 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \ 824 \ 825 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \ 826 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 827 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 828 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \ 829 \ 830 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \ 831 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 832 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 833 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \ 834 } while( 0 ) 835 836 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 837 do \ 838 { \ 839 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \ 840 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 841 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 842 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \ 843 \ 844 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \ 845 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 846 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 847 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \ 848 \ 849 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \ 850 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 851 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 852 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \ 853 \ 854 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \ 855 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 856 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 857 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \ 858 } while( 0 ) 859 860 /* 861 * AES-ECB block encryption 862 */ 863 #if !defined(MBEDTLS_AES_ENCRYPT_ALT) 864 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, 865 const unsigned char input[16], 866 unsigned char output[16] ) 867 { 868 int i; 869 uint32_t *RK = ctx->rk; 870 struct 871 { 872 uint32_t X[4]; 873 uint32_t Y[4]; 874 } t; 875 876 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++; 877 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++; 878 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++; 879 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++; 880 881 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 882 { 883 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] ); 884 AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] ); 885 } 886 887 AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] ); 888 889 t.X[0] = *RK++ ^ \ 890 ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^ 891 ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^ 892 ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^ 893 ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 ); 894 895 t.X[1] = *RK++ ^ \ 896 ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^ 897 ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^ 898 ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^ 899 ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 ); 900 901 t.X[2] = *RK++ ^ \ 902 ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^ 903 ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^ 904 ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^ 905 ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 ); 906 907 t.X[3] = *RK++ ^ \ 908 ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^ 909 ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^ 910 ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^ 911 ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 ); 912 913 PUT_UINT32_LE( t.X[0], output, 0 ); 914 PUT_UINT32_LE( t.X[1], output, 4 ); 915 PUT_UINT32_LE( t.X[2], output, 8 ); 916 PUT_UINT32_LE( t.X[3], output, 12 ); 917 918 mbedtls_platform_zeroize( &t, sizeof( t ) ); 919 920 return( 0 ); 921 } 922 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 923 924 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 925 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, 926 const unsigned char input[16], 927 unsigned char output[16] ) 928 { 929 mbedtls_internal_aes_encrypt( ctx, input, output ); 930 } 931 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 932 933 /* 934 * AES-ECB block decryption 935 */ 936 #if !defined(MBEDTLS_AES_DECRYPT_ALT) 937 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, 938 const unsigned char input[16], 939 unsigned char output[16] ) 940 { 941 int i; 942 uint32_t *RK = ctx->rk; 943 struct 944 { 945 uint32_t X[4]; 946 uint32_t Y[4]; 947 } t; 948 949 GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++; 950 GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++; 951 GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++; 952 GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++; 953 954 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 955 { 956 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] ); 957 AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] ); 958 } 959 960 AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] ); 961 962 t.X[0] = *RK++ ^ \ 963 ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^ 964 ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^ 965 ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^ 966 ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 ); 967 968 t.X[1] = *RK++ ^ \ 969 ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^ 970 ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^ 971 ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^ 972 ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 ); 973 974 t.X[2] = *RK++ ^ \ 975 ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^ 976 ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^ 977 ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^ 978 ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 ); 979 980 t.X[3] = *RK++ ^ \ 981 ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^ 982 ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^ 983 ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^ 984 ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 ); 985 986 PUT_UINT32_LE( t.X[0], output, 0 ); 987 PUT_UINT32_LE( t.X[1], output, 4 ); 988 PUT_UINT32_LE( t.X[2], output, 8 ); 989 PUT_UINT32_LE( t.X[3], output, 12 ); 990 991 mbedtls_platform_zeroize( &t, sizeof( t ) ); 992 993 return( 0 ); 994 } 995 #endif /* !MBEDTLS_AES_DECRYPT_ALT */ 996 997 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 998 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, 999 const unsigned char input[16], 1000 unsigned char output[16] ) 1001 { 1002 mbedtls_internal_aes_decrypt( ctx, input, output ); 1003 } 1004 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1005 1006 /* 1007 * AES-ECB block encryption/decryption 1008 */ 1009 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, 1010 int mode, 1011 const unsigned char input[16], 1012 unsigned char output[16] ) 1013 { 1014 AES_VALIDATE_RET( ctx != NULL ); 1015 AES_VALIDATE_RET( input != NULL ); 1016 AES_VALIDATE_RET( output != NULL ); 1017 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1018 mode == MBEDTLS_AES_DECRYPT ); 1019 1020 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 1021 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 1022 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); 1023 #endif 1024 1025 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1026 if( aes_padlock_ace ) 1027 { 1028 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 ) 1029 return( 0 ); 1030 1031 // If padlock data misaligned, we just fall back to 1032 // unaccelerated mode 1033 // 1034 } 1035 #endif 1036 1037 if( mode == MBEDTLS_AES_ENCRYPT ) 1038 return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); 1039 else 1040 return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); 1041 } 1042 1043 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1044 /* 1045 * AES-CBC buffer encryption/decryption 1046 */ 1047 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, 1048 int mode, 1049 size_t length, 1050 unsigned char iv[16], 1051 const unsigned char *input, 1052 unsigned char *output ) 1053 { 1054 int i; 1055 unsigned char temp[16]; 1056 1057 AES_VALIDATE_RET( ctx != NULL ); 1058 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1059 mode == MBEDTLS_AES_DECRYPT ); 1060 AES_VALIDATE_RET( iv != NULL ); 1061 AES_VALIDATE_RET( input != NULL ); 1062 AES_VALIDATE_RET( output != NULL ); 1063 1064 if( length % 16 ) 1065 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); 1066 1067 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 1068 if( aes_padlock_ace ) 1069 { 1070 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 ) 1071 return( 0 ); 1072 1073 // If padlock data misaligned, we just fall back to 1074 // unaccelerated mode 1075 // 1076 } 1077 #endif 1078 1079 if( mode == MBEDTLS_AES_DECRYPT ) 1080 { 1081 while( length > 0 ) 1082 { 1083 memcpy( temp, input, 16 ); 1084 mbedtls_aes_crypt_ecb( ctx, mode, input, output ); 1085 1086 for( i = 0; i < 16; i++ ) 1087 output[i] = (unsigned char)( output[i] ^ iv[i] ); 1088 1089 memcpy( iv, temp, 16 ); 1090 1091 input += 16; 1092 output += 16; 1093 length -= 16; 1094 } 1095 } 1096 else 1097 { 1098 while( length > 0 ) 1099 { 1100 for( i = 0; i < 16; i++ ) 1101 output[i] = (unsigned char)( input[i] ^ iv[i] ); 1102 1103 mbedtls_aes_crypt_ecb( ctx, mode, output, output ); 1104 memcpy( iv, output, 16 ); 1105 1106 input += 16; 1107 output += 16; 1108 length -= 16; 1109 } 1110 } 1111 1112 return( 0 ); 1113 } 1114 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1115 1116 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1117 1118 /* Endianess with 64 bits values */ 1119 #ifndef GET_UINT64_LE 1120 #define GET_UINT64_LE(n,b,i) \ 1121 { \ 1122 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \ 1123 | ( (uint64_t) (b)[(i) + 6] << 48 ) \ 1124 | ( (uint64_t) (b)[(i) + 5] << 40 ) \ 1125 | ( (uint64_t) (b)[(i) + 4] << 32 ) \ 1126 | ( (uint64_t) (b)[(i) + 3] << 24 ) \ 1127 | ( (uint64_t) (b)[(i) + 2] << 16 ) \ 1128 | ( (uint64_t) (b)[(i) + 1] << 8 ) \ 1129 | ( (uint64_t) (b)[(i) ] ); \ 1130 } 1131 #endif 1132 1133 #ifndef PUT_UINT64_LE 1134 #define PUT_UINT64_LE(n,b,i) \ 1135 { \ 1136 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \ 1137 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \ 1138 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \ 1139 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \ 1140 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \ 1141 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \ 1142 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \ 1143 (b)[(i) ] = (unsigned char) ( (n) ); \ 1144 } 1145 #endif 1146 1147 typedef unsigned char mbedtls_be128[16]; 1148 1149 /* 1150 * GF(2^128) multiplication function 1151 * 1152 * This function multiplies a field element by x in the polynomial field 1153 * representation. It uses 64-bit word operations to gain speed but compensates 1154 * for machine endianess and hence works correctly on both big and little 1155 * endian machines. 1156 */ 1157 static void mbedtls_gf128mul_x_ble( unsigned char r[16], 1158 const unsigned char x[16] ) 1159 { 1160 uint64_t a, b, ra, rb; 1161 1162 GET_UINT64_LE( a, x, 0 ); 1163 GET_UINT64_LE( b, x, 8 ); 1164 1165 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) ); 1166 rb = ( a >> 63 ) | ( b << 1 ); 1167 1168 PUT_UINT64_LE( ra, r, 0 ); 1169 PUT_UINT64_LE( rb, r, 8 ); 1170 } 1171 1172 /* 1173 * AES-XTS buffer encryption/decryption 1174 */ 1175 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, 1176 int mode, 1177 size_t length, 1178 const unsigned char data_unit[16], 1179 const unsigned char *input, 1180 unsigned char *output ) 1181 { 1182 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1183 size_t blocks = length / 16; 1184 size_t leftover = length % 16; 1185 unsigned char tweak[16]; 1186 unsigned char prev_tweak[16]; 1187 unsigned char tmp[16]; 1188 1189 AES_VALIDATE_RET( ctx != NULL ); 1190 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1191 mode == MBEDTLS_AES_DECRYPT ); 1192 AES_VALIDATE_RET( data_unit != NULL ); 1193 AES_VALIDATE_RET( input != NULL ); 1194 AES_VALIDATE_RET( output != NULL ); 1195 1196 /* Data units must be at least 16 bytes long. */ 1197 if( length < 16 ) 1198 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1199 1200 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ 1201 if( length > ( 1 << 20 ) * 16 ) 1202 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 1203 1204 /* Compute the tweak. */ 1205 ret = mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, 1206 data_unit, tweak ); 1207 if( ret != 0 ) 1208 return( ret ); 1209 1210 while( blocks-- ) 1211 { 1212 size_t i; 1213 1214 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 ) 1215 { 1216 /* We are on the last block in a decrypt operation that has 1217 * leftover bytes, so we need to use the next tweak for this block, 1218 * and this tweak for the lefover bytes. Save the current tweak for 1219 * the leftovers and then update the current tweak for use on this, 1220 * the last full block. */ 1221 memcpy( prev_tweak, tweak, sizeof( tweak ) ); 1222 mbedtls_gf128mul_x_ble( tweak, tweak ); 1223 } 1224 1225 for( i = 0; i < 16; i++ ) 1226 tmp[i] = input[i] ^ tweak[i]; 1227 1228 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1229 if( ret != 0 ) 1230 return( ret ); 1231 1232 for( i = 0; i < 16; i++ ) 1233 output[i] = tmp[i] ^ tweak[i]; 1234 1235 /* Update the tweak for the next block. */ 1236 mbedtls_gf128mul_x_ble( tweak, tweak ); 1237 1238 output += 16; 1239 input += 16; 1240 } 1241 1242 if( leftover ) 1243 { 1244 /* If we are on the leftover bytes in a decrypt operation, we need to 1245 * use the previous tweak for these bytes (as saved in prev_tweak). */ 1246 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; 1247 1248 /* We are now on the final part of the data unit, which doesn't divide 1249 * evenly by 16. It's time for ciphertext stealing. */ 1250 size_t i; 1251 unsigned char *prev_output = output - 16; 1252 1253 /* Copy ciphertext bytes from the previous block to our output for each 1254 * byte of cyphertext we won't steal. At the same time, copy the 1255 * remainder of the input for this final round (since the loop bounds 1256 * are the same). */ 1257 for( i = 0; i < leftover; i++ ) 1258 { 1259 output[i] = prev_output[i]; 1260 tmp[i] = input[i] ^ t[i]; 1261 } 1262 1263 /* Copy ciphertext bytes from the previous block for input in this 1264 * round. */ 1265 for( ; i < 16; i++ ) 1266 tmp[i] = prev_output[i] ^ t[i]; 1267 1268 ret = mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp ); 1269 if( ret != 0 ) 1270 return ret; 1271 1272 /* Write the result back to the previous block, overriding the previous 1273 * output we copied. */ 1274 for( i = 0; i < 16; i++ ) 1275 prev_output[i] = tmp[i] ^ t[i]; 1276 } 1277 1278 return( 0 ); 1279 } 1280 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1281 1282 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1283 /* 1284 * AES-CFB128 buffer encryption/decryption 1285 */ 1286 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, 1287 int mode, 1288 size_t length, 1289 size_t *iv_off, 1290 unsigned char iv[16], 1291 const unsigned char *input, 1292 unsigned char *output ) 1293 { 1294 int c; 1295 size_t n; 1296 1297 AES_VALIDATE_RET( ctx != NULL ); 1298 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1299 mode == MBEDTLS_AES_DECRYPT ); 1300 AES_VALIDATE_RET( iv_off != NULL ); 1301 AES_VALIDATE_RET( iv != NULL ); 1302 AES_VALIDATE_RET( input != NULL ); 1303 AES_VALIDATE_RET( output != NULL ); 1304 1305 n = *iv_off; 1306 1307 if( n > 15 ) 1308 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1309 1310 if( mode == MBEDTLS_AES_DECRYPT ) 1311 { 1312 while( length-- ) 1313 { 1314 if( n == 0 ) 1315 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1316 1317 c = *input++; 1318 *output++ = (unsigned char)( c ^ iv[n] ); 1319 iv[n] = (unsigned char) c; 1320 1321 n = ( n + 1 ) & 0x0F; 1322 } 1323 } 1324 else 1325 { 1326 while( length-- ) 1327 { 1328 if( n == 0 ) 1329 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1330 1331 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 1332 1333 n = ( n + 1 ) & 0x0F; 1334 } 1335 } 1336 1337 *iv_off = n; 1338 1339 return( 0 ); 1340 } 1341 1342 /* 1343 * AES-CFB8 buffer encryption/decryption 1344 */ 1345 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, 1346 int mode, 1347 size_t length, 1348 unsigned char iv[16], 1349 const unsigned char *input, 1350 unsigned char *output ) 1351 { 1352 unsigned char c; 1353 unsigned char ov[17]; 1354 1355 AES_VALIDATE_RET( ctx != NULL ); 1356 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 1357 mode == MBEDTLS_AES_DECRYPT ); 1358 AES_VALIDATE_RET( iv != NULL ); 1359 AES_VALIDATE_RET( input != NULL ); 1360 AES_VALIDATE_RET( output != NULL ); 1361 while( length-- ) 1362 { 1363 memcpy( ov, iv, 16 ); 1364 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1365 1366 if( mode == MBEDTLS_AES_DECRYPT ) 1367 ov[16] = *input; 1368 1369 c = *output++ = (unsigned char)( iv[0] ^ *input++ ); 1370 1371 if( mode == MBEDTLS_AES_ENCRYPT ) 1372 ov[16] = c; 1373 1374 memcpy( iv, ov + 1, 16 ); 1375 } 1376 1377 return( 0 ); 1378 } 1379 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1380 1381 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1382 /* 1383 * AES-OFB (Output Feedback Mode) buffer encryption/decryption 1384 */ 1385 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, 1386 size_t length, 1387 size_t *iv_off, 1388 unsigned char iv[16], 1389 const unsigned char *input, 1390 unsigned char *output ) 1391 { 1392 int ret = 0; 1393 size_t n; 1394 1395 AES_VALIDATE_RET( ctx != NULL ); 1396 AES_VALIDATE_RET( iv_off != NULL ); 1397 AES_VALIDATE_RET( iv != NULL ); 1398 AES_VALIDATE_RET( input != NULL ); 1399 AES_VALIDATE_RET( output != NULL ); 1400 1401 n = *iv_off; 1402 1403 if( n > 15 ) 1404 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1405 1406 while( length-- ) 1407 { 1408 if( n == 0 ) 1409 { 1410 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 1411 if( ret != 0 ) 1412 goto exit; 1413 } 1414 *output++ = *input++ ^ iv[n]; 1415 1416 n = ( n + 1 ) & 0x0F; 1417 } 1418 1419 *iv_off = n; 1420 1421 exit: 1422 return( ret ); 1423 } 1424 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1425 1426 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1427 /* 1428 * AES-CTR buffer encryption/decryption 1429 */ 1430 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, 1431 size_t length, 1432 size_t *nc_off, 1433 unsigned char nonce_counter[16], 1434 unsigned char stream_block[16], 1435 const unsigned char *input, 1436 unsigned char *output ) 1437 { 1438 int c, i; 1439 size_t n; 1440 1441 AES_VALIDATE_RET( ctx != NULL ); 1442 AES_VALIDATE_RET( nc_off != NULL ); 1443 AES_VALIDATE_RET( nonce_counter != NULL ); 1444 AES_VALIDATE_RET( stream_block != NULL ); 1445 AES_VALIDATE_RET( input != NULL ); 1446 AES_VALIDATE_RET( output != NULL ); 1447 1448 n = *nc_off; 1449 1450 if ( n > 0x0F ) 1451 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 1452 1453 while( length-- ) 1454 { 1455 if( n == 0 ) { 1456 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block ); 1457 1458 for( i = 16; i > 0; i-- ) 1459 if( ++nonce_counter[i - 1] != 0 ) 1460 break; 1461 } 1462 c = *input++; 1463 *output++ = (unsigned char)( c ^ stream_block[n] ); 1464 1465 n = ( n + 1 ) & 0x0F; 1466 } 1467 1468 *nc_off = n; 1469 1470 return( 0 ); 1471 } 1472 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1473 1474 #endif /* !MBEDTLS_AES_ALT */ 1475 1476 #if defined(MBEDTLS_SELF_TEST) 1477 /* 1478 * AES test vectors from: 1479 * 1480 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 1481 */ 1482 static const unsigned char aes_test_ecb_dec[3][16] = 1483 { 1484 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 1485 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 1486 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 1487 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 1488 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 1489 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 1490 }; 1491 1492 static const unsigned char aes_test_ecb_enc[3][16] = 1493 { 1494 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 1495 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 1496 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 1497 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 1498 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 1499 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 1500 }; 1501 1502 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1503 static const unsigned char aes_test_cbc_dec[3][16] = 1504 { 1505 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 1506 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, 1507 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 1508 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 1509 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 1510 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 1511 }; 1512 1513 static const unsigned char aes_test_cbc_enc[3][16] = 1514 { 1515 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 1516 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 1517 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 1518 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 1519 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 1520 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 1521 }; 1522 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1523 1524 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1525 /* 1526 * AES-CFB128 test vectors from: 1527 * 1528 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 1529 */ 1530 static const unsigned char aes_test_cfb128_key[3][32] = 1531 { 1532 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1533 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1534 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1535 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1536 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1537 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1538 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1539 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1540 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1541 }; 1542 1543 static const unsigned char aes_test_cfb128_iv[16] = 1544 { 1545 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1546 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1547 }; 1548 1549 static const unsigned char aes_test_cfb128_pt[64] = 1550 { 1551 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1552 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1553 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1554 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1555 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1556 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1557 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1558 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1559 }; 1560 1561 static const unsigned char aes_test_cfb128_ct[3][64] = 1562 { 1563 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1564 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1565 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, 1566 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 1567 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 1568 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 1569 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 1570 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 1571 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1572 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1573 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 1574 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 1575 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 1576 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 1577 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 1578 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 1579 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1580 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1581 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 1582 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 1583 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 1584 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 1585 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 1586 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 1587 }; 1588 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 1589 1590 #if defined(MBEDTLS_CIPHER_MODE_OFB) 1591 /* 1592 * AES-OFB test vectors from: 1593 * 1594 * https://csrc.nist.gov/publications/detail/sp/800-38a/final 1595 */ 1596 static const unsigned char aes_test_ofb_key[3][32] = 1597 { 1598 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1599 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1600 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1601 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1602 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1603 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1604 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1605 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1606 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1607 }; 1608 1609 static const unsigned char aes_test_ofb_iv[16] = 1610 { 1611 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1612 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1613 }; 1614 1615 static const unsigned char aes_test_ofb_pt[64] = 1616 { 1617 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1618 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1619 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1620 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1621 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1622 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1623 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1624 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1625 }; 1626 1627 static const unsigned char aes_test_ofb_ct[3][64] = 1628 { 1629 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1630 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1631 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 1632 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 1633 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 1634 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, 1635 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 1636 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, 1637 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1638 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1639 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 1640 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 1641 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 1642 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, 1643 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 1644 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, 1645 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1646 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1647 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 1648 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 1649 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 1650 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, 1651 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 1652 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } 1653 }; 1654 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 1655 1656 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1657 /* 1658 * AES-CTR test vectors from: 1659 * 1660 * http://www.faqs.org/rfcs/rfc3686.html 1661 */ 1662 1663 static const unsigned char aes_test_ctr_key[3][16] = 1664 { 1665 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 1666 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 1667 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 1668 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 1669 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 1670 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 1671 }; 1672 1673 static const unsigned char aes_test_ctr_nonce_counter[3][16] = 1674 { 1675 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 1676 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 1677 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 1678 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 1679 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 1680 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 1681 }; 1682 1683 static const unsigned char aes_test_ctr_pt[3][48] = 1684 { 1685 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 1686 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 1687 1688 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1689 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1690 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1691 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 1692 1693 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1694 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 1695 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 1696 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 1697 0x20, 0x21, 0x22, 0x23 } 1698 }; 1699 1700 static const unsigned char aes_test_ctr_ct[3][48] = 1701 { 1702 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 1703 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, 1704 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 1705 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 1706 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, 1707 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, 1708 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 1709 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, 1710 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, 1711 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 1712 0x25, 0xB2, 0x07, 0x2F } 1713 }; 1714 1715 static const int aes_test_ctr_len[3] = 1716 { 16, 32, 36 }; 1717 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 1718 1719 #if defined(MBEDTLS_CIPHER_MODE_XTS) 1720 /* 1721 * AES-XTS test vectors from: 1722 * 1723 * IEEE P1619/D16 Annex B 1724 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf 1725 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) 1726 */ 1727 static const unsigned char aes_test_xts_key[][32] = 1728 { 1729 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1731 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1732 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1733 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1734 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 1735 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1736 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1737 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 1738 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, 1739 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 1740 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 1741 }; 1742 1743 static const unsigned char aes_test_xts_pt32[][32] = 1744 { 1745 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1747 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1748 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1749 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1750 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1751 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1752 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1753 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1754 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1755 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 1756 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 1757 }; 1758 1759 static const unsigned char aes_test_xts_ct32[][32] = 1760 { 1761 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, 1762 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, 1763 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, 1764 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, 1765 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, 1766 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, 1767 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, 1768 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, 1769 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, 1770 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, 1771 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, 1772 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, 1773 }; 1774 1775 static const unsigned char aes_test_xts_data_unit[][16] = 1776 { 1777 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 1778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1779 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1780 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1781 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 1782 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 1783 }; 1784 1785 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 1786 1787 /* 1788 * Checkup routine 1789 */ 1790 int mbedtls_aes_self_test( int verbose ) 1791 { 1792 int ret = 0, i, j, u, mode; 1793 unsigned int keybits; 1794 unsigned char key[32]; 1795 unsigned char buf[64]; 1796 const unsigned char *aes_tests; 1797 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) 1798 unsigned char iv[16]; 1799 #endif 1800 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1801 unsigned char prv[16]; 1802 #endif 1803 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 1804 defined(MBEDTLS_CIPHER_MODE_OFB) 1805 size_t offset; 1806 #endif 1807 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) 1808 int len; 1809 #endif 1810 #if defined(MBEDTLS_CIPHER_MODE_CTR) 1811 unsigned char nonce_counter[16]; 1812 unsigned char stream_block[16]; 1813 #endif 1814 mbedtls_aes_context ctx; 1815 1816 memset( key, 0, 32 ); 1817 mbedtls_aes_init( &ctx ); 1818 1819 /* 1820 * ECB mode 1821 */ 1822 for( i = 0; i < 6; i++ ) 1823 { 1824 u = i >> 1; 1825 keybits = 128 + u * 64; 1826 mode = i & 1; 1827 1828 if( verbose != 0 ) 1829 mbedtls_printf( " AES-ECB-%3u (%s): ", keybits, 1830 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1831 1832 memset( buf, 0, 16 ); 1833 1834 if( mode == MBEDTLS_AES_DECRYPT ) 1835 { 1836 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1837 aes_tests = aes_test_ecb_dec[u]; 1838 } 1839 else 1840 { 1841 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1842 aes_tests = aes_test_ecb_enc[u]; 1843 } 1844 1845 /* 1846 * AES-192 is an optional feature that may be unavailable when 1847 * there is an alternative underlying implementation i.e. when 1848 * MBEDTLS_AES_ALT is defined. 1849 */ 1850 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1851 { 1852 mbedtls_printf( "skipped\n" ); 1853 continue; 1854 } 1855 else if( ret != 0 ) 1856 { 1857 goto exit; 1858 } 1859 1860 for( j = 0; j < 10000; j++ ) 1861 { 1862 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf ); 1863 if( ret != 0 ) 1864 goto exit; 1865 } 1866 1867 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1868 { 1869 ret = 1; 1870 goto exit; 1871 } 1872 1873 if( verbose != 0 ) 1874 mbedtls_printf( "passed\n" ); 1875 } 1876 1877 if( verbose != 0 ) 1878 mbedtls_printf( "\n" ); 1879 1880 #if defined(MBEDTLS_CIPHER_MODE_CBC) 1881 /* 1882 * CBC mode 1883 */ 1884 for( i = 0; i < 6; i++ ) 1885 { 1886 u = i >> 1; 1887 keybits = 128 + u * 64; 1888 mode = i & 1; 1889 1890 if( verbose != 0 ) 1891 mbedtls_printf( " AES-CBC-%3u (%s): ", keybits, 1892 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1893 1894 memset( iv , 0, 16 ); 1895 memset( prv, 0, 16 ); 1896 memset( buf, 0, 16 ); 1897 1898 if( mode == MBEDTLS_AES_DECRYPT ) 1899 { 1900 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 1901 aes_tests = aes_test_cbc_dec[u]; 1902 } 1903 else 1904 { 1905 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1906 aes_tests = aes_test_cbc_enc[u]; 1907 } 1908 1909 /* 1910 * AES-192 is an optional feature that may be unavailable when 1911 * there is an alternative underlying implementation i.e. when 1912 * MBEDTLS_AES_ALT is defined. 1913 */ 1914 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1915 { 1916 mbedtls_printf( "skipped\n" ); 1917 continue; 1918 } 1919 else if( ret != 0 ) 1920 { 1921 goto exit; 1922 } 1923 1924 for( j = 0; j < 10000; j++ ) 1925 { 1926 if( mode == MBEDTLS_AES_ENCRYPT ) 1927 { 1928 unsigned char tmp[16]; 1929 1930 memcpy( tmp, prv, 16 ); 1931 memcpy( prv, buf, 16 ); 1932 memcpy( buf, tmp, 16 ); 1933 } 1934 1935 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf ); 1936 if( ret != 0 ) 1937 goto exit; 1938 1939 } 1940 1941 if( memcmp( buf, aes_tests, 16 ) != 0 ) 1942 { 1943 ret = 1; 1944 goto exit; 1945 } 1946 1947 if( verbose != 0 ) 1948 mbedtls_printf( "passed\n" ); 1949 } 1950 1951 if( verbose != 0 ) 1952 mbedtls_printf( "\n" ); 1953 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1954 1955 #if defined(MBEDTLS_CIPHER_MODE_CFB) 1956 /* 1957 * CFB128 mode 1958 */ 1959 for( i = 0; i < 6; i++ ) 1960 { 1961 u = i >> 1; 1962 keybits = 128 + u * 64; 1963 mode = i & 1; 1964 1965 if( verbose != 0 ) 1966 mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits, 1967 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 1968 1969 memcpy( iv, aes_test_cfb128_iv, 16 ); 1970 memcpy( key, aes_test_cfb128_key[u], keybits / 8 ); 1971 1972 offset = 0; 1973 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 1974 /* 1975 * AES-192 is an optional feature that may be unavailable when 1976 * there is an alternative underlying implementation i.e. when 1977 * MBEDTLS_AES_ALT is defined. 1978 */ 1979 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 1980 { 1981 mbedtls_printf( "skipped\n" ); 1982 continue; 1983 } 1984 else if( ret != 0 ) 1985 { 1986 goto exit; 1987 } 1988 1989 if( mode == MBEDTLS_AES_DECRYPT ) 1990 { 1991 memcpy( buf, aes_test_cfb128_ct[u], 64 ); 1992 aes_tests = aes_test_cfb128_pt; 1993 } 1994 else 1995 { 1996 memcpy( buf, aes_test_cfb128_pt, 64 ); 1997 aes_tests = aes_test_cfb128_ct[u]; 1998 } 1999 2000 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf ); 2001 if( ret != 0 ) 2002 goto exit; 2003 2004 if( memcmp( buf, aes_tests, 64 ) != 0 ) 2005 { 2006 ret = 1; 2007 goto exit; 2008 } 2009 2010 if( verbose != 0 ) 2011 mbedtls_printf( "passed\n" ); 2012 } 2013 2014 if( verbose != 0 ) 2015 mbedtls_printf( "\n" ); 2016 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 2017 2018 #if defined(MBEDTLS_CIPHER_MODE_OFB) 2019 /* 2020 * OFB mode 2021 */ 2022 for( i = 0; i < 6; i++ ) 2023 { 2024 u = i >> 1; 2025 keybits = 128 + u * 64; 2026 mode = i & 1; 2027 2028 if( verbose != 0 ) 2029 mbedtls_printf( " AES-OFB-%3u (%s): ", keybits, 2030 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2031 2032 memcpy( iv, aes_test_ofb_iv, 16 ); 2033 memcpy( key, aes_test_ofb_key[u], keybits / 8 ); 2034 2035 offset = 0; 2036 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 2037 /* 2038 * AES-192 is an optional feature that may be unavailable when 2039 * there is an alternative underlying implementation i.e. when 2040 * MBEDTLS_AES_ALT is defined. 2041 */ 2042 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 2043 { 2044 mbedtls_printf( "skipped\n" ); 2045 continue; 2046 } 2047 else if( ret != 0 ) 2048 { 2049 goto exit; 2050 } 2051 2052 if( mode == MBEDTLS_AES_DECRYPT ) 2053 { 2054 memcpy( buf, aes_test_ofb_ct[u], 64 ); 2055 aes_tests = aes_test_ofb_pt; 2056 } 2057 else 2058 { 2059 memcpy( buf, aes_test_ofb_pt, 64 ); 2060 aes_tests = aes_test_ofb_ct[u]; 2061 } 2062 2063 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf ); 2064 if( ret != 0 ) 2065 goto exit; 2066 2067 if( memcmp( buf, aes_tests, 64 ) != 0 ) 2068 { 2069 ret = 1; 2070 goto exit; 2071 } 2072 2073 if( verbose != 0 ) 2074 mbedtls_printf( "passed\n" ); 2075 } 2076 2077 if( verbose != 0 ) 2078 mbedtls_printf( "\n" ); 2079 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 2080 2081 #if defined(MBEDTLS_CIPHER_MODE_CTR) 2082 /* 2083 * CTR mode 2084 */ 2085 for( i = 0; i < 6; i++ ) 2086 { 2087 u = i >> 1; 2088 mode = i & 1; 2089 2090 if( verbose != 0 ) 2091 mbedtls_printf( " AES-CTR-128 (%s): ", 2092 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2093 2094 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 ); 2095 memcpy( key, aes_test_ctr_key[u], 16 ); 2096 2097 offset = 0; 2098 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 ) 2099 goto exit; 2100 2101 len = aes_test_ctr_len[u]; 2102 2103 if( mode == MBEDTLS_AES_DECRYPT ) 2104 { 2105 memcpy( buf, aes_test_ctr_ct[u], len ); 2106 aes_tests = aes_test_ctr_pt[u]; 2107 } 2108 else 2109 { 2110 memcpy( buf, aes_test_ctr_pt[u], len ); 2111 aes_tests = aes_test_ctr_ct[u]; 2112 } 2113 2114 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, 2115 stream_block, buf, buf ); 2116 if( ret != 0 ) 2117 goto exit; 2118 2119 if( memcmp( buf, aes_tests, len ) != 0 ) 2120 { 2121 ret = 1; 2122 goto exit; 2123 } 2124 2125 if( verbose != 0 ) 2126 mbedtls_printf( "passed\n" ); 2127 } 2128 2129 if( verbose != 0 ) 2130 mbedtls_printf( "\n" ); 2131 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 2132 2133 #if defined(MBEDTLS_CIPHER_MODE_XTS) 2134 { 2135 static const int num_tests = 2136 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); 2137 mbedtls_aes_xts_context ctx_xts; 2138 2139 /* 2140 * XTS mode 2141 */ 2142 mbedtls_aes_xts_init( &ctx_xts ); 2143 2144 for( i = 0; i < num_tests << 1; i++ ) 2145 { 2146 const unsigned char *data_unit; 2147 u = i >> 1; 2148 mode = i & 1; 2149 2150 if( verbose != 0 ) 2151 mbedtls_printf( " AES-XTS-128 (%s): ", 2152 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 2153 2154 memset( key, 0, sizeof( key ) ); 2155 memcpy( key, aes_test_xts_key[u], 32 ); 2156 data_unit = aes_test_xts_data_unit[u]; 2157 2158 len = sizeof( *aes_test_xts_ct32 ); 2159 2160 if( mode == MBEDTLS_AES_DECRYPT ) 2161 { 2162 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 ); 2163 if( ret != 0) 2164 goto exit; 2165 memcpy( buf, aes_test_xts_ct32[u], len ); 2166 aes_tests = aes_test_xts_pt32[u]; 2167 } 2168 else 2169 { 2170 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 ); 2171 if( ret != 0) 2172 goto exit; 2173 memcpy( buf, aes_test_xts_pt32[u], len ); 2174 aes_tests = aes_test_xts_ct32[u]; 2175 } 2176 2177 2178 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit, 2179 buf, buf ); 2180 if( ret != 0 ) 2181 goto exit; 2182 2183 if( memcmp( buf, aes_tests, len ) != 0 ) 2184 { 2185 ret = 1; 2186 goto exit; 2187 } 2188 2189 if( verbose != 0 ) 2190 mbedtls_printf( "passed\n" ); 2191 } 2192 2193 if( verbose != 0 ) 2194 mbedtls_printf( "\n" ); 2195 2196 mbedtls_aes_xts_free( &ctx_xts ); 2197 } 2198 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 2199 2200 ret = 0; 2201 2202 exit: 2203 if( ret != 0 && verbose != 0 ) 2204 mbedtls_printf( "failed\n" ); 2205 2206 mbedtls_aes_free( &ctx ); 2207 2208 return( ret ); 2209 } 2210 2211 #endif /* MBEDTLS_SELF_TEST */ 2212 2213 #endif /* MBEDTLS_AES_C */ 2214