search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
text
[RRG-proxmark3.git] / common / mbedtls / aes.c
blob832228818a41e1fa0ee89bc1547082cc3d2e5ad5
1 /*
2 * FIPS-197 compliant AES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
21 *
22 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
23 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_AES_C)
29
30 #include <string.h>
31
32 #include "mbedtls/aes.h"
33 #include "mbedtls/platform.h"
34 #include "mbedtls/platform_util.h"
35 #include "mbedtls/error.h"
36 #if defined(MBEDTLS_PADLOCK_C)
37 #include "mbedtls/padlock.h"
38 #endif
39 #if defined(MBEDTLS_AESNI_C)
40 #include "mbedtls/aesni.h"
41 #endif
42
43 #if defined(MBEDTLS_SELF_TEST)
44 #if defined(MBEDTLS_PLATFORM_C)
45 #include "mbedtls/platform.h"
46 #else
47 #include <stdio.h>
48 #define mbedtls_printf printf
49 #endif /* MBEDTLS_PLATFORM_C */
50 #endif /* MBEDTLS_SELF_TEST */
51
52 #if !defined(MBEDTLS_AES_ALT)
53
54 /* Parameter validation macros based on platform_util.h */
55 #define AES_VALIDATE_RET( cond ) \
56 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA )
57 #define AES_VALIDATE( cond ) \
58 MBEDTLS_INTERNAL_VALIDATE( cond )
59
60 /*
61 * 32-bit integer manipulation macros (little endian)
62 */
63 #ifndef GET_UINT32_LE
64 #define GET_UINT32_LE(n,b,i) \
65 { \
66 (n) = ( (uint32_t) (b)[(i) ] ) \
67 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
68 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
69 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
70 }
71 #endif
72
73 #ifndef PUT_UINT32_LE
74 #define PUT_UINT32_LE(n,b,i) \
75 { \
76 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
77 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
78 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
79 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
80 }
81 #endif
82
83 #if defined(MBEDTLS_PADLOCK_C) && \
84 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) )
85 static int aes_padlock_ace = -1;
86 #endif
87
88 #if defined(MBEDTLS_AES_ROM_TABLES)
89 /*
90 * Forward S-box
91 */
92 static const unsigned char FSb[256] = {
93 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
94 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
95 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
96 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
97 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
98 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
99 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
100 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
101 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
102 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
103 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
104 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
105 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
106 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
107 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
108 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
109 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
110 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
111 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
112 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
113 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
114 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
115 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
116 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
117 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
118 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
119 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
120 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
121 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
122 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
123 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
124 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
125 };
126
127 /*
128 * Forward tables
129 */
130 #define FT \
131 \
132 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \
133 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \
134 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \
135 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \
136 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \
137 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \
138 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \
139 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \
140 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \
141 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \
142 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \
143 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \
144 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \
145 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \
146 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \
147 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \
148 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \
149 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \
150 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \
151 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \
152 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \
153 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \
154 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \
155 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \
156 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \
157 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \
158 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \
159 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \
160 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \
161 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \
162 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \
163 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \
164 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \
165 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \
166 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \
167 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \
168 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \
169 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \
170 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \
171 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \
172 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \
173 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \
174 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \
175 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \
176 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \
177 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \
178 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \
179 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \
180 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \
181 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \
182 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \
183 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \
184 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \
185 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \
186 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \
187 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \
188 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \
189 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \
190 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \
191 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \
192 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \
193 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \
194 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \
195 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C)
196
197 #define V(a,b,c,d) 0x##a##b##c##d
198 static const uint32_t FT0[256] = { FT };
199 #undef V
200
201 #if !defined(MBEDTLS_AES_FEWER_TABLES)
202
203 #define V(a,b,c,d) 0x##b##c##d##a
204 static const uint32_t FT1[256] = { FT };
205 #undef V
206
207 #define V(a,b,c,d) 0x##c##d##a##b
208 static const uint32_t FT2[256] = { FT };
209 #undef V
210
211 #define V(a,b,c,d) 0x##d##a##b##c
212 static const uint32_t FT3[256] = { FT };
213 #undef V
214
215 #endif /* !MBEDTLS_AES_FEWER_TABLES */
216
217 #undef FT
218
219 /*
220 * Reverse S-box
221 */
222 static const unsigned char RSb[256] = {
223 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
224 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
225 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
226 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
227 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
228 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
229 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
230 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
231 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
232 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
233 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
234 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
235 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
236 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
237 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
238 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
239 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
240 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
241 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
242 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
243 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
244 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
245 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
246 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
247 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
248 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
249 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
250 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
251 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
252 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
253 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
254 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
255 };
256
257 /*
258 * Reverse tables
259 */
260 #define RT \
261 \
262 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \
263 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \
264 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \
265 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \
266 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \
267 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \
268 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \
269 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \
270 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \
271 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \
272 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \
273 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \
274 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \
275 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \
276 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \
277 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \
278 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \
279 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \
280 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \
281 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \
282 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \
283 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \
284 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \
285 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \
286 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \
287 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \
288 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \
289 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \
290 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \
291 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \
292 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \
293 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \
294 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \
295 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \
296 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \
297 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \
298 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \
299 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \
300 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \
301 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \
302 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \
303 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \
304 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \
305 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \
306 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \
307 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \
308 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \
309 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \
310 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \
311 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \
312 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \
313 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \
314 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \
315 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \
316 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \
317 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \
318 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \
319 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \
320 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \
321 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \
322 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \
323 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \
324 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \
325 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0)
326
327 #define V(a,b,c,d) 0x##a##b##c##d
328 static const uint32_t RT0[256] = { RT };
329 #undef V
330
331 #if !defined(MBEDTLS_AES_FEWER_TABLES)
332
333 #define V(a,b,c,d) 0x##b##c##d##a
334 static const uint32_t RT1[256] = { RT };
335 #undef V
336
337 #define V(a,b,c,d) 0x##c##d##a##b
338 static const uint32_t RT2[256] = { RT };
339 #undef V
340
341 #define V(a,b,c,d) 0x##d##a##b##c
342 static const uint32_t RT3[256] = { RT };
343 #undef V
344
345 #endif /* !MBEDTLS_AES_FEWER_TABLES */
346
347 #undef RT
348
349 /*
350 * Round constants
351 */
352 static const uint32_t RCON[10] = {
353 0x00000001, 0x00000002, 0x00000004, 0x00000008,
354 0x00000010, 0x00000020, 0x00000040, 0x00000080,
355 0x0000001B, 0x00000036
356 };
357
358 #else /* MBEDTLS_AES_ROM_TABLES */
359
360 /*
361 * Forward S-box & tables
362 */
363 static unsigned char FSb[256];
364 static uint32_t FT0[256];
365 #if !defined(MBEDTLS_AES_FEWER_TABLES)
366 static uint32_t FT1[256];
367 static uint32_t FT2[256];
368 static uint32_t FT3[256];
369 #endif /* !MBEDTLS_AES_FEWER_TABLES */
370
371 /*
372 * Reverse S-box & tables
373 */
374 static unsigned char RSb[256];
375 static uint32_t RT0[256];
376 #if !defined(MBEDTLS_AES_FEWER_TABLES)
377 static uint32_t RT1[256];
378 static uint32_t RT2[256];
379 static uint32_t RT3[256];
380 #endif /* !MBEDTLS_AES_FEWER_TABLES */
381
382 /*
383 * Round constants
384 */
385 static uint32_t RCON[10];
386
387 /*
388 * Tables generation code
389 */
390 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 )
391 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) )
392 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 )
393
394 static int aes_init_done = 0;
395
396 static void aes_gen_tables(void) {
397 int i, x, y, z;
398 int pow[256];
399 int log[256];
400
401 /*
402 * compute pow and log tables over GF(2^8)
403 */
404 for (i = 0, x = 1; i < 256; i++) {
405 pow[i] = x;
406 log[x] = i;
407 x = (x ^ XTIME(x)) & 0xFF;
408 }
409
410 /*
411 * calculate the round constants
412 */
413 for (i = 0, x = 1; i < 10; i++) {
414 RCON[i] = (uint32_t) x;
415 x = XTIME(x) & 0xFF;
416 }
417
418 /*
419 * generate the forward and reverse S-boxes
420 */
421 FSb[0x00] = 0x63;
422 RSb[0x63] = 0x00;
423
424 for (i = 1; i < 256; i++) {
425 x = pow[255 - log[i]];
426
427 y = x;
428 y = ((y << 1) | (y >> 7)) & 0xFF;
429 x ^= y;
430 y = ((y << 1) | (y >> 7)) & 0xFF;
431 x ^= y;
432 y = ((y << 1) | (y >> 7)) & 0xFF;
433 x ^= y;
434 y = ((y << 1) | (y >> 7)) & 0xFF;
435 x ^= y ^ 0x63;
436
437 FSb[i] = (unsigned char) x;
438 RSb[x] = (unsigned char) i;
439 }
440
441 /*
442 * generate the forward and reverse tables
443 */
444 for (i = 0; i < 256; i++) {
445 x = FSb[i];
446 y = XTIME(x) & 0xFF;
447 z = (y ^ x) & 0xFF;
448
449 FT0[i] = ((uint32_t) y) ^
450 ((uint32_t) x << 8) ^
451 ((uint32_t) x << 16) ^
452 ((uint32_t) z << 24);
453
454 #if !defined(MBEDTLS_AES_FEWER_TABLES)
455 FT1[i] = ROTL8(FT0[i]);
456 FT2[i] = ROTL8(FT1[i]);
457 FT3[i] = ROTL8(FT2[i]);
458 #endif /* !MBEDTLS_AES_FEWER_TABLES */
459
460 x = RSb[i];
461
462 RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
463 ((uint32_t) MUL(0x09, x) << 8) ^
464 ((uint32_t) MUL(0x0D, x) << 16) ^
465 ((uint32_t) MUL(0x0B, x) << 24);
466
467 #if !defined(MBEDTLS_AES_FEWER_TABLES)
468 RT1[i] = ROTL8(RT0[i]);
469 RT2[i] = ROTL8(RT1[i]);
470 RT3[i] = ROTL8(RT2[i]);
471 #endif /* !MBEDTLS_AES_FEWER_TABLES */
472 }
473 }
474
475 #undef ROTL8
476
477 #endif /* MBEDTLS_AES_ROM_TABLES */
478
479 #if defined(MBEDTLS_AES_FEWER_TABLES)
480
481 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) )
482 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) )
483 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) )
484
485 #define AES_RT0(idx) RT0[idx]
486 #define AES_RT1(idx) ROTL8( RT0[idx] )
487 #define AES_RT2(idx) ROTL16( RT0[idx] )
488 #define AES_RT3(idx) ROTL24( RT0[idx] )
489
490 #define AES_FT0(idx) FT0[idx]
491 #define AES_FT1(idx) ROTL8( FT0[idx] )
492 #define AES_FT2(idx) ROTL16( FT0[idx] )
493 #define AES_FT3(idx) ROTL24( FT0[idx] )
494
495 #else /* MBEDTLS_AES_FEWER_TABLES */
496
497 #define AES_RT0(idx) RT0[idx]
498 #define AES_RT1(idx) RT1[idx]
499 #define AES_RT2(idx) RT2[idx]
500 #define AES_RT3(idx) RT3[idx]
501
502 #define AES_FT0(idx) FT0[idx]
503 #define AES_FT1(idx) FT1[idx]
504 #define AES_FT2(idx) FT2[idx]
505 #define AES_FT3(idx) FT3[idx]
506
507 #endif /* MBEDTLS_AES_FEWER_TABLES */
508
509 void mbedtls_aes_init(mbedtls_aes_context *ctx) {
510 AES_VALIDATE(ctx != NULL);
511
512 memset(ctx, 0, sizeof(mbedtls_aes_context));
513 }
514
515 void mbedtls_aes_free(mbedtls_aes_context *ctx) {
516 if (ctx == NULL)
517 return;
518
519 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
520 }
521
522 #if defined(MBEDTLS_CIPHER_MODE_XTS)
523 void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx) {
524 AES_VALIDATE(ctx != NULL);
525
526 mbedtls_aes_init(&ctx->crypt);
527 mbedtls_aes_init(&ctx->tweak);
528 }
529
530 void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx) {
531 if (ctx == NULL)
532 return;
533
534 mbedtls_aes_free(&ctx->crypt);
535 mbedtls_aes_free(&ctx->tweak);
536 }
537 #endif /* MBEDTLS_CIPHER_MODE_XTS */
538
539 /*
540 * AES key schedule (encryption)
541 */
542 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
543 int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
544 unsigned int keybits) {
545 unsigned int i;
546 uint32_t *RK;
547
548 AES_VALIDATE_RET(ctx != NULL);
549 AES_VALIDATE_RET(key != NULL);
550
551 switch (keybits) {
552 case 128:
553 ctx->nr = 10;
554 break;
555 case 192:
556 ctx->nr = 12;
557 break;
558 case 256:
559 ctx->nr = 14;
560 break;
561 default :
562 return (MBEDTLS_ERR_AES_INVALID_KEY_LENGTH);
563 }
564
565 #if !defined(MBEDTLS_AES_ROM_TABLES)
566 if (aes_init_done == 0) {
567 aes_gen_tables();
568 aes_init_done = 1;
569 }
570 #endif
571
572 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
573 if (aes_padlock_ace == -1)
574 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
575
576 if (aes_padlock_ace)
577 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
578 else
579 #endif
580 ctx->rk = RK = ctx->buf;
581
582 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
583 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES))
584 return (mbedtls_aesni_setkey_enc((unsigned char *) ctx->rk, key, keybits));
585 #endif
586
587 for (i = 0; i < (keybits >> 5); i++) {
588 GET_UINT32_LE(RK[i], key, i << 2);
589 }
590
591 switch (ctx->nr) {
592 case 10:
593
594 for (i = 0; i < 10; i++, RK += 4) {
595 RK[4] = RK[0] ^ RCON[i] ^
596 ((uint32_t) FSb[(RK[3] >> 8) & 0xFF ]) ^
597 ((uint32_t) FSb[(RK[3] >> 16) & 0xFF ] << 8) ^
598 ((uint32_t) FSb[(RK[3] >> 24) & 0xFF ] << 16) ^
599 ((uint32_t) FSb[(RK[3]) & 0xFF ] << 24);
600
601 RK[5] = RK[1] ^ RK[4];
602 RK[6] = RK[2] ^ RK[5];
603 RK[7] = RK[3] ^ RK[6];
604 }
605 break;
606
607 case 12:
608
609 for (i = 0; i < 8; i++, RK += 6) {
610 RK[6] = RK[0] ^ RCON[i] ^
611 ((uint32_t) FSb[(RK[5] >> 8) & 0xFF ]) ^
612 ((uint32_t) FSb[(RK[5] >> 16) & 0xFF ] << 8) ^
613 ((uint32_t) FSb[(RK[5] >> 24) & 0xFF ] << 16) ^
614 ((uint32_t) FSb[(RK[5]) & 0xFF ] << 24);
615
616 RK[7] = RK[1] ^ RK[6];
617 RK[8] = RK[2] ^ RK[7];
618 RK[9] = RK[3] ^ RK[8];
619 RK[10] = RK[4] ^ RK[9];
620 RK[11] = RK[5] ^ RK[10];
621 }
622 break;
623
624 case 14:
625
626 for (i = 0; i < 7; i++, RK += 8) {
627 RK[8] = RK[0] ^ RCON[i] ^
628 ((uint32_t) FSb[(RK[7] >> 8) & 0xFF ]) ^
629 ((uint32_t) FSb[(RK[7] >> 16) & 0xFF ] << 8) ^
630 ((uint32_t) FSb[(RK[7] >> 24) & 0xFF ] << 16) ^
631 ((uint32_t) FSb[(RK[7]) & 0xFF ] << 24);
632
633 RK[9] = RK[1] ^ RK[8];
634 RK[10] = RK[2] ^ RK[9];
635 RK[11] = RK[3] ^ RK[10];
636
637 RK[12] = RK[4] ^
638 ((uint32_t) FSb[(RK[11]) & 0xFF ]) ^
639 ((uint32_t) FSb[(RK[11] >> 8) & 0xFF ] << 8) ^
640 ((uint32_t) FSb[(RK[11] >> 16) & 0xFF ] << 16) ^
641 ((uint32_t) FSb[(RK[11] >> 24) & 0xFF ] << 24);
642
643 RK[13] = RK[5] ^ RK[12];
644 RK[14] = RK[6] ^ RK[13];
645 RK[15] = RK[7] ^ RK[14];
646 }
647 break;
648 }
649
650 return (0);
651 }
652 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
653
654 /*
655 * AES key schedule (decryption)
656 */
657 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
658 int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
659 unsigned int keybits) {
660 int i, j, ret;
661 mbedtls_aes_context cty;
662 uint32_t *RK;
663 uint32_t *SK;
664
665 AES_VALIDATE_RET(ctx != NULL);
666 AES_VALIDATE_RET(key != NULL);
667
668 mbedtls_aes_init(&cty);
669
670 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
671 if (aes_padlock_ace == -1)
672 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
673
674 if (aes_padlock_ace)
675 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
676 else
677 #endif
678 ctx->rk = RK = ctx->buf;
679
680 /* Also checks keybits */
681 if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0)
682 goto exit;
683
684 ctx->nr = cty.nr;
685
686 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
687 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
688 mbedtls_aesni_inverse_key((unsigned char *) ctx->rk,
689 (const unsigned char *) cty.rk, ctx->nr);
690 goto exit;
691 }
692 #endif
693
694 SK = cty.rk + cty.nr * 4;
695
696 *RK++ = *SK++;
697 *RK++ = *SK++;
698 *RK++ = *SK++;
699 *RK++ = *SK++;
700
701 for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) {
702 for (j = 0; j < 4; j++, SK++) {
703 *RK++ = AES_RT0(FSb[(*SK) & 0xFF ]) ^
704 AES_RT1(FSb[(*SK >> 8) & 0xFF ]) ^
705 AES_RT2(FSb[(*SK >> 16) & 0xFF ]) ^
706 AES_RT3(FSb[(*SK >> 24) & 0xFF ]);
707 }
708 }
709
710 *RK++ = *SK++;
711 *RK++ = *SK++;
712 *RK++ = *SK++;
713 *RK++ = *SK++;
714
715 exit:
716 mbedtls_aes_free(&cty);
717
718 return (ret);
719 }
720 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
721
722 #if defined(MBEDTLS_CIPHER_MODE_XTS)
723 static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
724 unsigned int keybits,
725 const unsigned char **key1,
726 unsigned int *key1bits,
727 const unsigned char **key2,
728 unsigned int *key2bits) {
729 const unsigned int half_keybits = keybits / 2;
730 const unsigned int half_keybytes = half_keybits / 8;
731
732 switch (keybits) {
733 case 256:
734 break;
735 case 512:
736 break;
737 default :
738 return (MBEDTLS_ERR_AES_INVALID_KEY_LENGTH);
739 }
740
741 *key1bits = half_keybits;
742 *key2bits = half_keybits;
743 *key1 = &key[0];
744 *key2 = &key[half_keybytes];
745
746 return 0;
747 }
748
749 int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
750 const unsigned char *key,
751 unsigned int keybits) {
752 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
753 const unsigned char *key1, *key2;
754 unsigned int key1bits, key2bits;
755
756 AES_VALIDATE_RET(ctx != NULL);
757 AES_VALIDATE_RET(key != NULL);
758
759 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
760 &key2, &key2bits);
761 if (ret != 0)
762 return (ret);
763
764 /* Set the tweak key. Always set tweak key for the encryption mode. */
765 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
766 if (ret != 0)
767 return (ret);
768
769 /* Set crypt key for encryption. */
770 return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
771 }
772
773 int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
774 const unsigned char *key,
775 unsigned int keybits) {
776 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
777 const unsigned char *key1, *key2;
778 unsigned int key1bits, key2bits;
779
780 AES_VALIDATE_RET(ctx != NULL);
781 AES_VALIDATE_RET(key != NULL);
782
783 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
784 &key2, &key2bits);
785 if (ret != 0)
786 return (ret);
787
788 /* Set the tweak key. Always set tweak key for encryption. */
789 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
790 if (ret != 0)
791 return (ret);
792
793 /* Set crypt key for decryption. */
794 return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
795 }
796 #endif /* MBEDTLS_CIPHER_MODE_XTS */
797
798 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
799 do \
800 { \
801 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \
802 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
803 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
804 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \
805 \
806 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \
807 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
808 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
809 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \
810 \
811 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \
812 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
813 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
814 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \
815 \
816 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \
817 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
818 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
819 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \
820 } while( 0 )
821
822 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
823 do \
824 { \
825 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \
826 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \
827 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \
828 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \
829 \
830 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \
831 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \
832 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \
833 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \
834 \
835 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \
836 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \
837 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \
838 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \
839 \
840 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \
841 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \
842 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \
843 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \
844 } while( 0 )
845
846 /*
847 * AES-ECB block encryption
848 */
849 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
850 int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
851 const unsigned char input[16],
852 unsigned char output[16]) {
853 int i;
854 uint32_t *RK = ctx->rk;
855 struct {
856 uint32_t X[4];
857 uint32_t Y[4];
858 } t;
859
860 GET_UINT32_LE(t.X[0], input, 0);
861 t.X[0] ^= *RK++;
862 GET_UINT32_LE(t.X[1], input, 4);
863 t.X[1] ^= *RK++;
864 GET_UINT32_LE(t.X[2], input, 8);
865 t.X[2] ^= *RK++;
866 GET_UINT32_LE(t.X[3], input, 12);
867 t.X[3] ^= *RK++;
868
869 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
870 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
871 AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
872 }
873
874 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
875
876 t.X[0] = *RK++ ^ \
877 ((uint32_t) FSb[(t.Y[0]) & 0xFF ]) ^
878 ((uint32_t) FSb[(t.Y[1] >> 8) & 0xFF ] << 8) ^
879 ((uint32_t) FSb[(t.Y[2] >> 16) & 0xFF ] << 16) ^
880 ((uint32_t) FSb[(t.Y[3] >> 24) & 0xFF ] << 24);
881
882 t.X[1] = *RK++ ^ \
883 ((uint32_t) FSb[(t.Y[1]) & 0xFF ]) ^
884 ((uint32_t) FSb[(t.Y[2] >> 8) & 0xFF ] << 8) ^
885 ((uint32_t) FSb[(t.Y[3] >> 16) & 0xFF ] << 16) ^
886 ((uint32_t) FSb[(t.Y[0] >> 24) & 0xFF ] << 24);
887
888 t.X[2] = *RK++ ^ \
889 ((uint32_t) FSb[(t.Y[2]) & 0xFF ]) ^
890 ((uint32_t) FSb[(t.Y[3] >> 8) & 0xFF ] << 8) ^
891 ((uint32_t) FSb[(t.Y[0] >> 16) & 0xFF ] << 16) ^
892 ((uint32_t) FSb[(t.Y[1] >> 24) & 0xFF ] << 24);
893
894 t.X[3] = *RK++ ^ \
895 ((uint32_t) FSb[(t.Y[3]) & 0xFF ]) ^
896 ((uint32_t) FSb[(t.Y[0] >> 8) & 0xFF ] << 8) ^
897 ((uint32_t) FSb[(t.Y[1] >> 16) & 0xFF ] << 16) ^
898 ((uint32_t) FSb[(t.Y[2] >> 24) & 0xFF ] << 24);
899
900 PUT_UINT32_LE(t.X[0], output, 0);
901 PUT_UINT32_LE(t.X[1], output, 4);
902 PUT_UINT32_LE(t.X[2], output, 8);
903 PUT_UINT32_LE(t.X[3], output, 12);
904
905 mbedtls_platform_zeroize(&t, sizeof(t));
906
907 return (0);
908 }
909 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
910
911 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
912 void mbedtls_aes_encrypt(mbedtls_aes_context *ctx,
913 const unsigned char input[16],
914 unsigned char output[16]) {
915 mbedtls_internal_aes_encrypt(ctx, input, output);
916 }
917 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
918
919 /*
920 * AES-ECB block decryption
921 */
922 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
923 int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
924 const unsigned char input[16],
925 unsigned char output[16]) {
926 int i;
927 uint32_t *RK = ctx->rk;
928 struct {
929 uint32_t X[4];
930 uint32_t Y[4];
931 } t;
932
933 GET_UINT32_LE(t.X[0], input, 0);
934 t.X[0] ^= *RK++;
935 GET_UINT32_LE(t.X[1], input, 4);
936 t.X[1] ^= *RK++;
937 GET_UINT32_LE(t.X[2], input, 8);
938 t.X[2] ^= *RK++;
939 GET_UINT32_LE(t.X[3], input, 12);
940 t.X[3] ^= *RK++;
941
942 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
943 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
944 AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
945 }
946
947 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
948
949 t.X[0] = *RK++ ^ \
950 ((uint32_t) RSb[(t.Y[0]) & 0xFF ]) ^
951 ((uint32_t) RSb[(t.Y[3] >> 8) & 0xFF ] << 8) ^
952 ((uint32_t) RSb[(t.Y[2] >> 16) & 0xFF ] << 16) ^
953 ((uint32_t) RSb[(t.Y[1] >> 24) & 0xFF ] << 24);
954
955 t.X[1] = *RK++ ^ \
956 ((uint32_t) RSb[(t.Y[1]) & 0xFF ]) ^
957 ((uint32_t) RSb[(t.Y[0] >> 8) & 0xFF ] << 8) ^
958 ((uint32_t) RSb[(t.Y[3] >> 16) & 0xFF ] << 16) ^
959 ((uint32_t) RSb[(t.Y[2] >> 24) & 0xFF ] << 24);
960
961 t.X[2] = *RK++ ^ \
962 ((uint32_t) RSb[(t.Y[2]) & 0xFF ]) ^
963 ((uint32_t) RSb[(t.Y[1] >> 8) & 0xFF ] << 8) ^
964 ((uint32_t) RSb[(t.Y[0] >> 16) & 0xFF ] << 16) ^
965 ((uint32_t) RSb[(t.Y[3] >> 24) & 0xFF ] << 24);
966
967 t.X[3] = *RK++ ^ \
968 ((uint32_t) RSb[(t.Y[3]) & 0xFF ]) ^
969 ((uint32_t) RSb[(t.Y[2] >> 8) & 0xFF ] << 8) ^
970 ((uint32_t) RSb[(t.Y[1] >> 16) & 0xFF ] << 16) ^
971 ((uint32_t) RSb[(t.Y[0] >> 24) & 0xFF ] << 24);
972
973 PUT_UINT32_LE(t.X[0], output, 0);
974 PUT_UINT32_LE(t.X[1], output, 4);
975 PUT_UINT32_LE(t.X[2], output, 8);
976 PUT_UINT32_LE(t.X[3], output, 12);
977
978 mbedtls_platform_zeroize(&t, sizeof(t));
979
980 return (0);
981 }
982 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
983
984 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
985 void mbedtls_aes_decrypt(mbedtls_aes_context *ctx,
986 const unsigned char input[16],
987 unsigned char output[16]) {
988 mbedtls_internal_aes_decrypt(ctx, input, output);
989 }
990 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
991
992 /*
993 * AES-ECB block encryption/decryption
994 */
995 int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
996 int mode,
997 const unsigned char input[16],
998 unsigned char output[16]) {
999 AES_VALIDATE_RET(ctx != NULL);
1000 AES_VALIDATE_RET(input != NULL);
1001 AES_VALIDATE_RET(output != NULL);
1002 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1003 mode == MBEDTLS_AES_DECRYPT);
1004
1005 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
1006 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES))
1007 return (mbedtls_aesni_crypt_ecb(ctx, mode, input, output));
1008 #endif
1009
1010 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1011 if (aes_padlock_ace) {
1012 if (mbedtls_padlock_xcryptecb(ctx, mode, input, output) == 0)
1013 return (0);
1014
1015 // If padlock data misaligned, we just fall back to
1016 // unaccelerated mode
1017 //
1018 }
1019 #endif
1020
1021 if (mode == MBEDTLS_AES_ENCRYPT)
1022 return (mbedtls_internal_aes_encrypt(ctx, input, output));
1023 else
1024 return (mbedtls_internal_aes_decrypt(ctx, input, output));
1025 }
1026
1027 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1028 /*
1029 * AES-CBC buffer encryption/decryption
1030 */
1031 int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
1032 int mode,
1033 size_t length,
1034 unsigned char iv[16],
1035 const unsigned char *input,
1036 unsigned char *output) {
1037 int i;
1038 unsigned char temp[16];
1039
1040 AES_VALIDATE_RET(ctx != NULL);
1041 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1042 mode == MBEDTLS_AES_DECRYPT);
1043 AES_VALIDATE_RET(iv != NULL);
1044 AES_VALIDATE_RET(input != NULL);
1045 AES_VALIDATE_RET(output != NULL);
1046
1047 if (length % 16)
1048 return (MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH);
1049
1050 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
1051 if (aes_padlock_ace) {
1052 if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0)
1053 return (0);
1054
1055 // If padlock data misaligned, we just fall back to
1056 // unaccelerated mode
1057 //
1058 }
1059 #endif
1060
1061 if (mode == MBEDTLS_AES_DECRYPT) {
1062 while (length > 0) {
1063 memcpy(temp, input, 16);
1064 mbedtls_aes_crypt_ecb(ctx, mode, input, output);
1065
1066 for (i = 0; i < 16; i++)
1067 output[i] = (unsigned char)(output[i] ^ iv[i]);
1068
1069 memcpy(iv, temp, 16);
1070
1071 input += 16;
1072 output += 16;
1073 length -= 16;
1074 }
1075 } else {
1076 while (length > 0) {
1077 for (i = 0; i < 16; i++)
1078 output[i] = (unsigned char)(input[i] ^ iv[i]);
1079
1080 mbedtls_aes_crypt_ecb(ctx, mode, output, output);
1081 memcpy(iv, output, 16);
1082
1083 input += 16;
1084 output += 16;
1085 length -= 16;
1086 }
1087 }
1088
1089 return (0);
1090 }
1091 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1092
1093 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1094
1095 /* Endianess with 64 bits values */
1096 #ifndef GET_UINT64_LE
1097 #define GET_UINT64_LE(n,b,i) \
1098 { \
1099 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \
1100 | ( (uint64_t) (b)[(i) + 6] << 48 ) \
1101 | ( (uint64_t) (b)[(i) + 5] << 40 ) \
1102 | ( (uint64_t) (b)[(i) + 4] << 32 ) \
1103 | ( (uint64_t) (b)[(i) + 3] << 24 ) \
1104 | ( (uint64_t) (b)[(i) + 2] << 16 ) \
1105 | ( (uint64_t) (b)[(i) + 1] << 8 ) \
1106 | ( (uint64_t) (b)[(i) ] ); \
1107 }
1108 #endif
1109
1110 #ifndef PUT_UINT64_LE
1111 #define PUT_UINT64_LE(n,b,i) \
1112 { \
1113 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \
1114 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \
1115 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \
1116 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \
1117 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \
1118 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \
1119 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \
1120 (b)[(i) ] = (unsigned char) ( (n) ); \
1121 }
1122 #endif
1123
1124 typedef unsigned char mbedtls_be128[16];
1125
1126 /*
1127 * GF(2^128) multiplication function
1128 *
1129 * This function multiplies a field element by x in the polynomial field
1130 * representation. It uses 64-bit word operations to gain speed but compensates
1131 * for machine endianess and hence works correctly on both big and little
1132 * endian machines.
1133 */
1134 static void mbedtls_gf128mul_x_ble(unsigned char r[16],
1135 const unsigned char x[16]) {
1136 uint64_t a, b, ra, rb;
1137
1138 GET_UINT64_LE(a, x, 0);
1139 GET_UINT64_LE(b, x, 8);
1140
1141 ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
1142 rb = (a >> 63) | (b << 1);
1143
1144 PUT_UINT64_LE(ra, r, 0);
1145 PUT_UINT64_LE(rb, r, 8);
1146 }
1147
1148 /*
1149 * AES-XTS buffer encryption/decryption
1150 */
1151 int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
1152 int mode,
1153 size_t length,
1154 const unsigned char data_unit[16],
1155 const unsigned char *input,
1156 unsigned char *output) {
1157 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1158 size_t blocks = length / 16;
1159 size_t leftover = length % 16;
1160 unsigned char tweak[16];
1161 unsigned char prev_tweak[16];
1162 unsigned char tmp[16];
1163
1164 AES_VALIDATE_RET(ctx != NULL);
1165 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1166 mode == MBEDTLS_AES_DECRYPT);
1167 AES_VALIDATE_RET(data_unit != NULL);
1168 AES_VALIDATE_RET(input != NULL);
1169 AES_VALIDATE_RET(output != NULL);
1170
1171 /* Data units must be at least 16 bytes long. */
1172 if (length < 16)
1173 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1174
1175 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1176 if (length > (1 << 20) * 16)
1177 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1178
1179 /* Compute the tweak. */
1180 ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
1181 data_unit, tweak);
1182 if (ret != 0)
1183 return (ret);
1184
1185 while (blocks--) {
1186 size_t i;
1187
1188 if (leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0) {
1189 /* We are on the last block in a decrypt operation that has
1190 * leftover bytes, so we need to use the next tweak for this block,
1191 * and this tweak for the lefover bytes. Save the current tweak for
1192 * the leftovers and then update the current tweak for use on this,
1193 * the last full block. */
1194 memcpy(prev_tweak, tweak, sizeof(tweak));
1195 mbedtls_gf128mul_x_ble(tweak, tweak);
1196 }
1197
1198 for (i = 0; i < 16; i++)
1199 tmp[i] = input[i] ^ tweak[i];
1200
1201 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1202 if (ret != 0)
1203 return (ret);
1204
1205 for (i = 0; i < 16; i++)
1206 output[i] = tmp[i] ^ tweak[i];
1207
1208 /* Update the tweak for the next block. */
1209 mbedtls_gf128mul_x_ble(tweak, tweak);
1210
1211 output += 16;
1212 input += 16;
1213 }
1214
1215 if (leftover) {
1216 /* If we are on the leftover bytes in a decrypt operation, we need to
1217 * use the previous tweak for these bytes (as saved in prev_tweak). */
1218 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1219
1220 /* We are now on the final part of the data unit, which doesn't divide
1221 * evenly by 16. It's time for ciphertext stealing. */
1222 size_t i;
1223 unsigned char *prev_output = output - 16;
1224
1225 /* Copy ciphertext bytes from the previous block to our output for each
1226 * byte of cyphertext we won't steal. At the same time, copy the
1227 * remainder of the input for this final round (since the loop bounds
1228 * are the same). */
1229 for (i = 0; i < leftover; i++) {
1230 output[i] = prev_output[i];
1231 tmp[i] = input[i] ^ t[i];
1232 }
1233
1234 /* Copy ciphertext bytes from the previous block for input in this
1235 * round. */
1236 for (; i < 16; i++)
1237 tmp[i] = prev_output[i] ^ t[i];
1238
1239 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1240 if (ret != 0)
1241 return ret;
1242
1243 /* Write the result back to the previous block, overriding the previous
1244 * output we copied. */
1245 for (i = 0; i < 16; i++)
1246 prev_output[i] = tmp[i] ^ t[i];
1247 }
1248
1249 return (0);
1250 }
1251 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1252
1253 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1254 /*
1255 * AES-CFB128 buffer encryption/decryption
1256 */
1257 int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
1258 int mode,
1259 size_t length,
1260 size_t *iv_off,
1261 unsigned char iv[16],
1262 const unsigned char *input,
1263 unsigned char *output) {
1264 int c;
1265 size_t n;
1266
1267 AES_VALIDATE_RET(ctx != NULL);
1268 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1269 mode == MBEDTLS_AES_DECRYPT);
1270 AES_VALIDATE_RET(iv_off != NULL);
1271 AES_VALIDATE_RET(iv != NULL);
1272 AES_VALIDATE_RET(input != NULL);
1273 AES_VALIDATE_RET(output != NULL);
1274
1275 n = *iv_off;
1276
1277 if (n > 15)
1278 return (MBEDTLS_ERR_AES_BAD_INPUT_DATA);
1279
1280 if (mode == MBEDTLS_AES_DECRYPT) {
1281 while (length--) {
1282 if (n == 0)
1283 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1284
1285 c = *input++;
1286 *output++ = (unsigned char)(c ^ iv[n]);
1287 iv[n] = (unsigned char) c;
1288
1289 n = (n + 1) & 0x0F;
1290 }
1291 } else {
1292 while (length--) {
1293 if (n == 0)
1294 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1295
1296 iv[n] = *output++ = (unsigned char)(iv[n] ^ *input++);
1297
1298 n = (n + 1) & 0x0F;
1299 }
1300 }
1301
1302 *iv_off = n;
1303
1304 return (0);
1305 }
1306
1307 /*
1308 * AES-CFB8 buffer encryption/decryption
1309 */
1310 int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
1311 int mode,
1312 size_t length,
1313 unsigned char iv[16],
1314 const unsigned char *input,
1315 unsigned char *output) {
1316 unsigned char c;
1317 unsigned char ov[17];
1318
1319 AES_VALIDATE_RET(ctx != NULL);
1320 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1321 mode == MBEDTLS_AES_DECRYPT);
1322 AES_VALIDATE_RET(iv != NULL);
1323 AES_VALIDATE_RET(input != NULL);
1324 AES_VALIDATE_RET(output != NULL);
1325 while (length--) {
1326 memcpy(ov, iv, 16);
1327 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1328
1329 if (mode == MBEDTLS_AES_DECRYPT)
1330 ov[16] = *input;
1331
1332 c = *output++ = (unsigned char)(iv[0] ^ *input++);
1333
1334 if (mode == MBEDTLS_AES_ENCRYPT)
1335 ov[16] = c;
1336
1337 memcpy(iv, ov + 1, 16);
1338 }
1339
1340 return (0);
1341 }
1342 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1343
1344 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1345 /*
1346 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1347 */
1348 int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
1349 size_t length,
1350 size_t *iv_off,
1351 unsigned char iv[16],
1352 const unsigned char *input,
1353 unsigned char *output) {
1354 int ret = 0;
1355 size_t n;
1356
1357 AES_VALIDATE_RET(ctx != NULL);
1358 AES_VALIDATE_RET(iv_off != NULL);
1359 AES_VALIDATE_RET(iv != NULL);
1360 AES_VALIDATE_RET(input != NULL);
1361 AES_VALIDATE_RET(output != NULL);
1362
1363 n = *iv_off;
1364
1365 if (n > 15)
1366 return (MBEDTLS_ERR_AES_BAD_INPUT_DATA);
1367
1368 while (length--) {
1369 if (n == 0) {
1370 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1371 if (ret != 0)
1372 goto exit;
1373 }
1374 *output++ = *input++ ^ iv[n];
1375
1376 n = (n + 1) & 0x0F;
1377 }
1378
1379 *iv_off = n;
1380
1381 exit:
1382 return (ret);
1383 }
1384 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1385
1386 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1387 /*
1388 * AES-CTR buffer encryption/decryption
1389 */
1390 int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
1391 size_t length,
1392 size_t *nc_off,
1393 unsigned char nonce_counter[16],
1394 unsigned char stream_block[16],
1395 const unsigned char *input,
1396 unsigned char *output) {
1397 int c, i;
1398 size_t n;
1399
1400 AES_VALIDATE_RET(ctx != NULL);
1401 AES_VALIDATE_RET(nc_off != NULL);
1402 AES_VALIDATE_RET(nonce_counter != NULL);
1403 AES_VALIDATE_RET(stream_block != NULL);
1404 AES_VALIDATE_RET(input != NULL);
1405 AES_VALIDATE_RET(output != NULL);
1406
1407 n = *nc_off;
1408
1409 if (n > 0x0F)
1410 return (MBEDTLS_ERR_AES_BAD_INPUT_DATA);
1411
1412 while (length--) {
1413 if (n == 0) {
1414 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
1415
1416 for (i = 16; i > 0; i--)
1417 if (++nonce_counter[i - 1] != 0)
1418 break;
1419 }
1420 c = *input++;
1421 *output++ = (unsigned char)(c ^ stream_block[n]);
1422
1423 n = (n + 1) & 0x0F;
1424 }
1425
1426 *nc_off = n;
1427
1428 return (0);
1429 }
1430 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1431
1432 #endif /* !MBEDTLS_AES_ALT */
1433
1434 #if defined(MBEDTLS_SELF_TEST)
1435 /*
1436 * AES test vectors from:
1437 *
1438 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1439 */
1440 static const unsigned char aes_test_ecb_dec[3][16] = {
1441 {
1442 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1443 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0
1444 },
1445 {
1446 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1447 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4
1448 },
1449 {
1450 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1451 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE
1452 }
1453 };
1454
1455 static const unsigned char aes_test_ecb_enc[3][16] = {
1456 {
1457 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1458 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F
1459 },
1460 {
1461 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1462 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14
1463 },
1464 {
1465 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1466 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4
1467 }
1468 };
1469
1470 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1471 static const unsigned char aes_test_cbc_dec[3][16] = {
1472 {
1473 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1474 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86
1475 },
1476 {
1477 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1478 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B
1479 },
1480 {
1481 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1482 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13
1483 }
1484 };
1485
1486 static const unsigned char aes_test_cbc_enc[3][16] = {
1487 {
1488 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1489 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D
1490 },
1491 {
1492 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1493 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04
1494 },
1495 {
1496 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1497 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0
1498 }
1499 };
1500 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1501
1502 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1503 /*
1504 * AES-CFB128 test vectors from:
1505 *
1506 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1507 */
1508 static const unsigned char aes_test_cfb128_key[3][32] = {
1509 {
1510 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1511 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C
1512 },
1513 {
1514 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1515 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1516 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B
1517 },
1518 {
1519 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1520 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1521 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1522 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4
1523 }
1524 };
1525
1526 static const unsigned char aes_test_cfb128_iv[16] = {
1527 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1528 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1529 };
1530
1531 static const unsigned char aes_test_cfb128_pt[64] = {
1532 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1533 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1534 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1535 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1536 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1537 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1538 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1539 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1540 };
1541
1542 static const unsigned char aes_test_cfb128_ct[3][64] = {
1543 {
1544 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1545 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1546 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1547 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1548 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1549 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1550 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1551 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6
1552 },
1553 {
1554 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1555 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1556 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1557 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1558 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1559 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1560 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1561 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF
1562 },
1563 {
1564 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1565 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1566 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1567 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1568 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1569 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1570 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1571 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71
1572 }
1573 };
1574 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1575
1576 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1577 /*
1578 * AES-OFB test vectors from:
1579 *
1580 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1581 */
1582 static const unsigned char aes_test_ofb_key[3][32] = {
1583 {
1584 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1585 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C
1586 },
1587 {
1588 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1589 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1590 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B
1591 },
1592 {
1593 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1594 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1595 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1596 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4
1597 }
1598 };
1599
1600 static const unsigned char aes_test_ofb_iv[16] = {
1601 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1602 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1603 };
1604
1605 static const unsigned char aes_test_ofb_pt[64] = {
1606 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1607 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1608 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1609 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1610 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1611 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1612 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1613 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1614 };
1615
1616 static const unsigned char aes_test_ofb_ct[3][64] = {
1617 {
1618 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1619 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1620 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1621 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1622 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1623 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1624 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1625 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e
1626 },
1627 {
1628 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1629 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1630 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1631 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1632 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1633 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1634 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1635 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a
1636 },
1637 {
1638 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1639 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1640 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1641 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1642 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1643 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1644 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1645 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84
1646 }
1647 };
1648 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1649
1650 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1651 /*
1652 * AES-CTR test vectors from:
1653 *
1654 * http://www.faqs.org/rfcs/rfc3686.html
1655 */
1656
1657 static const unsigned char aes_test_ctr_key[3][16] = {
1658 {
1659 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1660 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E
1661 },
1662 {
1663 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1664 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63
1665 },
1666 {
1667 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1668 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC
1669 }
1670 };
1671
1672 static const unsigned char aes_test_ctr_nonce_counter[3][16] = {
1673 {
1674 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1675 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
1676 },
1677 {
1678 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1679 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01
1680 },
1681 {
1682 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1683 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01
1684 }
1685 };
1686
1687 static const unsigned char aes_test_ctr_pt[3][48] = {
1688 {
1689 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1690 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67
1691 },
1692
1693 {
1694 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1695 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1696 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1697 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
1698 },
1699
1700 {
1701 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1702 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1703 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1704 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1705 0x20, 0x21, 0x22, 0x23
1706 }
1707 };
1708
1709 static const unsigned char aes_test_ctr_ct[3][48] = {
1710 {
1711 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1712 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8
1713 },
1714 {
1715 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1716 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1717 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1718 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28
1719 },
1720 {
1721 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1722 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1723 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1724 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1725 0x25, 0xB2, 0x07, 0x2F
1726 }
1727 };
1728
1729 static const int aes_test_ctr_len[3] =
1730 { 16, 32, 36 };
1731 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1732
1733 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1734 /*
1735 * AES-XTS test vectors from:
1736 *
1737 * IEEE P1619/D16 Annex B
1738 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1739 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1740 */
1741 static const unsigned char aes_test_xts_key[][32] = {
1742 {
1743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1745 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1746 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
1747 },
1748 {
1749 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1750 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1751 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1752 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22
1753 },
1754 {
1755 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1756 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1757 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1758 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22
1759 },
1760 };
1761
1762 static const unsigned char aes_test_xts_pt32[][32] = {
1763 {
1764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1765 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
1768 },
1769 {
1770 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1771 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1772 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1773 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44
1774 },
1775 {
1776 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1777 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1778 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1779 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44
1780 },
1781 };
1782
1783 static const unsigned char aes_test_xts_ct32[][32] = {
1784 {
1785 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1786 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1787 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1788 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e
1789 },
1790 {
1791 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1792 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1793 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1794 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0
1795 },
1796 {
1797 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1798 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1799 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1800 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89
1801 },
1802 };
1803
1804 static const unsigned char aes_test_xts_data_unit[][16] = {
1805 {
1806 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
1808 },
1809 {
1810 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1811 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
1812 },
1813 {
1814 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
1816 },
1817 };
1818
1819 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1820
1821 /*
1822 * Checkup routine
1823 */
1824 int mbedtls_aes_self_test(int verbose) {
1825 int ret = 0, i, j, u, mode;
1826 unsigned int keybits;
1827 unsigned char key[32];
1828 unsigned char buf[64];
1829 const unsigned char *aes_tests;
1830 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB)
1831 unsigned char iv[16];
1832 #endif
1833 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1834 unsigned char prv[16];
1835 #endif
1836 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1837 defined(MBEDTLS_CIPHER_MODE_OFB)
1838 size_t offset;
1839 #endif
1840 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1841 int len;
1842 #endif
1843 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1844 unsigned char nonce_counter[16];
1845 unsigned char stream_block[16];
1846 #endif
1847 mbedtls_aes_context ctx;
1848
1849 memset(key, 0, 32);
1850 mbedtls_aes_init(&ctx);
1851
1852 /*
1853 * ECB mode
1854 */
1855 for (i = 0; i < 6; i++) {
1856 u = i >> 1;
1857 keybits = 128 + u * 64;
1858 mode = i & 1;
1859
1860 if (verbose != 0)
1861 mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
1862 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1863
1864 memset(buf, 0, 16);
1865
1866 if (mode == MBEDTLS_AES_DECRYPT) {
1867 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1868 aes_tests = aes_test_ecb_dec[u];
1869 } else {
1870 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1871 aes_tests = aes_test_ecb_enc[u];
1872 }
1873
1874 /*
1875 * AES-192 is an optional feature that may be unavailable when
1876 * there is an alternative underlying implementation i.e. when
1877 * MBEDTLS_AES_ALT is defined.
1878 */
1879 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1880 mbedtls_printf("skipped\n");
1881 continue;
1882 } else if (ret != 0) {
1883 goto exit;
1884 }
1885
1886 for (j = 0; j < 10000; j++) {
1887 ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
1888 if (ret != 0)
1889 goto exit;
1890 }
1891
1892 if (memcmp(buf, aes_tests, 16) != 0) {
1893 ret = 1;
1894 goto exit;
1895 }
1896
1897 if (verbose != 0)
1898 mbedtls_printf("passed\n");
1899 }
1900
1901 if (verbose != 0)
1902 mbedtls_printf("\n");
1903
1904 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1905 /*
1906 * CBC mode
1907 */
1908 for (i = 0; i < 6; i++) {
1909 u = i >> 1;
1910 keybits = 128 + u * 64;
1911 mode = i & 1;
1912
1913 if (verbose != 0)
1914 mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
1915 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1916
1917 memset(iv, 0, 16);
1918 memset(prv, 0, 16);
1919 memset(buf, 0, 16);
1920
1921 if (mode == MBEDTLS_AES_DECRYPT) {
1922 ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1923 aes_tests = aes_test_cbc_dec[u];
1924 } else {
1925 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1926 aes_tests = aes_test_cbc_enc[u];
1927 }
1928
1929 /*
1930 * AES-192 is an optional feature that may be unavailable when
1931 * there is an alternative underlying implementation i.e. when
1932 * MBEDTLS_AES_ALT is defined.
1933 */
1934 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1935 mbedtls_printf("skipped\n");
1936 continue;
1937 } else if (ret != 0) {
1938 goto exit;
1939 }
1940
1941 for (j = 0; j < 10000; j++) {
1942 if (mode == MBEDTLS_AES_ENCRYPT) {
1943 unsigned char tmp[16];
1944
1945 memcpy(tmp, prv, 16);
1946 memcpy(prv, buf, 16);
1947 memcpy(buf, tmp, 16);
1948 }
1949
1950 ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
1951 if (ret != 0)
1952 goto exit;
1953
1954 }
1955
1956 if (memcmp(buf, aes_tests, 16) != 0) {
1957 ret = 1;
1958 goto exit;
1959 }
1960
1961 if (verbose != 0)
1962 mbedtls_printf("passed\n");
1963 }
1964
1965 if (verbose != 0)
1966 mbedtls_printf("\n");
1967 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1968
1969 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1970 /*
1971 * CFB128 mode
1972 */
1973 for (i = 0; i < 6; i++) {
1974 u = i >> 1;
1975 keybits = 128 + u * 64;
1976 mode = i & 1;
1977
1978 if (verbose != 0)
1979 mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
1980 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1981
1982 memcpy(iv, aes_test_cfb128_iv, 16);
1983 memcpy(key, aes_test_cfb128_key[u], keybits / 8);
1984
1985 offset = 0;
1986 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1987 /*
1988 * AES-192 is an optional feature that may be unavailable when
1989 * there is an alternative underlying implementation i.e. when
1990 * MBEDTLS_AES_ALT is defined.
1991 */
1992 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1993 mbedtls_printf("skipped\n");
1994 continue;
1995 } else if (ret != 0) {
1996 goto exit;
1997 }
1998
1999 if (mode == MBEDTLS_AES_DECRYPT) {
2000 memcpy(buf, aes_test_cfb128_ct[u], 64);
2001 aes_tests = aes_test_cfb128_pt;
2002 } else {
2003 memcpy(buf, aes_test_cfb128_pt, 64);
2004 aes_tests = aes_test_cfb128_ct[u];
2005 }
2006
2007 ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
2008 if (ret != 0)
2009 goto exit;
2010
2011 if (memcmp(buf, aes_tests, 64) != 0) {
2012 ret = 1;
2013 goto exit;
2014 }
2015
2016 if (verbose != 0)
2017 mbedtls_printf("passed\n");
2018 }
2019
2020 if (verbose != 0)
2021 mbedtls_printf("\n");
2022 #endif /* MBEDTLS_CIPHER_MODE_CFB */
2023
2024 #if defined(MBEDTLS_CIPHER_MODE_OFB)
2025 /*
2026 * OFB mode
2027 */
2028 for (i = 0; i < 6; i++) {
2029 u = i >> 1;
2030 keybits = 128 + u * 64;
2031 mode = i & 1;
2032
2033 if (verbose != 0)
2034 mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
2035 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2036
2037 memcpy(iv, aes_test_ofb_iv, 16);
2038 memcpy(key, aes_test_ofb_key[u], keybits / 8);
2039
2040 offset = 0;
2041 ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2042 /*
2043 * AES-192 is an optional feature that may be unavailable when
2044 * there is an alternative underlying implementation i.e. when
2045 * MBEDTLS_AES_ALT is defined.
2046 */
2047 if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2048 mbedtls_printf("skipped\n");
2049 continue;
2050 } else if (ret != 0) {
2051 goto exit;
2052 }
2053
2054 if (mode == MBEDTLS_AES_DECRYPT) {
2055 memcpy(buf, aes_test_ofb_ct[u], 64);
2056 aes_tests = aes_test_ofb_pt;
2057 } else {
2058 memcpy(buf, aes_test_ofb_pt, 64);
2059 aes_tests = aes_test_ofb_ct[u];
2060 }
2061
2062 ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
2063 if (ret != 0)
2064 goto exit;
2065
2066 if (memcmp(buf, aes_tests, 64) != 0) {
2067 ret = 1;
2068 goto exit;
2069 }
2070
2071 if (verbose != 0)
2072 mbedtls_printf("passed\n");
2073 }
2074
2075 if (verbose != 0)
2076 mbedtls_printf("\n");
2077 #endif /* MBEDTLS_CIPHER_MODE_OFB */
2078
2079 #if defined(MBEDTLS_CIPHER_MODE_CTR)
2080 /*
2081 * CTR mode
2082 */
2083 for (i = 0; i < 6; i++) {
2084 u = i >> 1;
2085 mode = i & 1;
2086
2087 if (verbose != 0)
2088 mbedtls_printf(" AES-CTR-128 (%s): ",
2089 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2090
2091 memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
2092 memcpy(key, aes_test_ctr_key[u], 16);
2093
2094 offset = 0;
2095 if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0)
2096 goto exit;
2097
2098 len = aes_test_ctr_len[u];
2099
2100 if (mode == MBEDTLS_AES_DECRYPT) {
2101 memcpy(buf, aes_test_ctr_ct[u], len);
2102 aes_tests = aes_test_ctr_pt[u];
2103 } else {
2104 memcpy(buf, aes_test_ctr_pt[u], len);
2105 aes_tests = aes_test_ctr_ct[u];
2106 }
2107
2108 ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
2109 stream_block, buf, buf);
2110 if (ret != 0)
2111 goto exit;
2112
2113 if (memcmp(buf, aes_tests, len) != 0) {
2114 ret = 1;
2115 goto exit;
2116 }
2117
2118 if (verbose != 0)
2119 mbedtls_printf("passed\n");
2120 }
2121
2122 if (verbose != 0)
2123 mbedtls_printf("\n");
2124 #endif /* MBEDTLS_CIPHER_MODE_CTR */
2125
2126 #if defined(MBEDTLS_CIPHER_MODE_XTS)
2127 {
2128 static const int num_tests =
2129 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2130 mbedtls_aes_xts_context ctx_xts;
2131
2132 /*
2133 * XTS mode
2134 */
2135 mbedtls_aes_xts_init(&ctx_xts);
2136
2137 for (i = 0; i < num_tests << 1; i++) {
2138 const unsigned char *data_unit;
2139 u = i >> 1;
2140 mode = i & 1;
2141
2142 if (verbose != 0)
2143 mbedtls_printf(" AES-XTS-128 (%s): ",
2144 (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2145
2146 memset(key, 0, sizeof(key));
2147 memcpy(key, aes_test_xts_key[u], 32);
2148 data_unit = aes_test_xts_data_unit[u];
2149
2150 len = sizeof(*aes_test_xts_ct32);
2151
2152 if (mode == MBEDTLS_AES_DECRYPT) {
2153 ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
2154 if (ret != 0)
2155 goto exit;
2156 memcpy(buf, aes_test_xts_ct32[u], len);
2157 aes_tests = aes_test_xts_pt32[u];
2158 } else {
2159 ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
2160 if (ret != 0)
2161 goto exit;
2162 memcpy(buf, aes_test_xts_pt32[u], len);
2163 aes_tests = aes_test_xts_ct32[u];
2164 }
2165
2166
2167 ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
2168 buf, buf);
2169 if (ret != 0)
2170 goto exit;
2171
2172 if (memcmp(buf, aes_tests, len) != 0) {
2173 ret = 1;
2174 goto exit;
2175 }
2176
2177 if (verbose != 0)
2178 mbedtls_printf("passed\n");
2179 }
2180
2181 if (verbose != 0)
2182 mbedtls_printf("\n");
2183
2184 mbedtls_aes_xts_free(&ctx_xts);
2185 }
2186 #endif /* MBEDTLS_CIPHER_MODE_XTS */
2187
2188 ret = 0;
2189
2190 exit:
2191 if (ret != 0 && verbose != 0)
2192 mbedtls_printf("failed\n");
2193
2194 mbedtls_aes_free(&ctx);
2195
2196 return (ret);
2197 }
2198
2199 #endif /* MBEDTLS_SELF_TEST */
2200
2201 #endif /* MBEDTLS_AES_C */
Proxmark3 - the RFID research Swiss army knife. Iceman firmware