/src/mbedtls/library/aes.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * FIPS-197 compliant AES implementation |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 |
6 | | * |
7 | | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
8 | | * not use this file except in compliance with the License. |
9 | | * You may obtain a copy of the License at |
10 | | * |
11 | | * http://www.apache.org/licenses/LICENSE-2.0 |
12 | | * |
13 | | * Unless required by applicable law or agreed to in writing, software |
14 | | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
15 | | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
16 | | * See the License for the specific language governing permissions and |
17 | | * limitations under the License. |
18 | | */ |
19 | | /* |
20 | | * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. |
21 | | * |
22 | | * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf |
23 | | * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf |
24 | | */ |
25 | | |
26 | | #include "common.h" |
27 | | |
28 | | #if defined(MBEDTLS_AES_C) |
29 | | |
30 | | #include <string.h> |
31 | | |
32 | | #include "mbedtls/aes.h" |
33 | | #include "mbedtls/platform.h" |
34 | | #include "mbedtls/platform_util.h" |
35 | | #include "mbedtls/error.h" |
36 | | #if defined(MBEDTLS_PADLOCK_C) |
37 | | #include "padlock.h" |
38 | | #endif |
39 | | #if defined(MBEDTLS_AESNI_C) |
40 | | #include "aesni.h" |
41 | | #endif |
42 | | |
43 | | #include "mbedtls/platform.h" |
44 | | |
45 | | #if !defined(MBEDTLS_AES_ALT) |
46 | | |
47 | | #if defined(MBEDTLS_PADLOCK_C) && \ |
48 | | (defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16)) |
49 | | static int aes_padlock_ace = -1; |
50 | | #endif |
51 | | |
52 | | #if defined(MBEDTLS_AES_ROM_TABLES) |
53 | | /* |
54 | | * Forward S-box |
55 | | */ |
56 | | static const unsigned char FSb[256] = |
57 | | { |
58 | | 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, |
59 | | 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, |
60 | | 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, |
61 | | 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, |
62 | | 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, |
63 | | 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, |
64 | | 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, |
65 | | 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, |
66 | | 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, |
67 | | 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, |
68 | | 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, |
69 | | 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, |
70 | | 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, |
71 | | 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, |
72 | | 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, |
73 | | 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, |
74 | | 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, |
75 | | 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, |
76 | | 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, |
77 | | 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, |
78 | | 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, |
79 | | 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, |
80 | | 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, |
81 | | 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, |
82 | | 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, |
83 | | 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, |
84 | | 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, |
85 | | 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, |
86 | | 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, |
87 | | 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, |
88 | | 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, |
89 | | 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 |
90 | | }; |
91 | | |
92 | | /* |
93 | | * Forward tables |
94 | | */ |
95 | | #define FT \ |
96 | | \ |
97 | | V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \ |
98 | | V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \ |
99 | | V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \ |
100 | | V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \ |
101 | | V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \ |
102 | | V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \ |
103 | | V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \ |
104 | | V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \ |
105 | | V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \ |
106 | | V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \ |
107 | | V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \ |
108 | | V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \ |
109 | | V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \ |
110 | | V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \ |
111 | | V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \ |
112 | | V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \ |
113 | | V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \ |
114 | | V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \ |
115 | | V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \ |
116 | | V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \ |
117 | | V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \ |
118 | | V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \ |
119 | | V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \ |
120 | | V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \ |
121 | | V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \ |
122 | | V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \ |
123 | | V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \ |
124 | | V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \ |
125 | | V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \ |
126 | | V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \ |
127 | | V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \ |
128 | | V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \ |
129 | | V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \ |
130 | | V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \ |
131 | | V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \ |
132 | | V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \ |
133 | | V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \ |
134 | | V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \ |
135 | | V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \ |
136 | | V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \ |
137 | | V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \ |
138 | | V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \ |
139 | | V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \ |
140 | | V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \ |
141 | | V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \ |
142 | | V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \ |
143 | | V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \ |
144 | | V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \ |
145 | | V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \ |
146 | | V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \ |
147 | | V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \ |
148 | | V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \ |
149 | | V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \ |
150 | | V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \ |
151 | | V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \ |
152 | | V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \ |
153 | | V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \ |
154 | | V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \ |
155 | | V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \ |
156 | | V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \ |
157 | | V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \ |
158 | | V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \ |
159 | | V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \ |
160 | | V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C) |
161 | | |
162 | | #define V(a, b, c, d) 0x##a##b##c##d |
163 | | static const uint32_t FT0[256] = { FT }; |
164 | | #undef V |
165 | | |
166 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
167 | | |
168 | | #define V(a, b, c, d) 0x##b##c##d##a |
169 | | static const uint32_t FT1[256] = { FT }; |
170 | | #undef V |
171 | | |
172 | | #define V(a, b, c, d) 0x##c##d##a##b |
173 | | static const uint32_t FT2[256] = { FT }; |
174 | | #undef V |
175 | | |
176 | | #define V(a, b, c, d) 0x##d##a##b##c |
177 | | static const uint32_t FT3[256] = { FT }; |
178 | | #undef V |
179 | | |
180 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
181 | | |
182 | | #undef FT |
183 | | |
184 | | /* |
185 | | * Reverse S-box |
186 | | */ |
187 | | static const unsigned char RSb[256] = |
188 | | { |
189 | | 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, |
190 | | 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, |
191 | | 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, |
192 | | 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, |
193 | | 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, |
194 | | 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, |
195 | | 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, |
196 | | 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, |
197 | | 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, |
198 | | 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, |
199 | | 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, |
200 | | 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, |
201 | | 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, |
202 | | 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, |
203 | | 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, |
204 | | 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, |
205 | | 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, |
206 | | 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, |
207 | | 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, |
208 | | 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, |
209 | | 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, |
210 | | 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, |
211 | | 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, |
212 | | 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, |
213 | | 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, |
214 | | 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, |
215 | | 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, |
216 | | 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, |
217 | | 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, |
218 | | 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, |
219 | | 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, |
220 | | 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D |
221 | | }; |
222 | | |
223 | | /* |
224 | | * Reverse tables |
225 | | */ |
226 | | #define RT \ |
227 | | \ |
228 | | V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \ |
229 | | V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \ |
230 | | V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \ |
231 | | V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \ |
232 | | V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \ |
233 | | V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \ |
234 | | V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \ |
235 | | V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \ |
236 | | V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \ |
237 | | V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \ |
238 | | V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \ |
239 | | V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \ |
240 | | V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \ |
241 | | V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \ |
242 | | V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \ |
243 | | V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \ |
244 | | V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \ |
245 | | V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \ |
246 | | V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \ |
247 | | V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \ |
248 | | V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \ |
249 | | V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \ |
250 | | V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \ |
251 | | V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \ |
252 | | V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \ |
253 | | V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \ |
254 | | V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \ |
255 | | V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \ |
256 | | V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \ |
257 | | V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \ |
258 | | V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \ |
259 | | V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \ |
260 | | V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \ |
261 | | V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \ |
262 | | V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \ |
263 | | V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \ |
264 | | V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \ |
265 | | V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \ |
266 | | V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \ |
267 | | V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \ |
268 | | V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \ |
269 | | V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \ |
270 | | V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \ |
271 | | V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \ |
272 | | V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \ |
273 | | V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \ |
274 | | V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \ |
275 | | V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \ |
276 | | V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \ |
277 | | V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \ |
278 | | V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \ |
279 | | V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \ |
280 | | V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \ |
281 | | V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \ |
282 | | V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \ |
283 | | V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \ |
284 | | V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \ |
285 | | V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \ |
286 | | V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \ |
287 | | V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \ |
288 | | V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \ |
289 | | V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \ |
290 | | V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \ |
291 | | V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0) |
292 | | |
293 | | #define V(a, b, c, d) 0x##a##b##c##d |
294 | | static const uint32_t RT0[256] = { RT }; |
295 | | #undef V |
296 | | |
297 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
298 | | |
299 | | #define V(a, b, c, d) 0x##b##c##d##a |
300 | | static const uint32_t RT1[256] = { RT }; |
301 | | #undef V |
302 | | |
303 | | #define V(a, b, c, d) 0x##c##d##a##b |
304 | | static const uint32_t RT2[256] = { RT }; |
305 | | #undef V |
306 | | |
307 | | #define V(a, b, c, d) 0x##d##a##b##c |
308 | | static const uint32_t RT3[256] = { RT }; |
309 | | #undef V |
310 | | |
311 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
312 | | |
313 | | #undef RT |
314 | | |
315 | | /* |
316 | | * Round constants |
317 | | */ |
318 | | static const uint32_t RCON[10] = |
319 | | { |
320 | | 0x00000001, 0x00000002, 0x00000004, 0x00000008, |
321 | | 0x00000010, 0x00000020, 0x00000040, 0x00000080, |
322 | | 0x0000001B, 0x00000036 |
323 | | }; |
324 | | |
325 | | #else /* MBEDTLS_AES_ROM_TABLES */ |
326 | | |
327 | | /* |
328 | | * Forward S-box & tables |
329 | | */ |
330 | | static unsigned char FSb[256]; |
331 | | static uint32_t FT0[256]; |
332 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
333 | | static uint32_t FT1[256]; |
334 | | static uint32_t FT2[256]; |
335 | | static uint32_t FT3[256]; |
336 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
337 | | |
338 | | /* |
339 | | * Reverse S-box & tables |
340 | | */ |
341 | | static unsigned char RSb[256]; |
342 | | static uint32_t RT0[256]; |
343 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
344 | | static uint32_t RT1[256]; |
345 | | static uint32_t RT2[256]; |
346 | | static uint32_t RT3[256]; |
347 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
348 | | |
349 | | /* |
350 | | * Round constants |
351 | | */ |
352 | | static uint32_t RCON[10]; |
353 | | |
354 | | /* |
355 | | * Tables generation code |
356 | | */ |
357 | 2.77M | #define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24) |
358 | | #define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00)) |
359 | 1.85M | #define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0) |
360 | | |
361 | | static int aes_init_done = 0; |
362 | | |
363 | | static void aes_gen_tables(void) |
364 | 1.80k | { |
365 | 1.80k | int i, x, y, z; |
366 | 1.80k | int pow[256]; |
367 | 1.80k | int log[256]; |
368 | | |
369 | | /* |
370 | | * compute pow and log tables over GF(2^8) |
371 | | */ |
372 | 464k | for (i = 0, x = 1; i < 256; i++) { |
373 | 463k | pow[i] = x; |
374 | 463k | log[x] = i; |
375 | 463k | x = MBEDTLS_BYTE_0(x ^ XTIME(x)); |
376 | 463k | } |
377 | | |
378 | | /* |
379 | | * calculate the round constants |
380 | | */ |
381 | 19.8k | for (i = 0, x = 1; i < 10; i++) { |
382 | 18.0k | RCON[i] = (uint32_t) x; |
383 | 18.0k | x = MBEDTLS_BYTE_0(XTIME(x)); |
384 | 18.0k | } |
385 | | |
386 | | /* |
387 | | * generate the forward and reverse S-boxes |
388 | | */ |
389 | 1.80k | FSb[0x00] = 0x63; |
390 | 1.80k | RSb[0x63] = 0x00; |
391 | | |
392 | 463k | for (i = 1; i < 256; i++) { |
393 | 461k | x = pow[255 - log[i]]; |
394 | | |
395 | 461k | y = x; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); |
396 | 461k | x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); |
397 | 461k | x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); |
398 | 461k | x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); |
399 | 461k | x ^= y ^ 0x63; |
400 | | |
401 | 461k | FSb[i] = (unsigned char) x; |
402 | 461k | RSb[x] = (unsigned char) i; |
403 | 461k | } |
404 | | |
405 | | /* |
406 | | * generate the forward and reverse tables |
407 | | */ |
408 | 464k | for (i = 0; i < 256; i++) { |
409 | 463k | x = FSb[i]; |
410 | 463k | y = MBEDTLS_BYTE_0(XTIME(x)); |
411 | 463k | z = MBEDTLS_BYTE_0(y ^ x); |
412 | | |
413 | 463k | FT0[i] = ((uint32_t) y) ^ |
414 | 463k | ((uint32_t) x << 8) ^ |
415 | 463k | ((uint32_t) x << 16) ^ |
416 | 463k | ((uint32_t) z << 24); |
417 | | |
418 | 463k | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
419 | 463k | FT1[i] = ROTL8(FT0[i]); |
420 | 463k | FT2[i] = ROTL8(FT1[i]); |
421 | 463k | FT3[i] = ROTL8(FT2[i]); |
422 | 463k | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
423 | | |
424 | 463k | x = RSb[i]; |
425 | | |
426 | 463k | RT0[i] = ((uint32_t) MUL(0x0E, x)) ^ |
427 | 463k | ((uint32_t) MUL(0x09, x) << 8) ^ |
428 | 463k | ((uint32_t) MUL(0x0D, x) << 16) ^ |
429 | 463k | ((uint32_t) MUL(0x0B, x) << 24); |
430 | | |
431 | 463k | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
432 | 463k | RT1[i] = ROTL8(RT0[i]); |
433 | 463k | RT2[i] = ROTL8(RT1[i]); |
434 | 463k | RT3[i] = ROTL8(RT2[i]); |
435 | 463k | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
436 | 463k | } |
437 | 1.80k | } |
438 | | |
439 | | #undef ROTL8 |
440 | | |
441 | | #endif /* MBEDTLS_AES_ROM_TABLES */ |
442 | | |
443 | | #if defined(MBEDTLS_AES_FEWER_TABLES) |
444 | | |
445 | | #define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24)) |
446 | | #define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16)) |
447 | | #define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8)) |
448 | | |
449 | | #define AES_RT0(idx) RT0[idx] |
450 | | #define AES_RT1(idx) ROTL8(RT0[idx]) |
451 | | #define AES_RT2(idx) ROTL16(RT0[idx]) |
452 | | #define AES_RT3(idx) ROTL24(RT0[idx]) |
453 | | |
454 | | #define AES_FT0(idx) FT0[idx] |
455 | | #define AES_FT1(idx) ROTL8(FT0[idx]) |
456 | | #define AES_FT2(idx) ROTL16(FT0[idx]) |
457 | | #define AES_FT3(idx) ROTL24(FT0[idx]) |
458 | | |
459 | | #else /* MBEDTLS_AES_FEWER_TABLES */ |
460 | | |
461 | 0 | #define AES_RT0(idx) RT0[idx] |
462 | 0 | #define AES_RT1(idx) RT1[idx] |
463 | 0 | #define AES_RT2(idx) RT2[idx] |
464 | 0 | #define AES_RT3(idx) RT3[idx] |
465 | | |
466 | 0 | #define AES_FT0(idx) FT0[idx] |
467 | 0 | #define AES_FT1(idx) FT1[idx] |
468 | 0 | #define AES_FT2(idx) FT2[idx] |
469 | 0 | #define AES_FT3(idx) FT3[idx] |
470 | | |
471 | | #endif /* MBEDTLS_AES_FEWER_TABLES */ |
472 | | |
473 | | void mbedtls_aes_init(mbedtls_aes_context *ctx) |
474 | 56.6k | { |
475 | 56.6k | memset(ctx, 0, sizeof(mbedtls_aes_context)); |
476 | 56.6k | } |
477 | | |
478 | | void mbedtls_aes_free(mbedtls_aes_context *ctx) |
479 | 56.6k | { |
480 | 56.6k | if (ctx == NULL) { |
481 | 0 | return; |
482 | 0 | } |
483 | | |
484 | 56.6k | mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context)); |
485 | 56.6k | } |
486 | | |
487 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
488 | | void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx) |
489 | 0 | { |
490 | 0 | mbedtls_aes_init(&ctx->crypt); |
491 | 0 | mbedtls_aes_init(&ctx->tweak); |
492 | 0 | } |
493 | | |
494 | | void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx) |
495 | 0 | { |
496 | 0 | if (ctx == NULL) { |
497 | 0 | return; |
498 | 0 | } |
499 | | |
500 | 0 | mbedtls_aes_free(&ctx->crypt); |
501 | 0 | mbedtls_aes_free(&ctx->tweak); |
502 | 0 | } |
503 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
504 | | |
505 | | /* |
506 | | * AES key schedule (encryption) |
507 | | */ |
508 | | #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) |
509 | | int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, |
510 | | unsigned int keybits) |
511 | 141k | { |
512 | 141k | unsigned int i; |
513 | 141k | uint32_t *RK; |
514 | | |
515 | 141k | switch (keybits) { |
516 | 0 | case 128: ctx->nr = 10; break; |
517 | 0 | case 192: ctx->nr = 12; break; |
518 | 141k | case 256: ctx->nr = 14; break; |
519 | 0 | default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; |
520 | 141k | } |
521 | | |
522 | 141k | #if !defined(MBEDTLS_AES_ROM_TABLES) |
523 | 141k | if (aes_init_done == 0) { |
524 | 1.80k | aes_gen_tables(); |
525 | 1.80k | aes_init_done = 1; |
526 | 1.80k | } |
527 | 141k | #endif |
528 | | |
529 | 141k | ctx->rk_offset = 0; |
530 | | #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) |
531 | | if (aes_padlock_ace == -1) { |
532 | | aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE); |
533 | | } |
534 | | |
535 | | if (aes_padlock_ace) { |
536 | | ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16(ctx->buf) - ctx->buf; |
537 | | } |
538 | | #endif |
539 | 141k | RK = ctx->buf + ctx->rk_offset; |
540 | | |
541 | 141k | #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) |
542 | 141k | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
543 | 141k | return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits); |
544 | 141k | } |
545 | 0 | #endif |
546 | | |
547 | 0 | for (i = 0; i < (keybits >> 5); i++) { |
548 | 0 | RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); |
549 | 0 | } |
550 | |
|
551 | 0 | switch (ctx->nr) { |
552 | 0 | case 10: |
553 | |
|
554 | 0 | for (i = 0; i < 10; i++, RK += 4) { |
555 | 0 | RK[4] = RK[0] ^ RCON[i] ^ |
556 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^ |
557 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^ |
558 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^ |
559 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24); |
560 | |
|
561 | 0 | RK[5] = RK[1] ^ RK[4]; |
562 | 0 | RK[6] = RK[2] ^ RK[5]; |
563 | 0 | RK[7] = RK[3] ^ RK[6]; |
564 | 0 | } |
565 | 0 | break; |
566 | | |
567 | 0 | case 12: |
568 | |
|
569 | 0 | for (i = 0; i < 8; i++, RK += 6) { |
570 | 0 | RK[6] = RK[0] ^ RCON[i] ^ |
571 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^ |
572 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^ |
573 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^ |
574 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24); |
575 | |
|
576 | 0 | RK[7] = RK[1] ^ RK[6]; |
577 | 0 | RK[8] = RK[2] ^ RK[7]; |
578 | 0 | RK[9] = RK[3] ^ RK[8]; |
579 | 0 | RK[10] = RK[4] ^ RK[9]; |
580 | 0 | RK[11] = RK[5] ^ RK[10]; |
581 | 0 | } |
582 | 0 | break; |
583 | | |
584 | 0 | case 14: |
585 | |
|
586 | 0 | for (i = 0; i < 7; i++, RK += 8) { |
587 | 0 | RK[8] = RK[0] ^ RCON[i] ^ |
588 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^ |
589 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^ |
590 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^ |
591 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24); |
592 | |
|
593 | 0 | RK[9] = RK[1] ^ RK[8]; |
594 | 0 | RK[10] = RK[2] ^ RK[9]; |
595 | 0 | RK[11] = RK[3] ^ RK[10]; |
596 | |
|
597 | 0 | RK[12] = RK[4] ^ |
598 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^ |
599 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^ |
600 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^ |
601 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24); |
602 | |
|
603 | 0 | RK[13] = RK[5] ^ RK[12]; |
604 | 0 | RK[14] = RK[6] ^ RK[13]; |
605 | 0 | RK[15] = RK[7] ^ RK[14]; |
606 | 0 | } |
607 | 0 | break; |
608 | 0 | } |
609 | | |
610 | 0 | return 0; |
611 | 0 | } |
612 | | #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ |
613 | | |
614 | | /* |
615 | | * AES key schedule (decryption) |
616 | | */ |
617 | | #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) |
618 | | int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, |
619 | | unsigned int keybits) |
620 | 0 | { |
621 | 0 | int i, j, ret; |
622 | 0 | mbedtls_aes_context cty; |
623 | 0 | uint32_t *RK; |
624 | 0 | uint32_t *SK; |
625 | |
|
626 | 0 | mbedtls_aes_init(&cty); |
627 | |
|
628 | 0 | ctx->rk_offset = 0; |
629 | | #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) |
630 | | if (aes_padlock_ace == -1) { |
631 | | aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE); |
632 | | } |
633 | | |
634 | | if (aes_padlock_ace) { |
635 | | ctx->rk_offset = MBEDTLS_PADLOCK_ALIGN16(ctx->buf) - ctx->buf; |
636 | | } |
637 | | #endif |
638 | 0 | RK = ctx->buf + ctx->rk_offset; |
639 | | |
640 | | /* Also checks keybits */ |
641 | 0 | if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) { |
642 | 0 | goto exit; |
643 | 0 | } |
644 | | |
645 | 0 | ctx->nr = cty.nr; |
646 | |
|
647 | 0 | #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) |
648 | 0 | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
649 | 0 | mbedtls_aesni_inverse_key((unsigned char *) RK, |
650 | 0 | (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr); |
651 | 0 | goto exit; |
652 | 0 | } |
653 | 0 | #endif |
654 | | |
655 | 0 | SK = cty.buf + cty.rk_offset + cty.nr * 4; |
656 | |
|
657 | 0 | *RK++ = *SK++; |
658 | 0 | *RK++ = *SK++; |
659 | 0 | *RK++ = *SK++; |
660 | 0 | *RK++ = *SK++; |
661 | |
|
662 | 0 | for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) { |
663 | 0 | for (j = 0; j < 4; j++, SK++) { |
664 | 0 | *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^ |
665 | 0 | AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^ |
666 | 0 | AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^ |
667 | 0 | AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]); |
668 | 0 | } |
669 | 0 | } |
670 | |
|
671 | 0 | *RK++ = *SK++; |
672 | 0 | *RK++ = *SK++; |
673 | 0 | *RK++ = *SK++; |
674 | 0 | *RK++ = *SK++; |
675 | |
|
676 | 0 | exit: |
677 | 0 | mbedtls_aes_free(&cty); |
678 | |
|
679 | 0 | return ret; |
680 | 0 | } |
681 | | #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ |
682 | | |
683 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
684 | | static int mbedtls_aes_xts_decode_keys(const unsigned char *key, |
685 | | unsigned int keybits, |
686 | | const unsigned char **key1, |
687 | | unsigned int *key1bits, |
688 | | const unsigned char **key2, |
689 | | unsigned int *key2bits) |
690 | 0 | { |
691 | 0 | const unsigned int half_keybits = keybits / 2; |
692 | 0 | const unsigned int half_keybytes = half_keybits / 8; |
693 | |
|
694 | 0 | switch (keybits) { |
695 | 0 | case 256: break; |
696 | 0 | case 512: break; |
697 | 0 | default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; |
698 | 0 | } |
699 | | |
700 | 0 | *key1bits = half_keybits; |
701 | 0 | *key2bits = half_keybits; |
702 | 0 | *key1 = &key[0]; |
703 | 0 | *key2 = &key[half_keybytes]; |
704 | |
|
705 | 0 | return 0; |
706 | 0 | } |
707 | | |
708 | | int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx, |
709 | | const unsigned char *key, |
710 | | unsigned int keybits) |
711 | 0 | { |
712 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
713 | 0 | const unsigned char *key1, *key2; |
714 | 0 | unsigned int key1bits, key2bits; |
715 | |
|
716 | 0 | ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, |
717 | 0 | &key2, &key2bits); |
718 | 0 | if (ret != 0) { |
719 | 0 | return ret; |
720 | 0 | } |
721 | | |
722 | | /* Set the tweak key. Always set tweak key for the encryption mode. */ |
723 | 0 | ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); |
724 | 0 | if (ret != 0) { |
725 | 0 | return ret; |
726 | 0 | } |
727 | | |
728 | | /* Set crypt key for encryption. */ |
729 | 0 | return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits); |
730 | 0 | } |
731 | | |
732 | | int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx, |
733 | | const unsigned char *key, |
734 | | unsigned int keybits) |
735 | 0 | { |
736 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
737 | 0 | const unsigned char *key1, *key2; |
738 | 0 | unsigned int key1bits, key2bits; |
739 | |
|
740 | 0 | ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, |
741 | 0 | &key2, &key2bits); |
742 | 0 | if (ret != 0) { |
743 | 0 | return ret; |
744 | 0 | } |
745 | | |
746 | | /* Set the tweak key. Always set tweak key for encryption. */ |
747 | 0 | ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); |
748 | 0 | if (ret != 0) { |
749 | 0 | return ret; |
750 | 0 | } |
751 | | |
752 | | /* Set crypt key for decryption. */ |
753 | 0 | return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits); |
754 | 0 | } |
755 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
756 | | |
757 | | #define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ |
758 | 0 | do \ |
759 | 0 | { \ |
760 | 0 | (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \ |
761 | 0 | AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \ |
762 | 0 | AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \ |
763 | 0 | AES_FT3(MBEDTLS_BYTE_3(Y3)); \ |
764 | 0 | \ |
765 | 0 | (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \ |
766 | 0 | AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \ |
767 | 0 | AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \ |
768 | 0 | AES_FT3(MBEDTLS_BYTE_3(Y0)); \ |
769 | 0 | \ |
770 | 0 | (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \ |
771 | 0 | AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \ |
772 | 0 | AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \ |
773 | 0 | AES_FT3(MBEDTLS_BYTE_3(Y1)); \ |
774 | 0 | \ |
775 | 0 | (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \ |
776 | 0 | AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \ |
777 | 0 | AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \ |
778 | 0 | AES_FT3(MBEDTLS_BYTE_3(Y2)); \ |
779 | 0 | } while (0) |
780 | | |
781 | | #define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ |
782 | 0 | do \ |
783 | 0 | { \ |
784 | 0 | (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \ |
785 | 0 | AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \ |
786 | 0 | AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \ |
787 | 0 | AES_RT3(MBEDTLS_BYTE_3(Y1)); \ |
788 | 0 | \ |
789 | 0 | (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \ |
790 | 0 | AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \ |
791 | 0 | AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \ |
792 | 0 | AES_RT3(MBEDTLS_BYTE_3(Y2)); \ |
793 | 0 | \ |
794 | 0 | (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \ |
795 | 0 | AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \ |
796 | 0 | AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \ |
797 | 0 | AES_RT3(MBEDTLS_BYTE_3(Y3)); \ |
798 | 0 | \ |
799 | 0 | (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \ |
800 | 0 | AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \ |
801 | 0 | AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \ |
802 | 0 | AES_RT3(MBEDTLS_BYTE_3(Y0)); \ |
803 | 0 | } while (0) |
804 | | |
805 | | /* |
806 | | * AES-ECB block encryption |
807 | | */ |
808 | | #if !defined(MBEDTLS_AES_ENCRYPT_ALT) |
809 | | int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx, |
810 | | const unsigned char input[16], |
811 | | unsigned char output[16]) |
812 | 0 | { |
813 | 0 | int i; |
814 | 0 | uint32_t *RK = ctx->buf + ctx->rk_offset; |
815 | 0 | struct { |
816 | 0 | uint32_t X[4]; |
817 | 0 | uint32_t Y[4]; |
818 | 0 | } t; |
819 | |
|
820 | 0 | t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; |
821 | 0 | t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; |
822 | 0 | t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; |
823 | 0 | t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; |
824 | |
|
825 | 0 | for (i = (ctx->nr >> 1) - 1; i > 0; i--) { |
826 | 0 | AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
827 | 0 | AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); |
828 | 0 | } |
829 | |
|
830 | 0 | AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
831 | |
|
832 | 0 | t.X[0] = *RK++ ^ \ |
833 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ |
834 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ |
835 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ |
836 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); |
837 | |
|
838 | 0 | t.X[1] = *RK++ ^ \ |
839 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ |
840 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ |
841 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ |
842 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); |
843 | |
|
844 | 0 | t.X[2] = *RK++ ^ \ |
845 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ |
846 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ |
847 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ |
848 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); |
849 | |
|
850 | 0 | t.X[3] = *RK++ ^ \ |
851 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ |
852 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ |
853 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ |
854 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); |
855 | |
|
856 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); |
857 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); |
858 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8); |
859 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); |
860 | |
|
861 | 0 | mbedtls_platform_zeroize(&t, sizeof(t)); |
862 | |
|
863 | 0 | return 0; |
864 | 0 | } |
865 | | #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ |
866 | | |
867 | | /* |
868 | | * AES-ECB block decryption |
869 | | */ |
870 | | #if !defined(MBEDTLS_AES_DECRYPT_ALT) |
871 | | int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx, |
872 | | const unsigned char input[16], |
873 | | unsigned char output[16]) |
874 | 0 | { |
875 | 0 | int i; |
876 | 0 | uint32_t *RK = ctx->buf + ctx->rk_offset; |
877 | 0 | struct { |
878 | 0 | uint32_t X[4]; |
879 | 0 | uint32_t Y[4]; |
880 | 0 | } t; |
881 | |
|
882 | 0 | t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; |
883 | 0 | t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; |
884 | 0 | t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; |
885 | 0 | t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; |
886 | |
|
887 | 0 | for (i = (ctx->nr >> 1) - 1; i > 0; i--) { |
888 | 0 | AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
889 | 0 | AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); |
890 | 0 | } |
891 | |
|
892 | 0 | AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
893 | |
|
894 | 0 | t.X[0] = *RK++ ^ \ |
895 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ |
896 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ |
897 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ |
898 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); |
899 | |
|
900 | 0 | t.X[1] = *RK++ ^ \ |
901 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ |
902 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ |
903 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ |
904 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); |
905 | |
|
906 | 0 | t.X[2] = *RK++ ^ \ |
907 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ |
908 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ |
909 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ |
910 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); |
911 | |
|
912 | 0 | t.X[3] = *RK++ ^ \ |
913 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ |
914 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ |
915 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ |
916 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); |
917 | |
|
918 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); |
919 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); |
920 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8); |
921 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); |
922 | |
|
923 | 0 | mbedtls_platform_zeroize(&t, sizeof(t)); |
924 | |
|
925 | 0 | return 0; |
926 | 0 | } |
927 | | #endif /* !MBEDTLS_AES_DECRYPT_ALT */ |
928 | | |
929 | | /* |
930 | | * AES-ECB block encryption/decryption |
931 | | */ |
932 | | int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, |
933 | | int mode, |
934 | | const unsigned char input[16], |
935 | | unsigned char output[16]) |
936 | 821k | { |
937 | 821k | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
938 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
939 | 0 | } |
940 | | |
941 | 821k | #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) |
942 | 821k | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
943 | 821k | return mbedtls_aesni_crypt_ecb(ctx, mode, input, output); |
944 | 821k | } |
945 | 0 | #endif |
946 | | |
947 | | #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) |
948 | | if (aes_padlock_ace > 0) { |
949 | | if (mbedtls_padlock_xcryptecb(ctx, mode, input, output) == 0) { |
950 | | return 0; |
951 | | } |
952 | | |
953 | | // If padlock data misaligned, we just fall back to |
954 | | // unaccelerated mode |
955 | | // |
956 | | } |
957 | | #endif |
958 | | |
959 | 0 | if (mode == MBEDTLS_AES_ENCRYPT) { |
960 | 0 | return mbedtls_internal_aes_encrypt(ctx, input, output); |
961 | 0 | } else { |
962 | 0 | return mbedtls_internal_aes_decrypt(ctx, input, output); |
963 | 0 | } |
964 | 0 | } |
965 | | |
966 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
967 | | /* |
968 | | * AES-CBC buffer encryption/decryption |
969 | | */ |
970 | | int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx, |
971 | | int mode, |
972 | | size_t length, |
973 | | unsigned char iv[16], |
974 | | const unsigned char *input, |
975 | | unsigned char *output) |
976 | 0 | { |
977 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
978 | 0 | unsigned char temp[16]; |
979 | |
|
980 | 0 | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
981 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
982 | 0 | } |
983 | | |
984 | 0 | if (length % 16) { |
985 | 0 | return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; |
986 | 0 | } |
987 | | |
988 | | #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) |
989 | | if (aes_padlock_ace > 0) { |
990 | | if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) { |
991 | | return 0; |
992 | | } |
993 | | |
994 | | // If padlock data misaligned, we just fall back to |
995 | | // unaccelerated mode |
996 | | // |
997 | | } |
998 | | #endif |
999 | | |
1000 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1001 | 0 | while (length > 0) { |
1002 | 0 | memcpy(temp, input, 16); |
1003 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output); |
1004 | 0 | if (ret != 0) { |
1005 | 0 | goto exit; |
1006 | 0 | } |
1007 | | |
1008 | 0 | mbedtls_xor(output, output, iv, 16); |
1009 | |
|
1010 | 0 | memcpy(iv, temp, 16); |
1011 | |
|
1012 | 0 | input += 16; |
1013 | 0 | output += 16; |
1014 | 0 | length -= 16; |
1015 | 0 | } |
1016 | 0 | } else { |
1017 | 0 | while (length > 0) { |
1018 | 0 | mbedtls_xor(output, input, iv, 16); |
1019 | |
|
1020 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output); |
1021 | 0 | if (ret != 0) { |
1022 | 0 | goto exit; |
1023 | 0 | } |
1024 | 0 | memcpy(iv, output, 16); |
1025 | |
|
1026 | 0 | input += 16; |
1027 | 0 | output += 16; |
1028 | 0 | length -= 16; |
1029 | 0 | } |
1030 | 0 | } |
1031 | 0 | ret = 0; |
1032 | |
|
1033 | 0 | exit: |
1034 | 0 | return ret; |
1035 | 0 | } |
1036 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
1037 | | |
1038 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
1039 | | |
1040 | | typedef unsigned char mbedtls_be128[16]; |
1041 | | |
1042 | | /* |
1043 | | * GF(2^128) multiplication function |
1044 | | * |
1045 | | * This function multiplies a field element by x in the polynomial field |
1046 | | * representation. It uses 64-bit word operations to gain speed but compensates |
1047 | | * for machine endianness and hence works correctly on both big and little |
1048 | | * endian machines. |
1049 | | */ |
1050 | | static void mbedtls_gf128mul_x_ble(unsigned char r[16], |
1051 | | const unsigned char x[16]) |
1052 | 0 | { |
1053 | 0 | uint64_t a, b, ra, rb; |
1054 | |
|
1055 | 0 | a = MBEDTLS_GET_UINT64_LE(x, 0); |
1056 | 0 | b = MBEDTLS_GET_UINT64_LE(x, 8); |
1057 | |
|
1058 | 0 | ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3)); |
1059 | 0 | rb = (a >> 63) | (b << 1); |
1060 | |
|
1061 | 0 | MBEDTLS_PUT_UINT64_LE(ra, r, 0); |
1062 | 0 | MBEDTLS_PUT_UINT64_LE(rb, r, 8); |
1063 | 0 | } |
1064 | | |
1065 | | /* |
1066 | | * AES-XTS buffer encryption/decryption |
1067 | | */ |
1068 | | int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx, |
1069 | | int mode, |
1070 | | size_t length, |
1071 | | const unsigned char data_unit[16], |
1072 | | const unsigned char *input, |
1073 | | unsigned char *output) |
1074 | 0 | { |
1075 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1076 | 0 | size_t blocks = length / 16; |
1077 | 0 | size_t leftover = length % 16; |
1078 | 0 | unsigned char tweak[16]; |
1079 | 0 | unsigned char prev_tweak[16]; |
1080 | 0 | unsigned char tmp[16]; |
1081 | |
|
1082 | 0 | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
1083 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1084 | 0 | } |
1085 | | |
1086 | | /* Data units must be at least 16 bytes long. */ |
1087 | 0 | if (length < 16) { |
1088 | 0 | return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; |
1089 | 0 | } |
1090 | | |
1091 | | /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ |
1092 | 0 | if (length > (1 << 20) * 16) { |
1093 | 0 | return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; |
1094 | 0 | } |
1095 | | |
1096 | | /* Compute the tweak. */ |
1097 | 0 | ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT, |
1098 | 0 | data_unit, tweak); |
1099 | 0 | if (ret != 0) { |
1100 | 0 | return ret; |
1101 | 0 | } |
1102 | | |
1103 | 0 | while (blocks--) { |
1104 | 0 | if (leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0) { |
1105 | | /* We are on the last block in a decrypt operation that has |
1106 | | * leftover bytes, so we need to use the next tweak for this block, |
1107 | | * and this tweak for the leftover bytes. Save the current tweak for |
1108 | | * the leftovers and then update the current tweak for use on this, |
1109 | | * the last full block. */ |
1110 | 0 | memcpy(prev_tweak, tweak, sizeof(tweak)); |
1111 | 0 | mbedtls_gf128mul_x_ble(tweak, tweak); |
1112 | 0 | } |
1113 | |
|
1114 | 0 | mbedtls_xor(tmp, input, tweak, 16); |
1115 | |
|
1116 | 0 | ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); |
1117 | 0 | if (ret != 0) { |
1118 | 0 | return ret; |
1119 | 0 | } |
1120 | | |
1121 | 0 | mbedtls_xor(output, tmp, tweak, 16); |
1122 | | |
1123 | | /* Update the tweak for the next block. */ |
1124 | 0 | mbedtls_gf128mul_x_ble(tweak, tweak); |
1125 | |
|
1126 | 0 | output += 16; |
1127 | 0 | input += 16; |
1128 | 0 | } |
1129 | | |
1130 | 0 | if (leftover) { |
1131 | | /* If we are on the leftover bytes in a decrypt operation, we need to |
1132 | | * use the previous tweak for these bytes (as saved in prev_tweak). */ |
1133 | 0 | unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; |
1134 | | |
1135 | | /* We are now on the final part of the data unit, which doesn't divide |
1136 | | * evenly by 16. It's time for ciphertext stealing. */ |
1137 | 0 | size_t i; |
1138 | 0 | unsigned char *prev_output = output - 16; |
1139 | | |
1140 | | /* Copy ciphertext bytes from the previous block to our output for each |
1141 | | * byte of ciphertext we won't steal. */ |
1142 | 0 | for (i = 0; i < leftover; i++) { |
1143 | 0 | output[i] = prev_output[i]; |
1144 | 0 | } |
1145 | | |
1146 | | /* Copy the remainder of the input for this final round. */ |
1147 | 0 | mbedtls_xor(tmp, input, t, leftover); |
1148 | | |
1149 | | /* Copy ciphertext bytes from the previous block for input in this |
1150 | | * round. */ |
1151 | 0 | mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i); |
1152 | |
|
1153 | 0 | ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); |
1154 | 0 | if (ret != 0) { |
1155 | 0 | return ret; |
1156 | 0 | } |
1157 | | |
1158 | | /* Write the result back to the previous block, overriding the previous |
1159 | | * output we copied. */ |
1160 | 0 | mbedtls_xor(prev_output, tmp, t, 16); |
1161 | 0 | } |
1162 | | |
1163 | 0 | return 0; |
1164 | 0 | } |
1165 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
1166 | | |
1167 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
1168 | | /* |
1169 | | * AES-CFB128 buffer encryption/decryption |
1170 | | */ |
1171 | | int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx, |
1172 | | int mode, |
1173 | | size_t length, |
1174 | | size_t *iv_off, |
1175 | | unsigned char iv[16], |
1176 | | const unsigned char *input, |
1177 | | unsigned char *output) |
1178 | 0 | { |
1179 | 0 | int c; |
1180 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1181 | 0 | size_t n; |
1182 | |
|
1183 | 0 | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
1184 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1185 | 0 | } |
1186 | | |
1187 | 0 | n = *iv_off; |
1188 | |
|
1189 | 0 | if (n > 15) { |
1190 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1191 | 0 | } |
1192 | | |
1193 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1194 | 0 | while (length--) { |
1195 | 0 | if (n == 0) { |
1196 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1197 | 0 | if (ret != 0) { |
1198 | 0 | goto exit; |
1199 | 0 | } |
1200 | 0 | } |
1201 | | |
1202 | 0 | c = *input++; |
1203 | 0 | *output++ = (unsigned char) (c ^ iv[n]); |
1204 | 0 | iv[n] = (unsigned char) c; |
1205 | |
|
1206 | 0 | n = (n + 1) & 0x0F; |
1207 | 0 | } |
1208 | 0 | } else { |
1209 | 0 | while (length--) { |
1210 | 0 | if (n == 0) { |
1211 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1212 | 0 | if (ret != 0) { |
1213 | 0 | goto exit; |
1214 | 0 | } |
1215 | 0 | } |
1216 | | |
1217 | 0 | iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++); |
1218 | |
|
1219 | 0 | n = (n + 1) & 0x0F; |
1220 | 0 | } |
1221 | 0 | } |
1222 | | |
1223 | 0 | *iv_off = n; |
1224 | 0 | ret = 0; |
1225 | |
|
1226 | 0 | exit: |
1227 | 0 | return ret; |
1228 | 0 | } |
1229 | | |
1230 | | /* |
1231 | | * AES-CFB8 buffer encryption/decryption |
1232 | | */ |
1233 | | int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx, |
1234 | | int mode, |
1235 | | size_t length, |
1236 | | unsigned char iv[16], |
1237 | | const unsigned char *input, |
1238 | | unsigned char *output) |
1239 | 0 | { |
1240 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1241 | 0 | unsigned char c; |
1242 | 0 | unsigned char ov[17]; |
1243 | |
|
1244 | 0 | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
1245 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1246 | 0 | } |
1247 | 0 | while (length--) { |
1248 | 0 | memcpy(ov, iv, 16); |
1249 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1250 | 0 | if (ret != 0) { |
1251 | 0 | goto exit; |
1252 | 0 | } |
1253 | | |
1254 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1255 | 0 | ov[16] = *input; |
1256 | 0 | } |
1257 | |
|
1258 | 0 | c = *output++ = (unsigned char) (iv[0] ^ *input++); |
1259 | |
|
1260 | 0 | if (mode == MBEDTLS_AES_ENCRYPT) { |
1261 | 0 | ov[16] = c; |
1262 | 0 | } |
1263 | |
|
1264 | 0 | memcpy(iv, ov + 1, 16); |
1265 | 0 | } |
1266 | 0 | ret = 0; |
1267 | |
|
1268 | 0 | exit: |
1269 | 0 | return ret; |
1270 | 0 | } |
1271 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
1272 | | |
1273 | | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
1274 | | /* |
1275 | | * AES-OFB (Output Feedback Mode) buffer encryption/decryption |
1276 | | */ |
1277 | | int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx, |
1278 | | size_t length, |
1279 | | size_t *iv_off, |
1280 | | unsigned char iv[16], |
1281 | | const unsigned char *input, |
1282 | | unsigned char *output) |
1283 | 0 | { |
1284 | 0 | int ret = 0; |
1285 | 0 | size_t n; |
1286 | |
|
1287 | 0 | n = *iv_off; |
1288 | |
|
1289 | 0 | if (n > 15) { |
1290 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1291 | 0 | } |
1292 | | |
1293 | 0 | while (length--) { |
1294 | 0 | if (n == 0) { |
1295 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1296 | 0 | if (ret != 0) { |
1297 | 0 | goto exit; |
1298 | 0 | } |
1299 | 0 | } |
1300 | 0 | *output++ = *input++ ^ iv[n]; |
1301 | |
|
1302 | 0 | n = (n + 1) & 0x0F; |
1303 | 0 | } |
1304 | | |
1305 | 0 | *iv_off = n; |
1306 | |
|
1307 | 0 | exit: |
1308 | 0 | return ret; |
1309 | 0 | } |
1310 | | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
1311 | | |
1312 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1313 | | /* |
1314 | | * AES-CTR buffer encryption/decryption |
1315 | | */ |
1316 | | int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx, |
1317 | | size_t length, |
1318 | | size_t *nc_off, |
1319 | | unsigned char nonce_counter[16], |
1320 | | unsigned char stream_block[16], |
1321 | | const unsigned char *input, |
1322 | | unsigned char *output) |
1323 | 0 | { |
1324 | 0 | int c, i; |
1325 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1326 | 0 | size_t n; |
1327 | |
|
1328 | 0 | n = *nc_off; |
1329 | |
|
1330 | 0 | if (n > 0x0F) { |
1331 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1332 | 0 | } |
1333 | | |
1334 | 0 | while (length--) { |
1335 | 0 | if (n == 0) { |
1336 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block); |
1337 | 0 | if (ret != 0) { |
1338 | 0 | goto exit; |
1339 | 0 | } |
1340 | | |
1341 | 0 | for (i = 16; i > 0; i--) { |
1342 | 0 | if (++nonce_counter[i - 1] != 0) { |
1343 | 0 | break; |
1344 | 0 | } |
1345 | 0 | } |
1346 | 0 | } |
1347 | 0 | c = *input++; |
1348 | 0 | *output++ = (unsigned char) (c ^ stream_block[n]); |
1349 | |
|
1350 | 0 | n = (n + 1) & 0x0F; |
1351 | 0 | } |
1352 | | |
1353 | 0 | *nc_off = n; |
1354 | 0 | ret = 0; |
1355 | |
|
1356 | 0 | exit: |
1357 | 0 | return ret; |
1358 | 0 | } |
1359 | | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
1360 | | |
1361 | | #endif /* !MBEDTLS_AES_ALT */ |
1362 | | |
1363 | | #if defined(MBEDTLS_SELF_TEST) |
1364 | | /* |
1365 | | * AES test vectors from: |
1366 | | * |
1367 | | * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip |
1368 | | */ |
1369 | | static const unsigned char aes_test_ecb_dec[3][16] = |
1370 | | { |
1371 | | { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, |
1372 | | 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, |
1373 | | { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, |
1374 | | 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, |
1375 | | { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, |
1376 | | 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } |
1377 | | }; |
1378 | | |
1379 | | static const unsigned char aes_test_ecb_enc[3][16] = |
1380 | | { |
1381 | | { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, |
1382 | | 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, |
1383 | | { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, |
1384 | | 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, |
1385 | | { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, |
1386 | | 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } |
1387 | | }; |
1388 | | |
1389 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1390 | | static const unsigned char aes_test_cbc_dec[3][16] = |
1391 | | { |
1392 | | { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, |
1393 | | 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, |
1394 | | { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, |
1395 | | 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, |
1396 | | { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, |
1397 | | 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } |
1398 | | }; |
1399 | | |
1400 | | static const unsigned char aes_test_cbc_enc[3][16] = |
1401 | | { |
1402 | | { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, |
1403 | | 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, |
1404 | | { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, |
1405 | | 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, |
1406 | | { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, |
1407 | | 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } |
1408 | | }; |
1409 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
1410 | | |
1411 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
1412 | | /* |
1413 | | * AES-CFB128 test vectors from: |
1414 | | * |
1415 | | * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf |
1416 | | */ |
1417 | | static const unsigned char aes_test_cfb128_key[3][32] = |
1418 | | { |
1419 | | { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, |
1420 | | 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, |
1421 | | { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, |
1422 | | 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, |
1423 | | 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, |
1424 | | { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, |
1425 | | 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, |
1426 | | 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, |
1427 | | 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } |
1428 | | }; |
1429 | | |
1430 | | static const unsigned char aes_test_cfb128_iv[16] = |
1431 | | { |
1432 | | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1433 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F |
1434 | | }; |
1435 | | |
1436 | | static const unsigned char aes_test_cfb128_pt[64] = |
1437 | | { |
1438 | | 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, |
1439 | | 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, |
1440 | | 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, |
1441 | | 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, |
1442 | | 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, |
1443 | | 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, |
1444 | | 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, |
1445 | | 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 |
1446 | | }; |
1447 | | |
1448 | | static const unsigned char aes_test_cfb128_ct[3][64] = |
1449 | | { |
1450 | | { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, |
1451 | | 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, |
1452 | | 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, |
1453 | | 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, |
1454 | | 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, |
1455 | | 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, |
1456 | | 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, |
1457 | | 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, |
1458 | | { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, |
1459 | | 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, |
1460 | | 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, |
1461 | | 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, |
1462 | | 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, |
1463 | | 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, |
1464 | | 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, |
1465 | | 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, |
1466 | | { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, |
1467 | | 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, |
1468 | | 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, |
1469 | | 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, |
1470 | | 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, |
1471 | | 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, |
1472 | | 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, |
1473 | | 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } |
1474 | | }; |
1475 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
1476 | | |
1477 | | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
1478 | | /* |
1479 | | * AES-OFB test vectors from: |
1480 | | * |
1481 | | * https://csrc.nist.gov/publications/detail/sp/800-38a/final |
1482 | | */ |
1483 | | static const unsigned char aes_test_ofb_key[3][32] = |
1484 | | { |
1485 | | { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, |
1486 | | 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, |
1487 | | { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, |
1488 | | 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, |
1489 | | 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, |
1490 | | { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, |
1491 | | 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, |
1492 | | 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, |
1493 | | 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } |
1494 | | }; |
1495 | | |
1496 | | static const unsigned char aes_test_ofb_iv[16] = |
1497 | | { |
1498 | | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1499 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F |
1500 | | }; |
1501 | | |
1502 | | static const unsigned char aes_test_ofb_pt[64] = |
1503 | | { |
1504 | | 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, |
1505 | | 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, |
1506 | | 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, |
1507 | | 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, |
1508 | | 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, |
1509 | | 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, |
1510 | | 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, |
1511 | | 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 |
1512 | | }; |
1513 | | |
1514 | | static const unsigned char aes_test_ofb_ct[3][64] = |
1515 | | { |
1516 | | { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, |
1517 | | 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, |
1518 | | 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, |
1519 | | 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, |
1520 | | 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, |
1521 | | 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, |
1522 | | 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, |
1523 | | 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, |
1524 | | { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, |
1525 | | 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, |
1526 | | 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, |
1527 | | 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, |
1528 | | 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, |
1529 | | 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, |
1530 | | 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, |
1531 | | 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, |
1532 | | { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, |
1533 | | 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, |
1534 | | 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, |
1535 | | 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, |
1536 | | 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, |
1537 | | 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, |
1538 | | 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, |
1539 | | 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } |
1540 | | }; |
1541 | | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
1542 | | |
1543 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1544 | | /* |
1545 | | * AES-CTR test vectors from: |
1546 | | * |
1547 | | * http://www.faqs.org/rfcs/rfc3686.html |
1548 | | */ |
1549 | | |
1550 | | static const unsigned char aes_test_ctr_key[3][16] = |
1551 | | { |
1552 | | { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, |
1553 | | 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, |
1554 | | { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, |
1555 | | 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, |
1556 | | { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, |
1557 | | 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } |
1558 | | }; |
1559 | | |
1560 | | static const unsigned char aes_test_ctr_nonce_counter[3][16] = |
1561 | | { |
1562 | | { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, |
1563 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, |
1564 | | { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, |
1565 | | 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, |
1566 | | { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, |
1567 | | 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } |
1568 | | }; |
1569 | | |
1570 | | static const unsigned char aes_test_ctr_pt[3][48] = |
1571 | | { |
1572 | | { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, |
1573 | | 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, |
1574 | | |
1575 | | { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1576 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, |
1577 | | 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, |
1578 | | 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, |
1579 | | |
1580 | | { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1581 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, |
1582 | | 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, |
1583 | | 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, |
1584 | | 0x20, 0x21, 0x22, 0x23 } |
1585 | | }; |
1586 | | |
1587 | | static const unsigned char aes_test_ctr_ct[3][48] = |
1588 | | { |
1589 | | { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, |
1590 | | 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, |
1591 | | { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, |
1592 | | 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, |
1593 | | 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, |
1594 | | 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, |
1595 | | { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, |
1596 | | 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, |
1597 | | 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, |
1598 | | 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, |
1599 | | 0x25, 0xB2, 0x07, 0x2F } |
1600 | | }; |
1601 | | |
1602 | | static const int aes_test_ctr_len[3] = |
1603 | | { 16, 32, 36 }; |
1604 | | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
1605 | | |
1606 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
1607 | | /* |
1608 | | * AES-XTS test vectors from: |
1609 | | * |
1610 | | * IEEE P1619/D16 Annex B |
1611 | | * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf |
1612 | | * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) |
1613 | | */ |
1614 | | static const unsigned char aes_test_xts_key[][32] = |
1615 | | { |
1616 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1617 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1618 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1619 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1620 | | { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, |
1621 | | 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, |
1622 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, |
1623 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, |
1624 | | { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, |
1625 | | 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, |
1626 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, |
1627 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, |
1628 | | }; |
1629 | | |
1630 | | static const unsigned char aes_test_xts_pt32[][32] = |
1631 | | { |
1632 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1633 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1634 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1635 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1636 | | { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1637 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1638 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1639 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, |
1640 | | { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1641 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1642 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1643 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, |
1644 | | }; |
1645 | | |
1646 | | static const unsigned char aes_test_xts_ct32[][32] = |
1647 | | { |
1648 | | { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, |
1649 | | 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, |
1650 | | 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, |
1651 | | 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, |
1652 | | { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, |
1653 | | 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, |
1654 | | 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, |
1655 | | 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, |
1656 | | { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, |
1657 | | 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, |
1658 | | 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, |
1659 | | 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, |
1660 | | }; |
1661 | | |
1662 | | static const unsigned char aes_test_xts_data_unit[][16] = |
1663 | | { |
1664 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1665 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1666 | | { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, |
1667 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1668 | | { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, |
1669 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1670 | | }; |
1671 | | |
1672 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
1673 | | |
1674 | | /* |
1675 | | * Checkup routine |
1676 | | */ |
1677 | | int mbedtls_aes_self_test(int verbose) |
1678 | 0 | { |
1679 | 0 | int ret = 0, i, j, u, mode; |
1680 | 0 | unsigned int keybits; |
1681 | 0 | unsigned char key[32]; |
1682 | 0 | unsigned char buf[64]; |
1683 | 0 | const unsigned char *aes_tests; |
1684 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
1685 | 0 | defined(MBEDTLS_CIPHER_MODE_OFB) |
1686 | 0 | unsigned char iv[16]; |
1687 | 0 | #endif |
1688 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1689 | 0 | unsigned char prv[16]; |
1690 | 0 | #endif |
1691 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
1692 | 0 | defined(MBEDTLS_CIPHER_MODE_OFB) |
1693 | 0 | size_t offset; |
1694 | 0 | #endif |
1695 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) |
1696 | 0 | int len; |
1697 | 0 | #endif |
1698 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1699 | 0 | unsigned char nonce_counter[16]; |
1700 | 0 | unsigned char stream_block[16]; |
1701 | 0 | #endif |
1702 | 0 | mbedtls_aes_context ctx; |
1703 | |
|
1704 | 0 | memset(key, 0, 32); |
1705 | 0 | mbedtls_aes_init(&ctx); |
1706 | | |
1707 | | /* |
1708 | | * ECB mode |
1709 | | */ |
1710 | 0 | for (i = 0; i < 6; i++) { |
1711 | 0 | u = i >> 1; |
1712 | 0 | keybits = 128 + u * 64; |
1713 | 0 | mode = i & 1; |
1714 | |
|
1715 | 0 | if (verbose != 0) { |
1716 | 0 | mbedtls_printf(" AES-ECB-%3u (%s): ", keybits, |
1717 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
1718 | 0 | } |
1719 | |
|
1720 | 0 | memset(buf, 0, 16); |
1721 | |
|
1722 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1723 | 0 | ret = mbedtls_aes_setkey_dec(&ctx, key, keybits); |
1724 | 0 | aes_tests = aes_test_ecb_dec[u]; |
1725 | 0 | } else { |
1726 | 0 | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
1727 | 0 | aes_tests = aes_test_ecb_enc[u]; |
1728 | 0 | } |
1729 | | |
1730 | | /* |
1731 | | * AES-192 is an optional feature that may be unavailable when |
1732 | | * there is an alternative underlying implementation i.e. when |
1733 | | * MBEDTLS_AES_ALT is defined. |
1734 | | */ |
1735 | 0 | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
1736 | 0 | mbedtls_printf("skipped\n"); |
1737 | 0 | continue; |
1738 | 0 | } else if (ret != 0) { |
1739 | 0 | goto exit; |
1740 | 0 | } |
1741 | | |
1742 | 0 | for (j = 0; j < 10000; j++) { |
1743 | 0 | ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf); |
1744 | 0 | if (ret != 0) { |
1745 | 0 | goto exit; |
1746 | 0 | } |
1747 | 0 | } |
1748 | | |
1749 | 0 | if (memcmp(buf, aes_tests, 16) != 0) { |
1750 | 0 | ret = 1; |
1751 | 0 | goto exit; |
1752 | 0 | } |
1753 | | |
1754 | 0 | if (verbose != 0) { |
1755 | 0 | mbedtls_printf("passed\n"); |
1756 | 0 | } |
1757 | 0 | } |
1758 | | |
1759 | 0 | if (verbose != 0) { |
1760 | 0 | mbedtls_printf("\n"); |
1761 | 0 | } |
1762 | |
|
1763 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1764 | | /* |
1765 | | * CBC mode |
1766 | | */ |
1767 | 0 | for (i = 0; i < 6; i++) { |
1768 | 0 | u = i >> 1; |
1769 | 0 | keybits = 128 + u * 64; |
1770 | 0 | mode = i & 1; |
1771 | |
|
1772 | 0 | if (verbose != 0) { |
1773 | 0 | mbedtls_printf(" AES-CBC-%3u (%s): ", keybits, |
1774 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
1775 | 0 | } |
1776 | |
|
1777 | 0 | memset(iv, 0, 16); |
1778 | 0 | memset(prv, 0, 16); |
1779 | 0 | memset(buf, 0, 16); |
1780 | |
|
1781 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1782 | 0 | ret = mbedtls_aes_setkey_dec(&ctx, key, keybits); |
1783 | 0 | aes_tests = aes_test_cbc_dec[u]; |
1784 | 0 | } else { |
1785 | 0 | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
1786 | 0 | aes_tests = aes_test_cbc_enc[u]; |
1787 | 0 | } |
1788 | | |
1789 | | /* |
1790 | | * AES-192 is an optional feature that may be unavailable when |
1791 | | * there is an alternative underlying implementation i.e. when |
1792 | | * MBEDTLS_AES_ALT is defined. |
1793 | | */ |
1794 | 0 | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
1795 | 0 | mbedtls_printf("skipped\n"); |
1796 | 0 | continue; |
1797 | 0 | } else if (ret != 0) { |
1798 | 0 | goto exit; |
1799 | 0 | } |
1800 | | |
1801 | 0 | for (j = 0; j < 10000; j++) { |
1802 | 0 | if (mode == MBEDTLS_AES_ENCRYPT) { |
1803 | 0 | unsigned char tmp[16]; |
1804 | |
|
1805 | 0 | memcpy(tmp, prv, 16); |
1806 | 0 | memcpy(prv, buf, 16); |
1807 | 0 | memcpy(buf, tmp, 16); |
1808 | 0 | } |
1809 | |
|
1810 | 0 | ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf); |
1811 | 0 | if (ret != 0) { |
1812 | 0 | goto exit; |
1813 | 0 | } |
1814 | |
|
1815 | 0 | } |
1816 | | |
1817 | 0 | if (memcmp(buf, aes_tests, 16) != 0) { |
1818 | 0 | ret = 1; |
1819 | 0 | goto exit; |
1820 | 0 | } |
1821 | | |
1822 | 0 | if (verbose != 0) { |
1823 | 0 | mbedtls_printf("passed\n"); |
1824 | 0 | } |
1825 | 0 | } |
1826 | | |
1827 | 0 | if (verbose != 0) { |
1828 | 0 | mbedtls_printf("\n"); |
1829 | 0 | } |
1830 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
1831 | |
|
1832 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
1833 | | /* |
1834 | | * CFB128 mode |
1835 | | */ |
1836 | 0 | for (i = 0; i < 6; i++) { |
1837 | 0 | u = i >> 1; |
1838 | 0 | keybits = 128 + u * 64; |
1839 | 0 | mode = i & 1; |
1840 | |
|
1841 | 0 | if (verbose != 0) { |
1842 | 0 | mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits, |
1843 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
1844 | 0 | } |
1845 | |
|
1846 | 0 | memcpy(iv, aes_test_cfb128_iv, 16); |
1847 | 0 | memcpy(key, aes_test_cfb128_key[u], keybits / 8); |
1848 | |
|
1849 | 0 | offset = 0; |
1850 | 0 | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
1851 | | /* |
1852 | | * AES-192 is an optional feature that may be unavailable when |
1853 | | * there is an alternative underlying implementation i.e. when |
1854 | | * MBEDTLS_AES_ALT is defined. |
1855 | | */ |
1856 | 0 | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
1857 | 0 | mbedtls_printf("skipped\n"); |
1858 | 0 | continue; |
1859 | 0 | } else if (ret != 0) { |
1860 | 0 | goto exit; |
1861 | 0 | } |
1862 | | |
1863 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1864 | 0 | memcpy(buf, aes_test_cfb128_ct[u], 64); |
1865 | 0 | aes_tests = aes_test_cfb128_pt; |
1866 | 0 | } else { |
1867 | 0 | memcpy(buf, aes_test_cfb128_pt, 64); |
1868 | 0 | aes_tests = aes_test_cfb128_ct[u]; |
1869 | 0 | } |
1870 | |
|
1871 | 0 | ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf); |
1872 | 0 | if (ret != 0) { |
1873 | 0 | goto exit; |
1874 | 0 | } |
1875 | | |
1876 | 0 | if (memcmp(buf, aes_tests, 64) != 0) { |
1877 | 0 | ret = 1; |
1878 | 0 | goto exit; |
1879 | 0 | } |
1880 | | |
1881 | 0 | if (verbose != 0) { |
1882 | 0 | mbedtls_printf("passed\n"); |
1883 | 0 | } |
1884 | 0 | } |
1885 | | |
1886 | 0 | if (verbose != 0) { |
1887 | 0 | mbedtls_printf("\n"); |
1888 | 0 | } |
1889 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
1890 | |
|
1891 | 0 | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
1892 | | /* |
1893 | | * OFB mode |
1894 | | */ |
1895 | 0 | for (i = 0; i < 6; i++) { |
1896 | 0 | u = i >> 1; |
1897 | 0 | keybits = 128 + u * 64; |
1898 | 0 | mode = i & 1; |
1899 | |
|
1900 | 0 | if (verbose != 0) { |
1901 | 0 | mbedtls_printf(" AES-OFB-%3u (%s): ", keybits, |
1902 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
1903 | 0 | } |
1904 | |
|
1905 | 0 | memcpy(iv, aes_test_ofb_iv, 16); |
1906 | 0 | memcpy(key, aes_test_ofb_key[u], keybits / 8); |
1907 | |
|
1908 | 0 | offset = 0; |
1909 | 0 | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
1910 | | /* |
1911 | | * AES-192 is an optional feature that may be unavailable when |
1912 | | * there is an alternative underlying implementation i.e. when |
1913 | | * MBEDTLS_AES_ALT is defined. |
1914 | | */ |
1915 | 0 | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
1916 | 0 | mbedtls_printf("skipped\n"); |
1917 | 0 | continue; |
1918 | 0 | } else if (ret != 0) { |
1919 | 0 | goto exit; |
1920 | 0 | } |
1921 | | |
1922 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1923 | 0 | memcpy(buf, aes_test_ofb_ct[u], 64); |
1924 | 0 | aes_tests = aes_test_ofb_pt; |
1925 | 0 | } else { |
1926 | 0 | memcpy(buf, aes_test_ofb_pt, 64); |
1927 | 0 | aes_tests = aes_test_ofb_ct[u]; |
1928 | 0 | } |
1929 | |
|
1930 | 0 | ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf); |
1931 | 0 | if (ret != 0) { |
1932 | 0 | goto exit; |
1933 | 0 | } |
1934 | | |
1935 | 0 | if (memcmp(buf, aes_tests, 64) != 0) { |
1936 | 0 | ret = 1; |
1937 | 0 | goto exit; |
1938 | 0 | } |
1939 | | |
1940 | 0 | if (verbose != 0) { |
1941 | 0 | mbedtls_printf("passed\n"); |
1942 | 0 | } |
1943 | 0 | } |
1944 | | |
1945 | 0 | if (verbose != 0) { |
1946 | 0 | mbedtls_printf("\n"); |
1947 | 0 | } |
1948 | 0 | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
1949 | |
|
1950 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1951 | | /* |
1952 | | * CTR mode |
1953 | | */ |
1954 | 0 | for (i = 0; i < 6; i++) { |
1955 | 0 | u = i >> 1; |
1956 | 0 | mode = i & 1; |
1957 | |
|
1958 | 0 | if (verbose != 0) { |
1959 | 0 | mbedtls_printf(" AES-CTR-128 (%s): ", |
1960 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
1961 | 0 | } |
1962 | |
|
1963 | 0 | memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16); |
1964 | 0 | memcpy(key, aes_test_ctr_key[u], 16); |
1965 | |
|
1966 | 0 | offset = 0; |
1967 | 0 | if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) { |
1968 | 0 | goto exit; |
1969 | 0 | } |
1970 | | |
1971 | 0 | len = aes_test_ctr_len[u]; |
1972 | |
|
1973 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1974 | 0 | memcpy(buf, aes_test_ctr_ct[u], len); |
1975 | 0 | aes_tests = aes_test_ctr_pt[u]; |
1976 | 0 | } else { |
1977 | 0 | memcpy(buf, aes_test_ctr_pt[u], len); |
1978 | 0 | aes_tests = aes_test_ctr_ct[u]; |
1979 | 0 | } |
1980 | |
|
1981 | 0 | ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter, |
1982 | 0 | stream_block, buf, buf); |
1983 | 0 | if (ret != 0) { |
1984 | 0 | goto exit; |
1985 | 0 | } |
1986 | | |
1987 | 0 | if (memcmp(buf, aes_tests, len) != 0) { |
1988 | 0 | ret = 1; |
1989 | 0 | goto exit; |
1990 | 0 | } |
1991 | | |
1992 | 0 | if (verbose != 0) { |
1993 | 0 | mbedtls_printf("passed\n"); |
1994 | 0 | } |
1995 | 0 | } |
1996 | | |
1997 | 0 | if (verbose != 0) { |
1998 | 0 | mbedtls_printf("\n"); |
1999 | 0 | } |
2000 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
2001 | |
|
2002 | 0 | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
2003 | 0 | { |
2004 | 0 | static const int num_tests = |
2005 | 0 | sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); |
2006 | 0 | mbedtls_aes_xts_context ctx_xts; |
2007 | | |
2008 | | /* |
2009 | | * XTS mode |
2010 | | */ |
2011 | 0 | mbedtls_aes_xts_init(&ctx_xts); |
2012 | |
|
2013 | 0 | for (i = 0; i < num_tests << 1; i++) { |
2014 | 0 | const unsigned char *data_unit; |
2015 | 0 | u = i >> 1; |
2016 | 0 | mode = i & 1; |
2017 | |
|
2018 | 0 | if (verbose != 0) { |
2019 | 0 | mbedtls_printf(" AES-XTS-128 (%s): ", |
2020 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
2021 | 0 | } |
2022 | |
|
2023 | 0 | memset(key, 0, sizeof(key)); |
2024 | 0 | memcpy(key, aes_test_xts_key[u], 32); |
2025 | 0 | data_unit = aes_test_xts_data_unit[u]; |
2026 | |
|
2027 | 0 | len = sizeof(*aes_test_xts_ct32); |
2028 | |
|
2029 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
2030 | 0 | ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256); |
2031 | 0 | if (ret != 0) { |
2032 | 0 | goto exit; |
2033 | 0 | } |
2034 | 0 | memcpy(buf, aes_test_xts_ct32[u], len); |
2035 | 0 | aes_tests = aes_test_xts_pt32[u]; |
2036 | 0 | } else { |
2037 | 0 | ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256); |
2038 | 0 | if (ret != 0) { |
2039 | 0 | goto exit; |
2040 | 0 | } |
2041 | 0 | memcpy(buf, aes_test_xts_pt32[u], len); |
2042 | 0 | aes_tests = aes_test_xts_ct32[u]; |
2043 | 0 | } |
2044 | | |
2045 | | |
2046 | 0 | ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit, |
2047 | 0 | buf, buf); |
2048 | 0 | if (ret != 0) { |
2049 | 0 | goto exit; |
2050 | 0 | } |
2051 | | |
2052 | 0 | if (memcmp(buf, aes_tests, len) != 0) { |
2053 | 0 | ret = 1; |
2054 | 0 | goto exit; |
2055 | 0 | } |
2056 | | |
2057 | 0 | if (verbose != 0) { |
2058 | 0 | mbedtls_printf("passed\n"); |
2059 | 0 | } |
2060 | 0 | } |
2061 | | |
2062 | 0 | if (verbose != 0) { |
2063 | 0 | mbedtls_printf("\n"); |
2064 | 0 | } |
2065 | |
|
2066 | 0 | mbedtls_aes_xts_free(&ctx_xts); |
2067 | 0 | } |
2068 | 0 | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
2069 | | |
2070 | 0 | ret = 0; |
2071 | |
|
2072 | 0 | exit: |
2073 | 0 | if (ret != 0 && verbose != 0) { |
2074 | 0 | mbedtls_printf("failed\n"); |
2075 | 0 | } |
2076 | |
|
2077 | 0 | mbedtls_aes_free(&ctx); |
2078 | |
|
2079 | 0 | return ret; |
2080 | 0 | } |
2081 | | |
2082 | | #endif /* MBEDTLS_SELF_TEST */ |
2083 | | |
2084 | | #endif /* MBEDTLS_AES_C */ |