Coverage Report

Created: 2024-11-21 07:03

/src/mbedtls/library/aes.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  FIPS-197 compliant AES implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
/*
8
 *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
9
 *
10
 *  https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
11
 *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
12
 */
13
14
#include "common.h"
15
16
#if defined(MBEDTLS_AES_C)
17
18
#include <string.h>
19
20
#include "mbedtls/aes.h"
21
#include "mbedtls/platform.h"
22
#include "mbedtls/platform_util.h"
23
#include "mbedtls/error.h"
24
25
#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
26
#if !((defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_AESCE_C)) || \
27
    (defined(MBEDTLS_ARCH_IS_X64)       && defined(MBEDTLS_AESNI_C)) || \
28
    (defined(MBEDTLS_ARCH_IS_X86)       && defined(MBEDTLS_AESNI_C)))
29
#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
30
#endif
31
#endif
32
33
#if defined(MBEDTLS_ARCH_IS_X86)
34
#if defined(MBEDTLS_PADLOCK_C)
35
#if !defined(MBEDTLS_HAVE_ASM)
36
#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
37
#endif
38
#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
39
#error "MBEDTLS_AES_USE_HARDWARE_ONLY cannot be defined when " \
40
    "MBEDTLS_PADLOCK_C is set"
41
#endif
42
#endif
43
#endif
44
45
#if defined(MBEDTLS_PADLOCK_C)
46
#include "padlock.h"
47
#endif
48
#if defined(MBEDTLS_AESNI_C)
49
#include "aesni.h"
50
#endif
51
#if defined(MBEDTLS_AESCE_C)
52
#include "aesce.h"
53
#endif
54
55
#include "mbedtls/platform.h"
56
#include "ctr.h"
57
58
/*
59
 * This is a convenience shorthand macro to check if we need reverse S-box and
60
 * reverse tables. It's private and only defined in this file.
61
 */
62
#if (!defined(MBEDTLS_AES_DECRYPT_ALT) || \
63
    (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY))) && \
64
    !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
65
#define MBEDTLS_AES_NEED_REVERSE_TABLES
66
#endif
67
68
#if !defined(MBEDTLS_AES_ALT)
69
70
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
71
static int aes_padlock_ace = -1;
72
#endif
73
74
#if defined(MBEDTLS_AES_ROM_TABLES)
75
/*
76
 * Forward S-box
77
 */
78
MBEDTLS_MAYBE_UNUSED static const unsigned char FSb[256] =
79
{
80
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81
    0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83
    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85
    0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87
    0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89
    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91
    0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93
    0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95
    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97
    0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99
    0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101
    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103
    0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105
    0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107
    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109
    0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111
    0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112
};
113
114
/*
115
 * Forward tables
116
 */
117
#define FT \
118
\
119
    V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \
120
    V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \
121
    V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
122
    V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \
123
    V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
124
    V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
125
    V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \
126
    V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \
127
    V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
128
    V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
129
    V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \
130
    V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
131
    V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \
132
    V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \
133
    V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
134
    V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \
135
    V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \
136
    V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
137
    V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \
138
    V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
139
    V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
140
    V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \
141
    V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \
142
    V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
143
    V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
144
    V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \
145
    V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
146
    V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \
147
    V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \
148
    V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
149
    V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
150
    V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \
151
    V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
152
    V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \
153
    V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
154
    V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
155
    V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \
156
    V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \
157
    V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
158
    V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
159
    V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \
160
    V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
161
    V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \
162
    V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \
163
    V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
164
    V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \
165
    V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \
166
    V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
167
    V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \
168
    V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
169
    V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
170
    V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \
171
    V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \
172
    V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
173
    V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
174
    V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
175
    V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
176
    V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \
177
    V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \
178
    V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
179
    V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \
180
    V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \
181
    V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
182
    V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
183
184
#define V(a, b, c, d) 0x##a##b##c##d
185
MBEDTLS_MAYBE_UNUSED static const uint32_t FT0[256] = { FT };
186
#undef V
187
188
#define V(a, b, c, d) 0x##b##c##d##a
189
MBEDTLS_MAYBE_UNUSED static const uint32_t FT1[256] = { FT };
190
#undef V
191
192
#define V(a, b, c, d) 0x##c##d##a##b
193
MBEDTLS_MAYBE_UNUSED static const uint32_t FT2[256] = { FT };
194
#undef V
195
196
#define V(a, b, c, d) 0x##d##a##b##c
197
MBEDTLS_MAYBE_UNUSED static const uint32_t FT3[256] = { FT };
198
#undef V
199
200
#undef FT
201
202
/*
203
 * Reverse S-box
204
 */
205
MBEDTLS_MAYBE_UNUSED static const unsigned char RSb[256] =
206
{
207
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208
    0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209
    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210
    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211
    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212
    0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214
    0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215
    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216
    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217
    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218
    0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220
    0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221
    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222
    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223
    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224
    0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226
    0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227
    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228
    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229
    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230
    0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232
    0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233
    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234
    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235
    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236
    0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238
    0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239
};
240
241
/*
242
 * Reverse tables
243
 */
244
#define RT \
245
\
246
    V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \
247
    V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \
248
    V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
249
    V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \
250
    V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
251
    V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
252
    V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \
253
    V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \
254
    V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
255
    V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
256
    V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \
257
    V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
258
    V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \
259
    V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \
260
    V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
261
    V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
262
    V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \
263
    V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
264
    V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \
265
    V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
266
    V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
267
    V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \
268
    V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \
269
    V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
270
    V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
271
    V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \
272
    V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
273
    V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \
274
    V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \
275
    V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
276
    V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \
277
    V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \
278
    V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
279
    V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \
280
    V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
281
    V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
282
    V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \
283
    V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
284
    V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
285
    V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
286
    V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
287
    V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
288
    V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \
289
    V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \
290
    V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
291
    V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \
292
    V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \
293
    V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
294
    V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \
295
    V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
296
    V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
297
    V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \
298
    V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \
299
    V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
300
    V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
301
    V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \
302
    V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
303
    V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \
304
    V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \
305
    V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
306
    V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \
307
    V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
308
    V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
309
    V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0)
310
311
312
#define V(a, b, c, d) 0x##a##b##c##d
313
MBEDTLS_MAYBE_UNUSED static const uint32_t RT0[256] = { RT };
314
#undef V
315
316
#define V(a, b, c, d) 0x##b##c##d##a
317
MBEDTLS_MAYBE_UNUSED static const uint32_t RT1[256] = { RT };
318
#undef V
319
320
#define V(a, b, c, d) 0x##c##d##a##b
321
MBEDTLS_MAYBE_UNUSED static const uint32_t RT2[256] = { RT };
322
#undef V
323
324
#define V(a, b, c, d) 0x##d##a##b##c
325
MBEDTLS_MAYBE_UNUSED static const uint32_t RT3[256] = { RT };
326
#undef V
327
328
#undef RT
329
330
/*
331
 * Round constants
332
 */
333
MBEDTLS_MAYBE_UNUSED static const uint32_t round_constants[10] =
334
{
335
    0x00000001, 0x00000002, 0x00000004, 0x00000008,
336
    0x00000010, 0x00000020, 0x00000040, 0x00000080,
337
    0x0000001B, 0x00000036
338
};
339
340
#else /* MBEDTLS_AES_ROM_TABLES */
341
342
/*
343
 * Forward S-box & tables
344
 */
345
MBEDTLS_MAYBE_UNUSED static unsigned char FSb[256];
346
MBEDTLS_MAYBE_UNUSED static uint32_t FT0[256];
347
MBEDTLS_MAYBE_UNUSED static uint32_t FT1[256];
348
MBEDTLS_MAYBE_UNUSED static uint32_t FT2[256];
349
MBEDTLS_MAYBE_UNUSED static uint32_t FT3[256];
350
351
/*
352
 * Reverse S-box & tables
353
 */
354
MBEDTLS_MAYBE_UNUSED static unsigned char RSb[256];
355
356
MBEDTLS_MAYBE_UNUSED static uint32_t RT0[256];
357
MBEDTLS_MAYBE_UNUSED static uint32_t RT1[256];
358
MBEDTLS_MAYBE_UNUSED static uint32_t RT2[256];
359
MBEDTLS_MAYBE_UNUSED static uint32_t RT3[256];
360
361
/*
362
 * Round constants
363
 */
364
MBEDTLS_MAYBE_UNUSED static uint32_t round_constants[10];
365
366
/*
367
 * Tables generation code
368
 */
369
15.3k
#define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
370
5.22k
#define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
371
10.2k
#define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)
372
373
MBEDTLS_MAYBE_UNUSED static int aes_init_done = 0;
374
375
MBEDTLS_MAYBE_UNUSED static void aes_gen_tables(void)
376
10
{
377
10
    int i;
378
10
    uint8_t x, y, z;
379
10
    uint8_t pow[256];
380
10
    uint8_t log[256];
381
382
    /*
383
     * compute pow and log tables over GF(2^8)
384
     */
385
2.57k
    for (i = 0, x = 1; i < 256; i++) {
386
2.56k
        pow[i] = x;
387
2.56k
        log[x] = (uint8_t) i;
388
2.56k
        x ^= XTIME(x);
389
2.56k
    }
390
391
    /*
392
     * calculate the round constants
393
     */
394
110
    for (i = 0, x = 1; i < 10; i++) {
395
100
        round_constants[i] = x;
396
100
        x = XTIME(x);
397
100
    }
398
399
    /*
400
     * generate the forward and reverse S-boxes
401
     */
402
10
    FSb[0x00] = 0x63;
403
10
#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
404
10
    RSb[0x63] = 0x00;
405
10
#endif
406
407
2.56k
    for (i = 1; i < 256; i++) {
408
2.55k
        x = pow[255 - log[i]];
409
410
2.55k
        y  = x; y = (y << 1) | (y >> 7);
411
2.55k
        x ^= y; y = (y << 1) | (y >> 7);
412
2.55k
        x ^= y; y = (y << 1) | (y >> 7);
413
2.55k
        x ^= y; y = (y << 1) | (y >> 7);
414
2.55k
        x ^= y ^ 0x63;
415
416
2.55k
        FSb[i] = x;
417
2.55k
#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
418
2.55k
        RSb[x] = (unsigned char) i;
419
2.55k
#endif
420
2.55k
    }
421
422
    /*
423
     * generate the forward and reverse tables
424
     */
425
2.57k
    for (i = 0; i < 256; i++) {
426
2.56k
        x = FSb[i];
427
2.56k
        y = XTIME(x);
428
2.56k
        z = y ^ x;
429
430
2.56k
        FT0[i] = ((uint32_t) y) ^
431
2.56k
                 ((uint32_t) x <<  8) ^
432
2.56k
                 ((uint32_t) x << 16) ^
433
2.56k
                 ((uint32_t) z << 24);
434
435
2.56k
#if !defined(MBEDTLS_AES_FEWER_TABLES)
436
2.56k
        FT1[i] = ROTL8(FT0[i]);
437
2.56k
        FT2[i] = ROTL8(FT1[i]);
438
2.56k
        FT3[i] = ROTL8(FT2[i]);
439
2.56k
#endif /* !MBEDTLS_AES_FEWER_TABLES */
440
441
2.56k
#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
442
2.56k
        x = RSb[i];
443
444
2.56k
        RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
445
2.56k
                 ((uint32_t) MUL(0x09, x) <<  8) ^
446
2.56k
                 ((uint32_t) MUL(0x0D, x) << 16) ^
447
2.56k
                 ((uint32_t) MUL(0x0B, x) << 24);
448
449
2.56k
#if !defined(MBEDTLS_AES_FEWER_TABLES)
450
2.56k
        RT1[i] = ROTL8(RT0[i]);
451
2.56k
        RT2[i] = ROTL8(RT1[i]);
452
2.56k
        RT3[i] = ROTL8(RT2[i]);
453
2.56k
#endif /* !MBEDTLS_AES_FEWER_TABLES */
454
2.56k
#endif /* MBEDTLS_AES_NEED_REVERSE_TABLES */
455
2.56k
    }
456
10
}
457
458
#undef ROTL8
459
460
#endif /* MBEDTLS_AES_ROM_TABLES */
461
462
#if defined(MBEDTLS_AES_FEWER_TABLES)
463
464
#define ROTL8(x)  ((uint32_t) ((x) <<  8) + (uint32_t) ((x) >> 24))
465
#define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
466
#define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >>  8))
467
468
#define AES_RT0(idx) RT0[idx]
469
#define AES_RT1(idx) ROTL8(RT0[idx])
470
#define AES_RT2(idx) ROTL16(RT0[idx])
471
#define AES_RT3(idx) ROTL24(RT0[idx])
472
473
#define AES_FT0(idx) FT0[idx]
474
#define AES_FT1(idx) ROTL8(FT0[idx])
475
#define AES_FT2(idx) ROTL16(FT0[idx])
476
#define AES_FT3(idx) ROTL24(FT0[idx])
477
478
#else /* MBEDTLS_AES_FEWER_TABLES */
479
480
0
#define AES_RT0(idx) RT0[idx]
481
0
#define AES_RT1(idx) RT1[idx]
482
0
#define AES_RT2(idx) RT2[idx]
483
0
#define AES_RT3(idx) RT3[idx]
484
485
0
#define AES_FT0(idx) FT0[idx]
486
0
#define AES_FT1(idx) FT1[idx]
487
0
#define AES_FT2(idx) FT2[idx]
488
0
#define AES_FT3(idx) FT3[idx]
489
490
#endif /* MBEDTLS_AES_FEWER_TABLES */
491
492
void mbedtls_aes_init(mbedtls_aes_context *ctx)
493
455
{
494
455
    memset(ctx, 0, sizeof(mbedtls_aes_context));
495
455
}
496
497
void mbedtls_aes_free(mbedtls_aes_context *ctx)
498
445
{
499
445
    if (ctx == NULL) {
500
0
        return;
501
0
    }
502
503
445
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
504
445
}
505
506
#if defined(MBEDTLS_CIPHER_MODE_XTS)
507
void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
508
23
{
509
23
    mbedtls_aes_init(&ctx->crypt);
510
23
    mbedtls_aes_init(&ctx->tweak);
511
23
}
512
513
void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
514
23
{
515
23
    if (ctx == NULL) {
516
0
        return;
517
0
    }
518
519
23
    mbedtls_aes_free(&ctx->crypt);
520
23
    mbedtls_aes_free(&ctx->tweak);
521
23
}
522
#endif /* MBEDTLS_CIPHER_MODE_XTS */
523
524
/* Some implementations need the round keys to be aligned.
525
 * Return an offset to be added to buf, such that (buf + offset) is
526
 * correctly aligned.
527
 * Note that the offset is in units of elements of buf, i.e. 32-bit words,
528
 * i.e. an offset of 1 means 4 bytes and so on.
529
 */
530
#if (defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)) ||        \
531
    (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
532
#define MAY_NEED_TO_ALIGN
533
#endif
534
535
MBEDTLS_MAYBE_UNUSED static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
536
332
{
537
#if defined(MAY_NEED_TO_ALIGN)
538
    int align_16_bytes = 0;
539
540
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
541
    if (aes_padlock_ace == -1) {
542
        aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
543
    }
544
    if (aes_padlock_ace) {
545
        align_16_bytes = 1;
546
    }
547
#endif
548
549
#if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
550
    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
551
        align_16_bytes = 1;
552
    }
553
#endif
554
555
    if (align_16_bytes) {
556
        /* These implementations needs 16-byte alignment
557
         * for the round key array. */
558
        unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4;
559
        if (delta == 0) {
560
            return 0;
561
        } else {
562
            return 4 - delta; // 16 bytes = 4 uint32_t
563
        }
564
    }
565
#else /* MAY_NEED_TO_ALIGN */
566
332
    (void) buf;
567
332
#endif /* MAY_NEED_TO_ALIGN */
568
569
332
    return 0;
570
332
}
571
572
/*
573
 * AES key schedule (encryption)
574
 */
575
#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
576
int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
577
                           unsigned int keybits)
578
310
{
579
310
    uint32_t *RK;
580
581
310
    switch (keybits) {
582
123
        case 128: ctx->nr = 10; break;
583
0
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
584
72
        case 192: ctx->nr = 12; break;
585
115
        case 256: ctx->nr = 14; break;
586
0
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
587
0
        default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
588
310
    }
589
590
310
#if !defined(MBEDTLS_AES_ROM_TABLES)
591
310
    if (aes_init_done == 0) {
592
10
        aes_gen_tables();
593
10
        aes_init_done = 1;
594
10
    }
595
310
#endif
596
597
310
    ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
598
310
    RK = ctx->buf + ctx->rk_offset;
599
600
310
#if defined(MBEDTLS_AESNI_HAVE_CODE)
601
310
    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
602
310
        return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits);
603
310
    }
604
0
#endif
605
606
#if defined(MBEDTLS_AESCE_HAVE_CODE)
607
    if (MBEDTLS_AESCE_HAS_SUPPORT()) {
608
        return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits);
609
    }
610
#endif
611
612
0
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
613
0
    for (unsigned int i = 0; i < (keybits >> 5); i++) {
614
0
        RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
615
0
    }
616
617
0
    switch (ctx->nr) {
618
0
        case 10:
619
620
0
            for (unsigned int i = 0; i < 10; i++, RK += 4) {
621
0
                RK[4]  = RK[0] ^ round_constants[i] ^
622
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
623
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] <<  8) ^
624
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^
625
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24);
626
627
0
                RK[5]  = RK[1] ^ RK[4];
628
0
                RK[6]  = RK[2] ^ RK[5];
629
0
                RK[7]  = RK[3] ^ RK[6];
630
0
            }
631
0
            break;
632
633
0
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
634
0
        case 12:
635
636
0
            for (unsigned int i = 0; i < 8; i++, RK += 6) {
637
0
                RK[6]  = RK[0] ^ round_constants[i] ^
638
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
639
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] <<  8) ^
640
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^
641
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24);
642
643
0
                RK[7]  = RK[1] ^ RK[6];
644
0
                RK[8]  = RK[2] ^ RK[7];
645
0
                RK[9]  = RK[3] ^ RK[8];
646
0
                RK[10] = RK[4] ^ RK[9];
647
0
                RK[11] = RK[5] ^ RK[10];
648
0
            }
649
0
            break;
650
651
0
        case 14:
652
653
0
            for (unsigned int i = 0; i < 7; i++, RK += 8) {
654
0
                RK[8]  = RK[0] ^ round_constants[i] ^
655
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
656
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] <<  8) ^
657
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^
658
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24);
659
660
0
                RK[9]  = RK[1] ^ RK[8];
661
0
                RK[10] = RK[2] ^ RK[9];
662
0
                RK[11] = RK[3] ^ RK[10];
663
664
0
                RK[12] = RK[4] ^
665
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^
666
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] <<  8) ^
667
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^
668
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24);
669
670
0
                RK[13] = RK[5] ^ RK[12];
671
0
                RK[14] = RK[6] ^ RK[13];
672
0
                RK[15] = RK[7] ^ RK[14];
673
0
            }
674
0
            break;
675
0
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
676
0
    }
677
678
0
    return 0;
679
0
#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
680
0
}
681
#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
682
683
/*
684
 * AES key schedule (decryption)
685
 */
686
#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
687
int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
688
                           unsigned int keybits)
689
22
{
690
22
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
691
22
    uint32_t *SK;
692
22
#endif
693
22
    int ret;
694
22
    mbedtls_aes_context cty;
695
22
    uint32_t *RK;
696
697
698
22
    mbedtls_aes_init(&cty);
699
700
22
    ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
701
22
    RK = ctx->buf + ctx->rk_offset;
702
703
    /* Also checks keybits */
704
22
    if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
705
0
        goto exit;
706
0
    }
707
708
22
    ctx->nr = cty.nr;
709
710
22
#if defined(MBEDTLS_AESNI_HAVE_CODE)
711
22
    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
712
22
        mbedtls_aesni_inverse_key((unsigned char *) RK,
713
22
                                  (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr);
714
22
        goto exit;
715
22
    }
716
0
#endif
717
718
#if defined(MBEDTLS_AESCE_HAVE_CODE)
719
    if (MBEDTLS_AESCE_HAS_SUPPORT()) {
720
        mbedtls_aesce_inverse_key(
721
            (unsigned char *) RK,
722
            (const unsigned char *) (cty.buf + cty.rk_offset),
723
            ctx->nr);
724
        goto exit;
725
    }
726
#endif
727
728
0
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
729
0
    SK = cty.buf + cty.rk_offset + cty.nr * 4;
730
731
0
    *RK++ = *SK++;
732
0
    *RK++ = *SK++;
733
0
    *RK++ = *SK++;
734
0
    *RK++ = *SK++;
735
0
    SK -= 8;
736
0
    for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) {
737
0
        for (int j = 0; j < 4; j++, SK++) {
738
0
            *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
739
0
                    AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
740
0
                    AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
741
0
                    AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]);
742
0
        }
743
0
    }
744
745
0
    *RK++ = *SK++;
746
0
    *RK++ = *SK++;
747
0
    *RK++ = *SK++;
748
0
    *RK++ = *SK++;
749
0
#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
750
22
exit:
751
22
    mbedtls_aes_free(&cty);
752
753
22
    return ret;
754
0
}
755
#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
756
757
#if defined(MBEDTLS_CIPHER_MODE_XTS)
758
static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
759
                                       unsigned int keybits,
760
                                       const unsigned char **key1,
761
                                       unsigned int *key1bits,
762
                                       const unsigned char **key2,
763
                                       unsigned int *key2bits)
764
4
{
765
4
    const unsigned int half_keybits = keybits / 2;
766
4
    const unsigned int half_keybytes = half_keybits / 8;
767
768
4
    switch (keybits) {
769
1
        case 256: break;
770
3
        case 512: break;
771
0
        default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
772
4
    }
773
774
4
    *key1bits = half_keybits;
775
4
    *key2bits = half_keybits;
776
4
    *key1 = &key[0];
777
4
    *key2 = &key[half_keybytes];
778
779
4
    return 0;
780
4
}
781
782
int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
783
                               const unsigned char *key,
784
                               unsigned int keybits)
785
2
{
786
2
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
787
2
    const unsigned char *key1, *key2;
788
2
    unsigned int key1bits, key2bits;
789
790
2
    ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
791
2
                                      &key2, &key2bits);
792
2
    if (ret != 0) {
793
0
        return ret;
794
0
    }
795
796
    /* Set the tweak key. Always set tweak key for the encryption mode. */
797
2
    ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
798
2
    if (ret != 0) {
799
0
        return ret;
800
0
    }
801
802
    /* Set crypt key for encryption. */
803
2
    return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
804
2
}
805
806
int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
807
                               const unsigned char *key,
808
                               unsigned int keybits)
809
2
{
810
2
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
811
2
    const unsigned char *key1, *key2;
812
2
    unsigned int key1bits, key2bits;
813
814
2
    ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
815
2
                                      &key2, &key2bits);
816
2
    if (ret != 0) {
817
0
        return ret;
818
0
    }
819
820
    /* Set the tweak key. Always set tweak key for encryption. */
821
2
    ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
822
2
    if (ret != 0) {
823
0
        return ret;
824
0
    }
825
826
    /* Set crypt key for decryption. */
827
2
    return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
828
2
}
829
#endif /* MBEDTLS_CIPHER_MODE_XTS */
830
831
#define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3)                 \
832
0
    do                                                      \
833
0
    {                                                       \
834
0
        (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^    \
835
0
               AES_FT1(MBEDTLS_BYTE_1(Y1)) ^    \
836
0
               AES_FT2(MBEDTLS_BYTE_2(Y2)) ^    \
837
0
               AES_FT3(MBEDTLS_BYTE_3(Y3));     \
838
0
                                                            \
839
0
        (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^    \
840
0
               AES_FT1(MBEDTLS_BYTE_1(Y2)) ^    \
841
0
               AES_FT2(MBEDTLS_BYTE_2(Y3)) ^    \
842
0
               AES_FT3(MBEDTLS_BYTE_3(Y0));     \
843
0
                                                            \
844
0
        (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^    \
845
0
               AES_FT1(MBEDTLS_BYTE_1(Y3)) ^    \
846
0
               AES_FT2(MBEDTLS_BYTE_2(Y0)) ^    \
847
0
               AES_FT3(MBEDTLS_BYTE_3(Y1));     \
848
0
                                                            \
849
0
        (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^    \
850
0
               AES_FT1(MBEDTLS_BYTE_1(Y0)) ^    \
851
0
               AES_FT2(MBEDTLS_BYTE_2(Y1)) ^    \
852
0
               AES_FT3(MBEDTLS_BYTE_3(Y2));     \
853
0
    } while (0)
854
855
#define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3)                 \
856
0
    do                                                      \
857
0
    {                                                       \
858
0
        (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^    \
859
0
               AES_RT1(MBEDTLS_BYTE_1(Y3)) ^    \
860
0
               AES_RT2(MBEDTLS_BYTE_2(Y2)) ^    \
861
0
               AES_RT3(MBEDTLS_BYTE_3(Y1));     \
862
0
                                                            \
863
0
        (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^    \
864
0
               AES_RT1(MBEDTLS_BYTE_1(Y0)) ^    \
865
0
               AES_RT2(MBEDTLS_BYTE_2(Y3)) ^    \
866
0
               AES_RT3(MBEDTLS_BYTE_3(Y2));     \
867
0
                                                            \
868
0
        (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^    \
869
0
               AES_RT1(MBEDTLS_BYTE_1(Y1)) ^    \
870
0
               AES_RT2(MBEDTLS_BYTE_2(Y0)) ^    \
871
0
               AES_RT3(MBEDTLS_BYTE_3(Y3));     \
872
0
                                                            \
873
0
        (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^    \
874
0
               AES_RT1(MBEDTLS_BYTE_1(Y2)) ^    \
875
0
               AES_RT2(MBEDTLS_BYTE_2(Y1)) ^    \
876
0
               AES_RT3(MBEDTLS_BYTE_3(Y0));     \
877
0
    } while (0)
878
879
/*
880
 * AES-ECB block encryption
881
 */
882
#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
883
int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
884
                                 const unsigned char input[16],
885
                                 unsigned char output[16])
886
0
{
887
0
    int i;
888
0
    uint32_t *RK = ctx->buf + ctx->rk_offset;
889
0
    struct {
890
0
        uint32_t X[4];
891
0
        uint32_t Y[4];
892
0
    } t;
893
894
0
    t.X[0] = MBEDTLS_GET_UINT32_LE(input,  0); t.X[0] ^= *RK++;
895
0
    t.X[1] = MBEDTLS_GET_UINT32_LE(input,  4); t.X[1] ^= *RK++;
896
0
    t.X[2] = MBEDTLS_GET_UINT32_LE(input,  8); t.X[2] ^= *RK++;
897
0
    t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
898
899
0
    for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
900
0
        AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
901
0
        AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
902
0
    }
903
904
0
    AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
905
906
0
    t.X[0] = *RK++ ^ \
907
0
             ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
908
0
             ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] <<  8) ^
909
0
             ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
910
0
             ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
911
912
0
    t.X[1] = *RK++ ^ \
913
0
             ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
914
0
             ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] <<  8) ^
915
0
             ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
916
0
             ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
917
918
0
    t.X[2] = *RK++ ^ \
919
0
             ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
920
0
             ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] <<  8) ^
921
0
             ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
922
0
             ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
923
924
0
    t.X[3] = *RK++ ^ \
925
0
             ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
926
0
             ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] <<  8) ^
927
0
             ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
928
0
             ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
929
930
0
    MBEDTLS_PUT_UINT32_LE(t.X[0], output,  0);
931
0
    MBEDTLS_PUT_UINT32_LE(t.X[1], output,  4);
932
0
    MBEDTLS_PUT_UINT32_LE(t.X[2], output,  8);
933
0
    MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
934
935
0
    mbedtls_platform_zeroize(&t, sizeof(t));
936
937
0
    return 0;
938
0
}
939
#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
940
941
/*
942
 * AES-ECB block decryption
943
 */
944
#if !defined(MBEDTLS_AES_DECRYPT_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
945
int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
946
                                 const unsigned char input[16],
947
                                 unsigned char output[16])
948
0
{
949
0
    int i;
950
0
    uint32_t *RK = ctx->buf + ctx->rk_offset;
951
0
    struct {
952
0
        uint32_t X[4];
953
0
        uint32_t Y[4];
954
0
    } t;
955
956
0
    t.X[0] = MBEDTLS_GET_UINT32_LE(input,  0); t.X[0] ^= *RK++;
957
0
    t.X[1] = MBEDTLS_GET_UINT32_LE(input,  4); t.X[1] ^= *RK++;
958
0
    t.X[2] = MBEDTLS_GET_UINT32_LE(input,  8); t.X[2] ^= *RK++;
959
0
    t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
960
961
0
    for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
962
0
        AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
963
0
        AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
964
0
    }
965
966
0
    AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
967
968
0
    t.X[0] = *RK++ ^ \
969
0
             ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
970
0
             ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] <<  8) ^
971
0
             ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
972
0
             ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
973
974
0
    t.X[1] = *RK++ ^ \
975
0
             ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
976
0
             ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] <<  8) ^
977
0
             ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
978
0
             ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
979
980
0
    t.X[2] = *RK++ ^ \
981
0
             ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
982
0
             ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] <<  8) ^
983
0
             ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
984
0
             ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
985
986
0
    t.X[3] = *RK++ ^ \
987
0
             ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
988
0
             ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] <<  8) ^
989
0
             ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
990
0
             ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
991
992
0
    MBEDTLS_PUT_UINT32_LE(t.X[0], output,  0);
993
0
    MBEDTLS_PUT_UINT32_LE(t.X[1], output,  4);
994
0
    MBEDTLS_PUT_UINT32_LE(t.X[2], output,  8);
995
0
    MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
996
997
0
    mbedtls_platform_zeroize(&t, sizeof(t));
998
999
0
    return 0;
1000
0
}
1001
#endif /* !MBEDTLS_AES_DECRYPT_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
1002
1003
/* VIA Padlock and our intrinsics-based implementation of AESNI require
1004
 * the round keys to be aligned on a 16-byte boundary. We take care of this
1005
 * before creating them, but the AES context may have moved (this can happen
1006
 * if the library is called from a language with managed memory), and in later
1007
 * calls it might have a different alignment with respect to 16-byte memory.
1008
 * So we may need to realign.
1009
 */
1010
MBEDTLS_MAYBE_UNUSED static void aes_maybe_realign(mbedtls_aes_context *ctx)
1011
0
{
1012
0
    unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf);
1013
0
    if (new_offset != ctx->rk_offset) {
1014
0
        memmove(ctx->buf + new_offset,     // new address
1015
0
                ctx->buf + ctx->rk_offset, // current address
1016
0
                (ctx->nr + 1) * 16);       // number of round keys * bytes per rk
1017
0
        ctx->rk_offset = new_offset;
1018
0
    }
1019
0
}
1020
1021
/*
1022
 * AES-ECB block encryption/decryption
1023
 */
1024
int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
1025
                          int mode,
1026
                          const unsigned char input[16],
1027
                          unsigned char output[16])
1028
3.59k
{
1029
3.59k
    if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1030
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1031
0
    }
1032
1033
#if defined(MAY_NEED_TO_ALIGN)
1034
    aes_maybe_realign(ctx);
1035
#endif
1036
1037
3.59k
#if defined(MBEDTLS_AESNI_HAVE_CODE)
1038
3.59k
    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
1039
3.59k
        return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
1040
3.59k
    }
1041
0
#endif
1042
1043
#if defined(MBEDTLS_AESCE_HAVE_CODE)
1044
    if (MBEDTLS_AESCE_HAS_SUPPORT()) {
1045
        return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
1046
    }
1047
#endif
1048
1049
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
1050
    if (aes_padlock_ace > 0) {
1051
        return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
1052
    }
1053
#endif
1054
1055
0
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
1056
0
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
1057
0
    if (mode == MBEDTLS_AES_DECRYPT) {
1058
0
        return mbedtls_internal_aes_decrypt(ctx, input, output);
1059
0
    } else
1060
0
#endif
1061
0
    {
1062
0
        return mbedtls_internal_aes_encrypt(ctx, input, output);
1063
0
    }
1064
0
#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
1065
0
}
1066
1067
#if defined(MBEDTLS_CIPHER_MODE_CBC)
1068
1069
/*
1070
 * AES-CBC buffer encryption/decryption
1071
 */
1072
int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
1073
                          int mode,
1074
                          size_t length,
1075
                          unsigned char iv[16],
1076
                          const unsigned char *input,
1077
                          unsigned char *output)
1078
2
{
1079
2
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1080
2
    unsigned char temp[16];
1081
1082
2
    if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1083
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1084
0
    }
1085
1086
    /* Nothing to do if length is zero. */
1087
2
    if (length == 0) {
1088
0
        return 0;
1089
0
    }
1090
1091
2
    if (length % 16) {
1092
0
        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1093
0
    }
1094
1095
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
1096
    if (aes_padlock_ace > 0) {
1097
        if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
1098
            return 0;
1099
        }
1100
1101
        // If padlock data misaligned, we just fall back to
1102
        // unaccelerated mode
1103
        //
1104
    }
1105
#endif
1106
1107
2
    const unsigned char *ivp = iv;
1108
1109
2
    if (mode == MBEDTLS_AES_DECRYPT) {
1110
0
        while (length > 0) {
1111
0
            memcpy(temp, input, 16);
1112
0
            ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output);
1113
0
            if (ret != 0) {
1114
0
                goto exit;
1115
0
            }
1116
            /* Avoid using the NEON implementation of mbedtls_xor. Because of the dependency on
1117
             * the result for the next block in CBC, and the cost of transferring that data from
1118
             * NEON registers, NEON is slower on aarch64. */
1119
0
            mbedtls_xor_no_simd(output, output, iv, 16);
1120
1121
0
            memcpy(iv, temp, 16);
1122
1123
0
            input  += 16;
1124
0
            output += 16;
1125
0
            length -= 16;
1126
0
        }
1127
2
    } else {
1128
4
        while (length > 0) {
1129
2
            mbedtls_xor_no_simd(output, input, ivp, 16);
1130
1131
2
            ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
1132
2
            if (ret != 0) {
1133
0
                goto exit;
1134
0
            }
1135
2
            ivp = output;
1136
1137
2
            input  += 16;
1138
2
            output += 16;
1139
2
            length -= 16;
1140
2
        }
1141
2
        memcpy(iv, ivp, 16);
1142
2
    }
1143
2
    ret = 0;
1144
1145
2
exit:
1146
2
    return ret;
1147
2
}
1148
#endif /* MBEDTLS_CIPHER_MODE_CBC */
1149
1150
#if defined(MBEDTLS_CIPHER_MODE_XTS)
1151
1152
typedef unsigned char mbedtls_be128[16];
1153
1154
/*
1155
 * GF(2^128) multiplication function
1156
 *
1157
 * This function multiplies a field element by x in the polynomial field
1158
 * representation. It uses 64-bit word operations to gain speed but compensates
1159
 * for machine endianness and hence works correctly on both big and little
1160
 * endian machines.
1161
 */
1162
#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
1163
MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
1164
#endif
1165
static inline void mbedtls_gf128mul_x_ble(unsigned char r[16],
1166
                                          const unsigned char x[16])
1167
0
{
1168
0
    uint64_t a, b, ra, rb;
1169
1170
0
    a = MBEDTLS_GET_UINT64_LE(x, 0);
1171
0
    b = MBEDTLS_GET_UINT64_LE(x, 8);
1172
1173
0
    ra = (a << 1)  ^ 0x0087 >> (8 - ((b >> 63) << 3));
1174
0
    rb = (a >> 63) | (b << 1);
1175
1176
0
    MBEDTLS_PUT_UINT64_LE(ra, r, 0);
1177
0
    MBEDTLS_PUT_UINT64_LE(rb, r, 8);
1178
0
}
1179
1180
/*
1181
 * AES-XTS buffer encryption/decryption
1182
 *
1183
 * Use of MBEDTLS_OPTIMIZE_FOR_PERFORMANCE here and for mbedtls_gf128mul_x_ble()
1184
 * is a 3x performance improvement for gcc -Os, if we have hardware AES support.
1185
 */
1186
#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
1187
MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
1188
#endif
1189
int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
1190
                          int mode,
1191
                          size_t length,
1192
                          const unsigned char data_unit[16],
1193
                          const unsigned char *input,
1194
                          unsigned char *output)
1195
0
{
1196
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1197
0
    size_t blocks = length / 16;
1198
0
    size_t leftover = length % 16;
1199
0
    unsigned char tweak[16];
1200
0
    unsigned char prev_tweak[16];
1201
0
    unsigned char tmp[16];
1202
1203
0
    if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1204
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1205
0
    }
1206
1207
    /* Data units must be at least 16 bytes long. */
1208
0
    if (length < 16) {
1209
0
        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1210
0
    }
1211
1212
    /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1213
0
    if (length > (1 << 20) * 16) {
1214
0
        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1215
0
    }
1216
1217
    /* Compute the tweak. */
1218
0
    ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
1219
0
                                data_unit, tweak);
1220
0
    if (ret != 0) {
1221
0
        return ret;
1222
0
    }
1223
1224
0
    while (blocks--) {
1225
0
        if (MBEDTLS_UNLIKELY(leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0)) {
1226
            /* We are on the last block in a decrypt operation that has
1227
             * leftover bytes, so we need to use the next tweak for this block,
1228
             * and this tweak for the leftover bytes. Save the current tweak for
1229
             * the leftovers and then update the current tweak for use on this,
1230
             * the last full block. */
1231
0
            memcpy(prev_tweak, tweak, sizeof(tweak));
1232
0
            mbedtls_gf128mul_x_ble(tweak, tweak);
1233
0
        }
1234
1235
0
        mbedtls_xor(tmp, input, tweak, 16);
1236
1237
0
        ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1238
0
        if (ret != 0) {
1239
0
            return ret;
1240
0
        }
1241
1242
0
        mbedtls_xor(output, tmp, tweak, 16);
1243
1244
        /* Update the tweak for the next block. */
1245
0
        mbedtls_gf128mul_x_ble(tweak, tweak);
1246
1247
0
        output += 16;
1248
0
        input += 16;
1249
0
    }
1250
1251
0
    if (leftover) {
1252
        /* If we are on the leftover bytes in a decrypt operation, we need to
1253
         * use the previous tweak for these bytes (as saved in prev_tweak). */
1254
0
        unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1255
1256
        /* We are now on the final part of the data unit, which doesn't divide
1257
         * evenly by 16. It's time for ciphertext stealing. */
1258
0
        size_t i;
1259
0
        unsigned char *prev_output = output - 16;
1260
1261
        /* Copy ciphertext bytes from the previous block to our output for each
1262
         * byte of ciphertext we won't steal. */
1263
0
        for (i = 0; i < leftover; i++) {
1264
0
            output[i] = prev_output[i];
1265
0
        }
1266
1267
        /* Copy the remainder of the input for this final round. */
1268
0
        mbedtls_xor(tmp, input, t, leftover);
1269
1270
        /* Copy ciphertext bytes from the previous block for input in this
1271
         * round. */
1272
0
        mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i);
1273
1274
0
        ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1275
0
        if (ret != 0) {
1276
0
            return ret;
1277
0
        }
1278
1279
        /* Write the result back to the previous block, overriding the previous
1280
         * output we copied. */
1281
0
        mbedtls_xor(prev_output, tmp, t, 16);
1282
0
    }
1283
1284
0
    return 0;
1285
0
}
1286
#endif /* MBEDTLS_CIPHER_MODE_XTS */
1287
1288
#if defined(MBEDTLS_CIPHER_MODE_CFB)
1289
/*
1290
 * AES-CFB128 buffer encryption/decryption
1291
 */
1292
int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
1293
                             int mode,
1294
                             size_t length,
1295
                             size_t *iv_off,
1296
                             unsigned char iv[16],
1297
                             const unsigned char *input,
1298
                             unsigned char *output)
1299
4
{
1300
4
    int c;
1301
4
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1302
4
    size_t n;
1303
1304
4
    if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1305
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1306
0
    }
1307
1308
4
    n = *iv_off;
1309
1310
4
    if (n > 15) {
1311
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1312
0
    }
1313
1314
4
    if (mode == MBEDTLS_AES_DECRYPT) {
1315
0
        while (length--) {
1316
0
            if (n == 0) {
1317
0
                ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1318
0
                if (ret != 0) {
1319
0
                    goto exit;
1320
0
                }
1321
0
            }
1322
1323
0
            c = *input++;
1324
0
            *output++ = (unsigned char) (c ^ iv[n]);
1325
0
            iv[n] = (unsigned char) c;
1326
1327
0
            n = (n + 1) & 0x0F;
1328
0
        }
1329
4
    } else {
1330
20
        while (length--) {
1331
16
            if (n == 0) {
1332
1
                ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1333
1
                if (ret != 0) {
1334
0
                    goto exit;
1335
0
                }
1336
1
            }
1337
1338
16
            iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
1339
1340
16
            n = (n + 1) & 0x0F;
1341
16
        }
1342
4
    }
1343
1344
4
    *iv_off = n;
1345
4
    ret = 0;
1346
1347
4
exit:
1348
4
    return ret;
1349
4
}
1350
1351
/*
1352
 * AES-CFB8 buffer encryption/decryption
1353
 */
1354
int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
1355
                           int mode,
1356
                           size_t length,
1357
                           unsigned char iv[16],
1358
                           const unsigned char *input,
1359
                           unsigned char *output)
1360
0
{
1361
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1362
0
    unsigned char c;
1363
0
    unsigned char ov[17];
1364
1365
0
    if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
1366
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1367
0
    }
1368
0
    while (length--) {
1369
0
        memcpy(ov, iv, 16);
1370
0
        ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1371
0
        if (ret != 0) {
1372
0
            goto exit;
1373
0
        }
1374
1375
0
        if (mode == MBEDTLS_AES_DECRYPT) {
1376
0
            ov[16] = *input;
1377
0
        }
1378
1379
0
        c = *output++ = (unsigned char) (iv[0] ^ *input++);
1380
1381
0
        if (mode == MBEDTLS_AES_ENCRYPT) {
1382
0
            ov[16] = c;
1383
0
        }
1384
1385
0
        memcpy(iv, ov + 1, 16);
1386
0
    }
1387
0
    ret = 0;
1388
1389
0
exit:
1390
0
    return ret;
1391
0
}
1392
#endif /* MBEDTLS_CIPHER_MODE_CFB */
1393
1394
#if defined(MBEDTLS_CIPHER_MODE_OFB)
1395
/*
1396
 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1397
 */
1398
int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
1399
                          size_t length,
1400
                          size_t *iv_off,
1401
                          unsigned char iv[16],
1402
                          const unsigned char *input,
1403
                          unsigned char *output)
1404
38
{
1405
38
    int ret = 0;
1406
38
    size_t n;
1407
1408
38
    n = *iv_off;
1409
1410
38
    if (n > 15) {
1411
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1412
0
    }
1413
1414
1.16k
    while (length--) {
1415
1.12k
        if (n == 0) {
1416
72
            ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1417
72
            if (ret != 0) {
1418
0
                goto exit;
1419
0
            }
1420
72
        }
1421
1.12k
        *output++ =  *input++ ^ iv[n];
1422
1423
1.12k
        n = (n + 1) & 0x0F;
1424
1.12k
    }
1425
1426
38
    *iv_off = n;
1427
1428
38
exit:
1429
38
    return ret;
1430
38
}
1431
#endif /* MBEDTLS_CIPHER_MODE_OFB */
1432
1433
#if defined(MBEDTLS_CIPHER_MODE_CTR)
1434
/*
1435
 * AES-CTR buffer encryption/decryption
1436
 */
1437
int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
1438
                          size_t length,
1439
                          size_t *nc_off,
1440
                          unsigned char nonce_counter[16],
1441
                          unsigned char stream_block[16],
1442
                          const unsigned char *input,
1443
                          unsigned char *output)
1444
0
{
1445
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1446
1447
0
    size_t offset = *nc_off;
1448
1449
0
    if (offset > 0x0F) {
1450
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1451
0
    }
1452
1453
0
    for (size_t i = 0; i < length;) {
1454
0
        size_t n = 16;
1455
0
        if (offset == 0) {
1456
0
            ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
1457
0
            if (ret != 0) {
1458
0
                goto exit;
1459
0
            }
1460
0
            mbedtls_ctr_increment_counter(nonce_counter);
1461
0
        } else {
1462
0
            n -= offset;
1463
0
        }
1464
1465
0
        if (n > (length - i)) {
1466
0
            n = (length - i);
1467
0
        }
1468
0
        mbedtls_xor(&output[i], &input[i], &stream_block[offset], n);
1469
        // offset might be non-zero for the last block, but in that case, we don't use it again
1470
0
        offset = 0;
1471
0
        i += n;
1472
0
    }
1473
1474
    // capture offset for future resumption
1475
0
    *nc_off = (*nc_off + length) % 16;
1476
1477
0
    ret = 0;
1478
1479
0
exit:
1480
0
    return ret;
1481
0
}
1482
#endif /* MBEDTLS_CIPHER_MODE_CTR */
1483
1484
#endif /* !MBEDTLS_AES_ALT */
1485
1486
#if defined(MBEDTLS_SELF_TEST)
1487
/*
1488
 * AES test vectors from:
1489
 *
1490
 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1491
 */
1492
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
1493
static const unsigned char aes_test_ecb_dec[][16] =
1494
{
1495
    { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1496
      0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1497
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1498
    { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1499
      0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1500
    { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1501
      0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1502
#endif
1503
};
1504
#endif
1505
1506
static const unsigned char aes_test_ecb_enc[][16] =
1507
{
1508
    { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1509
      0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1510
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1511
    { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1512
      0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1513
    { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1514
      0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1515
#endif
1516
};
1517
1518
#if defined(MBEDTLS_CIPHER_MODE_CBC)
1519
static const unsigned char aes_test_cbc_dec[][16] =
1520
{
1521
    { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1522
      0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1523
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1524
    { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1525
      0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1526
    { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1527
      0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1528
#endif
1529
};
1530
1531
static const unsigned char aes_test_cbc_enc[][16] =
1532
{
1533
    { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1534
      0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1535
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1536
    { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1537
      0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1538
    { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1539
      0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1540
#endif
1541
};
1542
#endif /* MBEDTLS_CIPHER_MODE_CBC */
1543
1544
#if defined(MBEDTLS_CIPHER_MODE_CFB)
1545
/*
1546
 * AES-CFB128 test vectors from:
1547
 *
1548
 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1549
 */
1550
static const unsigned char aes_test_cfb128_key[][32] =
1551
{
1552
    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1553
      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1554
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1555
    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1556
      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1557
      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1558
    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1559
      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1560
      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1561
      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1562
#endif
1563
};
1564
1565
static const unsigned char aes_test_cfb128_iv[16] =
1566
{
1567
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1568
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1569
};
1570
1571
static const unsigned char aes_test_cfb128_pt[64] =
1572
{
1573
    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1574
    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1575
    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1576
    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1577
    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1578
    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1579
    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1580
    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1581
};
1582
1583
static const unsigned char aes_test_cfb128_ct[][64] =
1584
{
1585
    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1586
      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1587
      0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1588
      0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1589
      0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1590
      0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1591
      0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1592
      0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1593
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1594
    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1595
      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1596
      0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1597
      0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1598
      0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1599
      0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1600
      0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1601
      0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1602
    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1603
      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1604
      0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1605
      0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1606
      0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1607
      0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1608
      0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1609
      0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1610
#endif
1611
};
1612
#endif /* MBEDTLS_CIPHER_MODE_CFB */
1613
1614
#if defined(MBEDTLS_CIPHER_MODE_OFB)
1615
/*
1616
 * AES-OFB test vectors from:
1617
 *
1618
 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1619
 */
1620
static const unsigned char aes_test_ofb_key[][32] =
1621
{
1622
    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1623
      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1624
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1625
    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1626
      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1627
      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1628
    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1629
      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1630
      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1631
      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1632
#endif
1633
};
1634
1635
static const unsigned char aes_test_ofb_iv[16] =
1636
{
1637
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1638
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1639
};
1640
1641
static const unsigned char aes_test_ofb_pt[64] =
1642
{
1643
    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1644
    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1645
    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1646
    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1647
    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1648
    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1649
    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1650
    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1651
};
1652
1653
static const unsigned char aes_test_ofb_ct[][64] =
1654
{
1655
    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1656
      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1657
      0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1658
      0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1659
      0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1660
      0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1661
      0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1662
      0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1663
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1664
    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1665
      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1666
      0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1667
      0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1668
      0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1669
      0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1670
      0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1671
      0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1672
    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1673
      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1674
      0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1675
      0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1676
      0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1677
      0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1678
      0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1679
      0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1680
#endif
1681
};
1682
#endif /* MBEDTLS_CIPHER_MODE_OFB */
1683
1684
#if defined(MBEDTLS_CIPHER_MODE_CTR)
1685
/*
1686
 * AES-CTR test vectors from:
1687
 *
1688
 * http://www.faqs.org/rfcs/rfc3686.html
1689
 */
1690
1691
static const unsigned char aes_test_ctr_key[][16] =
1692
{
1693
    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1694
      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1695
    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1696
      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1697
    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1698
      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1699
};
1700
1701
static const unsigned char aes_test_ctr_nonce_counter[][16] =
1702
{
1703
    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1704
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1705
    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1706
      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1707
    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1708
      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1709
};
1710
1711
static const unsigned char aes_test_ctr_pt[][48] =
1712
{
1713
    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1714
      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1715
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1716
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1717
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1718
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1719
1720
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1721
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1722
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1723
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1724
      0x20, 0x21, 0x22, 0x23 }
1725
};
1726
1727
static const unsigned char aes_test_ctr_ct[][48] =
1728
{
1729
    { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1730
      0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1731
    { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1732
      0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1733
      0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1734
      0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1735
    { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1736
      0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1737
      0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1738
      0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1739
      0x25, 0xB2, 0x07, 0x2F }
1740
};
1741
1742
static const int aes_test_ctr_len[3] =
1743
{ 16, 32, 36 };
1744
#endif /* MBEDTLS_CIPHER_MODE_CTR */
1745
1746
#if defined(MBEDTLS_CIPHER_MODE_XTS)
1747
/*
1748
 * AES-XTS test vectors from:
1749
 *
1750
 * IEEE P1619/D16 Annex B
1751
 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1752
 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1753
 */
1754
static const unsigned char aes_test_xts_key[][32] =
1755
{
1756
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1757
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1758
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1759
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1760
    { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1761
      0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1762
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1763
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1764
    { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1765
      0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1766
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1767
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1768
};
1769
1770
static const unsigned char aes_test_xts_pt32[][32] =
1771
{
1772
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1773
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1775
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1776
    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1777
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1778
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1779
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1780
    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1781
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1782
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1783
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1784
};
1785
1786
static const unsigned char aes_test_xts_ct32[][32] =
1787
{
1788
    { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1789
      0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1790
      0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1791
      0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1792
    { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1793
      0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1794
      0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1795
      0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1796
    { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1797
      0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1798
      0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1799
      0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1800
};
1801
1802
static const unsigned char aes_test_xts_data_unit[][16] =
1803
{
1804
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1805
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1806
    { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1807
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1808
    { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1809
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1810
};
1811
1812
#endif /* MBEDTLS_CIPHER_MODE_XTS */
1813
1814
/*
1815
 * Checkup routine
1816
 */
1817
int mbedtls_aes_self_test(int verbose)
1818
0
{
1819
0
    int ret = 0, i, j, u, mode;
1820
0
    unsigned int keybits;
1821
0
    unsigned char key[32];
1822
0
    unsigned char buf[64];
1823
0
    const unsigned char *aes_tests;
1824
0
#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1825
0
    defined(MBEDTLS_CIPHER_MODE_OFB)
1826
0
    unsigned char iv[16];
1827
0
#endif
1828
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
1829
0
    unsigned char prv[16];
1830
0
#endif
1831
0
#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1832
0
    defined(MBEDTLS_CIPHER_MODE_OFB)
1833
0
    size_t offset;
1834
0
#endif
1835
0
#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1836
0
    int len;
1837
0
#endif
1838
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
1839
0
    unsigned char nonce_counter[16];
1840
0
    unsigned char stream_block[16];
1841
0
#endif
1842
0
    mbedtls_aes_context ctx;
1843
1844
0
    memset(key, 0, 32);
1845
0
    mbedtls_aes_init(&ctx);
1846
1847
0
    if (verbose != 0) {
1848
#if defined(MBEDTLS_AES_ALT)
1849
        mbedtls_printf("  AES note: alternative implementation.\n");
1850
#else /* MBEDTLS_AES_ALT */
1851
0
#if defined(MBEDTLS_AESNI_HAVE_CODE)
1852
0
#if MBEDTLS_AESNI_HAVE_CODE == 1
1853
0
        mbedtls_printf("  AES note: AESNI code present (assembly implementation).\n");
1854
#elif MBEDTLS_AESNI_HAVE_CODE == 2
1855
        mbedtls_printf("  AES note: AESNI code present (intrinsics implementation).\n");
1856
#else
1857
#error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE"
1858
#endif
1859
0
        if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
1860
0
            mbedtls_printf("  AES note: using AESNI.\n");
1861
0
        } else
1862
0
#endif
1863
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
1864
        if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
1865
            mbedtls_printf("  AES note: using VIA Padlock.\n");
1866
        } else
1867
#endif
1868
#if defined(MBEDTLS_AESCE_HAVE_CODE)
1869
        if (MBEDTLS_AESCE_HAS_SUPPORT()) {
1870
            mbedtls_printf("  AES note: using AESCE.\n");
1871
        } else
1872
#endif
1873
0
        {
1874
0
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
1875
0
            mbedtls_printf("  AES note: built-in implementation.\n");
1876
0
#endif
1877
0
        }
1878
0
#endif /* MBEDTLS_AES_ALT */
1879
0
    }
1880
1881
    /*
1882
     * ECB mode
1883
     */
1884
0
    {
1885
0
        static const int num_tests =
1886
0
            sizeof(aes_test_ecb_enc) / sizeof(*aes_test_ecb_enc);
1887
1888
0
        for (i = 0; i < num_tests << 1; i++) {
1889
0
            u = i >> 1;
1890
0
            keybits = 128 + u * 64;
1891
0
            mode = i & 1;
1892
1893
0
            if (verbose != 0) {
1894
0
                mbedtls_printf("  AES-ECB-%3u (%s): ", keybits,
1895
0
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1896
0
            }
1897
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
1898
            if (mode == MBEDTLS_AES_DECRYPT) {
1899
                if (verbose != 0) {
1900
                    mbedtls_printf("skipped\n");
1901
                }
1902
                continue;
1903
            }
1904
#endif
1905
1906
0
            memset(buf, 0, 16);
1907
1908
0
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
1909
0
            if (mode == MBEDTLS_AES_DECRYPT) {
1910
0
                ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1911
0
                aes_tests = aes_test_ecb_dec[u];
1912
0
            } else
1913
0
#endif
1914
0
            {
1915
0
                ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1916
0
                aes_tests = aes_test_ecb_enc[u];
1917
0
            }
1918
1919
            /*
1920
             * AES-192 is an optional feature that may be unavailable when
1921
             * there is an alternative underlying implementation i.e. when
1922
             * MBEDTLS_AES_ALT is defined.
1923
             */
1924
0
            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1925
0
                mbedtls_printf("skipped\n");
1926
0
                continue;
1927
0
            } else if (ret != 0) {
1928
0
                goto exit;
1929
0
            }
1930
1931
0
            for (j = 0; j < 10000; j++) {
1932
0
                ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
1933
0
                if (ret != 0) {
1934
0
                    goto exit;
1935
0
                }
1936
0
            }
1937
1938
0
            if (memcmp(buf, aes_tests, 16) != 0) {
1939
0
                ret = 1;
1940
0
                goto exit;
1941
0
            }
1942
1943
0
            if (verbose != 0) {
1944
0
                mbedtls_printf("passed\n");
1945
0
            }
1946
0
        }
1947
1948
0
        if (verbose != 0) {
1949
0
            mbedtls_printf("\n");
1950
0
        }
1951
0
    }
1952
1953
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
1954
    /*
1955
     * CBC mode
1956
     */
1957
0
    {
1958
0
        static const int num_tests =
1959
0
            sizeof(aes_test_cbc_dec) / sizeof(*aes_test_cbc_dec);
1960
1961
0
        for (i = 0; i < num_tests << 1; i++) {
1962
0
            u = i >> 1;
1963
0
            keybits = 128 + u * 64;
1964
0
            mode = i & 1;
1965
1966
0
            if (verbose != 0) {
1967
0
                mbedtls_printf("  AES-CBC-%3u (%s): ", keybits,
1968
0
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1969
0
            }
1970
1971
0
            memset(iv, 0, 16);
1972
0
            memset(prv, 0, 16);
1973
0
            memset(buf, 0, 16);
1974
1975
0
            if (mode == MBEDTLS_AES_DECRYPT) {
1976
0
                ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1977
0
                aes_tests = aes_test_cbc_dec[u];
1978
0
            } else {
1979
0
                ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1980
0
                aes_tests = aes_test_cbc_enc[u];
1981
0
            }
1982
1983
            /*
1984
             * AES-192 is an optional feature that may be unavailable when
1985
             * there is an alternative underlying implementation i.e. when
1986
             * MBEDTLS_AES_ALT is defined.
1987
             */
1988
0
            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1989
0
                mbedtls_printf("skipped\n");
1990
0
                continue;
1991
0
            } else if (ret != 0) {
1992
0
                goto exit;
1993
0
            }
1994
1995
0
            for (j = 0; j < 10000; j++) {
1996
0
                if (mode == MBEDTLS_AES_ENCRYPT) {
1997
0
                    unsigned char tmp[16];
1998
1999
0
                    memcpy(tmp, prv, 16);
2000
0
                    memcpy(prv, buf, 16);
2001
0
                    memcpy(buf, tmp, 16);
2002
0
                }
2003
2004
0
                ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
2005
0
                if (ret != 0) {
2006
0
                    goto exit;
2007
0
                }
2008
2009
0
            }
2010
2011
0
            if (memcmp(buf, aes_tests, 16) != 0) {
2012
0
                ret = 1;
2013
0
                goto exit;
2014
0
            }
2015
2016
0
            if (verbose != 0) {
2017
0
                mbedtls_printf("passed\n");
2018
0
            }
2019
0
        }
2020
2021
0
        if (verbose != 0) {
2022
0
            mbedtls_printf("\n");
2023
0
        }
2024
0
    }
2025
0
#endif /* MBEDTLS_CIPHER_MODE_CBC */
2026
2027
0
#if defined(MBEDTLS_CIPHER_MODE_CFB)
2028
    /*
2029
     * CFB128 mode
2030
     */
2031
0
    {
2032
0
        static const int num_tests =
2033
0
            sizeof(aes_test_cfb128_key) / sizeof(*aes_test_cfb128_key);
2034
2035
0
        for (i = 0; i < num_tests << 1; i++) {
2036
0
            u = i >> 1;
2037
0
            keybits = 128 + u * 64;
2038
0
            mode = i & 1;
2039
2040
0
            if (verbose != 0) {
2041
0
                mbedtls_printf("  AES-CFB128-%3u (%s): ", keybits,
2042
0
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2043
0
            }
2044
2045
0
            memcpy(iv,  aes_test_cfb128_iv, 16);
2046
0
            memcpy(key, aes_test_cfb128_key[u], keybits / 8);
2047
2048
0
            offset = 0;
2049
0
            ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2050
            /*
2051
             * AES-192 is an optional feature that may be unavailable when
2052
             * there is an alternative underlying implementation i.e. when
2053
             * MBEDTLS_AES_ALT is defined.
2054
             */
2055
0
            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2056
0
                mbedtls_printf("skipped\n");
2057
0
                continue;
2058
0
            } else if (ret != 0) {
2059
0
                goto exit;
2060
0
            }
2061
2062
0
            if (mode == MBEDTLS_AES_DECRYPT) {
2063
0
                memcpy(buf, aes_test_cfb128_ct[u], 64);
2064
0
                aes_tests = aes_test_cfb128_pt;
2065
0
            } else {
2066
0
                memcpy(buf, aes_test_cfb128_pt, 64);
2067
0
                aes_tests = aes_test_cfb128_ct[u];
2068
0
            }
2069
2070
0
            ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
2071
0
            if (ret != 0) {
2072
0
                goto exit;
2073
0
            }
2074
2075
0
            if (memcmp(buf, aes_tests, 64) != 0) {
2076
0
                ret = 1;
2077
0
                goto exit;
2078
0
            }
2079
2080
0
            if (verbose != 0) {
2081
0
                mbedtls_printf("passed\n");
2082
0
            }
2083
0
        }
2084
2085
0
        if (verbose != 0) {
2086
0
            mbedtls_printf("\n");
2087
0
        }
2088
0
    }
2089
0
#endif /* MBEDTLS_CIPHER_MODE_CFB */
2090
2091
0
#if defined(MBEDTLS_CIPHER_MODE_OFB)
2092
    /*
2093
     * OFB mode
2094
     */
2095
0
    {
2096
0
        static const int num_tests =
2097
0
            sizeof(aes_test_ofb_key) / sizeof(*aes_test_ofb_key);
2098
2099
0
        for (i = 0; i < num_tests << 1; i++) {
2100
0
            u = i >> 1;
2101
0
            keybits = 128 + u * 64;
2102
0
            mode = i & 1;
2103
2104
0
            if (verbose != 0) {
2105
0
                mbedtls_printf("  AES-OFB-%3u (%s): ", keybits,
2106
0
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2107
0
            }
2108
2109
0
            memcpy(iv,  aes_test_ofb_iv, 16);
2110
0
            memcpy(key, aes_test_ofb_key[u], keybits / 8);
2111
2112
0
            offset = 0;
2113
0
            ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2114
            /*
2115
             * AES-192 is an optional feature that may be unavailable when
2116
             * there is an alternative underlying implementation i.e. when
2117
             * MBEDTLS_AES_ALT is defined.
2118
             */
2119
0
            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2120
0
                mbedtls_printf("skipped\n");
2121
0
                continue;
2122
0
            } else if (ret != 0) {
2123
0
                goto exit;
2124
0
            }
2125
2126
0
            if (mode == MBEDTLS_AES_DECRYPT) {
2127
0
                memcpy(buf, aes_test_ofb_ct[u], 64);
2128
0
                aes_tests = aes_test_ofb_pt;
2129
0
            } else {
2130
0
                memcpy(buf, aes_test_ofb_pt, 64);
2131
0
                aes_tests = aes_test_ofb_ct[u];
2132
0
            }
2133
2134
0
            ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
2135
0
            if (ret != 0) {
2136
0
                goto exit;
2137
0
            }
2138
2139
0
            if (memcmp(buf, aes_tests, 64) != 0) {
2140
0
                ret = 1;
2141
0
                goto exit;
2142
0
            }
2143
2144
0
            if (verbose != 0) {
2145
0
                mbedtls_printf("passed\n");
2146
0
            }
2147
0
        }
2148
2149
0
        if (verbose != 0) {
2150
0
            mbedtls_printf("\n");
2151
0
        }
2152
0
    }
2153
0
#endif /* MBEDTLS_CIPHER_MODE_OFB */
2154
2155
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
2156
    /*
2157
     * CTR mode
2158
     */
2159
0
    {
2160
0
        static const int num_tests =
2161
0
            sizeof(aes_test_ctr_key) / sizeof(*aes_test_ctr_key);
2162
2163
0
        for (i = 0; i < num_tests << 1; i++) {
2164
0
            u = i >> 1;
2165
0
            mode = i & 1;
2166
2167
0
            if (verbose != 0) {
2168
0
                mbedtls_printf("  AES-CTR-128 (%s): ",
2169
0
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2170
0
            }
2171
2172
0
            memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
2173
0
            memcpy(key, aes_test_ctr_key[u], 16);
2174
2175
0
            offset = 0;
2176
0
            if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
2177
0
                goto exit;
2178
0
            }
2179
2180
0
            len = aes_test_ctr_len[u];
2181
2182
0
            if (mode == MBEDTLS_AES_DECRYPT) {
2183
0
                memcpy(buf, aes_test_ctr_ct[u], len);
2184
0
                aes_tests = aes_test_ctr_pt[u];
2185
0
            } else {
2186
0
                memcpy(buf, aes_test_ctr_pt[u], len);
2187
0
                aes_tests = aes_test_ctr_ct[u];
2188
0
            }
2189
2190
0
            ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
2191
0
                                        stream_block, buf, buf);
2192
0
            if (ret != 0) {
2193
0
                goto exit;
2194
0
            }
2195
2196
0
            if (memcmp(buf, aes_tests, len) != 0) {
2197
0
                ret = 1;
2198
0
                goto exit;
2199
0
            }
2200
2201
0
            if (verbose != 0) {
2202
0
                mbedtls_printf("passed\n");
2203
0
            }
2204
0
        }
2205
0
    }
2206
2207
0
    if (verbose != 0) {
2208
0
        mbedtls_printf("\n");
2209
0
    }
2210
0
#endif /* MBEDTLS_CIPHER_MODE_CTR */
2211
2212
0
#if defined(MBEDTLS_CIPHER_MODE_XTS)
2213
    /*
2214
     * XTS mode
2215
     */
2216
0
    {
2217
0
        static const int num_tests =
2218
0
            sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2219
0
        mbedtls_aes_xts_context ctx_xts;
2220
2221
0
        mbedtls_aes_xts_init(&ctx_xts);
2222
2223
0
        for (i = 0; i < num_tests << 1; i++) {
2224
0
            const unsigned char *data_unit;
2225
0
            u = i >> 1;
2226
0
            mode = i & 1;
2227
2228
0
            if (verbose != 0) {
2229
0
                mbedtls_printf("  AES-XTS-128 (%s): ",
2230
0
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2231
0
            }
2232
2233
0
            memset(key, 0, sizeof(key));
2234
0
            memcpy(key, aes_test_xts_key[u], 32);
2235
0
            data_unit = aes_test_xts_data_unit[u];
2236
2237
0
            len = sizeof(*aes_test_xts_ct32);
2238
2239
0
            if (mode == MBEDTLS_AES_DECRYPT) {
2240
0
                ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
2241
0
                if (ret != 0) {
2242
0
                    goto exit;
2243
0
                }
2244
0
                memcpy(buf, aes_test_xts_ct32[u], len);
2245
0
                aes_tests = aes_test_xts_pt32[u];
2246
0
            } else {
2247
0
                ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
2248
0
                if (ret != 0) {
2249
0
                    goto exit;
2250
0
                }
2251
0
                memcpy(buf, aes_test_xts_pt32[u], len);
2252
0
                aes_tests = aes_test_xts_ct32[u];
2253
0
            }
2254
2255
2256
0
            ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
2257
0
                                        buf, buf);
2258
0
            if (ret != 0) {
2259
0
                goto exit;
2260
0
            }
2261
2262
0
            if (memcmp(buf, aes_tests, len) != 0) {
2263
0
                ret = 1;
2264
0
                goto exit;
2265
0
            }
2266
2267
0
            if (verbose != 0) {
2268
0
                mbedtls_printf("passed\n");
2269
0
            }
2270
0
        }
2271
2272
0
        if (verbose != 0) {
2273
0
            mbedtls_printf("\n");
2274
0
        }
2275
2276
0
        mbedtls_aes_xts_free(&ctx_xts);
2277
0
    }
2278
0
#endif /* MBEDTLS_CIPHER_MODE_XTS */
2279
2280
0
    ret = 0;
2281
2282
0
exit:
2283
0
    if (ret != 0 && verbose != 0) {
2284
0
        mbedtls_printf("failed\n");
2285
0
    }
2286
2287
0
    mbedtls_aes_free(&ctx);
2288
2289
0
    return ret;
2290
0
}
2291
2292
#endif /* MBEDTLS_SELF_TEST */
2293
2294
#endif /* MBEDTLS_AES_C */