/src/openthread/third_party/mbedtls/repo/library/aes.c
Line | Count | Source |
1 | | /* |
2 | | * FIPS-197 compliant AES implementation |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | /* |
8 | | * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. |
9 | | * |
10 | | * https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf |
11 | | * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf |
12 | | */ |
13 | | |
14 | | #include "common.h" |
15 | | |
16 | | #if defined(MBEDTLS_AES_C) |
17 | | |
18 | | #include <string.h> |
19 | | |
20 | | #include "mbedtls/aes.h" |
21 | | #include "mbedtls/platform.h" |
22 | | #include "mbedtls/platform_util.h" |
23 | | #include "mbedtls/error.h" |
24 | | |
25 | | #if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) |
26 | | #if !((defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_AESCE_C)) || \ |
27 | | (defined(MBEDTLS_ARCH_IS_X64) && defined(MBEDTLS_AESNI_C)) || \ |
28 | | (defined(MBEDTLS_ARCH_IS_X86) && defined(MBEDTLS_AESNI_C))) |
29 | | #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" |
30 | | #endif |
31 | | #endif |
32 | | |
33 | | #if defined(MBEDTLS_ARCH_IS_X86) |
34 | | #if defined(MBEDTLS_PADLOCK_C) |
35 | | #if !defined(MBEDTLS_HAVE_ASM) |
36 | | #error "MBEDTLS_PADLOCK_C defined, but not all prerequisites" |
37 | | #endif |
38 | | #if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) |
39 | | #error "MBEDTLS_AES_USE_HARDWARE_ONLY cannot be defined when " \ |
40 | | "MBEDTLS_PADLOCK_C is set" |
41 | | #endif |
42 | | #endif |
43 | | #endif |
44 | | |
45 | | #if defined(MBEDTLS_PADLOCK_C) |
46 | | #include "padlock.h" |
47 | | #endif |
48 | | #if defined(MBEDTLS_AESNI_C) |
49 | | #include "aesni.h" |
50 | | #endif |
51 | | #if defined(MBEDTLS_AESCE_C) |
52 | | #include "aesce.h" |
53 | | #endif |
54 | | |
55 | | #include "mbedtls/platform.h" |
56 | | #include "ctr.h" |
57 | | |
58 | | /* |
59 | | * This is a convenience shorthand macro to check if we need reverse S-box and |
60 | | * reverse tables. It's private and only defined in this file. |
61 | | */ |
62 | | #if (!defined(MBEDTLS_AES_DECRYPT_ALT) || \ |
63 | | (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY))) && \ |
64 | | !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
65 | | #define MBEDTLS_AES_NEED_REVERSE_TABLES |
66 | | #endif |
67 | | |
68 | | #if !defined(MBEDTLS_AES_ALT) |
69 | | |
70 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
71 | | static int aes_padlock_ace = -1; |
72 | | #endif |
73 | | |
74 | | #if defined(MBEDTLS_AES_ROM_TABLES) |
75 | | /* |
76 | | * Forward S-box |
77 | | */ |
78 | | MBEDTLS_MAYBE_UNUSED static const unsigned char FSb[256] = |
79 | | { |
80 | | 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, |
81 | | 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, |
82 | | 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, |
83 | | 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, |
84 | | 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, |
85 | | 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, |
86 | | 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, |
87 | | 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, |
88 | | 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, |
89 | | 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, |
90 | | 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, |
91 | | 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, |
92 | | 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, |
93 | | 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, |
94 | | 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, |
95 | | 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, |
96 | | 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, |
97 | | 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, |
98 | | 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, |
99 | | 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, |
100 | | 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, |
101 | | 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, |
102 | | 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, |
103 | | 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, |
104 | | 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, |
105 | | 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, |
106 | | 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, |
107 | | 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, |
108 | | 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, |
109 | | 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, |
110 | | 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, |
111 | | 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 |
112 | | }; |
113 | | |
114 | | /* |
115 | | * Forward tables |
116 | | */ |
117 | | #define FT \ |
118 | | \ |
119 | | V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \ |
120 | | V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \ |
121 | | V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \ |
122 | | V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \ |
123 | | V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \ |
124 | | V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \ |
125 | | V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \ |
126 | | V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \ |
127 | | V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \ |
128 | | V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \ |
129 | | V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \ |
130 | | V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \ |
131 | | V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \ |
132 | | V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \ |
133 | | V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \ |
134 | | V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \ |
135 | | V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \ |
136 | | V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \ |
137 | | V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \ |
138 | | V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \ |
139 | | V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \ |
140 | | V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \ |
141 | | V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \ |
142 | | V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \ |
143 | | V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \ |
144 | | V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \ |
145 | | V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \ |
146 | | V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \ |
147 | | V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \ |
148 | | V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \ |
149 | | V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \ |
150 | | V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \ |
151 | | V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \ |
152 | | V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \ |
153 | | V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \ |
154 | | V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \ |
155 | | V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \ |
156 | | V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \ |
157 | | V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \ |
158 | | V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \ |
159 | | V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \ |
160 | | V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \ |
161 | | V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \ |
162 | | V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \ |
163 | | V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \ |
164 | | V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \ |
165 | | V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \ |
166 | | V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \ |
167 | | V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \ |
168 | | V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \ |
169 | | V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \ |
170 | | V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \ |
171 | | V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \ |
172 | | V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \ |
173 | | V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \ |
174 | | V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \ |
175 | | V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \ |
176 | | V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \ |
177 | | V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \ |
178 | | V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \ |
179 | | V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \ |
180 | | V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \ |
181 | | V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \ |
182 | | V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C) |
183 | | |
184 | | #define V(a, b, c, d) 0x##a##b##c##d |
185 | | MBEDTLS_MAYBE_UNUSED static const uint32_t FT0[256] = { FT }; |
186 | | #undef V |
187 | | |
188 | | #define V(a, b, c, d) 0x##b##c##d##a |
189 | | MBEDTLS_MAYBE_UNUSED static const uint32_t FT1[256] = { FT }; |
190 | | #undef V |
191 | | |
192 | | #define V(a, b, c, d) 0x##c##d##a##b |
193 | | MBEDTLS_MAYBE_UNUSED static const uint32_t FT2[256] = { FT }; |
194 | | #undef V |
195 | | |
196 | | #define V(a, b, c, d) 0x##d##a##b##c |
197 | | MBEDTLS_MAYBE_UNUSED static const uint32_t FT3[256] = { FT }; |
198 | | #undef V |
199 | | |
200 | | #undef FT |
201 | | |
202 | | /* |
203 | | * Reverse S-box |
204 | | */ |
205 | | MBEDTLS_MAYBE_UNUSED static const unsigned char RSb[256] = |
206 | | { |
207 | | 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, |
208 | | 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, |
209 | | 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, |
210 | | 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, |
211 | | 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, |
212 | | 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, |
213 | | 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, |
214 | | 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, |
215 | | 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, |
216 | | 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, |
217 | | 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, |
218 | | 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, |
219 | | 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, |
220 | | 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, |
221 | | 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, |
222 | | 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, |
223 | | 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, |
224 | | 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, |
225 | | 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, |
226 | | 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, |
227 | | 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, |
228 | | 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, |
229 | | 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, |
230 | | 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, |
231 | | 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, |
232 | | 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, |
233 | | 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, |
234 | | 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, |
235 | | 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, |
236 | | 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, |
237 | | 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, |
238 | | 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D |
239 | | }; |
240 | | |
241 | | /* |
242 | | * Reverse tables |
243 | | */ |
244 | | #define RT \ |
245 | | \ |
246 | | V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \ |
247 | | V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \ |
248 | | V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \ |
249 | | V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \ |
250 | | V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \ |
251 | | V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \ |
252 | | V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \ |
253 | | V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \ |
254 | | V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \ |
255 | | V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \ |
256 | | V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \ |
257 | | V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \ |
258 | | V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \ |
259 | | V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \ |
260 | | V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \ |
261 | | V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \ |
262 | | V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \ |
263 | | V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \ |
264 | | V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \ |
265 | | V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \ |
266 | | V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \ |
267 | | V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \ |
268 | | V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \ |
269 | | V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \ |
270 | | V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \ |
271 | | V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \ |
272 | | V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \ |
273 | | V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \ |
274 | | V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \ |
275 | | V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \ |
276 | | V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \ |
277 | | V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \ |
278 | | V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \ |
279 | | V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \ |
280 | | V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \ |
281 | | V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \ |
282 | | V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \ |
283 | | V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \ |
284 | | V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \ |
285 | | V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \ |
286 | | V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \ |
287 | | V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \ |
288 | | V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \ |
289 | | V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \ |
290 | | V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \ |
291 | | V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \ |
292 | | V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \ |
293 | | V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \ |
294 | | V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \ |
295 | | V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \ |
296 | | V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \ |
297 | | V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \ |
298 | | V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \ |
299 | | V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \ |
300 | | V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \ |
301 | | V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \ |
302 | | V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \ |
303 | | V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \ |
304 | | V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \ |
305 | | V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \ |
306 | | V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \ |
307 | | V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \ |
308 | | V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \ |
309 | | V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0) |
310 | | |
311 | | |
312 | | #define V(a, b, c, d) 0x##a##b##c##d |
313 | | MBEDTLS_MAYBE_UNUSED static const uint32_t RT0[256] = { RT }; |
314 | | #undef V |
315 | | |
316 | | #define V(a, b, c, d) 0x##b##c##d##a |
317 | | MBEDTLS_MAYBE_UNUSED static const uint32_t RT1[256] = { RT }; |
318 | | #undef V |
319 | | |
320 | | #define V(a, b, c, d) 0x##c##d##a##b |
321 | | MBEDTLS_MAYBE_UNUSED static const uint32_t RT2[256] = { RT }; |
322 | | #undef V |
323 | | |
324 | | #define V(a, b, c, d) 0x##d##a##b##c |
325 | | MBEDTLS_MAYBE_UNUSED static const uint32_t RT3[256] = { RT }; |
326 | | #undef V |
327 | | |
328 | | #undef RT |
329 | | |
330 | | /* |
331 | | * Round constants |
332 | | */ |
333 | | MBEDTLS_MAYBE_UNUSED static const uint32_t round_constants[10] = |
334 | | { |
335 | | 0x00000001, 0x00000002, 0x00000004, 0x00000008, |
336 | | 0x00000010, 0x00000020, 0x00000040, 0x00000080, |
337 | | 0x0000001B, 0x00000036 |
338 | | }; |
339 | | |
340 | | #else /* MBEDTLS_AES_ROM_TABLES */ |
341 | | |
342 | | /* |
343 | | * Forward S-box & tables |
344 | | */ |
345 | | MBEDTLS_MAYBE_UNUSED static unsigned char FSb[256]; |
346 | | MBEDTLS_MAYBE_UNUSED static uint32_t FT0[256]; |
347 | | MBEDTLS_MAYBE_UNUSED static uint32_t FT1[256]; |
348 | | MBEDTLS_MAYBE_UNUSED static uint32_t FT2[256]; |
349 | | MBEDTLS_MAYBE_UNUSED static uint32_t FT3[256]; |
350 | | |
351 | | /* |
352 | | * Reverse S-box & tables |
353 | | */ |
354 | | MBEDTLS_MAYBE_UNUSED static unsigned char RSb[256]; |
355 | | |
356 | | MBEDTLS_MAYBE_UNUSED static uint32_t RT0[256]; |
357 | | MBEDTLS_MAYBE_UNUSED static uint32_t RT1[256]; |
358 | | MBEDTLS_MAYBE_UNUSED static uint32_t RT2[256]; |
359 | | MBEDTLS_MAYBE_UNUSED static uint32_t RT3[256]; |
360 | | |
361 | | /* |
362 | | * Round constants |
363 | | */ |
364 | | MBEDTLS_MAYBE_UNUSED static uint32_t round_constants[10]; |
365 | | |
366 | | /* |
367 | | * Tables generation code |
368 | | */ |
369 | | #define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24) |
370 | | #define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00)) |
371 | | #define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0) |
372 | | |
373 | | MBEDTLS_MAYBE_UNUSED static int aes_init_done = 0; |
374 | | |
375 | | MBEDTLS_MAYBE_UNUSED static void aes_gen_tables(void) |
376 | | { |
377 | | int i; |
378 | | uint8_t x, y, z; |
379 | | uint8_t pow[256]; |
380 | | uint8_t log[256]; |
381 | | |
382 | | /* |
383 | | * compute pow and log tables over GF(2^8) |
384 | | */ |
385 | | for (i = 0, x = 1; i < 256; i++) { |
386 | | pow[i] = x; |
387 | | log[x] = (uint8_t) i; |
388 | | x ^= XTIME(x); |
389 | | } |
390 | | |
391 | | /* |
392 | | * calculate the round constants |
393 | | */ |
394 | | for (i = 0, x = 1; i < 10; i++) { |
395 | | round_constants[i] = x; |
396 | | x = XTIME(x); |
397 | | } |
398 | | |
399 | | /* |
400 | | * generate the forward and reverse S-boxes |
401 | | */ |
402 | | FSb[0x00] = 0x63; |
403 | | #if defined(MBEDTLS_AES_NEED_REVERSE_TABLES) |
404 | | RSb[0x63] = 0x00; |
405 | | #endif |
406 | | |
407 | | for (i = 1; i < 256; i++) { |
408 | | x = pow[255 - log[i]]; |
409 | | |
410 | | y = x; y = (y << 1) | (y >> 7); |
411 | | x ^= y; y = (y << 1) | (y >> 7); |
412 | | x ^= y; y = (y << 1) | (y >> 7); |
413 | | x ^= y; y = (y << 1) | (y >> 7); |
414 | | x ^= y ^ 0x63; |
415 | | |
416 | | FSb[i] = x; |
417 | | #if defined(MBEDTLS_AES_NEED_REVERSE_TABLES) |
418 | | RSb[x] = (unsigned char) i; |
419 | | #endif |
420 | | } |
421 | | |
422 | | /* |
423 | | * generate the forward and reverse tables |
424 | | */ |
425 | | for (i = 0; i < 256; i++) { |
426 | | x = FSb[i]; |
427 | | y = XTIME(x); |
428 | | z = y ^ x; |
429 | | |
430 | | FT0[i] = ((uint32_t) y) ^ |
431 | | ((uint32_t) x << 8) ^ |
432 | | ((uint32_t) x << 16) ^ |
433 | | ((uint32_t) z << 24); |
434 | | |
435 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
436 | | FT1[i] = ROTL8(FT0[i]); |
437 | | FT2[i] = ROTL8(FT1[i]); |
438 | | FT3[i] = ROTL8(FT2[i]); |
439 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
440 | | |
441 | | #if defined(MBEDTLS_AES_NEED_REVERSE_TABLES) |
442 | | x = RSb[i]; |
443 | | |
444 | | RT0[i] = ((uint32_t) MUL(0x0E, x)) ^ |
445 | | ((uint32_t) MUL(0x09, x) << 8) ^ |
446 | | ((uint32_t) MUL(0x0D, x) << 16) ^ |
447 | | ((uint32_t) MUL(0x0B, x) << 24); |
448 | | |
449 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
450 | | RT1[i] = ROTL8(RT0[i]); |
451 | | RT2[i] = ROTL8(RT1[i]); |
452 | | RT3[i] = ROTL8(RT2[i]); |
453 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
454 | | #endif /* MBEDTLS_AES_NEED_REVERSE_TABLES */ |
455 | | } |
456 | | } |
457 | | |
458 | | #undef ROTL8 |
459 | | |
460 | | #endif /* MBEDTLS_AES_ROM_TABLES */ |
461 | | |
462 | | #if defined(MBEDTLS_AES_FEWER_TABLES) |
463 | | |
464 | | #define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24)) |
465 | | #define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16)) |
466 | | #define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8)) |
467 | | |
468 | | #define AES_RT0(idx) RT0[idx] |
469 | | #define AES_RT1(idx) ROTL8(RT0[idx]) |
470 | | #define AES_RT2(idx) ROTL16(RT0[idx]) |
471 | | #define AES_RT3(idx) ROTL24(RT0[idx]) |
472 | | |
473 | | #define AES_FT0(idx) FT0[idx] |
474 | | #define AES_FT1(idx) ROTL8(FT0[idx]) |
475 | | #define AES_FT2(idx) ROTL16(FT0[idx]) |
476 | | #define AES_FT3(idx) ROTL24(FT0[idx]) |
477 | | |
478 | | #else /* MBEDTLS_AES_FEWER_TABLES */ |
479 | | |
480 | | #define AES_RT0(idx) RT0[idx] |
481 | | #define AES_RT1(idx) RT1[idx] |
482 | | #define AES_RT2(idx) RT2[idx] |
483 | | #define AES_RT3(idx) RT3[idx] |
484 | | |
485 | 858M | #define AES_FT0(idx) FT0[idx] |
486 | 858M | #define AES_FT1(idx) FT1[idx] |
487 | 858M | #define AES_FT2(idx) FT2[idx] |
488 | 858M | #define AES_FT3(idx) FT3[idx] |
489 | | |
490 | | #endif /* MBEDTLS_AES_FEWER_TABLES */ |
491 | | |
492 | | void mbedtls_aes_init(mbedtls_aes_context *ctx) |
493 | 2.00M | { |
494 | 2.00M | memset(ctx, 0, sizeof(mbedtls_aes_context)); |
495 | 2.00M | } |
496 | | |
497 | | void mbedtls_aes_free(mbedtls_aes_context *ctx) |
498 | 2.00M | { |
499 | 2.00M | if (ctx == NULL) { |
500 | 0 | return; |
501 | 0 | } |
502 | | |
503 | 2.00M | mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context)); |
504 | 2.00M | } |
505 | | |
506 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
507 | | void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx) |
508 | | { |
509 | | mbedtls_aes_init(&ctx->crypt); |
510 | | mbedtls_aes_init(&ctx->tweak); |
511 | | } |
512 | | |
513 | | void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx) |
514 | | { |
515 | | if (ctx == NULL) { |
516 | | return; |
517 | | } |
518 | | |
519 | | mbedtls_aes_free(&ctx->crypt); |
520 | | mbedtls_aes_free(&ctx->tweak); |
521 | | } |
522 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
523 | | |
524 | | /* Some implementations need the round keys to be aligned. |
525 | | * Return an offset to be added to buf, such that (buf + offset) is |
526 | | * correctly aligned. |
527 | | * Note that the offset is in units of elements of buf, i.e. 32-bit words, |
528 | | * i.e. an offset of 1 means 4 bytes and so on. |
529 | | */ |
530 | | #if (defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)) || \ |
531 | | (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2) |
532 | | #define MAY_NEED_TO_ALIGN |
533 | | #endif |
534 | | |
535 | | MBEDTLS_MAYBE_UNUSED static unsigned mbedtls_aes_rk_offset(uint32_t *buf) |
536 | 2.53M | { |
537 | | #if defined(MAY_NEED_TO_ALIGN) |
538 | | int align_16_bytes = 0; |
539 | | |
540 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
541 | | if (aes_padlock_ace == -1) { |
542 | | aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE); |
543 | | } |
544 | | if (aes_padlock_ace) { |
545 | | align_16_bytes = 1; |
546 | | } |
547 | | #endif |
548 | | |
549 | | #if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2 |
550 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
551 | | align_16_bytes = 1; |
552 | | } |
553 | | #endif |
554 | | |
555 | | if (align_16_bytes) { |
556 | | /* These implementations needs 16-byte alignment |
557 | | * for the round key array. */ |
558 | | unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4; |
559 | | if (delta == 0) { |
560 | | return 0; |
561 | | } else { |
562 | | return 4 - delta; // 16 bytes = 4 uint32_t |
563 | | } |
564 | | } |
565 | | #else /* MAY_NEED_TO_ALIGN */ |
566 | 2.53M | (void) buf; |
567 | 2.53M | #endif /* MAY_NEED_TO_ALIGN */ |
568 | | |
569 | 2.53M | return 0; |
570 | 2.53M | } |
571 | | |
572 | | /* |
573 | | * AES key schedule (encryption) |
574 | | */ |
575 | | #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) |
576 | | int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, |
577 | | unsigned int keybits) |
578 | 2.53M | { |
579 | 2.53M | uint32_t *RK; |
580 | | |
581 | 2.53M | switch (keybits) { |
582 | 2.53M | case 128: ctx->nr = 10; break; |
583 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
584 | | case 192: ctx->nr = 12; break; |
585 | | case 256: ctx->nr = 14; break; |
586 | | #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ |
587 | 0 | default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; |
588 | 2.53M | } |
589 | | |
590 | | #if !defined(MBEDTLS_AES_ROM_TABLES) |
591 | | if (aes_init_done == 0) { |
592 | | aes_gen_tables(); |
593 | | aes_init_done = 1; |
594 | | } |
595 | | #endif |
596 | | |
597 | 2.53M | ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); |
598 | 2.53M | RK = ctx->buf + ctx->rk_offset; |
599 | | |
600 | | #if defined(MBEDTLS_AESNI_HAVE_CODE) |
601 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
602 | | return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits); |
603 | | } |
604 | | #endif |
605 | | |
606 | | #if defined(MBEDTLS_AESCE_HAVE_CODE) |
607 | | if (MBEDTLS_AESCE_HAS_SUPPORT()) { |
608 | | return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits); |
609 | | } |
610 | | #endif |
611 | | |
612 | 2.53M | #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) |
613 | 12.6M | for (unsigned int i = 0; i < (keybits >> 5); i++) { |
614 | 10.1M | RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); |
615 | 10.1M | } |
616 | | |
617 | 2.53M | switch (ctx->nr) { |
618 | 2.53M | case 10: |
619 | | |
620 | 27.8M | for (unsigned int i = 0; i < 10; i++, RK += 4) { |
621 | 25.3M | RK[4] = RK[0] ^ round_constants[i] ^ |
622 | 25.3M | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^ |
623 | 25.3M | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^ |
624 | 25.3M | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^ |
625 | 25.3M | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24); |
626 | | |
627 | 25.3M | RK[5] = RK[1] ^ RK[4]; |
628 | 25.3M | RK[6] = RK[2] ^ RK[5]; |
629 | 25.3M | RK[7] = RK[3] ^ RK[6]; |
630 | 25.3M | } |
631 | 2.53M | break; |
632 | | |
633 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
634 | | case 12: |
635 | | |
636 | | for (unsigned int i = 0; i < 8; i++, RK += 6) { |
637 | | RK[6] = RK[0] ^ round_constants[i] ^ |
638 | | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^ |
639 | | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^ |
640 | | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^ |
641 | | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24); |
642 | | |
643 | | RK[7] = RK[1] ^ RK[6]; |
644 | | RK[8] = RK[2] ^ RK[7]; |
645 | | RK[9] = RK[3] ^ RK[8]; |
646 | | RK[10] = RK[4] ^ RK[9]; |
647 | | RK[11] = RK[5] ^ RK[10]; |
648 | | } |
649 | | break; |
650 | | |
651 | | case 14: |
652 | | |
653 | | for (unsigned int i = 0; i < 7; i++, RK += 8) { |
654 | | RK[8] = RK[0] ^ round_constants[i] ^ |
655 | | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^ |
656 | | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^ |
657 | | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^ |
658 | | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24); |
659 | | |
660 | | RK[9] = RK[1] ^ RK[8]; |
661 | | RK[10] = RK[2] ^ RK[9]; |
662 | | RK[11] = RK[3] ^ RK[10]; |
663 | | |
664 | | RK[12] = RK[4] ^ |
665 | | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^ |
666 | | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^ |
667 | | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^ |
668 | | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24); |
669 | | |
670 | | RK[13] = RK[5] ^ RK[12]; |
671 | | RK[14] = RK[6] ^ RK[13]; |
672 | | RK[15] = RK[7] ^ RK[14]; |
673 | | } |
674 | | break; |
675 | | #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ |
676 | 2.53M | } |
677 | | |
678 | 2.53M | return 0; |
679 | 2.53M | #endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */ |
680 | 2.53M | } |
681 | | #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ |
682 | | |
683 | | /* |
684 | | * AES key schedule (decryption) |
685 | | */ |
686 | | #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
687 | | int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, |
688 | | unsigned int keybits) |
689 | | { |
690 | | #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) |
691 | | uint32_t *SK; |
692 | | #endif |
693 | | int ret; |
694 | | mbedtls_aes_context cty; |
695 | | uint32_t *RK; |
696 | | |
697 | | |
698 | | mbedtls_aes_init(&cty); |
699 | | |
700 | | ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); |
701 | | RK = ctx->buf + ctx->rk_offset; |
702 | | |
703 | | /* Also checks keybits */ |
704 | | if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) { |
705 | | goto exit; |
706 | | } |
707 | | |
708 | | ctx->nr = cty.nr; |
709 | | |
710 | | #if defined(MBEDTLS_AESNI_HAVE_CODE) |
711 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
712 | | mbedtls_aesni_inverse_key((unsigned char *) RK, |
713 | | (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr); |
714 | | goto exit; |
715 | | } |
716 | | #endif |
717 | | |
718 | | #if defined(MBEDTLS_AESCE_HAVE_CODE) |
719 | | if (MBEDTLS_AESCE_HAS_SUPPORT()) { |
720 | | mbedtls_aesce_inverse_key( |
721 | | (unsigned char *) RK, |
722 | | (const unsigned char *) (cty.buf + cty.rk_offset), |
723 | | ctx->nr); |
724 | | goto exit; |
725 | | } |
726 | | #endif |
727 | | |
728 | | #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) |
729 | | SK = cty.buf + cty.rk_offset + cty.nr * 4; |
730 | | |
731 | | *RK++ = *SK++; |
732 | | *RK++ = *SK++; |
733 | | *RK++ = *SK++; |
734 | | *RK++ = *SK++; |
735 | | SK -= 8; |
736 | | for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) { |
737 | | for (int j = 0; j < 4; j++, SK++) { |
738 | | *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^ |
739 | | AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^ |
740 | | AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^ |
741 | | AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]); |
742 | | } |
743 | | } |
744 | | |
745 | | *RK++ = *SK++; |
746 | | *RK++ = *SK++; |
747 | | *RK++ = *SK++; |
748 | | *RK++ = *SK++; |
749 | | #endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */ |
750 | | exit: |
751 | | mbedtls_aes_free(&cty); |
752 | | |
753 | | return ret; |
754 | | } |
755 | | #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */ |
756 | | |
757 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
758 | | static int mbedtls_aes_xts_decode_keys(const unsigned char *key, |
759 | | unsigned int keybits, |
760 | | const unsigned char **key1, |
761 | | unsigned int *key1bits, |
762 | | const unsigned char **key2, |
763 | | unsigned int *key2bits) |
764 | | { |
765 | | const unsigned int half_keybits = keybits / 2; |
766 | | const unsigned int half_keybytes = half_keybits / 8; |
767 | | |
768 | | switch (keybits) { |
769 | | case 256: break; |
770 | | case 512: break; |
771 | | default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; |
772 | | } |
773 | | |
774 | | *key1bits = half_keybits; |
775 | | *key2bits = half_keybits; |
776 | | *key1 = &key[0]; |
777 | | *key2 = &key[half_keybytes]; |
778 | | |
779 | | return 0; |
780 | | } |
781 | | |
782 | | int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx, |
783 | | const unsigned char *key, |
784 | | unsigned int keybits) |
785 | | { |
786 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
787 | | const unsigned char *key1, *key2; |
788 | | unsigned int key1bits, key2bits; |
789 | | |
790 | | ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, |
791 | | &key2, &key2bits); |
792 | | if (ret != 0) { |
793 | | return ret; |
794 | | } |
795 | | |
796 | | /* Set the tweak key. Always set tweak key for the encryption mode. */ |
797 | | ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); |
798 | | if (ret != 0) { |
799 | | return ret; |
800 | | } |
801 | | |
802 | | /* Set crypt key for encryption. */ |
803 | | return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits); |
804 | | } |
805 | | |
806 | | int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx, |
807 | | const unsigned char *key, |
808 | | unsigned int keybits) |
809 | | { |
810 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
811 | | const unsigned char *key1, *key2; |
812 | | unsigned int key1bits, key2bits; |
813 | | |
814 | | ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, |
815 | | &key2, &key2bits); |
816 | | if (ret != 0) { |
817 | | return ret; |
818 | | } |
819 | | |
820 | | /* Set the tweak key. Always set tweak key for encryption. */ |
821 | | ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); |
822 | | if (ret != 0) { |
823 | | return ret; |
824 | | } |
825 | | |
826 | | /* Set crypt key for decryption. */ |
827 | | return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits); |
828 | | } |
829 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
830 | | |
831 | | #define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ |
832 | 214M | do \ |
833 | 214M | { \ |
834 | 214M | (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \ |
835 | 214M | AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \ |
836 | 214M | AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \ |
837 | 214M | AES_FT3(MBEDTLS_BYTE_3(Y3)); \ |
838 | 214M | \ |
839 | 214M | (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \ |
840 | 214M | AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \ |
841 | 214M | AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \ |
842 | 214M | AES_FT3(MBEDTLS_BYTE_3(Y0)); \ |
843 | 214M | \ |
844 | 214M | (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \ |
845 | 214M | AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \ |
846 | 214M | AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \ |
847 | 214M | AES_FT3(MBEDTLS_BYTE_3(Y1)); \ |
848 | 214M | \ |
849 | 214M | (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \ |
850 | 214M | AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \ |
851 | 214M | AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \ |
852 | 214M | AES_FT3(MBEDTLS_BYTE_3(Y2)); \ |
853 | 214M | } while (0) |
854 | | |
855 | | #define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ |
856 | | do \ |
857 | | { \ |
858 | | (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \ |
859 | | AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \ |
860 | | AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \ |
861 | | AES_RT3(MBEDTLS_BYTE_3(Y1)); \ |
862 | | \ |
863 | | (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \ |
864 | | AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \ |
865 | | AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \ |
866 | | AES_RT3(MBEDTLS_BYTE_3(Y2)); \ |
867 | | \ |
868 | | (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \ |
869 | | AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \ |
870 | | AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \ |
871 | | AES_RT3(MBEDTLS_BYTE_3(Y3)); \ |
872 | | \ |
873 | | (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \ |
874 | | AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \ |
875 | | AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \ |
876 | | AES_RT3(MBEDTLS_BYTE_3(Y0)); \ |
877 | | } while (0) |
878 | | |
879 | | /* |
880 | | * AES-ECB block encryption |
881 | | */ |
882 | | #if !defined(MBEDTLS_AES_ENCRYPT_ALT) |
883 | | int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx, |
884 | | const unsigned char input[16], |
885 | | unsigned char output[16]) |
886 | 23.9M | { |
887 | 23.9M | int i; |
888 | 23.9M | uint32_t *RK = ctx->buf + ctx->rk_offset; |
889 | 23.9M | struct { |
890 | 23.9M | uint32_t X[4]; |
891 | 23.9M | uint32_t Y[4]; |
892 | 23.9M | } t; |
893 | | |
894 | 23.9M | t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; |
895 | 23.9M | t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; |
896 | 23.9M | t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; |
897 | 23.9M | t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; |
898 | | |
899 | 119M | for (i = (ctx->nr >> 1) - 1; i > 0; i--) { |
900 | 95.3M | AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
901 | 95.3M | AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); |
902 | 95.3M | } |
903 | | |
904 | 23.9M | AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
905 | | |
906 | 23.9M | t.X[0] = *RK++ ^ \ |
907 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ |
908 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ |
909 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ |
910 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); |
911 | | |
912 | 23.9M | t.X[1] = *RK++ ^ \ |
913 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ |
914 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ |
915 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ |
916 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); |
917 | | |
918 | 23.9M | t.X[2] = *RK++ ^ \ |
919 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ |
920 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ |
921 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ |
922 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); |
923 | | |
924 | 23.9M | t.X[3] = *RK++ ^ \ |
925 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ |
926 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ |
927 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ |
928 | 23.9M | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); |
929 | | |
930 | 23.9M | MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); |
931 | 23.9M | MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); |
932 | 23.9M | MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8); |
933 | 23.9M | MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); |
934 | | |
935 | 23.9M | mbedtls_platform_zeroize(&t, sizeof(t)); |
936 | | |
937 | 23.9M | return 0; |
938 | 23.9M | } |
939 | | #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ |
940 | | |
941 | | /* |
942 | | * AES-ECB block decryption |
943 | | */ |
944 | | #if !defined(MBEDTLS_AES_DECRYPT_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
945 | | int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx, |
946 | | const unsigned char input[16], |
947 | | unsigned char output[16]) |
948 | | { |
949 | | int i; |
950 | | uint32_t *RK = ctx->buf + ctx->rk_offset; |
951 | | struct { |
952 | | uint32_t X[4]; |
953 | | uint32_t Y[4]; |
954 | | } t; |
955 | | |
956 | | t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; |
957 | | t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; |
958 | | t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; |
959 | | t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; |
960 | | |
961 | | for (i = (ctx->nr >> 1) - 1; i > 0; i--) { |
962 | | AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
963 | | AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); |
964 | | } |
965 | | |
966 | | AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
967 | | |
968 | | t.X[0] = *RK++ ^ \ |
969 | | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ |
970 | | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ |
971 | | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ |
972 | | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); |
973 | | |
974 | | t.X[1] = *RK++ ^ \ |
975 | | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ |
976 | | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ |
977 | | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ |
978 | | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); |
979 | | |
980 | | t.X[2] = *RK++ ^ \ |
981 | | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ |
982 | | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ |
983 | | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ |
984 | | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); |
985 | | |
986 | | t.X[3] = *RK++ ^ \ |
987 | | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ |
988 | | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ |
989 | | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ |
990 | | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); |
991 | | |
992 | | MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); |
993 | | MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); |
994 | | MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8); |
995 | | MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); |
996 | | |
997 | | mbedtls_platform_zeroize(&t, sizeof(t)); |
998 | | |
999 | | return 0; |
1000 | | } |
1001 | | #endif /* !MBEDTLS_AES_DECRYPT_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */ |
1002 | | |
1003 | | /* VIA Padlock and our intrinsics-based implementation of AESNI require |
1004 | | * the round keys to be aligned on a 16-byte boundary. We take care of this |
1005 | | * before creating them, but the AES context may have moved (this can happen |
1006 | | * if the library is called from a language with managed memory), and in later |
1007 | | * calls it might have a different alignment with respect to 16-byte memory. |
1008 | | * So we may need to realign. |
1009 | | */ |
1010 | | MBEDTLS_MAYBE_UNUSED static void aes_maybe_realign(mbedtls_aes_context *ctx) |
1011 | 0 | { |
1012 | 0 | unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf); |
1013 | 0 | if (new_offset != ctx->rk_offset) { |
1014 | 0 | memmove(ctx->buf + new_offset, // new address |
1015 | 0 | ctx->buf + ctx->rk_offset, // current address |
1016 | 0 | (ctx->nr + 1) * 16); // number of round keys * bytes per rk |
1017 | 0 | ctx->rk_offset = new_offset; |
1018 | 0 | } |
1019 | 0 | } |
1020 | | |
1021 | | /* |
1022 | | * AES-ECB block encryption/decryption |
1023 | | */ |
1024 | | int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, |
1025 | | int mode, |
1026 | | const unsigned char input[16], |
1027 | | unsigned char output[16]) |
1028 | 23.9M | { |
1029 | 23.9M | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
1030 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1031 | 0 | } |
1032 | | |
1033 | | #if defined(MAY_NEED_TO_ALIGN) |
1034 | | aes_maybe_realign(ctx); |
1035 | | #endif |
1036 | | |
1037 | | #if defined(MBEDTLS_AESNI_HAVE_CODE) |
1038 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
1039 | | return mbedtls_aesni_crypt_ecb(ctx, mode, input, output); |
1040 | | } |
1041 | | #endif |
1042 | | |
1043 | | #if defined(MBEDTLS_AESCE_HAVE_CODE) |
1044 | | if (MBEDTLS_AESCE_HAS_SUPPORT()) { |
1045 | | return mbedtls_aesce_crypt_ecb(ctx, mode, input, output); |
1046 | | } |
1047 | | #endif |
1048 | | |
1049 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
1050 | | if (aes_padlock_ace > 0) { |
1051 | | return mbedtls_padlock_xcryptecb(ctx, mode, input, output); |
1052 | | } |
1053 | | #endif |
1054 | | |
1055 | 23.9M | #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) |
1056 | | #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
1057 | | if (mode == MBEDTLS_AES_DECRYPT) { |
1058 | | return mbedtls_internal_aes_decrypt(ctx, input, output); |
1059 | | } else |
1060 | | #endif |
1061 | 23.9M | { |
1062 | 23.9M | return mbedtls_internal_aes_encrypt(ctx, input, output); |
1063 | 23.9M | } |
1064 | 23.9M | #endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */ |
1065 | 23.9M | } |
1066 | | |
1067 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1068 | | |
1069 | | /* |
1070 | | * AES-CBC buffer encryption/decryption |
1071 | | */ |
1072 | | int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx, |
1073 | | int mode, |
1074 | | size_t length, |
1075 | | unsigned char iv[16], |
1076 | | const unsigned char *input, |
1077 | | unsigned char *output) |
1078 | | { |
1079 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1080 | | unsigned char temp[16]; |
1081 | | |
1082 | | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
1083 | | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1084 | | } |
1085 | | |
1086 | | /* Nothing to do if length is zero. */ |
1087 | | if (length == 0) { |
1088 | | return 0; |
1089 | | } |
1090 | | |
1091 | | if (length % 16) { |
1092 | | return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; |
1093 | | } |
1094 | | |
1095 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
1096 | | if (aes_padlock_ace > 0) { |
1097 | | if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) { |
1098 | | return 0; |
1099 | | } |
1100 | | |
1101 | | // If padlock data misaligned, we just fall back to |
1102 | | // unaccelerated mode |
1103 | | // |
1104 | | } |
1105 | | #endif |
1106 | | |
1107 | | const unsigned char *ivp = iv; |
1108 | | |
1109 | | if (mode == MBEDTLS_AES_DECRYPT) { |
1110 | | while (length > 0) { |
1111 | | memcpy(temp, input, 16); |
1112 | | ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output); |
1113 | | if (ret != 0) { |
1114 | | goto exit; |
1115 | | } |
1116 | | /* Avoid using the NEON implementation of mbedtls_xor. Because of the dependency on |
1117 | | * the result for the next block in CBC, and the cost of transferring that data from |
1118 | | * NEON registers, NEON is slower on aarch64. */ |
1119 | | mbedtls_xor_no_simd(output, output, iv, 16); |
1120 | | |
1121 | | memcpy(iv, temp, 16); |
1122 | | |
1123 | | input += 16; |
1124 | | output += 16; |
1125 | | length -= 16; |
1126 | | } |
1127 | | } else { |
1128 | | while (length > 0) { |
1129 | | mbedtls_xor_no_simd(output, input, ivp, 16); |
1130 | | |
1131 | | ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output); |
1132 | | if (ret != 0) { |
1133 | | goto exit; |
1134 | | } |
1135 | | ivp = output; |
1136 | | |
1137 | | input += 16; |
1138 | | output += 16; |
1139 | | length -= 16; |
1140 | | } |
1141 | | memcpy(iv, ivp, 16); |
1142 | | } |
1143 | | ret = 0; |
1144 | | |
1145 | | exit: |
1146 | | return ret; |
1147 | | } |
1148 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
1149 | | |
1150 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
1151 | | |
1152 | | typedef unsigned char mbedtls_be128[16]; |
1153 | | |
1154 | | /* |
1155 | | * GF(2^128) multiplication function |
1156 | | * |
1157 | | * This function multiplies a field element by x in the polynomial field |
1158 | | * representation. It uses 64-bit word operations to gain speed but compensates |
1159 | | * for machine endianness and hence works correctly on both big and little |
1160 | | * endian machines. |
1161 | | */ |
1162 | | #if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C) |
1163 | | MBEDTLS_OPTIMIZE_FOR_PERFORMANCE |
1164 | | #endif |
1165 | | static inline void mbedtls_gf128mul_x_ble(unsigned char r[16], |
1166 | | const unsigned char x[16]) |
1167 | | { |
1168 | | uint64_t a, b, ra, rb; |
1169 | | |
1170 | | a = MBEDTLS_GET_UINT64_LE(x, 0); |
1171 | | b = MBEDTLS_GET_UINT64_LE(x, 8); |
1172 | | |
1173 | | ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3)); |
1174 | | rb = (a >> 63) | (b << 1); |
1175 | | |
1176 | | MBEDTLS_PUT_UINT64_LE(ra, r, 0); |
1177 | | MBEDTLS_PUT_UINT64_LE(rb, r, 8); |
1178 | | } |
1179 | | |
1180 | | /* |
1181 | | * AES-XTS buffer encryption/decryption |
1182 | | * |
1183 | | * Use of MBEDTLS_OPTIMIZE_FOR_PERFORMANCE here and for mbedtls_gf128mul_x_ble() |
1184 | | * is a 3x performance improvement for gcc -Os, if we have hardware AES support. |
1185 | | */ |
1186 | | #if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C) |
1187 | | MBEDTLS_OPTIMIZE_FOR_PERFORMANCE |
1188 | | #endif |
1189 | | int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx, |
1190 | | int mode, |
1191 | | size_t length, |
1192 | | const unsigned char data_unit[16], |
1193 | | const unsigned char *input, |
1194 | | unsigned char *output) |
1195 | | { |
1196 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1197 | | size_t blocks = length / 16; |
1198 | | size_t leftover = length % 16; |
1199 | | unsigned char tweak[16]; |
1200 | | unsigned char prev_tweak[16]; |
1201 | | unsigned char tmp[16]; |
1202 | | |
1203 | | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
1204 | | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1205 | | } |
1206 | | |
1207 | | /* Data units must be at least 16 bytes long. */ |
1208 | | if (length < 16) { |
1209 | | return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; |
1210 | | } |
1211 | | |
1212 | | /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ |
1213 | | if (length > (1 << 20) * 16) { |
1214 | | return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; |
1215 | | } |
1216 | | |
1217 | | /* Compute the tweak. */ |
1218 | | ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT, |
1219 | | data_unit, tweak); |
1220 | | if (ret != 0) { |
1221 | | return ret; |
1222 | | } |
1223 | | |
1224 | | while (blocks--) { |
1225 | | if (MBEDTLS_UNLIKELY(leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0)) { |
1226 | | /* We are on the last block in a decrypt operation that has |
1227 | | * leftover bytes, so we need to use the next tweak for this block, |
1228 | | * and this tweak for the leftover bytes. Save the current tweak for |
1229 | | * the leftovers and then update the current tweak for use on this, |
1230 | | * the last full block. */ |
1231 | | memcpy(prev_tweak, tweak, sizeof(tweak)); |
1232 | | mbedtls_gf128mul_x_ble(tweak, tweak); |
1233 | | } |
1234 | | |
1235 | | mbedtls_xor(tmp, input, tweak, 16); |
1236 | | |
1237 | | ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); |
1238 | | if (ret != 0) { |
1239 | | return ret; |
1240 | | } |
1241 | | |
1242 | | mbedtls_xor(output, tmp, tweak, 16); |
1243 | | |
1244 | | /* Update the tweak for the next block. */ |
1245 | | mbedtls_gf128mul_x_ble(tweak, tweak); |
1246 | | |
1247 | | output += 16; |
1248 | | input += 16; |
1249 | | } |
1250 | | |
1251 | | if (leftover) { |
1252 | | /* If we are on the leftover bytes in a decrypt operation, we need to |
1253 | | * use the previous tweak for these bytes (as saved in prev_tweak). */ |
1254 | | unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; |
1255 | | |
1256 | | /* We are now on the final part of the data unit, which doesn't divide |
1257 | | * evenly by 16. It's time for ciphertext stealing. */ |
1258 | | size_t i; |
1259 | | unsigned char *prev_output = output - 16; |
1260 | | |
1261 | | /* Copy ciphertext bytes from the previous block to our output for each |
1262 | | * byte of ciphertext we won't steal. */ |
1263 | | for (i = 0; i < leftover; i++) { |
1264 | | output[i] = prev_output[i]; |
1265 | | } |
1266 | | |
1267 | | /* Copy the remainder of the input for this final round. */ |
1268 | | mbedtls_xor(tmp, input, t, leftover); |
1269 | | |
1270 | | /* Copy ciphertext bytes from the previous block for input in this |
1271 | | * round. */ |
1272 | | mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i); |
1273 | | |
1274 | | ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); |
1275 | | if (ret != 0) { |
1276 | | return ret; |
1277 | | } |
1278 | | |
1279 | | /* Write the result back to the previous block, overriding the previous |
1280 | | * output we copied. */ |
1281 | | mbedtls_xor(prev_output, tmp, t, 16); |
1282 | | } |
1283 | | |
1284 | | return 0; |
1285 | | } |
1286 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
1287 | | |
1288 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
1289 | | /* |
1290 | | * AES-CFB128 buffer encryption/decryption |
1291 | | */ |
1292 | | int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx, |
1293 | | int mode, |
1294 | | size_t length, |
1295 | | size_t *iv_off, |
1296 | | unsigned char iv[16], |
1297 | | const unsigned char *input, |
1298 | | unsigned char *output) |
1299 | | { |
1300 | | int c; |
1301 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1302 | | size_t n; |
1303 | | |
1304 | | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
1305 | | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1306 | | } |
1307 | | |
1308 | | n = *iv_off; |
1309 | | |
1310 | | if (n > 15) { |
1311 | | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1312 | | } |
1313 | | |
1314 | | if (mode == MBEDTLS_AES_DECRYPT) { |
1315 | | while (length--) { |
1316 | | if (n == 0) { |
1317 | | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1318 | | if (ret != 0) { |
1319 | | goto exit; |
1320 | | } |
1321 | | } |
1322 | | |
1323 | | c = *input++; |
1324 | | *output++ = (unsigned char) (c ^ iv[n]); |
1325 | | iv[n] = (unsigned char) c; |
1326 | | |
1327 | | n = (n + 1) & 0x0F; |
1328 | | } |
1329 | | } else { |
1330 | | while (length--) { |
1331 | | if (n == 0) { |
1332 | | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1333 | | if (ret != 0) { |
1334 | | goto exit; |
1335 | | } |
1336 | | } |
1337 | | |
1338 | | iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++); |
1339 | | |
1340 | | n = (n + 1) & 0x0F; |
1341 | | } |
1342 | | } |
1343 | | |
1344 | | *iv_off = n; |
1345 | | ret = 0; |
1346 | | |
1347 | | exit: |
1348 | | return ret; |
1349 | | } |
1350 | | |
1351 | | /* |
1352 | | * AES-CFB8 buffer encryption/decryption |
1353 | | */ |
1354 | | int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx, |
1355 | | int mode, |
1356 | | size_t length, |
1357 | | unsigned char iv[16], |
1358 | | const unsigned char *input, |
1359 | | unsigned char *output) |
1360 | | { |
1361 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1362 | | unsigned char c; |
1363 | | unsigned char ov[17]; |
1364 | | |
1365 | | if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { |
1366 | | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1367 | | } |
1368 | | while (length--) { |
1369 | | memcpy(ov, iv, 16); |
1370 | | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1371 | | if (ret != 0) { |
1372 | | goto exit; |
1373 | | } |
1374 | | |
1375 | | if (mode == MBEDTLS_AES_DECRYPT) { |
1376 | | ov[16] = *input; |
1377 | | } |
1378 | | |
1379 | | c = *output++ = (unsigned char) (iv[0] ^ *input++); |
1380 | | |
1381 | | if (mode == MBEDTLS_AES_ENCRYPT) { |
1382 | | ov[16] = c; |
1383 | | } |
1384 | | |
1385 | | memcpy(iv, ov + 1, 16); |
1386 | | } |
1387 | | ret = 0; |
1388 | | |
1389 | | exit: |
1390 | | return ret; |
1391 | | } |
1392 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
1393 | | |
1394 | | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
1395 | | /* |
1396 | | * AES-OFB (Output Feedback Mode) buffer encryption/decryption |
1397 | | */ |
1398 | | int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx, |
1399 | | size_t length, |
1400 | | size_t *iv_off, |
1401 | | unsigned char iv[16], |
1402 | | const unsigned char *input, |
1403 | | unsigned char *output) |
1404 | | { |
1405 | | int ret = 0; |
1406 | | size_t n; |
1407 | | |
1408 | | n = *iv_off; |
1409 | | |
1410 | | if (n > 15) { |
1411 | | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1412 | | } |
1413 | | |
1414 | | while (length--) { |
1415 | | if (n == 0) { |
1416 | | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1417 | | if (ret != 0) { |
1418 | | goto exit; |
1419 | | } |
1420 | | } |
1421 | | *output++ = *input++ ^ iv[n]; |
1422 | | |
1423 | | n = (n + 1) & 0x0F; |
1424 | | } |
1425 | | |
1426 | | *iv_off = n; |
1427 | | |
1428 | | exit: |
1429 | | return ret; |
1430 | | } |
1431 | | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
1432 | | |
1433 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1434 | | /* |
1435 | | * AES-CTR buffer encryption/decryption |
1436 | | */ |
1437 | | int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx, |
1438 | | size_t length, |
1439 | | size_t *nc_off, |
1440 | | unsigned char nonce_counter[16], |
1441 | | unsigned char stream_block[16], |
1442 | | const unsigned char *input, |
1443 | | unsigned char *output) |
1444 | | { |
1445 | | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1446 | | |
1447 | | size_t offset = *nc_off; |
1448 | | |
1449 | | if (offset > 0x0F) { |
1450 | | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1451 | | } |
1452 | | |
1453 | | for (size_t i = 0; i < length;) { |
1454 | | size_t n = 16; |
1455 | | if (offset == 0) { |
1456 | | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block); |
1457 | | if (ret != 0) { |
1458 | | goto exit; |
1459 | | } |
1460 | | mbedtls_ctr_increment_counter(nonce_counter); |
1461 | | } else { |
1462 | | n -= offset; |
1463 | | } |
1464 | | |
1465 | | if (n > (length - i)) { |
1466 | | n = (length - i); |
1467 | | } |
1468 | | mbedtls_xor(&output[i], &input[i], &stream_block[offset], n); |
1469 | | // offset might be non-zero for the last block, but in that case, we don't use it again |
1470 | | offset = 0; |
1471 | | i += n; |
1472 | | } |
1473 | | |
1474 | | // capture offset for future resumption |
1475 | | *nc_off = (*nc_off + length) % 16; |
1476 | | |
1477 | | ret = 0; |
1478 | | |
1479 | | exit: |
1480 | | return ret; |
1481 | | } |
1482 | | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
1483 | | |
1484 | | #endif /* !MBEDTLS_AES_ALT */ |
1485 | | |
1486 | | #if defined(MBEDTLS_SELF_TEST) |
1487 | | /* |
1488 | | * AES test vectors from: |
1489 | | * |
1490 | | * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip |
1491 | | */ |
1492 | | #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
1493 | | static const unsigned char aes_test_ecb_dec[][16] = |
1494 | | { |
1495 | | { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, |
1496 | | 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, |
1497 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
1498 | | { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, |
1499 | | 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, |
1500 | | { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, |
1501 | | 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } |
1502 | | #endif |
1503 | | }; |
1504 | | #endif |
1505 | | |
1506 | | static const unsigned char aes_test_ecb_enc[][16] = |
1507 | | { |
1508 | | { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, |
1509 | | 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, |
1510 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
1511 | | { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, |
1512 | | 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, |
1513 | | { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, |
1514 | | 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } |
1515 | | #endif |
1516 | | }; |
1517 | | |
1518 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1519 | | static const unsigned char aes_test_cbc_dec[][16] = |
1520 | | { |
1521 | | { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, |
1522 | | 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, |
1523 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
1524 | | { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, |
1525 | | 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, |
1526 | | { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, |
1527 | | 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } |
1528 | | #endif |
1529 | | }; |
1530 | | |
1531 | | static const unsigned char aes_test_cbc_enc[][16] = |
1532 | | { |
1533 | | { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, |
1534 | | 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, |
1535 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
1536 | | { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, |
1537 | | 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, |
1538 | | { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, |
1539 | | 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } |
1540 | | #endif |
1541 | | }; |
1542 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
1543 | | |
1544 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
1545 | | /* |
1546 | | * AES-CFB128 test vectors from: |
1547 | | * |
1548 | | * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf |
1549 | | */ |
1550 | | static const unsigned char aes_test_cfb128_key[][32] = |
1551 | | { |
1552 | | { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, |
1553 | | 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, |
1554 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
1555 | | { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, |
1556 | | 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, |
1557 | | 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, |
1558 | | { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, |
1559 | | 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, |
1560 | | 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, |
1561 | | 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } |
1562 | | #endif |
1563 | | }; |
1564 | | |
1565 | | static const unsigned char aes_test_cfb128_iv[16] = |
1566 | | { |
1567 | | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1568 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F |
1569 | | }; |
1570 | | |
1571 | | static const unsigned char aes_test_cfb128_pt[64] = |
1572 | | { |
1573 | | 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, |
1574 | | 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, |
1575 | | 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, |
1576 | | 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, |
1577 | | 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, |
1578 | | 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, |
1579 | | 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, |
1580 | | 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 |
1581 | | }; |
1582 | | |
1583 | | static const unsigned char aes_test_cfb128_ct[][64] = |
1584 | | { |
1585 | | { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, |
1586 | | 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, |
1587 | | 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, |
1588 | | 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, |
1589 | | 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, |
1590 | | 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, |
1591 | | 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, |
1592 | | 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, |
1593 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
1594 | | { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, |
1595 | | 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, |
1596 | | 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, |
1597 | | 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, |
1598 | | 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, |
1599 | | 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, |
1600 | | 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, |
1601 | | 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, |
1602 | | { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, |
1603 | | 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, |
1604 | | 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, |
1605 | | 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, |
1606 | | 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, |
1607 | | 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, |
1608 | | 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, |
1609 | | 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } |
1610 | | #endif |
1611 | | }; |
1612 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
1613 | | |
1614 | | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
1615 | | /* |
1616 | | * AES-OFB test vectors from: |
1617 | | * |
1618 | | * https://csrc.nist.gov/publications/detail/sp/800-38a/final |
1619 | | */ |
1620 | | static const unsigned char aes_test_ofb_key[][32] = |
1621 | | { |
1622 | | { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, |
1623 | | 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, |
1624 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
1625 | | { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, |
1626 | | 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, |
1627 | | 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, |
1628 | | { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, |
1629 | | 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, |
1630 | | 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, |
1631 | | 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } |
1632 | | #endif |
1633 | | }; |
1634 | | |
1635 | | static const unsigned char aes_test_ofb_iv[16] = |
1636 | | { |
1637 | | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1638 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F |
1639 | | }; |
1640 | | |
1641 | | static const unsigned char aes_test_ofb_pt[64] = |
1642 | | { |
1643 | | 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, |
1644 | | 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, |
1645 | | 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, |
1646 | | 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, |
1647 | | 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, |
1648 | | 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, |
1649 | | 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, |
1650 | | 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 |
1651 | | }; |
1652 | | |
1653 | | static const unsigned char aes_test_ofb_ct[][64] = |
1654 | | { |
1655 | | { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, |
1656 | | 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, |
1657 | | 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, |
1658 | | 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, |
1659 | | 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, |
1660 | | 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, |
1661 | | 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, |
1662 | | 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, |
1663 | | #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) |
1664 | | { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, |
1665 | | 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, |
1666 | | 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, |
1667 | | 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, |
1668 | | 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, |
1669 | | 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, |
1670 | | 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, |
1671 | | 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, |
1672 | | { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, |
1673 | | 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, |
1674 | | 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, |
1675 | | 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, |
1676 | | 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, |
1677 | | 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, |
1678 | | 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, |
1679 | | 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } |
1680 | | #endif |
1681 | | }; |
1682 | | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
1683 | | |
1684 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1685 | | /* |
1686 | | * AES-CTR test vectors from: |
1687 | | * |
1688 | | * http://www.faqs.org/rfcs/rfc3686.html |
1689 | | */ |
1690 | | |
1691 | | static const unsigned char aes_test_ctr_key[][16] = |
1692 | | { |
1693 | | { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, |
1694 | | 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, |
1695 | | { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, |
1696 | | 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, |
1697 | | { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, |
1698 | | 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } |
1699 | | }; |
1700 | | |
1701 | | static const unsigned char aes_test_ctr_nonce_counter[][16] = |
1702 | | { |
1703 | | { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, |
1704 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, |
1705 | | { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, |
1706 | | 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, |
1707 | | { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, |
1708 | | 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } |
1709 | | }; |
1710 | | |
1711 | | static const unsigned char aes_test_ctr_pt[][48] = |
1712 | | { |
1713 | | { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, |
1714 | | 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, |
1715 | | { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1716 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, |
1717 | | 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, |
1718 | | 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, |
1719 | | |
1720 | | { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1721 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, |
1722 | | 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, |
1723 | | 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, |
1724 | | 0x20, 0x21, 0x22, 0x23 } |
1725 | | }; |
1726 | | |
1727 | | static const unsigned char aes_test_ctr_ct[][48] = |
1728 | | { |
1729 | | { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, |
1730 | | 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, |
1731 | | { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, |
1732 | | 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, |
1733 | | 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, |
1734 | | 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, |
1735 | | { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, |
1736 | | 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, |
1737 | | 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, |
1738 | | 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, |
1739 | | 0x25, 0xB2, 0x07, 0x2F } |
1740 | | }; |
1741 | | |
1742 | | static const int aes_test_ctr_len[3] = |
1743 | | { 16, 32, 36 }; |
1744 | | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
1745 | | |
1746 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
1747 | | /* |
1748 | | * AES-XTS test vectors from: |
1749 | | * |
1750 | | * IEEE P1619/D16 Annex B |
1751 | | * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf |
1752 | | * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) |
1753 | | */ |
1754 | | static const unsigned char aes_test_xts_key[][32] = |
1755 | | { |
1756 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1757 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1758 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1759 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1760 | | { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, |
1761 | | 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, |
1762 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, |
1763 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, |
1764 | | { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, |
1765 | | 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, |
1766 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, |
1767 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, |
1768 | | }; |
1769 | | |
1770 | | static const unsigned char aes_test_xts_pt32[][32] = |
1771 | | { |
1772 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1773 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1774 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1775 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1776 | | { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1777 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1778 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1779 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, |
1780 | | { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1781 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1782 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1783 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, |
1784 | | }; |
1785 | | |
1786 | | static const unsigned char aes_test_xts_ct32[][32] = |
1787 | | { |
1788 | | { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, |
1789 | | 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, |
1790 | | 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, |
1791 | | 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, |
1792 | | { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, |
1793 | | 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, |
1794 | | 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, |
1795 | | 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, |
1796 | | { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, |
1797 | | 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, |
1798 | | 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, |
1799 | | 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, |
1800 | | }; |
1801 | | |
1802 | | static const unsigned char aes_test_xts_data_unit[][16] = |
1803 | | { |
1804 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1805 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1806 | | { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, |
1807 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1808 | | { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, |
1809 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1810 | | }; |
1811 | | |
1812 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
1813 | | |
1814 | | /* |
1815 | | * Checkup routine |
1816 | | */ |
1817 | | int mbedtls_aes_self_test(int verbose) |
1818 | | { |
1819 | | int ret = 0, i, j, u, mode; |
1820 | | unsigned int keybits; |
1821 | | unsigned char key[32]; |
1822 | | unsigned char buf[64]; |
1823 | | const unsigned char *aes_tests; |
1824 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
1825 | | defined(MBEDTLS_CIPHER_MODE_OFB) |
1826 | | unsigned char iv[16]; |
1827 | | #endif |
1828 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1829 | | unsigned char prv[16]; |
1830 | | #endif |
1831 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
1832 | | defined(MBEDTLS_CIPHER_MODE_OFB) |
1833 | | size_t offset; |
1834 | | #endif |
1835 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) |
1836 | | int len; |
1837 | | #endif |
1838 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1839 | | unsigned char nonce_counter[16]; |
1840 | | unsigned char stream_block[16]; |
1841 | | #endif |
1842 | | mbedtls_aes_context ctx; |
1843 | | |
1844 | | memset(key, 0, 32); |
1845 | | mbedtls_aes_init(&ctx); |
1846 | | |
1847 | | if (verbose != 0) { |
1848 | | #if defined(MBEDTLS_AES_ALT) |
1849 | | mbedtls_printf(" AES note: alternative implementation.\n"); |
1850 | | #else /* MBEDTLS_AES_ALT */ |
1851 | | #if defined(MBEDTLS_AESNI_HAVE_CODE) |
1852 | | #if MBEDTLS_AESNI_HAVE_CODE == 1 |
1853 | | mbedtls_printf(" AES note: AESNI code present (assembly implementation).\n"); |
1854 | | #elif MBEDTLS_AESNI_HAVE_CODE == 2 |
1855 | | mbedtls_printf(" AES note: AESNI code present (intrinsics implementation).\n"); |
1856 | | #else |
1857 | | #error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE" |
1858 | | #endif |
1859 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
1860 | | mbedtls_printf(" AES note: using AESNI.\n"); |
1861 | | } else |
1862 | | #endif |
1863 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
1864 | | if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) { |
1865 | | mbedtls_printf(" AES note: using VIA Padlock.\n"); |
1866 | | } else |
1867 | | #endif |
1868 | | #if defined(MBEDTLS_AESCE_HAVE_CODE) |
1869 | | if (MBEDTLS_AESCE_HAS_SUPPORT()) { |
1870 | | mbedtls_printf(" AES note: using AESCE.\n"); |
1871 | | } else |
1872 | | #endif |
1873 | | { |
1874 | | #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) |
1875 | | mbedtls_printf(" AES note: built-in implementation.\n"); |
1876 | | #endif |
1877 | | } |
1878 | | #endif /* MBEDTLS_AES_ALT */ |
1879 | | } |
1880 | | |
1881 | | /* |
1882 | | * ECB mode |
1883 | | */ |
1884 | | { |
1885 | | static const int num_tests = |
1886 | | sizeof(aes_test_ecb_enc) / sizeof(*aes_test_ecb_enc); |
1887 | | |
1888 | | for (i = 0; i < num_tests << 1; i++) { |
1889 | | u = i >> 1; |
1890 | | keybits = 128 + u * 64; |
1891 | | mode = i & 1; |
1892 | | |
1893 | | if (verbose != 0) { |
1894 | | mbedtls_printf(" AES-ECB-%3u (%s): ", keybits, |
1895 | | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
1896 | | } |
1897 | | #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
1898 | | if (mode == MBEDTLS_AES_DECRYPT) { |
1899 | | if (verbose != 0) { |
1900 | | mbedtls_printf("skipped\n"); |
1901 | | } |
1902 | | continue; |
1903 | | } |
1904 | | #endif |
1905 | | |
1906 | | memset(buf, 0, 16); |
1907 | | |
1908 | | #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) |
1909 | | if (mode == MBEDTLS_AES_DECRYPT) { |
1910 | | ret = mbedtls_aes_setkey_dec(&ctx, key, keybits); |
1911 | | aes_tests = aes_test_ecb_dec[u]; |
1912 | | } else |
1913 | | #endif |
1914 | | { |
1915 | | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
1916 | | aes_tests = aes_test_ecb_enc[u]; |
1917 | | } |
1918 | | |
1919 | | /* |
1920 | | * AES-192 is an optional feature that may be unavailable when |
1921 | | * there is an alternative underlying implementation i.e. when |
1922 | | * MBEDTLS_AES_ALT is defined. |
1923 | | */ |
1924 | | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
1925 | | mbedtls_printf("skipped\n"); |
1926 | | continue; |
1927 | | } else if (ret != 0) { |
1928 | | goto exit; |
1929 | | } |
1930 | | |
1931 | | for (j = 0; j < 10000; j++) { |
1932 | | ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf); |
1933 | | if (ret != 0) { |
1934 | | goto exit; |
1935 | | } |
1936 | | } |
1937 | | |
1938 | | if (memcmp(buf, aes_tests, 16) != 0) { |
1939 | | ret = 1; |
1940 | | goto exit; |
1941 | | } |
1942 | | |
1943 | | if (verbose != 0) { |
1944 | | mbedtls_printf("passed\n"); |
1945 | | } |
1946 | | } |
1947 | | |
1948 | | if (verbose != 0) { |
1949 | | mbedtls_printf("\n"); |
1950 | | } |
1951 | | } |
1952 | | |
1953 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1954 | | /* |
1955 | | * CBC mode |
1956 | | */ |
1957 | | { |
1958 | | static const int num_tests = |
1959 | | sizeof(aes_test_cbc_dec) / sizeof(*aes_test_cbc_dec); |
1960 | | |
1961 | | for (i = 0; i < num_tests << 1; i++) { |
1962 | | u = i >> 1; |
1963 | | keybits = 128 + u * 64; |
1964 | | mode = i & 1; |
1965 | | |
1966 | | if (verbose != 0) { |
1967 | | mbedtls_printf(" AES-CBC-%3u (%s): ", keybits, |
1968 | | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
1969 | | } |
1970 | | |
1971 | | memset(iv, 0, 16); |
1972 | | memset(prv, 0, 16); |
1973 | | memset(buf, 0, 16); |
1974 | | |
1975 | | if (mode == MBEDTLS_AES_DECRYPT) { |
1976 | | ret = mbedtls_aes_setkey_dec(&ctx, key, keybits); |
1977 | | aes_tests = aes_test_cbc_dec[u]; |
1978 | | } else { |
1979 | | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
1980 | | aes_tests = aes_test_cbc_enc[u]; |
1981 | | } |
1982 | | |
1983 | | /* |
1984 | | * AES-192 is an optional feature that may be unavailable when |
1985 | | * there is an alternative underlying implementation i.e. when |
1986 | | * MBEDTLS_AES_ALT is defined. |
1987 | | */ |
1988 | | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
1989 | | mbedtls_printf("skipped\n"); |
1990 | | continue; |
1991 | | } else if (ret != 0) { |
1992 | | goto exit; |
1993 | | } |
1994 | | |
1995 | | for (j = 0; j < 10000; j++) { |
1996 | | if (mode == MBEDTLS_AES_ENCRYPT) { |
1997 | | unsigned char tmp[16]; |
1998 | | |
1999 | | memcpy(tmp, prv, 16); |
2000 | | memcpy(prv, buf, 16); |
2001 | | memcpy(buf, tmp, 16); |
2002 | | } |
2003 | | |
2004 | | ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf); |
2005 | | if (ret != 0) { |
2006 | | goto exit; |
2007 | | } |
2008 | | |
2009 | | } |
2010 | | |
2011 | | if (memcmp(buf, aes_tests, 16) != 0) { |
2012 | | ret = 1; |
2013 | | goto exit; |
2014 | | } |
2015 | | |
2016 | | if (verbose != 0) { |
2017 | | mbedtls_printf("passed\n"); |
2018 | | } |
2019 | | } |
2020 | | |
2021 | | if (verbose != 0) { |
2022 | | mbedtls_printf("\n"); |
2023 | | } |
2024 | | } |
2025 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
2026 | | |
2027 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
2028 | | /* |
2029 | | * CFB128 mode |
2030 | | */ |
2031 | | { |
2032 | | static const int num_tests = |
2033 | | sizeof(aes_test_cfb128_key) / sizeof(*aes_test_cfb128_key); |
2034 | | |
2035 | | for (i = 0; i < num_tests << 1; i++) { |
2036 | | u = i >> 1; |
2037 | | keybits = 128 + u * 64; |
2038 | | mode = i & 1; |
2039 | | |
2040 | | if (verbose != 0) { |
2041 | | mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits, |
2042 | | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
2043 | | } |
2044 | | |
2045 | | memcpy(iv, aes_test_cfb128_iv, 16); |
2046 | | memcpy(key, aes_test_cfb128_key[u], keybits / 8); |
2047 | | |
2048 | | offset = 0; |
2049 | | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
2050 | | /* |
2051 | | * AES-192 is an optional feature that may be unavailable when |
2052 | | * there is an alternative underlying implementation i.e. when |
2053 | | * MBEDTLS_AES_ALT is defined. |
2054 | | */ |
2055 | | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
2056 | | mbedtls_printf("skipped\n"); |
2057 | | continue; |
2058 | | } else if (ret != 0) { |
2059 | | goto exit; |
2060 | | } |
2061 | | |
2062 | | if (mode == MBEDTLS_AES_DECRYPT) { |
2063 | | memcpy(buf, aes_test_cfb128_ct[u], 64); |
2064 | | aes_tests = aes_test_cfb128_pt; |
2065 | | } else { |
2066 | | memcpy(buf, aes_test_cfb128_pt, 64); |
2067 | | aes_tests = aes_test_cfb128_ct[u]; |
2068 | | } |
2069 | | |
2070 | | ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf); |
2071 | | if (ret != 0) { |
2072 | | goto exit; |
2073 | | } |
2074 | | |
2075 | | if (memcmp(buf, aes_tests, 64) != 0) { |
2076 | | ret = 1; |
2077 | | goto exit; |
2078 | | } |
2079 | | |
2080 | | if (verbose != 0) { |
2081 | | mbedtls_printf("passed\n"); |
2082 | | } |
2083 | | } |
2084 | | |
2085 | | if (verbose != 0) { |
2086 | | mbedtls_printf("\n"); |
2087 | | } |
2088 | | } |
2089 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
2090 | | |
2091 | | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
2092 | | /* |
2093 | | * OFB mode |
2094 | | */ |
2095 | | { |
2096 | | static const int num_tests = |
2097 | | sizeof(aes_test_ofb_key) / sizeof(*aes_test_ofb_key); |
2098 | | |
2099 | | for (i = 0; i < num_tests << 1; i++) { |
2100 | | u = i >> 1; |
2101 | | keybits = 128 + u * 64; |
2102 | | mode = i & 1; |
2103 | | |
2104 | | if (verbose != 0) { |
2105 | | mbedtls_printf(" AES-OFB-%3u (%s): ", keybits, |
2106 | | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
2107 | | } |
2108 | | |
2109 | | memcpy(iv, aes_test_ofb_iv, 16); |
2110 | | memcpy(key, aes_test_ofb_key[u], keybits / 8); |
2111 | | |
2112 | | offset = 0; |
2113 | | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
2114 | | /* |
2115 | | * AES-192 is an optional feature that may be unavailable when |
2116 | | * there is an alternative underlying implementation i.e. when |
2117 | | * MBEDTLS_AES_ALT is defined. |
2118 | | */ |
2119 | | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
2120 | | mbedtls_printf("skipped\n"); |
2121 | | continue; |
2122 | | } else if (ret != 0) { |
2123 | | goto exit; |
2124 | | } |
2125 | | |
2126 | | if (mode == MBEDTLS_AES_DECRYPT) { |
2127 | | memcpy(buf, aes_test_ofb_ct[u], 64); |
2128 | | aes_tests = aes_test_ofb_pt; |
2129 | | } else { |
2130 | | memcpy(buf, aes_test_ofb_pt, 64); |
2131 | | aes_tests = aes_test_ofb_ct[u]; |
2132 | | } |
2133 | | |
2134 | | ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf); |
2135 | | if (ret != 0) { |
2136 | | goto exit; |
2137 | | } |
2138 | | |
2139 | | if (memcmp(buf, aes_tests, 64) != 0) { |
2140 | | ret = 1; |
2141 | | goto exit; |
2142 | | } |
2143 | | |
2144 | | if (verbose != 0) { |
2145 | | mbedtls_printf("passed\n"); |
2146 | | } |
2147 | | } |
2148 | | |
2149 | | if (verbose != 0) { |
2150 | | mbedtls_printf("\n"); |
2151 | | } |
2152 | | } |
2153 | | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
2154 | | |
2155 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
2156 | | /* |
2157 | | * CTR mode |
2158 | | */ |
2159 | | { |
2160 | | static const int num_tests = |
2161 | | sizeof(aes_test_ctr_key) / sizeof(*aes_test_ctr_key); |
2162 | | |
2163 | | for (i = 0; i < num_tests << 1; i++) { |
2164 | | u = i >> 1; |
2165 | | mode = i & 1; |
2166 | | |
2167 | | if (verbose != 0) { |
2168 | | mbedtls_printf(" AES-CTR-128 (%s): ", |
2169 | | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
2170 | | } |
2171 | | |
2172 | | memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16); |
2173 | | memcpy(key, aes_test_ctr_key[u], 16); |
2174 | | |
2175 | | offset = 0; |
2176 | | if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) { |
2177 | | goto exit; |
2178 | | } |
2179 | | |
2180 | | len = aes_test_ctr_len[u]; |
2181 | | |
2182 | | if (mode == MBEDTLS_AES_DECRYPT) { |
2183 | | memcpy(buf, aes_test_ctr_ct[u], len); |
2184 | | aes_tests = aes_test_ctr_pt[u]; |
2185 | | } else { |
2186 | | memcpy(buf, aes_test_ctr_pt[u], len); |
2187 | | aes_tests = aes_test_ctr_ct[u]; |
2188 | | } |
2189 | | |
2190 | | ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter, |
2191 | | stream_block, buf, buf); |
2192 | | if (ret != 0) { |
2193 | | goto exit; |
2194 | | } |
2195 | | |
2196 | | if (memcmp(buf, aes_tests, len) != 0) { |
2197 | | ret = 1; |
2198 | | goto exit; |
2199 | | } |
2200 | | |
2201 | | if (verbose != 0) { |
2202 | | mbedtls_printf("passed\n"); |
2203 | | } |
2204 | | } |
2205 | | } |
2206 | | |
2207 | | if (verbose != 0) { |
2208 | | mbedtls_printf("\n"); |
2209 | | } |
2210 | | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
2211 | | |
2212 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
2213 | | /* |
2214 | | * XTS mode |
2215 | | */ |
2216 | | { |
2217 | | static const int num_tests = |
2218 | | sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); |
2219 | | mbedtls_aes_xts_context ctx_xts; |
2220 | | |
2221 | | mbedtls_aes_xts_init(&ctx_xts); |
2222 | | |
2223 | | for (i = 0; i < num_tests << 1; i++) { |
2224 | | const unsigned char *data_unit; |
2225 | | u = i >> 1; |
2226 | | mode = i & 1; |
2227 | | |
2228 | | if (verbose != 0) { |
2229 | | mbedtls_printf(" AES-XTS-128 (%s): ", |
2230 | | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
2231 | | } |
2232 | | |
2233 | | memset(key, 0, sizeof(key)); |
2234 | | memcpy(key, aes_test_xts_key[u], 32); |
2235 | | data_unit = aes_test_xts_data_unit[u]; |
2236 | | |
2237 | | len = sizeof(*aes_test_xts_ct32); |
2238 | | |
2239 | | if (mode == MBEDTLS_AES_DECRYPT) { |
2240 | | ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256); |
2241 | | if (ret != 0) { |
2242 | | goto exit; |
2243 | | } |
2244 | | memcpy(buf, aes_test_xts_ct32[u], len); |
2245 | | aes_tests = aes_test_xts_pt32[u]; |
2246 | | } else { |
2247 | | ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256); |
2248 | | if (ret != 0) { |
2249 | | goto exit; |
2250 | | } |
2251 | | memcpy(buf, aes_test_xts_pt32[u], len); |
2252 | | aes_tests = aes_test_xts_ct32[u]; |
2253 | | } |
2254 | | |
2255 | | |
2256 | | ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit, |
2257 | | buf, buf); |
2258 | | if (ret != 0) { |
2259 | | goto exit; |
2260 | | } |
2261 | | |
2262 | | if (memcmp(buf, aes_tests, len) != 0) { |
2263 | | ret = 1; |
2264 | | goto exit; |
2265 | | } |
2266 | | |
2267 | | if (verbose != 0) { |
2268 | | mbedtls_printf("passed\n"); |
2269 | | } |
2270 | | } |
2271 | | |
2272 | | if (verbose != 0) { |
2273 | | mbedtls_printf("\n"); |
2274 | | } |
2275 | | |
2276 | | mbedtls_aes_xts_free(&ctx_xts); |
2277 | | } |
2278 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
2279 | | |
2280 | | ret = 0; |
2281 | | |
2282 | | exit: |
2283 | | if (ret != 0 && verbose != 0) { |
2284 | | mbedtls_printf("failed\n"); |
2285 | | } |
2286 | | |
2287 | | mbedtls_aes_free(&ctx); |
2288 | | |
2289 | | return ret; |
2290 | | } |
2291 | | |
2292 | | #endif /* MBEDTLS_SELF_TEST */ |
2293 | | |
2294 | | #endif /* MBEDTLS_AES_C */ |