/work/mbedtls-2.28.8/library/aes.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * FIPS-197 compliant AES implementation |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | /* |
8 | | * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. |
9 | | * |
10 | | * https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf |
11 | | * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf |
12 | | */ |
13 | | |
14 | | #include "common.h" |
15 | | |
16 | | #if defined(MBEDTLS_AES_C) |
17 | | |
18 | | #include <string.h> |
19 | | |
20 | | #include "mbedtls/aes.h" |
21 | | #include "mbedtls/platform.h" |
22 | | #include "mbedtls/platform_util.h" |
23 | | #include "mbedtls/error.h" |
24 | | #if defined(MBEDTLS_PADLOCK_C) |
25 | | #include "mbedtls/padlock.h" |
26 | | #endif |
27 | | #if defined(MBEDTLS_AESNI_C) |
28 | | #include "mbedtls/aesni.h" |
29 | | #endif |
30 | | |
31 | | #include "mbedtls/platform.h" |
32 | | |
33 | | #if !defined(MBEDTLS_AES_ALT) |
34 | | |
35 | | /* Parameter validation macros based on platform_util.h */ |
36 | | #define AES_VALIDATE_RET(cond) \ |
37 | 0 | MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA) |
38 | | #define AES_VALIDATE(cond) \ |
39 | 0 | MBEDTLS_INTERNAL_VALIDATE(cond) |
40 | | |
41 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
42 | | static int aes_padlock_ace = -1; |
43 | | #endif |
44 | | |
45 | | #if defined(MBEDTLS_AES_ROM_TABLES) |
46 | | /* |
47 | | * Forward S-box |
48 | | */ |
49 | | #if !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) || \ |
50 | | !defined(MBEDTLS_AES_SETKEY_DEC_ALT) |
51 | | static const unsigned char FSb[256] = |
52 | | { |
53 | | 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, |
54 | | 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, |
55 | | 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, |
56 | | 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, |
57 | | 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, |
58 | | 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, |
59 | | 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, |
60 | | 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, |
61 | | 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, |
62 | | 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, |
63 | | 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, |
64 | | 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, |
65 | | 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, |
66 | | 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, |
67 | | 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, |
68 | | 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, |
69 | | 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, |
70 | | 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, |
71 | | 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, |
72 | | 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, |
73 | | 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, |
74 | | 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, |
75 | | 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, |
76 | | 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, |
77 | | 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, |
78 | | 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, |
79 | | 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, |
80 | | 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, |
81 | | 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, |
82 | | 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, |
83 | | 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, |
84 | | 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 |
85 | | }; |
86 | | #endif /* !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) || \ |
87 | | !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */ |
88 | | |
89 | | /* |
90 | | * Forward tables |
91 | | */ |
92 | | #define FT \ |
93 | | \ |
94 | | V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \ |
95 | | V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \ |
96 | | V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \ |
97 | | V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \ |
98 | | V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \ |
99 | | V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \ |
100 | | V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \ |
101 | | V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \ |
102 | | V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \ |
103 | | V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \ |
104 | | V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \ |
105 | | V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \ |
106 | | V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \ |
107 | | V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \ |
108 | | V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \ |
109 | | V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \ |
110 | | V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \ |
111 | | V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \ |
112 | | V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \ |
113 | | V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \ |
114 | | V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \ |
115 | | V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \ |
116 | | V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \ |
117 | | V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \ |
118 | | V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \ |
119 | | V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \ |
120 | | V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \ |
121 | | V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \ |
122 | | V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \ |
123 | | V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \ |
124 | | V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \ |
125 | | V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \ |
126 | | V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \ |
127 | | V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \ |
128 | | V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \ |
129 | | V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \ |
130 | | V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \ |
131 | | V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \ |
132 | | V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \ |
133 | | V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \ |
134 | | V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \ |
135 | | V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \ |
136 | | V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \ |
137 | | V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \ |
138 | | V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \ |
139 | | V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \ |
140 | | V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \ |
141 | | V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \ |
142 | | V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \ |
143 | | V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \ |
144 | | V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \ |
145 | | V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \ |
146 | | V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \ |
147 | | V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \ |
148 | | V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \ |
149 | | V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \ |
150 | | V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \ |
151 | | V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \ |
152 | | V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \ |
153 | | V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \ |
154 | | V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \ |
155 | | V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \ |
156 | | V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \ |
157 | | V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C) |
158 | | |
159 | | #if !defined(MBEDTLS_AES_ENCRYPT_ALT) |
160 | | #define V(a, b, c, d) 0x##a##b##c##d |
161 | | static const uint32_t FT0[256] = { FT }; |
162 | | #undef V |
163 | | |
164 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
165 | | |
166 | | #define V(a, b, c, d) 0x##b##c##d##a |
167 | | static const uint32_t FT1[256] = { FT }; |
168 | | #undef V |
169 | | |
170 | | #define V(a, b, c, d) 0x##c##d##a##b |
171 | | static const uint32_t FT2[256] = { FT }; |
172 | | #undef V |
173 | | |
174 | | #define V(a, b, c, d) 0x##d##a##b##c |
175 | | static const uint32_t FT3[256] = { FT }; |
176 | | #undef V |
177 | | |
178 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
179 | | |
180 | | #endif /* !defined(MBEDTLS_AES_ENCRYPT_ALT) */ |
181 | | |
182 | | #undef FT |
183 | | |
184 | | #if !defined(MBEDTLS_AES_DECRYPT_ALT) |
185 | | /* |
186 | | * Reverse S-box |
187 | | */ |
188 | | static const unsigned char RSb[256] = |
189 | | { |
190 | | 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, |
191 | | 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, |
192 | | 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, |
193 | | 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, |
194 | | 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, |
195 | | 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, |
196 | | 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, |
197 | | 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, |
198 | | 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, |
199 | | 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, |
200 | | 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, |
201 | | 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, |
202 | | 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, |
203 | | 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, |
204 | | 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, |
205 | | 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, |
206 | | 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, |
207 | | 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, |
208 | | 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, |
209 | | 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, |
210 | | 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, |
211 | | 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, |
212 | | 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, |
213 | | 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, |
214 | | 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, |
215 | | 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, |
216 | | 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, |
217 | | 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, |
218 | | 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, |
219 | | 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, |
220 | | 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, |
221 | | 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D |
222 | | }; |
223 | | #endif /* defined(MBEDTLS_AES_DECRYPT_ALT)) */ |
224 | | |
225 | | /* |
226 | | * Reverse tables |
227 | | */ |
228 | | #define RT \ |
229 | | \ |
230 | | V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \ |
231 | | V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \ |
232 | | V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \ |
233 | | V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \ |
234 | | V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \ |
235 | | V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \ |
236 | | V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \ |
237 | | V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \ |
238 | | V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \ |
239 | | V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \ |
240 | | V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \ |
241 | | V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \ |
242 | | V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \ |
243 | | V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \ |
244 | | V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \ |
245 | | V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \ |
246 | | V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \ |
247 | | V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \ |
248 | | V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \ |
249 | | V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \ |
250 | | V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \ |
251 | | V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \ |
252 | | V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \ |
253 | | V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \ |
254 | | V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \ |
255 | | V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \ |
256 | | V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \ |
257 | | V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \ |
258 | | V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \ |
259 | | V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \ |
260 | | V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \ |
261 | | V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \ |
262 | | V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \ |
263 | | V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \ |
264 | | V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \ |
265 | | V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \ |
266 | | V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \ |
267 | | V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \ |
268 | | V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \ |
269 | | V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \ |
270 | | V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \ |
271 | | V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \ |
272 | | V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \ |
273 | | V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \ |
274 | | V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \ |
275 | | V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \ |
276 | | V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \ |
277 | | V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \ |
278 | | V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \ |
279 | | V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \ |
280 | | V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \ |
281 | | V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \ |
282 | | V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \ |
283 | | V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \ |
284 | | V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \ |
285 | | V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \ |
286 | | V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \ |
287 | | V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \ |
288 | | V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \ |
289 | | V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \ |
290 | | V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \ |
291 | | V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \ |
292 | | V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \ |
293 | | V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0) |
294 | | |
295 | | #if !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) |
296 | | |
297 | | #define V(a, b, c, d) 0x##a##b##c##d |
298 | | static const uint32_t RT0[256] = { RT }; |
299 | | #undef V |
300 | | |
301 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
302 | | |
303 | | #define V(a, b, c, d) 0x##b##c##d##a |
304 | | static const uint32_t RT1[256] = { RT }; |
305 | | #undef V |
306 | | |
307 | | #define V(a, b, c, d) 0x##c##d##a##b |
308 | | static const uint32_t RT2[256] = { RT }; |
309 | | #undef V |
310 | | |
311 | | #define V(a, b, c, d) 0x##d##a##b##c |
312 | | static const uint32_t RT3[256] = { RT }; |
313 | | #undef V |
314 | | |
315 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
316 | | |
317 | | #endif /* !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */ |
318 | | |
319 | | #undef RT |
320 | | |
321 | | #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) |
322 | | /* |
323 | | * Round constants |
324 | | */ |
325 | | static const uint32_t round_constants[10] = |
326 | | { |
327 | | 0x00000001, 0x00000002, 0x00000004, 0x00000008, |
328 | | 0x00000010, 0x00000020, 0x00000040, 0x00000080, |
329 | | 0x0000001B, 0x00000036 |
330 | | }; |
331 | | #endif /* !defined(MBEDTLS_AES_SETKEY_ENC_ALT) */ |
332 | | |
333 | | #else /* MBEDTLS_AES_ROM_TABLES */ |
334 | | |
335 | | /* |
336 | | * Forward S-box & tables |
337 | | */ |
338 | | #if !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) || \ |
339 | | !defined(MBEDTLS_AES_SETKEY_DEC_ALT) |
340 | | static unsigned char FSb[256]; |
341 | | #endif /* !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) || \ |
342 | | !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */ |
343 | | #if !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) |
344 | | static uint32_t FT0[256]; |
345 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
346 | | static uint32_t FT1[256]; |
347 | | static uint32_t FT2[256]; |
348 | | static uint32_t FT3[256]; |
349 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
350 | | #endif /* !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) */ |
351 | | |
352 | | /* |
353 | | * Reverse S-box & tables |
354 | | */ |
355 | | #if !(defined(MBEDTLS_AES_SETKEY_ENC_ALT) && defined(MBEDTLS_AES_DECRYPT_ALT)) |
356 | | static unsigned char RSb[256]; |
357 | | #endif /* !(defined(MBEDTLS_AES_SETKEY_ENC_ALT) && defined(MBEDTLS_AES_DECRYPT_ALT)) */ |
358 | | |
359 | | #if !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) |
360 | | static uint32_t RT0[256]; |
361 | | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
362 | | static uint32_t RT1[256]; |
363 | | static uint32_t RT2[256]; |
364 | | static uint32_t RT3[256]; |
365 | | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
366 | | #endif /* !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */ |
367 | | |
368 | | #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) |
369 | | /* |
370 | | * Round constants |
371 | | */ |
372 | | static uint32_t round_constants[10]; |
373 | | |
374 | | /* |
375 | | * Tables generation code |
376 | | */ |
377 | 0 | #define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24) |
378 | | #define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00)) |
379 | 0 | #define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0) |
380 | | |
381 | | static int aes_init_done = 0; |
382 | | |
383 | | static void aes_gen_tables(void) |
384 | 0 | { |
385 | 0 | int i, x, y, z; |
386 | 0 | int pow[256]; |
387 | 0 | int log[256]; |
388 | | |
389 | | /* |
390 | | * compute pow and log tables over GF(2^8) |
391 | | */ |
392 | 0 | for (i = 0, x = 1; i < 256; i++) { |
393 | 0 | pow[i] = x; |
394 | 0 | log[x] = i; |
395 | 0 | x = MBEDTLS_BYTE_0(x ^ XTIME(x)); |
396 | 0 | } |
397 | | |
398 | | /* |
399 | | * calculate the round constants |
400 | | */ |
401 | 0 | for (i = 0, x = 1; i < 10; i++) { |
402 | 0 | round_constants[i] = (uint32_t) x; |
403 | 0 | x = MBEDTLS_BYTE_0(XTIME(x)); |
404 | 0 | } |
405 | | |
406 | | /* |
407 | | * generate the forward and reverse S-boxes |
408 | | */ |
409 | 0 | FSb[0x00] = 0x63; |
410 | 0 | RSb[0x63] = 0x00; |
411 | |
|
412 | 0 | for (i = 1; i < 256; i++) { |
413 | 0 | x = pow[255 - log[i]]; |
414 | |
|
415 | 0 | y = x; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); |
416 | 0 | x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); |
417 | 0 | x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); |
418 | 0 | x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7)); |
419 | 0 | x ^= y ^ 0x63; |
420 | |
|
421 | 0 | FSb[i] = (unsigned char) x; |
422 | 0 | RSb[x] = (unsigned char) i; |
423 | 0 | } |
424 | | |
425 | | /* |
426 | | * generate the forward and reverse tables |
427 | | */ |
428 | 0 | for (i = 0; i < 256; i++) { |
429 | 0 | x = FSb[i]; |
430 | 0 | y = MBEDTLS_BYTE_0(XTIME(x)); |
431 | 0 | z = MBEDTLS_BYTE_0(y ^ x); |
432 | |
|
433 | 0 | FT0[i] = ((uint32_t) y) ^ |
434 | 0 | ((uint32_t) x << 8) ^ |
435 | 0 | ((uint32_t) x << 16) ^ |
436 | 0 | ((uint32_t) z << 24); |
437 | |
|
438 | 0 | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
439 | 0 | FT1[i] = ROTL8(FT0[i]); |
440 | 0 | FT2[i] = ROTL8(FT1[i]); |
441 | 0 | FT3[i] = ROTL8(FT2[i]); |
442 | 0 | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
443 | |
|
444 | 0 | x = RSb[i]; |
445 | |
|
446 | 0 | #if !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) |
447 | 0 | RT0[i] = ((uint32_t) MUL(0x0E, x)) ^ |
448 | 0 | ((uint32_t) MUL(0x09, x) << 8) ^ |
449 | 0 | ((uint32_t) MUL(0x0D, x) << 16) ^ |
450 | 0 | ((uint32_t) MUL(0x0B, x) << 24); |
451 | |
|
452 | 0 | #if !defined(MBEDTLS_AES_FEWER_TABLES) |
453 | 0 | RT1[i] = ROTL8(RT0[i]); |
454 | 0 | RT2[i] = ROTL8(RT1[i]); |
455 | 0 | RT3[i] = ROTL8(RT2[i]); |
456 | 0 | #endif /* !MBEDTLS_AES_FEWER_TABLES */ |
457 | 0 | #endif /* !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */ |
458 | 0 | } |
459 | 0 | } |
460 | | |
461 | | #endif /* !defined(MBEDTLS_AES_SETKEY_ENC_ALT) */ |
462 | | |
463 | | #undef ROTL8 |
464 | | |
465 | | #endif /* MBEDTLS_AES_ROM_TABLES */ |
466 | | |
467 | | #if defined(MBEDTLS_AES_FEWER_TABLES) |
468 | | |
469 | | #define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24)) |
470 | | #define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16)) |
471 | | #define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8)) |
472 | | |
473 | | #define AES_RT0(idx) RT0[idx] |
474 | | #define AES_RT1(idx) ROTL8(RT0[idx]) |
475 | | #define AES_RT2(idx) ROTL16(RT0[idx]) |
476 | | #define AES_RT3(idx) ROTL24(RT0[idx]) |
477 | | |
478 | | #define AES_FT0(idx) FT0[idx] |
479 | | #define AES_FT1(idx) ROTL8(FT0[idx]) |
480 | | #define AES_FT2(idx) ROTL16(FT0[idx]) |
481 | | #define AES_FT3(idx) ROTL24(FT0[idx]) |
482 | | |
483 | | #else /* MBEDTLS_AES_FEWER_TABLES */ |
484 | | |
485 | 0 | #define AES_RT0(idx) RT0[idx] |
486 | 0 | #define AES_RT1(idx) RT1[idx] |
487 | 0 | #define AES_RT2(idx) RT2[idx] |
488 | 0 | #define AES_RT3(idx) RT3[idx] |
489 | | |
490 | 0 | #define AES_FT0(idx) FT0[idx] |
491 | 0 | #define AES_FT1(idx) FT1[idx] |
492 | 0 | #define AES_FT2(idx) FT2[idx] |
493 | 0 | #define AES_FT3(idx) FT3[idx] |
494 | | |
495 | | #endif /* MBEDTLS_AES_FEWER_TABLES */ |
496 | | |
497 | | void mbedtls_aes_init(mbedtls_aes_context *ctx) |
498 | 0 | { |
499 | 0 | AES_VALIDATE(ctx != NULL); |
500 | |
|
501 | 0 | memset(ctx, 0, sizeof(mbedtls_aes_context)); |
502 | 0 | } |
503 | | |
504 | | void mbedtls_aes_free(mbedtls_aes_context *ctx) |
505 | 0 | { |
506 | 0 | if (ctx == NULL) { |
507 | 0 | return; |
508 | 0 | } |
509 | | |
510 | 0 | mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context)); |
511 | 0 | } |
512 | | |
513 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
514 | | void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx) |
515 | 0 | { |
516 | 0 | AES_VALIDATE(ctx != NULL); |
517 | |
|
518 | 0 | mbedtls_aes_init(&ctx->crypt); |
519 | 0 | mbedtls_aes_init(&ctx->tweak); |
520 | 0 | } |
521 | | |
522 | | void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx) |
523 | 0 | { |
524 | 0 | if (ctx == NULL) { |
525 | 0 | return; |
526 | 0 | } |
527 | | |
528 | 0 | mbedtls_aes_free(&ctx->crypt); |
529 | 0 | mbedtls_aes_free(&ctx->tweak); |
530 | 0 | } |
531 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
532 | | |
533 | | /* Some implementations need the round keys to be aligned. |
534 | | * Return an offset to be added to buf, such that (buf + offset) is |
535 | | * correctly aligned. |
536 | | * Note that the offset is in units of elements of buf, i.e. 32-bit words, |
537 | | * i.e. an offset of 1 means 4 bytes and so on. |
538 | | */ |
539 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) || \ |
540 | | (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2) |
541 | | #define MAY_NEED_TO_ALIGN |
542 | | #endif |
543 | | |
544 | | #if defined(MAY_NEED_TO_ALIGN) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) || \ |
545 | | !defined(MBEDTLS_AES_SETKEY_ENC_ALT) |
546 | | static unsigned mbedtls_aes_rk_offset(uint32_t *buf) |
547 | 0 | { |
548 | | #if defined(MAY_NEED_TO_ALIGN) |
549 | | int align_16_bytes = 0; |
550 | | |
551 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
552 | | if (aes_padlock_ace == -1) { |
553 | | aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE); |
554 | | } |
555 | | if (aes_padlock_ace) { |
556 | | align_16_bytes = 1; |
557 | | } |
558 | | #endif |
559 | | |
560 | | #if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2 |
561 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
562 | | align_16_bytes = 1; |
563 | | } |
564 | | #endif |
565 | | |
566 | | if (align_16_bytes) { |
567 | | /* These implementations needs 16-byte alignment |
568 | | * for the round key array. */ |
569 | | unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4; |
570 | | if (delta == 0) { |
571 | | return 0; |
572 | | } else { |
573 | | return 4 - delta; // 16 bytes = 4 uint32_t |
574 | | } |
575 | | } |
576 | | #else /* MAY_NEED_TO_ALIGN */ |
577 | 0 | (void) buf; |
578 | 0 | #endif /* MAY_NEED_TO_ALIGN */ |
579 | |
|
580 | 0 | return 0; |
581 | 0 | } |
582 | | #endif /* defined(MAY_NEED_TO_ALIGN) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) || \ |
583 | | !defined(MBEDTLS_AES_SETKEY_ENC_ALT) */ |
584 | | |
585 | | /* |
586 | | * AES key schedule (encryption) |
587 | | */ |
588 | | #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) |
589 | | int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, |
590 | | unsigned int keybits) |
591 | 0 | { |
592 | 0 | unsigned int i; |
593 | 0 | uint32_t *RK; |
594 | |
|
595 | 0 | AES_VALIDATE_RET(ctx != NULL); |
596 | 0 | AES_VALIDATE_RET(key != NULL); |
597 | |
|
598 | 0 | switch (keybits) { |
599 | 0 | case 128: ctx->nr = 10; break; |
600 | 0 | case 192: ctx->nr = 12; break; |
601 | 0 | case 256: ctx->nr = 14; break; |
602 | 0 | default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; |
603 | 0 | } |
604 | | |
605 | 0 | #if !defined(MBEDTLS_AES_ROM_TABLES) |
606 | 0 | if (aes_init_done == 0) { |
607 | 0 | aes_gen_tables(); |
608 | 0 | aes_init_done = 1; |
609 | 0 | } |
610 | 0 | #endif |
611 | |
|
612 | 0 | ctx->rk = RK = ctx->buf + mbedtls_aes_rk_offset(ctx->buf); |
613 | |
|
614 | | #if defined(MBEDTLS_AESNI_HAVE_CODE) |
615 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
616 | | return mbedtls_aesni_setkey_enc((unsigned char *) ctx->rk, key, keybits); |
617 | | } |
618 | | #endif |
619 | |
|
620 | 0 | for (i = 0; i < (keybits >> 5); i++) { |
621 | 0 | RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); |
622 | 0 | } |
623 | |
|
624 | 0 | switch (ctx->nr) { |
625 | 0 | case 10: |
626 | |
|
627 | 0 | for (i = 0; i < 10; i++, RK += 4) { |
628 | 0 | RK[4] = RK[0] ^ round_constants[i] ^ |
629 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^ |
630 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^ |
631 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^ |
632 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24); |
633 | |
|
634 | 0 | RK[5] = RK[1] ^ RK[4]; |
635 | 0 | RK[6] = RK[2] ^ RK[5]; |
636 | 0 | RK[7] = RK[3] ^ RK[6]; |
637 | 0 | } |
638 | 0 | break; |
639 | | |
640 | 0 | case 12: |
641 | |
|
642 | 0 | for (i = 0; i < 8; i++, RK += 6) { |
643 | 0 | RK[6] = RK[0] ^ round_constants[i] ^ |
644 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^ |
645 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^ |
646 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^ |
647 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24); |
648 | |
|
649 | 0 | RK[7] = RK[1] ^ RK[6]; |
650 | 0 | RK[8] = RK[2] ^ RK[7]; |
651 | 0 | RK[9] = RK[3] ^ RK[8]; |
652 | 0 | RK[10] = RK[4] ^ RK[9]; |
653 | 0 | RK[11] = RK[5] ^ RK[10]; |
654 | 0 | } |
655 | 0 | break; |
656 | | |
657 | 0 | case 14: |
658 | |
|
659 | 0 | for (i = 0; i < 7; i++, RK += 8) { |
660 | 0 | RK[8] = RK[0] ^ round_constants[i] ^ |
661 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^ |
662 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^ |
663 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^ |
664 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24); |
665 | |
|
666 | 0 | RK[9] = RK[1] ^ RK[8]; |
667 | 0 | RK[10] = RK[2] ^ RK[9]; |
668 | 0 | RK[11] = RK[3] ^ RK[10]; |
669 | |
|
670 | 0 | RK[12] = RK[4] ^ |
671 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^ |
672 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^ |
673 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^ |
674 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24); |
675 | |
|
676 | 0 | RK[13] = RK[5] ^ RK[12]; |
677 | 0 | RK[14] = RK[6] ^ RK[13]; |
678 | 0 | RK[15] = RK[7] ^ RK[14]; |
679 | 0 | } |
680 | 0 | break; |
681 | 0 | } |
682 | | |
683 | 0 | return 0; |
684 | 0 | } |
685 | | #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ |
686 | | |
687 | | /* |
688 | | * AES key schedule (decryption) |
689 | | */ |
690 | | #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) |
691 | | int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, |
692 | | unsigned int keybits) |
693 | 0 | { |
694 | 0 | int i, j, ret; |
695 | 0 | mbedtls_aes_context cty; |
696 | 0 | uint32_t *RK; |
697 | 0 | uint32_t *SK; |
698 | |
|
699 | 0 | AES_VALIDATE_RET(ctx != NULL); |
700 | 0 | AES_VALIDATE_RET(key != NULL); |
701 | |
|
702 | 0 | mbedtls_aes_init(&cty); |
703 | |
|
704 | 0 | ctx->rk = RK = ctx->buf + mbedtls_aes_rk_offset(ctx->buf); |
705 | | |
706 | | /* Also checks keybits */ |
707 | 0 | if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) { |
708 | 0 | goto exit; |
709 | 0 | } |
710 | | |
711 | 0 | ctx->nr = cty.nr; |
712 | |
|
713 | | #if defined(MBEDTLS_AESNI_HAVE_CODE) |
714 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
715 | | mbedtls_aesni_inverse_key((unsigned char *) ctx->rk, |
716 | | (const unsigned char *) cty.rk, ctx->nr); |
717 | | goto exit; |
718 | | } |
719 | | #endif |
720 | |
|
721 | 0 | SK = cty.rk + cty.nr * 4; |
722 | |
|
723 | 0 | *RK++ = *SK++; |
724 | 0 | *RK++ = *SK++; |
725 | 0 | *RK++ = *SK++; |
726 | 0 | *RK++ = *SK++; |
727 | |
|
728 | 0 | for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) { |
729 | 0 | for (j = 0; j < 4; j++, SK++) { |
730 | 0 | *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^ |
731 | 0 | AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^ |
732 | 0 | AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^ |
733 | 0 | AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]); |
734 | 0 | } |
735 | 0 | } |
736 | |
|
737 | 0 | *RK++ = *SK++; |
738 | 0 | *RK++ = *SK++; |
739 | 0 | *RK++ = *SK++; |
740 | 0 | *RK++ = *SK++; |
741 | |
|
742 | 0 | exit: |
743 | 0 | mbedtls_aes_free(&cty); |
744 | |
|
745 | 0 | return ret; |
746 | 0 | } |
747 | | #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ |
748 | | |
749 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
750 | | static int mbedtls_aes_xts_decode_keys(const unsigned char *key, |
751 | | unsigned int keybits, |
752 | | const unsigned char **key1, |
753 | | unsigned int *key1bits, |
754 | | const unsigned char **key2, |
755 | | unsigned int *key2bits) |
756 | 0 | { |
757 | 0 | const unsigned int half_keybits = keybits / 2; |
758 | 0 | const unsigned int half_keybytes = half_keybits / 8; |
759 | |
|
760 | 0 | switch (keybits) { |
761 | 0 | case 256: break; |
762 | 0 | case 512: break; |
763 | 0 | default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; |
764 | 0 | } |
765 | | |
766 | 0 | *key1bits = half_keybits; |
767 | 0 | *key2bits = half_keybits; |
768 | 0 | *key1 = &key[0]; |
769 | 0 | *key2 = &key[half_keybytes]; |
770 | |
|
771 | 0 | return 0; |
772 | 0 | } |
773 | | |
774 | | int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx, |
775 | | const unsigned char *key, |
776 | | unsigned int keybits) |
777 | 0 | { |
778 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
779 | 0 | const unsigned char *key1, *key2; |
780 | 0 | unsigned int key1bits, key2bits; |
781 | |
|
782 | 0 | AES_VALIDATE_RET(ctx != NULL); |
783 | 0 | AES_VALIDATE_RET(key != NULL); |
784 | |
|
785 | 0 | ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, |
786 | 0 | &key2, &key2bits); |
787 | 0 | if (ret != 0) { |
788 | 0 | return ret; |
789 | 0 | } |
790 | | |
791 | | /* Set the tweak key. Always set tweak key for the encryption mode. */ |
792 | 0 | ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); |
793 | 0 | if (ret != 0) { |
794 | 0 | return ret; |
795 | 0 | } |
796 | | |
797 | | /* Set crypt key for encryption. */ |
798 | 0 | return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits); |
799 | 0 | } |
800 | | |
801 | | int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx, |
802 | | const unsigned char *key, |
803 | | unsigned int keybits) |
804 | 0 | { |
805 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
806 | 0 | const unsigned char *key1, *key2; |
807 | 0 | unsigned int key1bits, key2bits; |
808 | |
|
809 | 0 | AES_VALIDATE_RET(ctx != NULL); |
810 | 0 | AES_VALIDATE_RET(key != NULL); |
811 | |
|
812 | 0 | ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, |
813 | 0 | &key2, &key2bits); |
814 | 0 | if (ret != 0) { |
815 | 0 | return ret; |
816 | 0 | } |
817 | | |
818 | | /* Set the tweak key. Always set tweak key for encryption. */ |
819 | 0 | ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); |
820 | 0 | if (ret != 0) { |
821 | 0 | return ret; |
822 | 0 | } |
823 | | |
824 | | /* Set crypt key for decryption. */ |
825 | 0 | return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits); |
826 | 0 | } |
827 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
828 | | |
829 | | #define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ |
830 | 0 | do \ |
831 | 0 | { \ |
832 | 0 | (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \ |
833 | 0 | AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \ |
834 | 0 | AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \ |
835 | 0 | AES_FT3(MBEDTLS_BYTE_3(Y3)); \ |
836 | 0 | \ |
837 | 0 | (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \ |
838 | 0 | AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \ |
839 | 0 | AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \ |
840 | 0 | AES_FT3(MBEDTLS_BYTE_3(Y0)); \ |
841 | 0 | \ |
842 | 0 | (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \ |
843 | 0 | AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \ |
844 | 0 | AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \ |
845 | 0 | AES_FT3(MBEDTLS_BYTE_3(Y1)); \ |
846 | 0 | \ |
847 | 0 | (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \ |
848 | 0 | AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \ |
849 | 0 | AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \ |
850 | 0 | AES_FT3(MBEDTLS_BYTE_3(Y2)); \ |
851 | 0 | } while (0) |
852 | | |
853 | | #define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ |
854 | 0 | do \ |
855 | 0 | { \ |
856 | 0 | (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \ |
857 | 0 | AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \ |
858 | 0 | AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \ |
859 | 0 | AES_RT3(MBEDTLS_BYTE_3(Y1)); \ |
860 | 0 | \ |
861 | 0 | (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \ |
862 | 0 | AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \ |
863 | 0 | AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \ |
864 | 0 | AES_RT3(MBEDTLS_BYTE_3(Y2)); \ |
865 | 0 | \ |
866 | 0 | (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \ |
867 | 0 | AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \ |
868 | 0 | AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \ |
869 | 0 | AES_RT3(MBEDTLS_BYTE_3(Y3)); \ |
870 | 0 | \ |
871 | 0 | (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \ |
872 | 0 | AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \ |
873 | 0 | AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \ |
874 | 0 | AES_RT3(MBEDTLS_BYTE_3(Y0)); \ |
875 | 0 | } while (0) |
876 | | |
877 | | /* |
878 | | * AES-ECB block encryption |
879 | | */ |
880 | | #if !defined(MBEDTLS_AES_ENCRYPT_ALT) |
881 | | int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx, |
882 | | const unsigned char input[16], |
883 | | unsigned char output[16]) |
884 | 0 | { |
885 | 0 | int i; |
886 | 0 | uint32_t *RK = ctx->rk; |
887 | 0 | struct { |
888 | 0 | uint32_t X[4]; |
889 | 0 | uint32_t Y[4]; |
890 | 0 | } t; |
891 | |
|
892 | 0 | t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; |
893 | 0 | t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; |
894 | 0 | t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; |
895 | 0 | t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; |
896 | |
|
897 | 0 | for (i = (ctx->nr >> 1) - 1; i > 0; i--) { |
898 | 0 | AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
899 | 0 | AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); |
900 | 0 | } |
901 | |
|
902 | 0 | AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
903 | |
|
904 | 0 | t.X[0] = *RK++ ^ \ |
905 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ |
906 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ |
907 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ |
908 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); |
909 | |
|
910 | 0 | t.X[1] = *RK++ ^ \ |
911 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ |
912 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ |
913 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ |
914 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); |
915 | |
|
916 | 0 | t.X[2] = *RK++ ^ \ |
917 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ |
918 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ |
919 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ |
920 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); |
921 | |
|
922 | 0 | t.X[3] = *RK++ ^ \ |
923 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ |
924 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ |
925 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ |
926 | 0 | ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); |
927 | |
|
928 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); |
929 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); |
930 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8); |
931 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); |
932 | |
|
933 | 0 | mbedtls_platform_zeroize(&t, sizeof(t)); |
934 | |
|
935 | 0 | return 0; |
936 | 0 | } |
937 | | #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ |
938 | | |
939 | | #if !defined(MBEDTLS_DEPRECATED_REMOVED) |
940 | | void mbedtls_aes_encrypt(mbedtls_aes_context *ctx, |
941 | | const unsigned char input[16], |
942 | | unsigned char output[16]) |
943 | 0 | { |
944 | 0 | MBEDTLS_IGNORE_RETURN(mbedtls_internal_aes_encrypt(ctx, input, output)); |
945 | 0 | } |
946 | | #endif /* !MBEDTLS_DEPRECATED_REMOVED */ |
947 | | |
948 | | /* |
949 | | * AES-ECB block decryption |
950 | | */ |
951 | | #if !defined(MBEDTLS_AES_DECRYPT_ALT) |
952 | | int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx, |
953 | | const unsigned char input[16], |
954 | | unsigned char output[16]) |
955 | 0 | { |
956 | 0 | int i; |
957 | 0 | uint32_t *RK = ctx->rk; |
958 | 0 | struct { |
959 | 0 | uint32_t X[4]; |
960 | 0 | uint32_t Y[4]; |
961 | 0 | } t; |
962 | |
|
963 | 0 | t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; |
964 | 0 | t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; |
965 | 0 | t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; |
966 | 0 | t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; |
967 | |
|
968 | 0 | for (i = (ctx->nr >> 1) - 1; i > 0; i--) { |
969 | 0 | AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
970 | 0 | AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); |
971 | 0 | } |
972 | |
|
973 | 0 | AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); |
974 | |
|
975 | 0 | t.X[0] = *RK++ ^ \ |
976 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ |
977 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ |
978 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ |
979 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); |
980 | |
|
981 | 0 | t.X[1] = *RK++ ^ \ |
982 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ |
983 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ |
984 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ |
985 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); |
986 | |
|
987 | 0 | t.X[2] = *RK++ ^ \ |
988 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ |
989 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ |
990 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ |
991 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); |
992 | |
|
993 | 0 | t.X[3] = *RK++ ^ \ |
994 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ |
995 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ |
996 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ |
997 | 0 | ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); |
998 | |
|
999 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); |
1000 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); |
1001 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8); |
1002 | 0 | MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); |
1003 | |
|
1004 | 0 | mbedtls_platform_zeroize(&t, sizeof(t)); |
1005 | |
|
1006 | 0 | return 0; |
1007 | 0 | } |
1008 | | #endif /* !MBEDTLS_AES_DECRYPT_ALT */ |
1009 | | |
1010 | | #if !defined(MBEDTLS_DEPRECATED_REMOVED) |
1011 | | void mbedtls_aes_decrypt(mbedtls_aes_context *ctx, |
1012 | | const unsigned char input[16], |
1013 | | unsigned char output[16]) |
1014 | 0 | { |
1015 | 0 | MBEDTLS_IGNORE_RETURN(mbedtls_internal_aes_decrypt(ctx, input, output)); |
1016 | 0 | } |
1017 | | #endif /* !MBEDTLS_DEPRECATED_REMOVED */ |
1018 | | |
1019 | | #if defined(MAY_NEED_TO_ALIGN) |
1020 | | /* VIA Padlock and our intrinsics-based implementation of AESNI require |
1021 | | * the round keys to be aligned on a 16-byte boundary. We take care of this |
1022 | | * before creating them, but the AES context may have moved (this can happen |
1023 | | * if the library is called from a language with managed memory), and in later |
1024 | | * calls it might have a different alignment with respect to 16-byte memory. |
1025 | | * So we may need to realign. |
1026 | | * NOTE: In the LTS branch, the context contains a pointer to within itself, |
1027 | | * so if it has been moved, things will probably go pear-shaped. We keep this |
1028 | | * code for compatibility with the development branch, in case of future changes. |
1029 | | */ |
1030 | | static void aes_maybe_realign(mbedtls_aes_context *ctx) |
1031 | | { |
1032 | | unsigned current_offset = (unsigned) (ctx->rk - ctx->buf); |
1033 | | unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf); |
1034 | | if (new_offset != current_offset) { |
1035 | | memmove(ctx->buf + new_offset, // new address |
1036 | | ctx->buf + current_offset, // current address |
1037 | | (ctx->nr + 1) * 16); // number of round keys * bytes per rk |
1038 | | ctx->rk = ctx->buf + new_offset; |
1039 | | } |
1040 | | } |
1041 | | #endif |
1042 | | |
1043 | | /* |
1044 | | * AES-ECB block encryption/decryption |
1045 | | */ |
1046 | | int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, |
1047 | | int mode, |
1048 | | const unsigned char input[16], |
1049 | | unsigned char output[16]) |
1050 | 0 | { |
1051 | 0 | AES_VALIDATE_RET(ctx != NULL); |
1052 | 0 | AES_VALIDATE_RET(input != NULL); |
1053 | 0 | AES_VALIDATE_RET(output != NULL); |
1054 | 0 | AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || |
1055 | 0 | mode == MBEDTLS_AES_DECRYPT); |
1056 | |
|
1057 | | #if defined(MAY_NEED_TO_ALIGN) |
1058 | | aes_maybe_realign(ctx); |
1059 | | #endif |
1060 | |
|
1061 | | #if defined(MBEDTLS_AESNI_HAVE_CODE) |
1062 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
1063 | | return mbedtls_aesni_crypt_ecb(ctx, mode, input, output); |
1064 | | } |
1065 | | #endif |
1066 | |
|
1067 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
1068 | | if (aes_padlock_ace) { |
1069 | | return mbedtls_padlock_xcryptecb(ctx, mode, input, output); |
1070 | | } |
1071 | | #endif |
1072 | |
|
1073 | 0 | if (mode == MBEDTLS_AES_ENCRYPT) { |
1074 | 0 | return mbedtls_internal_aes_encrypt(ctx, input, output); |
1075 | 0 | } else { |
1076 | 0 | return mbedtls_internal_aes_decrypt(ctx, input, output); |
1077 | 0 | } |
1078 | 0 | } |
1079 | | |
1080 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1081 | | /* |
1082 | | * AES-CBC buffer encryption/decryption |
1083 | | */ |
1084 | | int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx, |
1085 | | int mode, |
1086 | | size_t length, |
1087 | | unsigned char iv[16], |
1088 | | const unsigned char *input, |
1089 | | unsigned char *output) |
1090 | 0 | { |
1091 | 0 | int i; |
1092 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1093 | 0 | unsigned char temp[16]; |
1094 | |
|
1095 | 0 | AES_VALIDATE_RET(ctx != NULL); |
1096 | 0 | AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || |
1097 | 0 | mode == MBEDTLS_AES_DECRYPT); |
1098 | 0 | AES_VALIDATE_RET(iv != NULL); |
1099 | 0 | AES_VALIDATE_RET(input != NULL); |
1100 | 0 | AES_VALIDATE_RET(output != NULL); |
1101 | |
|
1102 | 0 | if (length % 16) { |
1103 | 0 | return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; |
1104 | 0 | } |
1105 | | |
1106 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
1107 | | if (aes_padlock_ace) { |
1108 | | if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) { |
1109 | | return 0; |
1110 | | } |
1111 | | |
1112 | | // If padlock data misaligned, we just fall back to |
1113 | | // unaccelerated mode |
1114 | | // |
1115 | | } |
1116 | | #endif |
1117 | | |
1118 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1119 | 0 | while (length > 0) { |
1120 | 0 | memcpy(temp, input, 16); |
1121 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output); |
1122 | 0 | if (ret != 0) { |
1123 | 0 | goto exit; |
1124 | 0 | } |
1125 | | |
1126 | 0 | for (i = 0; i < 16; i++) { |
1127 | 0 | output[i] = (unsigned char) (output[i] ^ iv[i]); |
1128 | 0 | } |
1129 | |
|
1130 | 0 | memcpy(iv, temp, 16); |
1131 | |
|
1132 | 0 | input += 16; |
1133 | 0 | output += 16; |
1134 | 0 | length -= 16; |
1135 | 0 | } |
1136 | 0 | } else { |
1137 | 0 | while (length > 0) { |
1138 | 0 | for (i = 0; i < 16; i++) { |
1139 | 0 | output[i] = (unsigned char) (input[i] ^ iv[i]); |
1140 | 0 | } |
1141 | |
|
1142 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output); |
1143 | 0 | if (ret != 0) { |
1144 | 0 | goto exit; |
1145 | 0 | } |
1146 | 0 | memcpy(iv, output, 16); |
1147 | |
|
1148 | 0 | input += 16; |
1149 | 0 | output += 16; |
1150 | 0 | length -= 16; |
1151 | 0 | } |
1152 | 0 | } |
1153 | 0 | ret = 0; |
1154 | |
|
1155 | 0 | exit: |
1156 | 0 | return ret; |
1157 | 0 | } |
1158 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
1159 | | |
1160 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
1161 | | |
1162 | | typedef unsigned char mbedtls_be128[16]; |
1163 | | |
1164 | | /* |
1165 | | * GF(2^128) multiplication function |
1166 | | * |
1167 | | * This function multiplies a field element by x in the polynomial field |
1168 | | * representation. It uses 64-bit word operations to gain speed but compensates |
1169 | | * for machine endianness and hence works correctly on both big and little |
1170 | | * endian machines. |
1171 | | */ |
1172 | | static void mbedtls_gf128mul_x_ble(unsigned char r[16], |
1173 | | const unsigned char x[16]) |
1174 | 0 | { |
1175 | 0 | uint64_t a, b, ra, rb; |
1176 | |
|
1177 | 0 | a = MBEDTLS_GET_UINT64_LE(x, 0); |
1178 | 0 | b = MBEDTLS_GET_UINT64_LE(x, 8); |
1179 | |
|
1180 | 0 | ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3)); |
1181 | 0 | rb = (a >> 63) | (b << 1); |
1182 | |
|
1183 | 0 | MBEDTLS_PUT_UINT64_LE(ra, r, 0); |
1184 | 0 | MBEDTLS_PUT_UINT64_LE(rb, r, 8); |
1185 | 0 | } |
1186 | | |
1187 | | /* |
1188 | | * AES-XTS buffer encryption/decryption |
1189 | | */ |
1190 | | int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx, |
1191 | | int mode, |
1192 | | size_t length, |
1193 | | const unsigned char data_unit[16], |
1194 | | const unsigned char *input, |
1195 | | unsigned char *output) |
1196 | 0 | { |
1197 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1198 | 0 | size_t blocks = length / 16; |
1199 | 0 | size_t leftover = length % 16; |
1200 | 0 | unsigned char tweak[16]; |
1201 | 0 | unsigned char prev_tweak[16]; |
1202 | 0 | unsigned char tmp[16]; |
1203 | |
|
1204 | 0 | AES_VALIDATE_RET(ctx != NULL); |
1205 | 0 | AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || |
1206 | 0 | mode == MBEDTLS_AES_DECRYPT); |
1207 | 0 | AES_VALIDATE_RET(data_unit != NULL); |
1208 | 0 | AES_VALIDATE_RET(input != NULL); |
1209 | 0 | AES_VALIDATE_RET(output != NULL); |
1210 | | |
1211 | | /* Data units must be at least 16 bytes long. */ |
1212 | 0 | if (length < 16) { |
1213 | 0 | return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; |
1214 | 0 | } |
1215 | | |
1216 | | /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ |
1217 | 0 | if (length > (1 << 20) * 16) { |
1218 | 0 | return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; |
1219 | 0 | } |
1220 | | |
1221 | | /* Compute the tweak. */ |
1222 | 0 | ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT, |
1223 | 0 | data_unit, tweak); |
1224 | 0 | if (ret != 0) { |
1225 | 0 | return ret; |
1226 | 0 | } |
1227 | | |
1228 | 0 | while (blocks--) { |
1229 | 0 | size_t i; |
1230 | |
|
1231 | 0 | if (leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0) { |
1232 | | /* We are on the last block in a decrypt operation that has |
1233 | | * leftover bytes, so we need to use the next tweak for this block, |
1234 | | * and this tweak for the leftover bytes. Save the current tweak for |
1235 | | * the leftovers and then update the current tweak for use on this, |
1236 | | * the last full block. */ |
1237 | 0 | memcpy(prev_tweak, tweak, sizeof(tweak)); |
1238 | 0 | mbedtls_gf128mul_x_ble(tweak, tweak); |
1239 | 0 | } |
1240 | |
|
1241 | 0 | for (i = 0; i < 16; i++) { |
1242 | 0 | tmp[i] = input[i] ^ tweak[i]; |
1243 | 0 | } |
1244 | |
|
1245 | 0 | ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); |
1246 | 0 | if (ret != 0) { |
1247 | 0 | return ret; |
1248 | 0 | } |
1249 | | |
1250 | 0 | for (i = 0; i < 16; i++) { |
1251 | 0 | output[i] = tmp[i] ^ tweak[i]; |
1252 | 0 | } |
1253 | | |
1254 | | /* Update the tweak for the next block. */ |
1255 | 0 | mbedtls_gf128mul_x_ble(tweak, tweak); |
1256 | |
|
1257 | 0 | output += 16; |
1258 | 0 | input += 16; |
1259 | 0 | } |
1260 | | |
1261 | 0 | if (leftover) { |
1262 | | /* If we are on the leftover bytes in a decrypt operation, we need to |
1263 | | * use the previous tweak for these bytes (as saved in prev_tweak). */ |
1264 | 0 | unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; |
1265 | | |
1266 | | /* We are now on the final part of the data unit, which doesn't divide |
1267 | | * evenly by 16. It's time for ciphertext stealing. */ |
1268 | 0 | size_t i; |
1269 | 0 | unsigned char *prev_output = output - 16; |
1270 | | |
1271 | | /* Copy ciphertext bytes from the previous block to our output for each |
1272 | | * byte of ciphertext we won't steal. At the same time, copy the |
1273 | | * remainder of the input for this final round (since the loop bounds |
1274 | | * are the same). */ |
1275 | 0 | for (i = 0; i < leftover; i++) { |
1276 | 0 | output[i] = prev_output[i]; |
1277 | 0 | tmp[i] = input[i] ^ t[i]; |
1278 | 0 | } |
1279 | | |
1280 | | /* Copy ciphertext bytes from the previous block for input in this |
1281 | | * round. */ |
1282 | 0 | for (; i < 16; i++) { |
1283 | 0 | tmp[i] = prev_output[i] ^ t[i]; |
1284 | 0 | } |
1285 | |
|
1286 | 0 | ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp); |
1287 | 0 | if (ret != 0) { |
1288 | 0 | return ret; |
1289 | 0 | } |
1290 | | |
1291 | | /* Write the result back to the previous block, overriding the previous |
1292 | | * output we copied. */ |
1293 | 0 | for (i = 0; i < 16; i++) { |
1294 | 0 | prev_output[i] = tmp[i] ^ t[i]; |
1295 | 0 | } |
1296 | 0 | } |
1297 | | |
1298 | 0 | return 0; |
1299 | 0 | } |
1300 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
1301 | | |
1302 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
1303 | | /* |
1304 | | * AES-CFB128 buffer encryption/decryption |
1305 | | */ |
1306 | | int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx, |
1307 | | int mode, |
1308 | | size_t length, |
1309 | | size_t *iv_off, |
1310 | | unsigned char iv[16], |
1311 | | const unsigned char *input, |
1312 | | unsigned char *output) |
1313 | 0 | { |
1314 | 0 | int c; |
1315 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1316 | 0 | size_t n; |
1317 | |
|
1318 | 0 | AES_VALIDATE_RET(ctx != NULL); |
1319 | 0 | AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || |
1320 | 0 | mode == MBEDTLS_AES_DECRYPT); |
1321 | 0 | AES_VALIDATE_RET(iv_off != NULL); |
1322 | 0 | AES_VALIDATE_RET(iv != NULL); |
1323 | 0 | AES_VALIDATE_RET(input != NULL); |
1324 | 0 | AES_VALIDATE_RET(output != NULL); |
1325 | |
|
1326 | 0 | n = *iv_off; |
1327 | |
|
1328 | 0 | if (n > 15) { |
1329 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1330 | 0 | } |
1331 | | |
1332 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1333 | 0 | while (length--) { |
1334 | 0 | if (n == 0) { |
1335 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1336 | 0 | if (ret != 0) { |
1337 | 0 | goto exit; |
1338 | 0 | } |
1339 | 0 | } |
1340 | | |
1341 | 0 | c = *input++; |
1342 | 0 | *output++ = (unsigned char) (c ^ iv[n]); |
1343 | 0 | iv[n] = (unsigned char) c; |
1344 | |
|
1345 | 0 | n = (n + 1) & 0x0F; |
1346 | 0 | } |
1347 | 0 | } else { |
1348 | 0 | while (length--) { |
1349 | 0 | if (n == 0) { |
1350 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1351 | 0 | if (ret != 0) { |
1352 | 0 | goto exit; |
1353 | 0 | } |
1354 | 0 | } |
1355 | | |
1356 | 0 | iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++); |
1357 | |
|
1358 | 0 | n = (n + 1) & 0x0F; |
1359 | 0 | } |
1360 | 0 | } |
1361 | | |
1362 | 0 | *iv_off = n; |
1363 | 0 | ret = 0; |
1364 | |
|
1365 | 0 | exit: |
1366 | 0 | return ret; |
1367 | 0 | } |
1368 | | |
1369 | | /* |
1370 | | * AES-CFB8 buffer encryption/decryption |
1371 | | */ |
1372 | | int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx, |
1373 | | int mode, |
1374 | | size_t length, |
1375 | | unsigned char iv[16], |
1376 | | const unsigned char *input, |
1377 | | unsigned char *output) |
1378 | 0 | { |
1379 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1380 | 0 | unsigned char c; |
1381 | 0 | unsigned char ov[17]; |
1382 | |
|
1383 | 0 | AES_VALIDATE_RET(ctx != NULL); |
1384 | 0 | AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || |
1385 | 0 | mode == MBEDTLS_AES_DECRYPT); |
1386 | 0 | AES_VALIDATE_RET(iv != NULL); |
1387 | 0 | AES_VALIDATE_RET(input != NULL); |
1388 | 0 | AES_VALIDATE_RET(output != NULL); |
1389 | 0 | while (length--) { |
1390 | 0 | memcpy(ov, iv, 16); |
1391 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1392 | 0 | if (ret != 0) { |
1393 | 0 | goto exit; |
1394 | 0 | } |
1395 | | |
1396 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1397 | 0 | ov[16] = *input; |
1398 | 0 | } |
1399 | |
|
1400 | 0 | c = *output++ = (unsigned char) (iv[0] ^ *input++); |
1401 | |
|
1402 | 0 | if (mode == MBEDTLS_AES_ENCRYPT) { |
1403 | 0 | ov[16] = c; |
1404 | 0 | } |
1405 | |
|
1406 | 0 | memcpy(iv, ov + 1, 16); |
1407 | 0 | } |
1408 | 0 | ret = 0; |
1409 | |
|
1410 | 0 | exit: |
1411 | 0 | return ret; |
1412 | 0 | } |
1413 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
1414 | | |
1415 | | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
1416 | | /* |
1417 | | * AES-OFB (Output Feedback Mode) buffer encryption/decryption |
1418 | | */ |
1419 | | int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx, |
1420 | | size_t length, |
1421 | | size_t *iv_off, |
1422 | | unsigned char iv[16], |
1423 | | const unsigned char *input, |
1424 | | unsigned char *output) |
1425 | 0 | { |
1426 | 0 | int ret = 0; |
1427 | 0 | size_t n; |
1428 | |
|
1429 | 0 | AES_VALIDATE_RET(ctx != NULL); |
1430 | 0 | AES_VALIDATE_RET(iv_off != NULL); |
1431 | 0 | AES_VALIDATE_RET(iv != NULL); |
1432 | 0 | AES_VALIDATE_RET(input != NULL); |
1433 | 0 | AES_VALIDATE_RET(output != NULL); |
1434 | |
|
1435 | 0 | n = *iv_off; |
1436 | |
|
1437 | 0 | if (n > 15) { |
1438 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1439 | 0 | } |
1440 | | |
1441 | 0 | while (length--) { |
1442 | 0 | if (n == 0) { |
1443 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv); |
1444 | 0 | if (ret != 0) { |
1445 | 0 | goto exit; |
1446 | 0 | } |
1447 | 0 | } |
1448 | 0 | *output++ = *input++ ^ iv[n]; |
1449 | |
|
1450 | 0 | n = (n + 1) & 0x0F; |
1451 | 0 | } |
1452 | | |
1453 | 0 | *iv_off = n; |
1454 | |
|
1455 | 0 | exit: |
1456 | 0 | return ret; |
1457 | 0 | } |
1458 | | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
1459 | | |
1460 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1461 | | /* |
1462 | | * AES-CTR buffer encryption/decryption |
1463 | | */ |
1464 | | int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx, |
1465 | | size_t length, |
1466 | | size_t *nc_off, |
1467 | | unsigned char nonce_counter[16], |
1468 | | unsigned char stream_block[16], |
1469 | | const unsigned char *input, |
1470 | | unsigned char *output) |
1471 | 0 | { |
1472 | 0 | int c, i; |
1473 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1474 | 0 | size_t n; |
1475 | |
|
1476 | 0 | AES_VALIDATE_RET(ctx != NULL); |
1477 | 0 | AES_VALIDATE_RET(nc_off != NULL); |
1478 | 0 | AES_VALIDATE_RET(nonce_counter != NULL); |
1479 | 0 | AES_VALIDATE_RET(stream_block != NULL); |
1480 | 0 | AES_VALIDATE_RET(input != NULL); |
1481 | 0 | AES_VALIDATE_RET(output != NULL); |
1482 | |
|
1483 | 0 | n = *nc_off; |
1484 | |
|
1485 | 0 | if (n > 0x0F) { |
1486 | 0 | return MBEDTLS_ERR_AES_BAD_INPUT_DATA; |
1487 | 0 | } |
1488 | | |
1489 | 0 | while (length--) { |
1490 | 0 | if (n == 0) { |
1491 | 0 | ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block); |
1492 | 0 | if (ret != 0) { |
1493 | 0 | goto exit; |
1494 | 0 | } |
1495 | | |
1496 | 0 | for (i = 16; i > 0; i--) { |
1497 | 0 | if (++nonce_counter[i - 1] != 0) { |
1498 | 0 | break; |
1499 | 0 | } |
1500 | 0 | } |
1501 | 0 | } |
1502 | 0 | c = *input++; |
1503 | 0 | *output++ = (unsigned char) (c ^ stream_block[n]); |
1504 | |
|
1505 | 0 | n = (n + 1) & 0x0F; |
1506 | 0 | } |
1507 | | |
1508 | 0 | *nc_off = n; |
1509 | 0 | ret = 0; |
1510 | |
|
1511 | 0 | exit: |
1512 | 0 | return ret; |
1513 | 0 | } |
1514 | | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
1515 | | |
1516 | | #endif /* !MBEDTLS_AES_ALT */ |
1517 | | |
1518 | | #if defined(MBEDTLS_SELF_TEST) |
1519 | | /* |
1520 | | * AES test vectors from: |
1521 | | * |
1522 | | * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip |
1523 | | */ |
1524 | | static const unsigned char aes_test_ecb_dec[3][16] = |
1525 | | { |
1526 | | { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, |
1527 | | 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, |
1528 | | { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, |
1529 | | 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, |
1530 | | { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, |
1531 | | 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } |
1532 | | }; |
1533 | | |
1534 | | static const unsigned char aes_test_ecb_enc[3][16] = |
1535 | | { |
1536 | | { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, |
1537 | | 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, |
1538 | | { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, |
1539 | | 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, |
1540 | | { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, |
1541 | | 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } |
1542 | | }; |
1543 | | |
1544 | | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1545 | | static const unsigned char aes_test_cbc_dec[3][16] = |
1546 | | { |
1547 | | { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, |
1548 | | 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, |
1549 | | { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, |
1550 | | 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, |
1551 | | { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, |
1552 | | 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } |
1553 | | }; |
1554 | | |
1555 | | static const unsigned char aes_test_cbc_enc[3][16] = |
1556 | | { |
1557 | | { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, |
1558 | | 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, |
1559 | | { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, |
1560 | | 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, |
1561 | | { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, |
1562 | | 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } |
1563 | | }; |
1564 | | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
1565 | | |
1566 | | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
1567 | | /* |
1568 | | * AES-CFB128 test vectors from: |
1569 | | * |
1570 | | * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf |
1571 | | */ |
1572 | | static const unsigned char aes_test_cfb128_key[3][32] = |
1573 | | { |
1574 | | { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, |
1575 | | 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, |
1576 | | { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, |
1577 | | 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, |
1578 | | 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, |
1579 | | { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, |
1580 | | 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, |
1581 | | 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, |
1582 | | 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } |
1583 | | }; |
1584 | | |
1585 | | static const unsigned char aes_test_cfb128_iv[16] = |
1586 | | { |
1587 | | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1588 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F |
1589 | | }; |
1590 | | |
1591 | | static const unsigned char aes_test_cfb128_pt[64] = |
1592 | | { |
1593 | | 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, |
1594 | | 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, |
1595 | | 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, |
1596 | | 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, |
1597 | | 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, |
1598 | | 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, |
1599 | | 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, |
1600 | | 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 |
1601 | | }; |
1602 | | |
1603 | | static const unsigned char aes_test_cfb128_ct[3][64] = |
1604 | | { |
1605 | | { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, |
1606 | | 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, |
1607 | | 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, |
1608 | | 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, |
1609 | | 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, |
1610 | | 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, |
1611 | | 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, |
1612 | | 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, |
1613 | | { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, |
1614 | | 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, |
1615 | | 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, |
1616 | | 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, |
1617 | | 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, |
1618 | | 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, |
1619 | | 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, |
1620 | | 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, |
1621 | | { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, |
1622 | | 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, |
1623 | | 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, |
1624 | | 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, |
1625 | | 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, |
1626 | | 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, |
1627 | | 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, |
1628 | | 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } |
1629 | | }; |
1630 | | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
1631 | | |
1632 | | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
1633 | | /* |
1634 | | * AES-OFB test vectors from: |
1635 | | * |
1636 | | * https://csrc.nist.gov/publications/detail/sp/800-38a/final |
1637 | | */ |
1638 | | static const unsigned char aes_test_ofb_key[3][32] = |
1639 | | { |
1640 | | { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, |
1641 | | 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, |
1642 | | { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, |
1643 | | 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, |
1644 | | 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, |
1645 | | { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, |
1646 | | 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, |
1647 | | 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, |
1648 | | 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } |
1649 | | }; |
1650 | | |
1651 | | static const unsigned char aes_test_ofb_iv[16] = |
1652 | | { |
1653 | | 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1654 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F |
1655 | | }; |
1656 | | |
1657 | | static const unsigned char aes_test_ofb_pt[64] = |
1658 | | { |
1659 | | 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, |
1660 | | 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, |
1661 | | 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, |
1662 | | 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, |
1663 | | 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, |
1664 | | 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, |
1665 | | 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, |
1666 | | 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 |
1667 | | }; |
1668 | | |
1669 | | static const unsigned char aes_test_ofb_ct[3][64] = |
1670 | | { |
1671 | | { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, |
1672 | | 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, |
1673 | | 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, |
1674 | | 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, |
1675 | | 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, |
1676 | | 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, |
1677 | | 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, |
1678 | | 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, |
1679 | | { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, |
1680 | | 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, |
1681 | | 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, |
1682 | | 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, |
1683 | | 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, |
1684 | | 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, |
1685 | | 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, |
1686 | | 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, |
1687 | | { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, |
1688 | | 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, |
1689 | | 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, |
1690 | | 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, |
1691 | | 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, |
1692 | | 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, |
1693 | | 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, |
1694 | | 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } |
1695 | | }; |
1696 | | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
1697 | | |
1698 | | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1699 | | /* |
1700 | | * AES-CTR test vectors from: |
1701 | | * |
1702 | | * http://www.faqs.org/rfcs/rfc3686.html |
1703 | | */ |
1704 | | |
1705 | | static const unsigned char aes_test_ctr_key[3][16] = |
1706 | | { |
1707 | | { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, |
1708 | | 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, |
1709 | | { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, |
1710 | | 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, |
1711 | | { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, |
1712 | | 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } |
1713 | | }; |
1714 | | |
1715 | | static const unsigned char aes_test_ctr_nonce_counter[3][16] = |
1716 | | { |
1717 | | { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, |
1718 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, |
1719 | | { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, |
1720 | | 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, |
1721 | | { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, |
1722 | | 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } |
1723 | | }; |
1724 | | |
1725 | | static const unsigned char aes_test_ctr_pt[3][48] = |
1726 | | { |
1727 | | { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, |
1728 | | 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, |
1729 | | |
1730 | | { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1731 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, |
1732 | | 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, |
1733 | | 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, |
1734 | | |
1735 | | { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, |
1736 | | 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, |
1737 | | 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, |
1738 | | 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, |
1739 | | 0x20, 0x21, 0x22, 0x23 } |
1740 | | }; |
1741 | | |
1742 | | static const unsigned char aes_test_ctr_ct[3][48] = |
1743 | | { |
1744 | | { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, |
1745 | | 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, |
1746 | | { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, |
1747 | | 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, |
1748 | | 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, |
1749 | | 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, |
1750 | | { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, |
1751 | | 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, |
1752 | | 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, |
1753 | | 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, |
1754 | | 0x25, 0xB2, 0x07, 0x2F } |
1755 | | }; |
1756 | | |
1757 | | static const int aes_test_ctr_len[3] = |
1758 | | { 16, 32, 36 }; |
1759 | | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
1760 | | |
1761 | | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
1762 | | /* |
1763 | | * AES-XTS test vectors from: |
1764 | | * |
1765 | | * IEEE P1619/D16 Annex B |
1766 | | * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf |
1767 | | * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) |
1768 | | */ |
1769 | | static const unsigned char aes_test_xts_key[][32] = |
1770 | | { |
1771 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1772 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1773 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1774 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1775 | | { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, |
1776 | | 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, |
1777 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, |
1778 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, |
1779 | | { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, |
1780 | | 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, |
1781 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, |
1782 | | 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, |
1783 | | }; |
1784 | | |
1785 | | static const unsigned char aes_test_xts_pt32[][32] = |
1786 | | { |
1787 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1788 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1789 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1790 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1791 | | { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1792 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1793 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1794 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, |
1795 | | { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1796 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1797 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, |
1798 | | 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, |
1799 | | }; |
1800 | | |
1801 | | static const unsigned char aes_test_xts_ct32[][32] = |
1802 | | { |
1803 | | { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, |
1804 | | 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, |
1805 | | 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, |
1806 | | 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, |
1807 | | { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, |
1808 | | 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, |
1809 | | 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, |
1810 | | 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, |
1811 | | { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, |
1812 | | 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, |
1813 | | 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, |
1814 | | 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, |
1815 | | }; |
1816 | | |
1817 | | static const unsigned char aes_test_xts_data_unit[][16] = |
1818 | | { |
1819 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, |
1820 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1821 | | { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, |
1822 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1823 | | { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, |
1824 | | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
1825 | | }; |
1826 | | |
1827 | | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
1828 | | |
1829 | | /* |
1830 | | * Checkup routine |
1831 | | */ |
1832 | | int mbedtls_aes_self_test(int verbose) |
1833 | 0 | { |
1834 | 0 | int ret = 0, i, j, u, mode; |
1835 | 0 | unsigned int keybits; |
1836 | 0 | unsigned char key[32]; |
1837 | 0 | unsigned char buf[64]; |
1838 | 0 | const unsigned char *aes_tests; |
1839 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
1840 | 0 | defined(MBEDTLS_CIPHER_MODE_OFB) |
1841 | 0 | unsigned char iv[16]; |
1842 | 0 | #endif |
1843 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1844 | 0 | unsigned char prv[16]; |
1845 | 0 | #endif |
1846 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ |
1847 | 0 | defined(MBEDTLS_CIPHER_MODE_OFB) |
1848 | 0 | size_t offset; |
1849 | 0 | #endif |
1850 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) |
1851 | 0 | int len; |
1852 | 0 | #endif |
1853 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
1854 | 0 | unsigned char nonce_counter[16]; |
1855 | 0 | unsigned char stream_block[16]; |
1856 | 0 | #endif |
1857 | 0 | mbedtls_aes_context ctx; |
1858 | |
|
1859 | 0 | memset(key, 0, 32); |
1860 | 0 | mbedtls_aes_init(&ctx); |
1861 | |
|
1862 | 0 | if (verbose != 0) { |
1863 | | #if defined(MBEDTLS_AES_ALT) |
1864 | | mbedtls_printf(" AES note: alternative implementation.\n"); |
1865 | | #else /* MBEDTLS_AES_ALT */ |
1866 | | #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) |
1867 | | if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) { |
1868 | | mbedtls_printf(" AES note: using VIA Padlock.\n"); |
1869 | | } else |
1870 | | #endif |
1871 | | #if defined(MBEDTLS_AESNI_HAVE_CODE) |
1872 | | if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { |
1873 | | mbedtls_printf(" AES note: using AESNI via "); |
1874 | | #if MBEDTLS_AESNI_HAVE_CODE == 1 |
1875 | | mbedtls_printf("assembly"); |
1876 | | #elif MBEDTLS_AESNI_HAVE_CODE == 2 |
1877 | | mbedtls_printf("intrinsics"); |
1878 | | #else |
1879 | | mbedtls_printf("(unknown)"); |
1880 | | #endif |
1881 | | mbedtls_printf(".\n"); |
1882 | | } else |
1883 | | #endif |
1884 | 0 | mbedtls_printf(" AES note: built-in implementation.\n"); |
1885 | 0 | #endif /* MBEDTLS_AES_ALT */ |
1886 | 0 | } |
1887 | | |
1888 | | /* |
1889 | | * ECB mode |
1890 | | */ |
1891 | 0 | for (i = 0; i < 6; i++) { |
1892 | 0 | u = i >> 1; |
1893 | 0 | keybits = 128 + u * 64; |
1894 | 0 | mode = i & 1; |
1895 | |
|
1896 | 0 | if (verbose != 0) { |
1897 | 0 | mbedtls_printf(" AES-ECB-%3u (%s): ", keybits, |
1898 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
1899 | 0 | } |
1900 | |
|
1901 | 0 | memset(buf, 0, 16); |
1902 | |
|
1903 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1904 | 0 | ret = mbedtls_aes_setkey_dec(&ctx, key, keybits); |
1905 | 0 | aes_tests = aes_test_ecb_dec[u]; |
1906 | 0 | } else { |
1907 | 0 | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
1908 | 0 | aes_tests = aes_test_ecb_enc[u]; |
1909 | 0 | } |
1910 | | |
1911 | | /* |
1912 | | * AES-192 is an optional feature that may be unavailable when |
1913 | | * there is an alternative underlying implementation i.e. when |
1914 | | * MBEDTLS_AES_ALT is defined. |
1915 | | */ |
1916 | 0 | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
1917 | 0 | mbedtls_printf("skipped\n"); |
1918 | 0 | continue; |
1919 | 0 | } else if (ret != 0) { |
1920 | 0 | goto exit; |
1921 | 0 | } |
1922 | | |
1923 | 0 | for (j = 0; j < 10000; j++) { |
1924 | 0 | ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf); |
1925 | 0 | if (ret != 0) { |
1926 | 0 | goto exit; |
1927 | 0 | } |
1928 | 0 | } |
1929 | | |
1930 | 0 | if (memcmp(buf, aes_tests, 16) != 0) { |
1931 | 0 | ret = 1; |
1932 | 0 | goto exit; |
1933 | 0 | } |
1934 | | |
1935 | 0 | if (verbose != 0) { |
1936 | 0 | mbedtls_printf("passed\n"); |
1937 | 0 | } |
1938 | 0 | } |
1939 | | |
1940 | 0 | if (verbose != 0) { |
1941 | 0 | mbedtls_printf("\n"); |
1942 | 0 | } |
1943 | |
|
1944 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CBC) |
1945 | | /* |
1946 | | * CBC mode |
1947 | | */ |
1948 | 0 | for (i = 0; i < 6; i++) { |
1949 | 0 | u = i >> 1; |
1950 | 0 | keybits = 128 + u * 64; |
1951 | 0 | mode = i & 1; |
1952 | |
|
1953 | 0 | if (verbose != 0) { |
1954 | 0 | mbedtls_printf(" AES-CBC-%3u (%s): ", keybits, |
1955 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
1956 | 0 | } |
1957 | |
|
1958 | 0 | memset(iv, 0, 16); |
1959 | 0 | memset(prv, 0, 16); |
1960 | 0 | memset(buf, 0, 16); |
1961 | |
|
1962 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
1963 | 0 | ret = mbedtls_aes_setkey_dec(&ctx, key, keybits); |
1964 | 0 | aes_tests = aes_test_cbc_dec[u]; |
1965 | 0 | } else { |
1966 | 0 | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
1967 | 0 | aes_tests = aes_test_cbc_enc[u]; |
1968 | 0 | } |
1969 | | |
1970 | | /* |
1971 | | * AES-192 is an optional feature that may be unavailable when |
1972 | | * there is an alternative underlying implementation i.e. when |
1973 | | * MBEDTLS_AES_ALT is defined. |
1974 | | */ |
1975 | 0 | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
1976 | 0 | mbedtls_printf("skipped\n"); |
1977 | 0 | continue; |
1978 | 0 | } else if (ret != 0) { |
1979 | 0 | goto exit; |
1980 | 0 | } |
1981 | | |
1982 | 0 | for (j = 0; j < 10000; j++) { |
1983 | 0 | if (mode == MBEDTLS_AES_ENCRYPT) { |
1984 | 0 | unsigned char tmp[16]; |
1985 | |
|
1986 | 0 | memcpy(tmp, prv, 16); |
1987 | 0 | memcpy(prv, buf, 16); |
1988 | 0 | memcpy(buf, tmp, 16); |
1989 | 0 | } |
1990 | |
|
1991 | 0 | ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf); |
1992 | 0 | if (ret != 0) { |
1993 | 0 | goto exit; |
1994 | 0 | } |
1995 | |
|
1996 | 0 | } |
1997 | | |
1998 | 0 | if (memcmp(buf, aes_tests, 16) != 0) { |
1999 | 0 | ret = 1; |
2000 | 0 | goto exit; |
2001 | 0 | } |
2002 | | |
2003 | 0 | if (verbose != 0) { |
2004 | 0 | mbedtls_printf("passed\n"); |
2005 | 0 | } |
2006 | 0 | } |
2007 | | |
2008 | 0 | if (verbose != 0) { |
2009 | 0 | mbedtls_printf("\n"); |
2010 | 0 | } |
2011 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CBC */ |
2012 | |
|
2013 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CFB) |
2014 | | /* |
2015 | | * CFB128 mode |
2016 | | */ |
2017 | 0 | for (i = 0; i < 6; i++) { |
2018 | 0 | u = i >> 1; |
2019 | 0 | keybits = 128 + u * 64; |
2020 | 0 | mode = i & 1; |
2021 | |
|
2022 | 0 | if (verbose != 0) { |
2023 | 0 | mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits, |
2024 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
2025 | 0 | } |
2026 | |
|
2027 | 0 | memcpy(iv, aes_test_cfb128_iv, 16); |
2028 | 0 | memcpy(key, aes_test_cfb128_key[u], keybits / 8); |
2029 | |
|
2030 | 0 | offset = 0; |
2031 | 0 | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
2032 | | /* |
2033 | | * AES-192 is an optional feature that may be unavailable when |
2034 | | * there is an alternative underlying implementation i.e. when |
2035 | | * MBEDTLS_AES_ALT is defined. |
2036 | | */ |
2037 | 0 | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
2038 | 0 | mbedtls_printf("skipped\n"); |
2039 | 0 | continue; |
2040 | 0 | } else if (ret != 0) { |
2041 | 0 | goto exit; |
2042 | 0 | } |
2043 | | |
2044 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
2045 | 0 | memcpy(buf, aes_test_cfb128_ct[u], 64); |
2046 | 0 | aes_tests = aes_test_cfb128_pt; |
2047 | 0 | } else { |
2048 | 0 | memcpy(buf, aes_test_cfb128_pt, 64); |
2049 | 0 | aes_tests = aes_test_cfb128_ct[u]; |
2050 | 0 | } |
2051 | |
|
2052 | 0 | ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf); |
2053 | 0 | if (ret != 0) { |
2054 | 0 | goto exit; |
2055 | 0 | } |
2056 | | |
2057 | 0 | if (memcmp(buf, aes_tests, 64) != 0) { |
2058 | 0 | ret = 1; |
2059 | 0 | goto exit; |
2060 | 0 | } |
2061 | | |
2062 | 0 | if (verbose != 0) { |
2063 | 0 | mbedtls_printf("passed\n"); |
2064 | 0 | } |
2065 | 0 | } |
2066 | | |
2067 | 0 | if (verbose != 0) { |
2068 | 0 | mbedtls_printf("\n"); |
2069 | 0 | } |
2070 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CFB */ |
2071 | |
|
2072 | 0 | #if defined(MBEDTLS_CIPHER_MODE_OFB) |
2073 | | /* |
2074 | | * OFB mode |
2075 | | */ |
2076 | 0 | for (i = 0; i < 6; i++) { |
2077 | 0 | u = i >> 1; |
2078 | 0 | keybits = 128 + u * 64; |
2079 | 0 | mode = i & 1; |
2080 | |
|
2081 | 0 | if (verbose != 0) { |
2082 | 0 | mbedtls_printf(" AES-OFB-%3u (%s): ", keybits, |
2083 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
2084 | 0 | } |
2085 | |
|
2086 | 0 | memcpy(iv, aes_test_ofb_iv, 16); |
2087 | 0 | memcpy(key, aes_test_ofb_key[u], keybits / 8); |
2088 | |
|
2089 | 0 | offset = 0; |
2090 | 0 | ret = mbedtls_aes_setkey_enc(&ctx, key, keybits); |
2091 | | /* |
2092 | | * AES-192 is an optional feature that may be unavailable when |
2093 | | * there is an alternative underlying implementation i.e. when |
2094 | | * MBEDTLS_AES_ALT is defined. |
2095 | | */ |
2096 | 0 | if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) { |
2097 | 0 | mbedtls_printf("skipped\n"); |
2098 | 0 | continue; |
2099 | 0 | } else if (ret != 0) { |
2100 | 0 | goto exit; |
2101 | 0 | } |
2102 | | |
2103 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
2104 | 0 | memcpy(buf, aes_test_ofb_ct[u], 64); |
2105 | 0 | aes_tests = aes_test_ofb_pt; |
2106 | 0 | } else { |
2107 | 0 | memcpy(buf, aes_test_ofb_pt, 64); |
2108 | 0 | aes_tests = aes_test_ofb_ct[u]; |
2109 | 0 | } |
2110 | |
|
2111 | 0 | ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf); |
2112 | 0 | if (ret != 0) { |
2113 | 0 | goto exit; |
2114 | 0 | } |
2115 | | |
2116 | 0 | if (memcmp(buf, aes_tests, 64) != 0) { |
2117 | 0 | ret = 1; |
2118 | 0 | goto exit; |
2119 | 0 | } |
2120 | | |
2121 | 0 | if (verbose != 0) { |
2122 | 0 | mbedtls_printf("passed\n"); |
2123 | 0 | } |
2124 | 0 | } |
2125 | | |
2126 | 0 | if (verbose != 0) { |
2127 | 0 | mbedtls_printf("\n"); |
2128 | 0 | } |
2129 | 0 | #endif /* MBEDTLS_CIPHER_MODE_OFB */ |
2130 | |
|
2131 | 0 | #if defined(MBEDTLS_CIPHER_MODE_CTR) |
2132 | | /* |
2133 | | * CTR mode |
2134 | | */ |
2135 | 0 | for (i = 0; i < 6; i++) { |
2136 | 0 | u = i >> 1; |
2137 | 0 | mode = i & 1; |
2138 | |
|
2139 | 0 | if (verbose != 0) { |
2140 | 0 | mbedtls_printf(" AES-CTR-128 (%s): ", |
2141 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
2142 | 0 | } |
2143 | |
|
2144 | 0 | memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16); |
2145 | 0 | memcpy(key, aes_test_ctr_key[u], 16); |
2146 | |
|
2147 | 0 | offset = 0; |
2148 | 0 | if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) { |
2149 | 0 | goto exit; |
2150 | 0 | } |
2151 | | |
2152 | 0 | len = aes_test_ctr_len[u]; |
2153 | |
|
2154 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
2155 | 0 | memcpy(buf, aes_test_ctr_ct[u], len); |
2156 | 0 | aes_tests = aes_test_ctr_pt[u]; |
2157 | 0 | } else { |
2158 | 0 | memcpy(buf, aes_test_ctr_pt[u], len); |
2159 | 0 | aes_tests = aes_test_ctr_ct[u]; |
2160 | 0 | } |
2161 | |
|
2162 | 0 | ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter, |
2163 | 0 | stream_block, buf, buf); |
2164 | 0 | if (ret != 0) { |
2165 | 0 | goto exit; |
2166 | 0 | } |
2167 | | |
2168 | 0 | if (memcmp(buf, aes_tests, len) != 0) { |
2169 | 0 | ret = 1; |
2170 | 0 | goto exit; |
2171 | 0 | } |
2172 | | |
2173 | 0 | if (verbose != 0) { |
2174 | 0 | mbedtls_printf("passed\n"); |
2175 | 0 | } |
2176 | 0 | } |
2177 | | |
2178 | 0 | if (verbose != 0) { |
2179 | 0 | mbedtls_printf("\n"); |
2180 | 0 | } |
2181 | 0 | #endif /* MBEDTLS_CIPHER_MODE_CTR */ |
2182 | |
|
2183 | 0 | #if defined(MBEDTLS_CIPHER_MODE_XTS) |
2184 | 0 | { |
2185 | 0 | static const int num_tests = |
2186 | 0 | sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); |
2187 | 0 | mbedtls_aes_xts_context ctx_xts; |
2188 | | |
2189 | | /* |
2190 | | * XTS mode |
2191 | | */ |
2192 | 0 | mbedtls_aes_xts_init(&ctx_xts); |
2193 | |
|
2194 | 0 | for (i = 0; i < num_tests << 1; i++) { |
2195 | 0 | const unsigned char *data_unit; |
2196 | 0 | u = i >> 1; |
2197 | 0 | mode = i & 1; |
2198 | |
|
2199 | 0 | if (verbose != 0) { |
2200 | 0 | mbedtls_printf(" AES-XTS-128 (%s): ", |
2201 | 0 | (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc"); |
2202 | 0 | } |
2203 | |
|
2204 | 0 | memset(key, 0, sizeof(key)); |
2205 | 0 | memcpy(key, aes_test_xts_key[u], 32); |
2206 | 0 | data_unit = aes_test_xts_data_unit[u]; |
2207 | |
|
2208 | 0 | len = sizeof(*aes_test_xts_ct32); |
2209 | |
|
2210 | 0 | if (mode == MBEDTLS_AES_DECRYPT) { |
2211 | 0 | ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256); |
2212 | 0 | if (ret != 0) { |
2213 | 0 | goto exit; |
2214 | 0 | } |
2215 | 0 | memcpy(buf, aes_test_xts_ct32[u], len); |
2216 | 0 | aes_tests = aes_test_xts_pt32[u]; |
2217 | 0 | } else { |
2218 | 0 | ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256); |
2219 | 0 | if (ret != 0) { |
2220 | 0 | goto exit; |
2221 | 0 | } |
2222 | 0 | memcpy(buf, aes_test_xts_pt32[u], len); |
2223 | 0 | aes_tests = aes_test_xts_ct32[u]; |
2224 | 0 | } |
2225 | | |
2226 | | |
2227 | 0 | ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit, |
2228 | 0 | buf, buf); |
2229 | 0 | if (ret != 0) { |
2230 | 0 | goto exit; |
2231 | 0 | } |
2232 | | |
2233 | 0 | if (memcmp(buf, aes_tests, len) != 0) { |
2234 | 0 | ret = 1; |
2235 | 0 | goto exit; |
2236 | 0 | } |
2237 | | |
2238 | 0 | if (verbose != 0) { |
2239 | 0 | mbedtls_printf("passed\n"); |
2240 | 0 | } |
2241 | 0 | } |
2242 | | |
2243 | 0 | if (verbose != 0) { |
2244 | 0 | mbedtls_printf("\n"); |
2245 | 0 | } |
2246 | |
|
2247 | 0 | mbedtls_aes_xts_free(&ctx_xts); |
2248 | 0 | } |
2249 | 0 | #endif /* MBEDTLS_CIPHER_MODE_XTS */ |
2250 | | |
2251 | 0 | ret = 0; |
2252 | |
|
2253 | 0 | exit: |
2254 | 0 | if (ret != 0 && verbose != 0) { |
2255 | 0 | mbedtls_printf("failed\n"); |
2256 | 0 | } |
2257 | |
|
2258 | 0 | mbedtls_aes_free(&ctx); |
2259 | |
|
2260 | 0 | return ret; |
2261 | 0 | } |
2262 | | |
2263 | | #endif /* MBEDTLS_SELF_TEST */ |
2264 | | |
2265 | | #endif /* MBEDTLS_AES_C */ |