Coverage Report

Created: 2025-07-01 06:54

/work/mbedtls-2.28.8/library/aes.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  FIPS-197 compliant AES implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
/*
8
 *  The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
9
 *
10
 *  https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
11
 *  http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
12
 */
13
14
#include "common.h"
15
16
#if defined(MBEDTLS_AES_C)
17
18
#include <string.h>
19
20
#include "mbedtls/aes.h"
21
#include "mbedtls/platform.h"
22
#include "mbedtls/platform_util.h"
23
#include "mbedtls/error.h"
24
#if defined(MBEDTLS_PADLOCK_C)
25
#include "mbedtls/padlock.h"
26
#endif
27
#if defined(MBEDTLS_AESNI_C)
28
#include "mbedtls/aesni.h"
29
#endif
30
31
#include "mbedtls/platform.h"
32
33
#if !defined(MBEDTLS_AES_ALT)
34
35
/* Parameter validation macros based on platform_util.h */
36
#define AES_VALIDATE_RET(cond)    \
37
0
    MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA)
38
#define AES_VALIDATE(cond)        \
39
0
    MBEDTLS_INTERNAL_VALIDATE(cond)
40
41
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
42
static int aes_padlock_ace = -1;
43
#endif
44
45
#if defined(MBEDTLS_AES_ROM_TABLES)
46
/*
47
 * Forward S-box
48
 */
49
#if !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) || \
50
    !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
51
static const unsigned char FSb[256] =
52
{
53
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
54
    0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
55
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
56
    0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
57
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
58
    0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
59
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
60
    0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
61
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
62
    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
63
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
64
    0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
65
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
66
    0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
67
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
68
    0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
69
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
70
    0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
71
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
72
    0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
73
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
74
    0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
75
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
76
    0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
77
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
78
    0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
79
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
80
    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
81
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
82
    0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
83
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
84
    0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
85
};
86
#endif /* !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) || \
87
          !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */
88
89
/*
90
 * Forward tables
91
 */
92
#define FT \
93
\
94
    V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \
95
    V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \
96
    V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
97
    V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \
98
    V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
99
    V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
100
    V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \
101
    V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \
102
    V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
103
    V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
104
    V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \
105
    V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
106
    V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \
107
    V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \
108
    V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
109
    V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \
110
    V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \
111
    V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
112
    V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \
113
    V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
114
    V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
115
    V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \
116
    V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \
117
    V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
118
    V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
119
    V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \
120
    V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
121
    V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \
122
    V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \
123
    V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
124
    V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
125
    V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \
126
    V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
127
    V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \
128
    V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
129
    V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
130
    V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \
131
    V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \
132
    V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
133
    V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
134
    V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \
135
    V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
136
    V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \
137
    V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \
138
    V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
139
    V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \
140
    V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \
141
    V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
142
    V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \
143
    V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
144
    V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
145
    V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \
146
    V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \
147
    V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
148
    V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
149
    V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
150
    V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
151
    V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \
152
    V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \
153
    V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
154
    V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \
155
    V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \
156
    V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
157
    V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
158
159
#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
160
#define V(a, b, c, d) 0x##a##b##c##d
161
static const uint32_t FT0[256] = { FT };
162
#undef V
163
164
#if !defined(MBEDTLS_AES_FEWER_TABLES)
165
166
#define V(a, b, c, d) 0x##b##c##d##a
167
static const uint32_t FT1[256] = { FT };
168
#undef V
169
170
#define V(a, b, c, d) 0x##c##d##a##b
171
static const uint32_t FT2[256] = { FT };
172
#undef V
173
174
#define V(a, b, c, d) 0x##d##a##b##c
175
static const uint32_t FT3[256] = { FT };
176
#undef V
177
178
#endif /* !MBEDTLS_AES_FEWER_TABLES */
179
180
#endif /* !defined(MBEDTLS_AES_ENCRYPT_ALT) */
181
182
#undef FT
183
184
#if !defined(MBEDTLS_AES_DECRYPT_ALT)
185
/*
186
 * Reverse S-box
187
 */
188
static const unsigned char RSb[256] =
189
{
190
    0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
191
    0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
192
    0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
193
    0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
194
    0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
195
    0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
196
    0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
197
    0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
198
    0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
199
    0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
200
    0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
201
    0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
202
    0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
203
    0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
204
    0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
205
    0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
206
    0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
207
    0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
208
    0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
209
    0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
210
    0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
211
    0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
212
    0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
213
    0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
214
    0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
215
    0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
216
    0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
217
    0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
218
    0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
219
    0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
220
    0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
221
    0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
222
};
223
#endif /* defined(MBEDTLS_AES_DECRYPT_ALT)) */
224
225
/*
226
 * Reverse tables
227
 */
228
#define RT \
229
\
230
    V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \
231
    V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \
232
    V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
233
    V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \
234
    V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
235
    V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
236
    V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \
237
    V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \
238
    V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
239
    V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
240
    V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \
241
    V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
242
    V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \
243
    V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \
244
    V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
245
    V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
246
    V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \
247
    V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
248
    V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \
249
    V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
250
    V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
251
    V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \
252
    V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \
253
    V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
254
    V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
255
    V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \
256
    V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
257
    V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \
258
    V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \
259
    V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
260
    V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \
261
    V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \
262
    V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
263
    V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \
264
    V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
265
    V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
266
    V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \
267
    V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
268
    V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
269
    V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
270
    V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
271
    V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
272
    V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \
273
    V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \
274
    V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
275
    V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \
276
    V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \
277
    V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
278
    V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \
279
    V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
280
    V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
281
    V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \
282
    V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \
283
    V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
284
    V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
285
    V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \
286
    V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
287
    V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \
288
    V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \
289
    V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
290
    V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \
291
    V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
292
    V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
293
    V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0)
294
295
#if !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
296
297
#define V(a, b, c, d) 0x##a##b##c##d
298
static const uint32_t RT0[256] = { RT };
299
#undef V
300
301
#if !defined(MBEDTLS_AES_FEWER_TABLES)
302
303
#define V(a, b, c, d) 0x##b##c##d##a
304
static const uint32_t RT1[256] = { RT };
305
#undef V
306
307
#define V(a, b, c, d) 0x##c##d##a##b
308
static const uint32_t RT2[256] = { RT };
309
#undef V
310
311
#define V(a, b, c, d) 0x##d##a##b##c
312
static const uint32_t RT3[256] = { RT };
313
#undef V
314
315
#endif /* !MBEDTLS_AES_FEWER_TABLES */
316
317
#endif /* !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */
318
319
#undef RT
320
321
#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
322
/*
323
 * Round constants
324
 */
325
static const uint32_t round_constants[10] =
326
{
327
    0x00000001, 0x00000002, 0x00000004, 0x00000008,
328
    0x00000010, 0x00000020, 0x00000040, 0x00000080,
329
    0x0000001B, 0x00000036
330
};
331
#endif /* !defined(MBEDTLS_AES_SETKEY_ENC_ALT) */
332
333
#else /* MBEDTLS_AES_ROM_TABLES */
334
335
/*
336
 * Forward S-box & tables
337
 */
338
#if !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) || \
339
    !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
340
static unsigned char FSb[256];
341
#endif /* !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) || \
342
          !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */
343
#if !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
344
static uint32_t FT0[256];
345
#if !defined(MBEDTLS_AES_FEWER_TABLES)
346
static uint32_t FT1[256];
347
static uint32_t FT2[256];
348
static uint32_t FT3[256];
349
#endif /* !MBEDTLS_AES_FEWER_TABLES */
350
#endif /* !defined(MBEDTLS_AES_ENCRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_ENC_ALT) */
351
352
/*
353
 * Reverse S-box & tables
354
 */
355
#if !(defined(MBEDTLS_AES_SETKEY_ENC_ALT) && defined(MBEDTLS_AES_DECRYPT_ALT))
356
static unsigned char RSb[256];
357
#endif /* !(defined(MBEDTLS_AES_SETKEY_ENC_ALT) && defined(MBEDTLS_AES_DECRYPT_ALT)) */
358
359
#if !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
360
static uint32_t RT0[256];
361
#if !defined(MBEDTLS_AES_FEWER_TABLES)
362
static uint32_t RT1[256];
363
static uint32_t RT2[256];
364
static uint32_t RT3[256];
365
#endif /* !MBEDTLS_AES_FEWER_TABLES */
366
#endif /* !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */
367
368
#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
369
/*
370
 * Round constants
371
 */
372
static uint32_t round_constants[10];
373
374
/*
375
 * Tables generation code
376
 */
377
0
#define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
378
#define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
379
0
#define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)
380
381
static int aes_init_done = 0;
382
383
static void aes_gen_tables(void)
384
0
{
385
0
    int i, x, y, z;
386
0
    int pow[256];
387
0
    int log[256];
388
389
    /*
390
     * compute pow and log tables over GF(2^8)
391
     */
392
0
    for (i = 0, x = 1; i < 256; i++) {
393
0
        pow[i] = x;
394
0
        log[x] = i;
395
0
        x = MBEDTLS_BYTE_0(x ^ XTIME(x));
396
0
    }
397
398
    /*
399
     * calculate the round constants
400
     */
401
0
    for (i = 0, x = 1; i < 10; i++) {
402
0
        round_constants[i] = (uint32_t) x;
403
0
        x = MBEDTLS_BYTE_0(XTIME(x));
404
0
    }
405
406
    /*
407
     * generate the forward and reverse S-boxes
408
     */
409
0
    FSb[0x00] = 0x63;
410
0
    RSb[0x63] = 0x00;
411
412
0
    for (i = 1; i < 256; i++) {
413
0
        x = pow[255 - log[i]];
414
415
0
        y  = x; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
416
0
        x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
417
0
        x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
418
0
        x ^= y; y = MBEDTLS_BYTE_0((y << 1) | (y >> 7));
419
0
        x ^= y ^ 0x63;
420
421
0
        FSb[i] = (unsigned char) x;
422
0
        RSb[x] = (unsigned char) i;
423
0
    }
424
425
    /*
426
     * generate the forward and reverse tables
427
     */
428
0
    for (i = 0; i < 256; i++) {
429
0
        x = FSb[i];
430
0
        y = MBEDTLS_BYTE_0(XTIME(x));
431
0
        z = MBEDTLS_BYTE_0(y ^ x);
432
433
0
        FT0[i] = ((uint32_t) y) ^
434
0
                 ((uint32_t) x <<  8) ^
435
0
                 ((uint32_t) x << 16) ^
436
0
                 ((uint32_t) z << 24);
437
438
0
#if !defined(MBEDTLS_AES_FEWER_TABLES)
439
0
        FT1[i] = ROTL8(FT0[i]);
440
0
        FT2[i] = ROTL8(FT1[i]);
441
0
        FT3[i] = ROTL8(FT2[i]);
442
0
#endif /* !MBEDTLS_AES_FEWER_TABLES */
443
444
0
        x = RSb[i];
445
446
0
#if !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
447
0
        RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
448
0
                 ((uint32_t) MUL(0x09, x) <<  8) ^
449
0
                 ((uint32_t) MUL(0x0D, x) << 16) ^
450
0
                 ((uint32_t) MUL(0x0B, x) << 24);
451
452
0
#if !defined(MBEDTLS_AES_FEWER_TABLES)
453
0
        RT1[i] = ROTL8(RT0[i]);
454
0
        RT2[i] = ROTL8(RT1[i]);
455
0
        RT3[i] = ROTL8(RT2[i]);
456
0
#endif /* !MBEDTLS_AES_FEWER_TABLES */
457
0
#endif /* !defined(MBEDTLS_AES_DECRYPT_ALT) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) */
458
0
    }
459
0
}
460
461
#endif /* !defined(MBEDTLS_AES_SETKEY_ENC_ALT) */
462
463
#undef ROTL8
464
465
#endif /* MBEDTLS_AES_ROM_TABLES */
466
467
#if defined(MBEDTLS_AES_FEWER_TABLES)
468
469
#define ROTL8(x)  ((uint32_t) ((x) <<  8) + (uint32_t) ((x) >> 24))
470
#define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
471
#define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >>  8))
472
473
#define AES_RT0(idx) RT0[idx]
474
#define AES_RT1(idx) ROTL8(RT0[idx])
475
#define AES_RT2(idx) ROTL16(RT0[idx])
476
#define AES_RT3(idx) ROTL24(RT0[idx])
477
478
#define AES_FT0(idx) FT0[idx]
479
#define AES_FT1(idx) ROTL8(FT0[idx])
480
#define AES_FT2(idx) ROTL16(FT0[idx])
481
#define AES_FT3(idx) ROTL24(FT0[idx])
482
483
#else /* MBEDTLS_AES_FEWER_TABLES */
484
485
0
#define AES_RT0(idx) RT0[idx]
486
0
#define AES_RT1(idx) RT1[idx]
487
0
#define AES_RT2(idx) RT2[idx]
488
0
#define AES_RT3(idx) RT3[idx]
489
490
0
#define AES_FT0(idx) FT0[idx]
491
0
#define AES_FT1(idx) FT1[idx]
492
0
#define AES_FT2(idx) FT2[idx]
493
0
#define AES_FT3(idx) FT3[idx]
494
495
#endif /* MBEDTLS_AES_FEWER_TABLES */
496
497
void mbedtls_aes_init(mbedtls_aes_context *ctx)
498
0
{
499
0
    AES_VALIDATE(ctx != NULL);
500
501
0
    memset(ctx, 0, sizeof(mbedtls_aes_context));
502
0
}
503
504
void mbedtls_aes_free(mbedtls_aes_context *ctx)
505
0
{
506
0
    if (ctx == NULL) {
507
0
        return;
508
0
    }
509
510
0
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
511
0
}
512
513
#if defined(MBEDTLS_CIPHER_MODE_XTS)
514
void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
515
0
{
516
0
    AES_VALIDATE(ctx != NULL);
517
518
0
    mbedtls_aes_init(&ctx->crypt);
519
0
    mbedtls_aes_init(&ctx->tweak);
520
0
}
521
522
void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
523
0
{
524
0
    if (ctx == NULL) {
525
0
        return;
526
0
    }
527
528
0
    mbedtls_aes_free(&ctx->crypt);
529
0
    mbedtls_aes_free(&ctx->tweak);
530
0
}
531
#endif /* MBEDTLS_CIPHER_MODE_XTS */
532
533
/* Some implementations need the round keys to be aligned.
534
 * Return an offset to be added to buf, such that (buf + offset) is
535
 * correctly aligned.
536
 * Note that the offset is in units of elements of buf, i.e. 32-bit words,
537
 * i.e. an offset of 1 means 4 bytes and so on.
538
 */
539
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) || \
540
    (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
541
#define MAY_NEED_TO_ALIGN
542
#endif
543
544
#if defined(MAY_NEED_TO_ALIGN) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) || \
545
    !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
546
static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
547
0
{
548
#if defined(MAY_NEED_TO_ALIGN)
549
    int align_16_bytes = 0;
550
551
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
552
    if (aes_padlock_ace == -1) {
553
        aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
554
    }
555
    if (aes_padlock_ace) {
556
        align_16_bytes = 1;
557
    }
558
#endif
559
560
#if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
561
    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
562
        align_16_bytes = 1;
563
    }
564
#endif
565
566
    if (align_16_bytes) {
567
        /* These implementations needs 16-byte alignment
568
         * for the round key array. */
569
        unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4;
570
        if (delta == 0) {
571
            return 0;
572
        } else {
573
            return 4 - delta; // 16 bytes = 4 uint32_t
574
        }
575
    }
576
#else /* MAY_NEED_TO_ALIGN */
577
0
    (void) buf;
578
0
#endif /* MAY_NEED_TO_ALIGN */
579
580
0
    return 0;
581
0
}
582
#endif /* defined(MAY_NEED_TO_ALIGN) || !defined(MBEDTLS_AES_SETKEY_DEC_ALT) || \
583
          !defined(MBEDTLS_AES_SETKEY_ENC_ALT) */
584
585
/*
586
 * AES key schedule (encryption)
587
 */
588
#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
589
int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
590
                           unsigned int keybits)
591
0
{
592
0
    unsigned int i;
593
0
    uint32_t *RK;
594
595
0
    AES_VALIDATE_RET(ctx != NULL);
596
0
    AES_VALIDATE_RET(key != NULL);
597
598
0
    switch (keybits) {
599
0
        case 128: ctx->nr = 10; break;
600
0
        case 192: ctx->nr = 12; break;
601
0
        case 256: ctx->nr = 14; break;
602
0
        default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
603
0
    }
604
605
0
#if !defined(MBEDTLS_AES_ROM_TABLES)
606
0
    if (aes_init_done == 0) {
607
0
        aes_gen_tables();
608
0
        aes_init_done = 1;
609
0
    }
610
0
#endif
611
612
0
    ctx->rk = RK = ctx->buf + mbedtls_aes_rk_offset(ctx->buf);
613
614
#if defined(MBEDTLS_AESNI_HAVE_CODE)
615
    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
616
        return mbedtls_aesni_setkey_enc((unsigned char *) ctx->rk, key, keybits);
617
    }
618
#endif
619
620
0
    for (i = 0; i < (keybits >> 5); i++) {
621
0
        RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
622
0
    }
623
624
0
    switch (ctx->nr) {
625
0
        case 10:
626
627
0
            for (i = 0; i < 10; i++, RK += 4) {
628
0
                RK[4]  = RK[0] ^ round_constants[i] ^
629
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
630
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] <<  8) ^
631
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^
632
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24);
633
634
0
                RK[5]  = RK[1] ^ RK[4];
635
0
                RK[6]  = RK[2] ^ RK[5];
636
0
                RK[7]  = RK[3] ^ RK[6];
637
0
            }
638
0
            break;
639
640
0
        case 12:
641
642
0
            for (i = 0; i < 8; i++, RK += 6) {
643
0
                RK[6]  = RK[0] ^ round_constants[i] ^
644
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
645
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] <<  8) ^
646
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^
647
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24);
648
649
0
                RK[7]  = RK[1] ^ RK[6];
650
0
                RK[8]  = RK[2] ^ RK[7];
651
0
                RK[9]  = RK[3] ^ RK[8];
652
0
                RK[10] = RK[4] ^ RK[9];
653
0
                RK[11] = RK[5] ^ RK[10];
654
0
            }
655
0
            break;
656
657
0
        case 14:
658
659
0
            for (i = 0; i < 7; i++, RK += 8) {
660
0
                RK[8]  = RK[0] ^ round_constants[i] ^
661
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
662
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] <<  8) ^
663
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^
664
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24);
665
666
0
                RK[9]  = RK[1] ^ RK[8];
667
0
                RK[10] = RK[2] ^ RK[9];
668
0
                RK[11] = RK[3] ^ RK[10];
669
670
0
                RK[12] = RK[4] ^
671
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^
672
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] <<  8) ^
673
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^
674
0
                         ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24);
675
676
0
                RK[13] = RK[5] ^ RK[12];
677
0
                RK[14] = RK[6] ^ RK[13];
678
0
                RK[15] = RK[7] ^ RK[14];
679
0
            }
680
0
            break;
681
0
    }
682
683
0
    return 0;
684
0
}
685
#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
686
687
/*
688
 * AES key schedule (decryption)
689
 */
690
#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
691
int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
692
                           unsigned int keybits)
693
0
{
694
0
    int i, j, ret;
695
0
    mbedtls_aes_context cty;
696
0
    uint32_t *RK;
697
0
    uint32_t *SK;
698
699
0
    AES_VALIDATE_RET(ctx != NULL);
700
0
    AES_VALIDATE_RET(key != NULL);
701
702
0
    mbedtls_aes_init(&cty);
703
704
0
    ctx->rk = RK = ctx->buf + mbedtls_aes_rk_offset(ctx->buf);
705
706
    /* Also checks keybits */
707
0
    if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
708
0
        goto exit;
709
0
    }
710
711
0
    ctx->nr = cty.nr;
712
713
#if defined(MBEDTLS_AESNI_HAVE_CODE)
714
    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
715
        mbedtls_aesni_inverse_key((unsigned char *) ctx->rk,
716
                                  (const unsigned char *) cty.rk, ctx->nr);
717
        goto exit;
718
    }
719
#endif
720
721
0
    SK = cty.rk + cty.nr * 4;
722
723
0
    *RK++ = *SK++;
724
0
    *RK++ = *SK++;
725
0
    *RK++ = *SK++;
726
0
    *RK++ = *SK++;
727
728
0
    for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) {
729
0
        for (j = 0; j < 4; j++, SK++) {
730
0
            *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
731
0
                    AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
732
0
                    AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
733
0
                    AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]);
734
0
        }
735
0
    }
736
737
0
    *RK++ = *SK++;
738
0
    *RK++ = *SK++;
739
0
    *RK++ = *SK++;
740
0
    *RK++ = *SK++;
741
742
0
exit:
743
0
    mbedtls_aes_free(&cty);
744
745
0
    return ret;
746
0
}
747
#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
748
749
#if defined(MBEDTLS_CIPHER_MODE_XTS)
750
static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
751
                                       unsigned int keybits,
752
                                       const unsigned char **key1,
753
                                       unsigned int *key1bits,
754
                                       const unsigned char **key2,
755
                                       unsigned int *key2bits)
756
0
{
757
0
    const unsigned int half_keybits = keybits / 2;
758
0
    const unsigned int half_keybytes = half_keybits / 8;
759
760
0
    switch (keybits) {
761
0
        case 256: break;
762
0
        case 512: break;
763
0
        default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
764
0
    }
765
766
0
    *key1bits = half_keybits;
767
0
    *key2bits = half_keybits;
768
0
    *key1 = &key[0];
769
0
    *key2 = &key[half_keybytes];
770
771
0
    return 0;
772
0
}
773
774
int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
775
                               const unsigned char *key,
776
                               unsigned int keybits)
777
0
{
778
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
779
0
    const unsigned char *key1, *key2;
780
0
    unsigned int key1bits, key2bits;
781
782
0
    AES_VALIDATE_RET(ctx != NULL);
783
0
    AES_VALIDATE_RET(key != NULL);
784
785
0
    ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
786
0
                                      &key2, &key2bits);
787
0
    if (ret != 0) {
788
0
        return ret;
789
0
    }
790
791
    /* Set the tweak key. Always set tweak key for the encryption mode. */
792
0
    ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
793
0
    if (ret != 0) {
794
0
        return ret;
795
0
    }
796
797
    /* Set crypt key for encryption. */
798
0
    return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
799
0
}
800
801
int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
802
                               const unsigned char *key,
803
                               unsigned int keybits)
804
0
{
805
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
806
0
    const unsigned char *key1, *key2;
807
0
    unsigned int key1bits, key2bits;
808
809
0
    AES_VALIDATE_RET(ctx != NULL);
810
0
    AES_VALIDATE_RET(key != NULL);
811
812
0
    ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
813
0
                                      &key2, &key2bits);
814
0
    if (ret != 0) {
815
0
        return ret;
816
0
    }
817
818
    /* Set the tweak key. Always set tweak key for encryption. */
819
0
    ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
820
0
    if (ret != 0) {
821
0
        return ret;
822
0
    }
823
824
    /* Set crypt key for decryption. */
825
0
    return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
826
0
}
827
#endif /* MBEDTLS_CIPHER_MODE_XTS */
828
829
#define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3)                 \
830
0
    do                                                      \
831
0
    {                                                       \
832
0
        (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^    \
833
0
               AES_FT1(MBEDTLS_BYTE_1(Y1)) ^    \
834
0
               AES_FT2(MBEDTLS_BYTE_2(Y2)) ^    \
835
0
               AES_FT3(MBEDTLS_BYTE_3(Y3));     \
836
0
                                                            \
837
0
        (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^    \
838
0
               AES_FT1(MBEDTLS_BYTE_1(Y2)) ^    \
839
0
               AES_FT2(MBEDTLS_BYTE_2(Y3)) ^    \
840
0
               AES_FT3(MBEDTLS_BYTE_3(Y0));     \
841
0
                                                            \
842
0
        (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^    \
843
0
               AES_FT1(MBEDTLS_BYTE_1(Y3)) ^    \
844
0
               AES_FT2(MBEDTLS_BYTE_2(Y0)) ^    \
845
0
               AES_FT3(MBEDTLS_BYTE_3(Y1));     \
846
0
                                                            \
847
0
        (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^    \
848
0
               AES_FT1(MBEDTLS_BYTE_1(Y0)) ^    \
849
0
               AES_FT2(MBEDTLS_BYTE_2(Y1)) ^    \
850
0
               AES_FT3(MBEDTLS_BYTE_3(Y2));     \
851
0
    } while (0)
852
853
#define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3)                 \
854
0
    do                                                      \
855
0
    {                                                       \
856
0
        (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^    \
857
0
               AES_RT1(MBEDTLS_BYTE_1(Y3)) ^    \
858
0
               AES_RT2(MBEDTLS_BYTE_2(Y2)) ^    \
859
0
               AES_RT3(MBEDTLS_BYTE_3(Y1));     \
860
0
                                                            \
861
0
        (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^    \
862
0
               AES_RT1(MBEDTLS_BYTE_1(Y0)) ^    \
863
0
               AES_RT2(MBEDTLS_BYTE_2(Y3)) ^    \
864
0
               AES_RT3(MBEDTLS_BYTE_3(Y2));     \
865
0
                                                            \
866
0
        (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^    \
867
0
               AES_RT1(MBEDTLS_BYTE_1(Y1)) ^    \
868
0
               AES_RT2(MBEDTLS_BYTE_2(Y0)) ^    \
869
0
               AES_RT3(MBEDTLS_BYTE_3(Y3));     \
870
0
                                                            \
871
0
        (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^    \
872
0
               AES_RT1(MBEDTLS_BYTE_1(Y2)) ^    \
873
0
               AES_RT2(MBEDTLS_BYTE_2(Y1)) ^    \
874
0
               AES_RT3(MBEDTLS_BYTE_3(Y0));     \
875
0
    } while (0)
876
877
/*
878
 * AES-ECB block encryption
879
 */
880
#if !defined(MBEDTLS_AES_ENCRYPT_ALT)
881
int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
882
                                 const unsigned char input[16],
883
                                 unsigned char output[16])
884
0
{
885
0
    int i;
886
0
    uint32_t *RK = ctx->rk;
887
0
    struct {
888
0
        uint32_t X[4];
889
0
        uint32_t Y[4];
890
0
    } t;
891
892
0
    t.X[0] = MBEDTLS_GET_UINT32_LE(input,  0); t.X[0] ^= *RK++;
893
0
    t.X[1] = MBEDTLS_GET_UINT32_LE(input,  4); t.X[1] ^= *RK++;
894
0
    t.X[2] = MBEDTLS_GET_UINT32_LE(input,  8); t.X[2] ^= *RK++;
895
0
    t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
896
897
0
    for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
898
0
        AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
899
0
        AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
900
0
    }
901
902
0
    AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
903
904
0
    t.X[0] = *RK++ ^ \
905
0
             ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
906
0
             ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] <<  8) ^
907
0
             ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
908
0
             ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
909
910
0
    t.X[1] = *RK++ ^ \
911
0
             ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
912
0
             ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] <<  8) ^
913
0
             ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
914
0
             ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
915
916
0
    t.X[2] = *RK++ ^ \
917
0
             ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
918
0
             ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] <<  8) ^
919
0
             ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
920
0
             ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
921
922
0
    t.X[3] = *RK++ ^ \
923
0
             ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
924
0
             ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] <<  8) ^
925
0
             ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
926
0
             ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
927
928
0
    MBEDTLS_PUT_UINT32_LE(t.X[0], output,  0);
929
0
    MBEDTLS_PUT_UINT32_LE(t.X[1], output,  4);
930
0
    MBEDTLS_PUT_UINT32_LE(t.X[2], output,  8);
931
0
    MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
932
933
0
    mbedtls_platform_zeroize(&t, sizeof(t));
934
935
0
    return 0;
936
0
}
937
#endif /* !MBEDTLS_AES_ENCRYPT_ALT */
938
939
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
940
void mbedtls_aes_encrypt(mbedtls_aes_context *ctx,
941
                         const unsigned char input[16],
942
                         unsigned char output[16])
943
0
{
944
0
    MBEDTLS_IGNORE_RETURN(mbedtls_internal_aes_encrypt(ctx, input, output));
945
0
}
946
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
947
948
/*
949
 * AES-ECB block decryption
950
 */
951
#if !defined(MBEDTLS_AES_DECRYPT_ALT)
952
int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
953
                                 const unsigned char input[16],
954
                                 unsigned char output[16])
955
0
{
956
0
    int i;
957
0
    uint32_t *RK = ctx->rk;
958
0
    struct {
959
0
        uint32_t X[4];
960
0
        uint32_t Y[4];
961
0
    } t;
962
963
0
    t.X[0] = MBEDTLS_GET_UINT32_LE(input,  0); t.X[0] ^= *RK++;
964
0
    t.X[1] = MBEDTLS_GET_UINT32_LE(input,  4); t.X[1] ^= *RK++;
965
0
    t.X[2] = MBEDTLS_GET_UINT32_LE(input,  8); t.X[2] ^= *RK++;
966
0
    t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
967
968
0
    for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
969
0
        AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
970
0
        AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
971
0
    }
972
973
0
    AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
974
975
0
    t.X[0] = *RK++ ^ \
976
0
             ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
977
0
             ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] <<  8) ^
978
0
             ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
979
0
             ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
980
981
0
    t.X[1] = *RK++ ^ \
982
0
             ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
983
0
             ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] <<  8) ^
984
0
             ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
985
0
             ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
986
987
0
    t.X[2] = *RK++ ^ \
988
0
             ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
989
0
             ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] <<  8) ^
990
0
             ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
991
0
             ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
992
993
0
    t.X[3] = *RK++ ^ \
994
0
             ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
995
0
             ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] <<  8) ^
996
0
             ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
997
0
             ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
998
999
0
    MBEDTLS_PUT_UINT32_LE(t.X[0], output,  0);
1000
0
    MBEDTLS_PUT_UINT32_LE(t.X[1], output,  4);
1001
0
    MBEDTLS_PUT_UINT32_LE(t.X[2], output,  8);
1002
0
    MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
1003
1004
0
    mbedtls_platform_zeroize(&t, sizeof(t));
1005
1006
0
    return 0;
1007
0
}
1008
#endif /* !MBEDTLS_AES_DECRYPT_ALT */
1009
1010
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
1011
void mbedtls_aes_decrypt(mbedtls_aes_context *ctx,
1012
                         const unsigned char input[16],
1013
                         unsigned char output[16])
1014
0
{
1015
0
    MBEDTLS_IGNORE_RETURN(mbedtls_internal_aes_decrypt(ctx, input, output));
1016
0
}
1017
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
1018
1019
#if defined(MAY_NEED_TO_ALIGN)
1020
/* VIA Padlock and our intrinsics-based implementation of AESNI require
1021
 * the round keys to be aligned on a 16-byte boundary. We take care of this
1022
 * before creating them, but the AES context may have moved (this can happen
1023
 * if the library is called from a language with managed memory), and in later
1024
 * calls it might have a different alignment with respect to 16-byte memory.
1025
 * So we may need to realign.
1026
 * NOTE: In the LTS branch, the context contains a pointer to within itself,
1027
 * so if it has been moved, things will probably go pear-shaped. We keep this
1028
 * code for compatibility with the development branch, in case of future changes.
1029
 */
1030
static void aes_maybe_realign(mbedtls_aes_context *ctx)
1031
{
1032
    unsigned current_offset = (unsigned) (ctx->rk - ctx->buf);
1033
    unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf);
1034
    if (new_offset != current_offset) {
1035
        memmove(ctx->buf + new_offset,     // new address
1036
                ctx->buf + current_offset, // current address
1037
                (ctx->nr + 1) * 16);       // number of round keys * bytes per rk
1038
        ctx->rk = ctx->buf + new_offset;
1039
    }
1040
}
1041
#endif
1042
1043
/*
1044
 * AES-ECB block encryption/decryption
1045
 */
1046
int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
1047
                          int mode,
1048
                          const unsigned char input[16],
1049
                          unsigned char output[16])
1050
0
{
1051
0
    AES_VALIDATE_RET(ctx != NULL);
1052
0
    AES_VALIDATE_RET(input != NULL);
1053
0
    AES_VALIDATE_RET(output != NULL);
1054
0
    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1055
0
                     mode == MBEDTLS_AES_DECRYPT);
1056
1057
#if defined(MAY_NEED_TO_ALIGN)
1058
    aes_maybe_realign(ctx);
1059
#endif
1060
1061
#if defined(MBEDTLS_AESNI_HAVE_CODE)
1062
    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
1063
        return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
1064
    }
1065
#endif
1066
1067
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
1068
    if (aes_padlock_ace) {
1069
        return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
1070
    }
1071
#endif
1072
1073
0
    if (mode == MBEDTLS_AES_ENCRYPT) {
1074
0
        return mbedtls_internal_aes_encrypt(ctx, input, output);
1075
0
    } else {
1076
0
        return mbedtls_internal_aes_decrypt(ctx, input, output);
1077
0
    }
1078
0
}
1079
1080
#if defined(MBEDTLS_CIPHER_MODE_CBC)
1081
/*
1082
 * AES-CBC buffer encryption/decryption
1083
 */
1084
int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
1085
                          int mode,
1086
                          size_t length,
1087
                          unsigned char iv[16],
1088
                          const unsigned char *input,
1089
                          unsigned char *output)
1090
0
{
1091
0
    int i;
1092
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1093
0
    unsigned char temp[16];
1094
1095
0
    AES_VALIDATE_RET(ctx != NULL);
1096
0
    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1097
0
                     mode == MBEDTLS_AES_DECRYPT);
1098
0
    AES_VALIDATE_RET(iv != NULL);
1099
0
    AES_VALIDATE_RET(input != NULL);
1100
0
    AES_VALIDATE_RET(output != NULL);
1101
1102
0
    if (length % 16) {
1103
0
        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1104
0
    }
1105
1106
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
1107
    if (aes_padlock_ace) {
1108
        if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
1109
            return 0;
1110
        }
1111
1112
        // If padlock data misaligned, we just fall back to
1113
        // unaccelerated mode
1114
        //
1115
    }
1116
#endif
1117
1118
0
    if (mode == MBEDTLS_AES_DECRYPT) {
1119
0
        while (length > 0) {
1120
0
            memcpy(temp, input, 16);
1121
0
            ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output);
1122
0
            if (ret != 0) {
1123
0
                goto exit;
1124
0
            }
1125
1126
0
            for (i = 0; i < 16; i++) {
1127
0
                output[i] = (unsigned char) (output[i] ^ iv[i]);
1128
0
            }
1129
1130
0
            memcpy(iv, temp, 16);
1131
1132
0
            input  += 16;
1133
0
            output += 16;
1134
0
            length -= 16;
1135
0
        }
1136
0
    } else {
1137
0
        while (length > 0) {
1138
0
            for (i = 0; i < 16; i++) {
1139
0
                output[i] = (unsigned char) (input[i] ^ iv[i]);
1140
0
            }
1141
1142
0
            ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
1143
0
            if (ret != 0) {
1144
0
                goto exit;
1145
0
            }
1146
0
            memcpy(iv, output, 16);
1147
1148
0
            input  += 16;
1149
0
            output += 16;
1150
0
            length -= 16;
1151
0
        }
1152
0
    }
1153
0
    ret = 0;
1154
1155
0
exit:
1156
0
    return ret;
1157
0
}
1158
#endif /* MBEDTLS_CIPHER_MODE_CBC */
1159
1160
#if defined(MBEDTLS_CIPHER_MODE_XTS)
1161
1162
typedef unsigned char mbedtls_be128[16];
1163
1164
/*
1165
 * GF(2^128) multiplication function
1166
 *
1167
 * This function multiplies a field element by x in the polynomial field
1168
 * representation. It uses 64-bit word operations to gain speed but compensates
1169
 * for machine endianness and hence works correctly on both big and little
1170
 * endian machines.
1171
 */
1172
static void mbedtls_gf128mul_x_ble(unsigned char r[16],
1173
                                   const unsigned char x[16])
1174
0
{
1175
0
    uint64_t a, b, ra, rb;
1176
1177
0
    a = MBEDTLS_GET_UINT64_LE(x, 0);
1178
0
    b = MBEDTLS_GET_UINT64_LE(x, 8);
1179
1180
0
    ra = (a << 1)  ^ 0x0087 >> (8 - ((b >> 63) << 3));
1181
0
    rb = (a >> 63) | (b << 1);
1182
1183
0
    MBEDTLS_PUT_UINT64_LE(ra, r, 0);
1184
0
    MBEDTLS_PUT_UINT64_LE(rb, r, 8);
1185
0
}
1186
1187
/*
1188
 * AES-XTS buffer encryption/decryption
1189
 */
1190
int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
1191
                          int mode,
1192
                          size_t length,
1193
                          const unsigned char data_unit[16],
1194
                          const unsigned char *input,
1195
                          unsigned char *output)
1196
0
{
1197
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1198
0
    size_t blocks = length / 16;
1199
0
    size_t leftover = length % 16;
1200
0
    unsigned char tweak[16];
1201
0
    unsigned char prev_tweak[16];
1202
0
    unsigned char tmp[16];
1203
1204
0
    AES_VALIDATE_RET(ctx != NULL);
1205
0
    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1206
0
                     mode == MBEDTLS_AES_DECRYPT);
1207
0
    AES_VALIDATE_RET(data_unit != NULL);
1208
0
    AES_VALIDATE_RET(input != NULL);
1209
0
    AES_VALIDATE_RET(output != NULL);
1210
1211
    /* Data units must be at least 16 bytes long. */
1212
0
    if (length < 16) {
1213
0
        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1214
0
    }
1215
1216
    /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1217
0
    if (length > (1 << 20) * 16) {
1218
0
        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1219
0
    }
1220
1221
    /* Compute the tweak. */
1222
0
    ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
1223
0
                                data_unit, tweak);
1224
0
    if (ret != 0) {
1225
0
        return ret;
1226
0
    }
1227
1228
0
    while (blocks--) {
1229
0
        size_t i;
1230
1231
0
        if (leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0) {
1232
            /* We are on the last block in a decrypt operation that has
1233
             * leftover bytes, so we need to use the next tweak for this block,
1234
             * and this tweak for the leftover bytes. Save the current tweak for
1235
             * the leftovers and then update the current tweak for use on this,
1236
             * the last full block. */
1237
0
            memcpy(prev_tweak, tweak, sizeof(tweak));
1238
0
            mbedtls_gf128mul_x_ble(tweak, tweak);
1239
0
        }
1240
1241
0
        for (i = 0; i < 16; i++) {
1242
0
            tmp[i] = input[i] ^ tweak[i];
1243
0
        }
1244
1245
0
        ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1246
0
        if (ret != 0) {
1247
0
            return ret;
1248
0
        }
1249
1250
0
        for (i = 0; i < 16; i++) {
1251
0
            output[i] = tmp[i] ^ tweak[i];
1252
0
        }
1253
1254
        /* Update the tweak for the next block. */
1255
0
        mbedtls_gf128mul_x_ble(tweak, tweak);
1256
1257
0
        output += 16;
1258
0
        input += 16;
1259
0
    }
1260
1261
0
    if (leftover) {
1262
        /* If we are on the leftover bytes in a decrypt operation, we need to
1263
         * use the previous tweak for these bytes (as saved in prev_tweak). */
1264
0
        unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1265
1266
        /* We are now on the final part of the data unit, which doesn't divide
1267
         * evenly by 16. It's time for ciphertext stealing. */
1268
0
        size_t i;
1269
0
        unsigned char *prev_output = output - 16;
1270
1271
        /* Copy ciphertext bytes from the previous block to our output for each
1272
         * byte of ciphertext we won't steal. At the same time, copy the
1273
         * remainder of the input for this final round (since the loop bounds
1274
         * are the same). */
1275
0
        for (i = 0; i < leftover; i++) {
1276
0
            output[i] = prev_output[i];
1277
0
            tmp[i] = input[i] ^ t[i];
1278
0
        }
1279
1280
        /* Copy ciphertext bytes from the previous block for input in this
1281
         * round. */
1282
0
        for (; i < 16; i++) {
1283
0
            tmp[i] = prev_output[i] ^ t[i];
1284
0
        }
1285
1286
0
        ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1287
0
        if (ret != 0) {
1288
0
            return ret;
1289
0
        }
1290
1291
        /* Write the result back to the previous block, overriding the previous
1292
         * output we copied. */
1293
0
        for (i = 0; i < 16; i++) {
1294
0
            prev_output[i] = tmp[i] ^ t[i];
1295
0
        }
1296
0
    }
1297
1298
0
    return 0;
1299
0
}
1300
#endif /* MBEDTLS_CIPHER_MODE_XTS */
1301
1302
#if defined(MBEDTLS_CIPHER_MODE_CFB)
1303
/*
1304
 * AES-CFB128 buffer encryption/decryption
1305
 */
1306
int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
1307
                             int mode,
1308
                             size_t length,
1309
                             size_t *iv_off,
1310
                             unsigned char iv[16],
1311
                             const unsigned char *input,
1312
                             unsigned char *output)
1313
0
{
1314
0
    int c;
1315
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1316
0
    size_t n;
1317
1318
0
    AES_VALIDATE_RET(ctx != NULL);
1319
0
    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1320
0
                     mode == MBEDTLS_AES_DECRYPT);
1321
0
    AES_VALIDATE_RET(iv_off != NULL);
1322
0
    AES_VALIDATE_RET(iv != NULL);
1323
0
    AES_VALIDATE_RET(input != NULL);
1324
0
    AES_VALIDATE_RET(output != NULL);
1325
1326
0
    n = *iv_off;
1327
1328
0
    if (n > 15) {
1329
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1330
0
    }
1331
1332
0
    if (mode == MBEDTLS_AES_DECRYPT) {
1333
0
        while (length--) {
1334
0
            if (n == 0) {
1335
0
                ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1336
0
                if (ret != 0) {
1337
0
                    goto exit;
1338
0
                }
1339
0
            }
1340
1341
0
            c = *input++;
1342
0
            *output++ = (unsigned char) (c ^ iv[n]);
1343
0
            iv[n] = (unsigned char) c;
1344
1345
0
            n = (n + 1) & 0x0F;
1346
0
        }
1347
0
    } else {
1348
0
        while (length--) {
1349
0
            if (n == 0) {
1350
0
                ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1351
0
                if (ret != 0) {
1352
0
                    goto exit;
1353
0
                }
1354
0
            }
1355
1356
0
            iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
1357
1358
0
            n = (n + 1) & 0x0F;
1359
0
        }
1360
0
    }
1361
1362
0
    *iv_off = n;
1363
0
    ret = 0;
1364
1365
0
exit:
1366
0
    return ret;
1367
0
}
1368
1369
/*
1370
 * AES-CFB8 buffer encryption/decryption
1371
 */
1372
int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
1373
                           int mode,
1374
                           size_t length,
1375
                           unsigned char iv[16],
1376
                           const unsigned char *input,
1377
                           unsigned char *output)
1378
0
{
1379
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1380
0
    unsigned char c;
1381
0
    unsigned char ov[17];
1382
1383
0
    AES_VALIDATE_RET(ctx != NULL);
1384
0
    AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
1385
0
                     mode == MBEDTLS_AES_DECRYPT);
1386
0
    AES_VALIDATE_RET(iv != NULL);
1387
0
    AES_VALIDATE_RET(input != NULL);
1388
0
    AES_VALIDATE_RET(output != NULL);
1389
0
    while (length--) {
1390
0
        memcpy(ov, iv, 16);
1391
0
        ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1392
0
        if (ret != 0) {
1393
0
            goto exit;
1394
0
        }
1395
1396
0
        if (mode == MBEDTLS_AES_DECRYPT) {
1397
0
            ov[16] = *input;
1398
0
        }
1399
1400
0
        c = *output++ = (unsigned char) (iv[0] ^ *input++);
1401
1402
0
        if (mode == MBEDTLS_AES_ENCRYPT) {
1403
0
            ov[16] = c;
1404
0
        }
1405
1406
0
        memcpy(iv, ov + 1, 16);
1407
0
    }
1408
0
    ret = 0;
1409
1410
0
exit:
1411
0
    return ret;
1412
0
}
1413
#endif /* MBEDTLS_CIPHER_MODE_CFB */
1414
1415
#if defined(MBEDTLS_CIPHER_MODE_OFB)
1416
/*
1417
 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1418
 */
1419
int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
1420
                          size_t length,
1421
                          size_t *iv_off,
1422
                          unsigned char iv[16],
1423
                          const unsigned char *input,
1424
                          unsigned char *output)
1425
0
{
1426
0
    int ret = 0;
1427
0
    size_t n;
1428
1429
0
    AES_VALIDATE_RET(ctx != NULL);
1430
0
    AES_VALIDATE_RET(iv_off != NULL);
1431
0
    AES_VALIDATE_RET(iv != NULL);
1432
0
    AES_VALIDATE_RET(input != NULL);
1433
0
    AES_VALIDATE_RET(output != NULL);
1434
1435
0
    n = *iv_off;
1436
1437
0
    if (n > 15) {
1438
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1439
0
    }
1440
1441
0
    while (length--) {
1442
0
        if (n == 0) {
1443
0
            ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1444
0
            if (ret != 0) {
1445
0
                goto exit;
1446
0
            }
1447
0
        }
1448
0
        *output++ =  *input++ ^ iv[n];
1449
1450
0
        n = (n + 1) & 0x0F;
1451
0
    }
1452
1453
0
    *iv_off = n;
1454
1455
0
exit:
1456
0
    return ret;
1457
0
}
1458
#endif /* MBEDTLS_CIPHER_MODE_OFB */
1459
1460
#if defined(MBEDTLS_CIPHER_MODE_CTR)
1461
/*
1462
 * AES-CTR buffer encryption/decryption
1463
 */
1464
int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
1465
                          size_t length,
1466
                          size_t *nc_off,
1467
                          unsigned char nonce_counter[16],
1468
                          unsigned char stream_block[16],
1469
                          const unsigned char *input,
1470
                          unsigned char *output)
1471
0
{
1472
0
    int c, i;
1473
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1474
0
    size_t n;
1475
1476
0
    AES_VALIDATE_RET(ctx != NULL);
1477
0
    AES_VALIDATE_RET(nc_off != NULL);
1478
0
    AES_VALIDATE_RET(nonce_counter != NULL);
1479
0
    AES_VALIDATE_RET(stream_block != NULL);
1480
0
    AES_VALIDATE_RET(input != NULL);
1481
0
    AES_VALIDATE_RET(output != NULL);
1482
1483
0
    n = *nc_off;
1484
1485
0
    if (n > 0x0F) {
1486
0
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
1487
0
    }
1488
1489
0
    while (length--) {
1490
0
        if (n == 0) {
1491
0
            ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
1492
0
            if (ret != 0) {
1493
0
                goto exit;
1494
0
            }
1495
1496
0
            for (i = 16; i > 0; i--) {
1497
0
                if (++nonce_counter[i - 1] != 0) {
1498
0
                    break;
1499
0
                }
1500
0
            }
1501
0
        }
1502
0
        c = *input++;
1503
0
        *output++ = (unsigned char) (c ^ stream_block[n]);
1504
1505
0
        n = (n + 1) & 0x0F;
1506
0
    }
1507
1508
0
    *nc_off = n;
1509
0
    ret = 0;
1510
1511
0
exit:
1512
0
    return ret;
1513
0
}
1514
#endif /* MBEDTLS_CIPHER_MODE_CTR */
1515
1516
#endif /* !MBEDTLS_AES_ALT */
1517
1518
#if defined(MBEDTLS_SELF_TEST)
1519
/*
1520
 * AES test vectors from:
1521
 *
1522
 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1523
 */
1524
static const unsigned char aes_test_ecb_dec[3][16] =
1525
{
1526
    { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1527
      0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1528
    { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1529
      0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1530
    { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1531
      0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1532
};
1533
1534
static const unsigned char aes_test_ecb_enc[3][16] =
1535
{
1536
    { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1537
      0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1538
    { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1539
      0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1540
    { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1541
      0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1542
};
1543
1544
#if defined(MBEDTLS_CIPHER_MODE_CBC)
1545
static const unsigned char aes_test_cbc_dec[3][16] =
1546
{
1547
    { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1548
      0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1549
    { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1550
      0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1551
    { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1552
      0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1553
};
1554
1555
static const unsigned char aes_test_cbc_enc[3][16] =
1556
{
1557
    { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1558
      0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1559
    { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1560
      0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1561
    { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1562
      0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1563
};
1564
#endif /* MBEDTLS_CIPHER_MODE_CBC */
1565
1566
#if defined(MBEDTLS_CIPHER_MODE_CFB)
1567
/*
1568
 * AES-CFB128 test vectors from:
1569
 *
1570
 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1571
 */
1572
static const unsigned char aes_test_cfb128_key[3][32] =
1573
{
1574
    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1575
      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1576
    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1577
      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1578
      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1579
    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1580
      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1581
      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1582
      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1583
};
1584
1585
static const unsigned char aes_test_cfb128_iv[16] =
1586
{
1587
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1588
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1589
};
1590
1591
static const unsigned char aes_test_cfb128_pt[64] =
1592
{
1593
    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1594
    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1595
    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1596
    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1597
    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1598
    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1599
    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1600
    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1601
};
1602
1603
static const unsigned char aes_test_cfb128_ct[3][64] =
1604
{
1605
    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1606
      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1607
      0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1608
      0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1609
      0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1610
      0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1611
      0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1612
      0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1613
    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1614
      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1615
      0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1616
      0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1617
      0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1618
      0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1619
      0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1620
      0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1621
    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1622
      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1623
      0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1624
      0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1625
      0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1626
      0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1627
      0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1628
      0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1629
};
1630
#endif /* MBEDTLS_CIPHER_MODE_CFB */
1631
1632
#if defined(MBEDTLS_CIPHER_MODE_OFB)
1633
/*
1634
 * AES-OFB test vectors from:
1635
 *
1636
 * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1637
 */
1638
static const unsigned char aes_test_ofb_key[3][32] =
1639
{
1640
    { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1641
      0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1642
    { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1643
      0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1644
      0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1645
    { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1646
      0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1647
      0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1648
      0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1649
};
1650
1651
static const unsigned char aes_test_ofb_iv[16] =
1652
{
1653
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1654
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1655
};
1656
1657
static const unsigned char aes_test_ofb_pt[64] =
1658
{
1659
    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1660
    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1661
    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1662
    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1663
    0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1664
    0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1665
    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1666
    0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1667
};
1668
1669
static const unsigned char aes_test_ofb_ct[3][64] =
1670
{
1671
    { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1672
      0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1673
      0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1674
      0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1675
      0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1676
      0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1677
      0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1678
      0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1679
    { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1680
      0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1681
      0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1682
      0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1683
      0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1684
      0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1685
      0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1686
      0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1687
    { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1688
      0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1689
      0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1690
      0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1691
      0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1692
      0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1693
      0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1694
      0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1695
};
1696
#endif /* MBEDTLS_CIPHER_MODE_OFB */
1697
1698
#if defined(MBEDTLS_CIPHER_MODE_CTR)
1699
/*
1700
 * AES-CTR test vectors from:
1701
 *
1702
 * http://www.faqs.org/rfcs/rfc3686.html
1703
 */
1704
1705
static const unsigned char aes_test_ctr_key[3][16] =
1706
{
1707
    { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1708
      0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1709
    { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1710
      0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1711
    { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1712
      0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1713
};
1714
1715
static const unsigned char aes_test_ctr_nonce_counter[3][16] =
1716
{
1717
    { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1718
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1719
    { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1720
      0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1721
    { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1722
      0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1723
};
1724
1725
static const unsigned char aes_test_ctr_pt[3][48] =
1726
{
1727
    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1728
      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1729
1730
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1731
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1732
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1733
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1734
1735
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1736
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1737
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1738
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1739
      0x20, 0x21, 0x22, 0x23 }
1740
};
1741
1742
static const unsigned char aes_test_ctr_ct[3][48] =
1743
{
1744
    { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1745
      0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1746
    { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1747
      0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1748
      0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1749
      0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1750
    { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1751
      0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1752
      0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1753
      0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1754
      0x25, 0xB2, 0x07, 0x2F }
1755
};
1756
1757
static const int aes_test_ctr_len[3] =
1758
{ 16, 32, 36 };
1759
#endif /* MBEDTLS_CIPHER_MODE_CTR */
1760
1761
#if defined(MBEDTLS_CIPHER_MODE_XTS)
1762
/*
1763
 * AES-XTS test vectors from:
1764
 *
1765
 * IEEE P1619/D16 Annex B
1766
 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1767
 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1768
 */
1769
static const unsigned char aes_test_xts_key[][32] =
1770
{
1771
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1772
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1773
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1775
    { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1776
      0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1777
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1778
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1779
    { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1780
      0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1781
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1782
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1783
};
1784
1785
static const unsigned char aes_test_xts_pt32[][32] =
1786
{
1787
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1788
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1789
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1790
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1791
    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1792
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1793
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1794
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1795
    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1796
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1797
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1798
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1799
};
1800
1801
static const unsigned char aes_test_xts_ct32[][32] =
1802
{
1803
    { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1804
      0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1805
      0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1806
      0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1807
    { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1808
      0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1809
      0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1810
      0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1811
    { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1812
      0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1813
      0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1814
      0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1815
};
1816
1817
static const unsigned char aes_test_xts_data_unit[][16] =
1818
{
1819
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1820
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1821
    { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1822
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1823
    { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1824
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1825
};
1826
1827
#endif /* MBEDTLS_CIPHER_MODE_XTS */
1828
1829
/*
1830
 * Checkup routine
1831
 */
1832
int mbedtls_aes_self_test(int verbose)
1833
0
{
1834
0
    int ret = 0, i, j, u, mode;
1835
0
    unsigned int keybits;
1836
0
    unsigned char key[32];
1837
0
    unsigned char buf[64];
1838
0
    const unsigned char *aes_tests;
1839
0
#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1840
0
    defined(MBEDTLS_CIPHER_MODE_OFB)
1841
0
    unsigned char iv[16];
1842
0
#endif
1843
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
1844
0
    unsigned char prv[16];
1845
0
#endif
1846
0
#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1847
0
    defined(MBEDTLS_CIPHER_MODE_OFB)
1848
0
    size_t offset;
1849
0
#endif
1850
0
#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1851
0
    int len;
1852
0
#endif
1853
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
1854
0
    unsigned char nonce_counter[16];
1855
0
    unsigned char stream_block[16];
1856
0
#endif
1857
0
    mbedtls_aes_context ctx;
1858
1859
0
    memset(key, 0, 32);
1860
0
    mbedtls_aes_init(&ctx);
1861
1862
0
    if (verbose != 0) {
1863
#if defined(MBEDTLS_AES_ALT)
1864
        mbedtls_printf("  AES note: alternative implementation.\n");
1865
#else /* MBEDTLS_AES_ALT */
1866
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
1867
        if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
1868
            mbedtls_printf("  AES note: using VIA Padlock.\n");
1869
        } else
1870
#endif
1871
#if defined(MBEDTLS_AESNI_HAVE_CODE)
1872
        if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
1873
            mbedtls_printf("  AES note: using AESNI via ");
1874
#if MBEDTLS_AESNI_HAVE_CODE == 1
1875
            mbedtls_printf("assembly");
1876
#elif MBEDTLS_AESNI_HAVE_CODE == 2
1877
            mbedtls_printf("intrinsics");
1878
#else
1879
            mbedtls_printf("(unknown)");
1880
#endif
1881
            mbedtls_printf(".\n");
1882
        } else
1883
#endif
1884
0
        mbedtls_printf("  AES note: built-in implementation.\n");
1885
0
#endif /* MBEDTLS_AES_ALT */
1886
0
    }
1887
1888
    /*
1889
     * ECB mode
1890
     */
1891
0
    for (i = 0; i < 6; i++) {
1892
0
        u = i >> 1;
1893
0
        keybits = 128 + u * 64;
1894
0
        mode = i & 1;
1895
1896
0
        if (verbose != 0) {
1897
0
            mbedtls_printf("  AES-ECB-%3u (%s): ", keybits,
1898
0
                           (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1899
0
        }
1900
1901
0
        memset(buf, 0, 16);
1902
1903
0
        if (mode == MBEDTLS_AES_DECRYPT) {
1904
0
            ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1905
0
            aes_tests = aes_test_ecb_dec[u];
1906
0
        } else {
1907
0
            ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1908
0
            aes_tests = aes_test_ecb_enc[u];
1909
0
        }
1910
1911
        /*
1912
         * AES-192 is an optional feature that may be unavailable when
1913
         * there is an alternative underlying implementation i.e. when
1914
         * MBEDTLS_AES_ALT is defined.
1915
         */
1916
0
        if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1917
0
            mbedtls_printf("skipped\n");
1918
0
            continue;
1919
0
        } else if (ret != 0) {
1920
0
            goto exit;
1921
0
        }
1922
1923
0
        for (j = 0; j < 10000; j++) {
1924
0
            ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
1925
0
            if (ret != 0) {
1926
0
                goto exit;
1927
0
            }
1928
0
        }
1929
1930
0
        if (memcmp(buf, aes_tests, 16) != 0) {
1931
0
            ret = 1;
1932
0
            goto exit;
1933
0
        }
1934
1935
0
        if (verbose != 0) {
1936
0
            mbedtls_printf("passed\n");
1937
0
        }
1938
0
    }
1939
1940
0
    if (verbose != 0) {
1941
0
        mbedtls_printf("\n");
1942
0
    }
1943
1944
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
1945
    /*
1946
     * CBC mode
1947
     */
1948
0
    for (i = 0; i < 6; i++) {
1949
0
        u = i >> 1;
1950
0
        keybits = 128 + u * 64;
1951
0
        mode = i & 1;
1952
1953
0
        if (verbose != 0) {
1954
0
            mbedtls_printf("  AES-CBC-%3u (%s): ", keybits,
1955
0
                           (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1956
0
        }
1957
1958
0
        memset(iv, 0, 16);
1959
0
        memset(prv, 0, 16);
1960
0
        memset(buf, 0, 16);
1961
1962
0
        if (mode == MBEDTLS_AES_DECRYPT) {
1963
0
            ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1964
0
            aes_tests = aes_test_cbc_dec[u];
1965
0
        } else {
1966
0
            ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1967
0
            aes_tests = aes_test_cbc_enc[u];
1968
0
        }
1969
1970
        /*
1971
         * AES-192 is an optional feature that may be unavailable when
1972
         * there is an alternative underlying implementation i.e. when
1973
         * MBEDTLS_AES_ALT is defined.
1974
         */
1975
0
        if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1976
0
            mbedtls_printf("skipped\n");
1977
0
            continue;
1978
0
        } else if (ret != 0) {
1979
0
            goto exit;
1980
0
        }
1981
1982
0
        for (j = 0; j < 10000; j++) {
1983
0
            if (mode == MBEDTLS_AES_ENCRYPT) {
1984
0
                unsigned char tmp[16];
1985
1986
0
                memcpy(tmp, prv, 16);
1987
0
                memcpy(prv, buf, 16);
1988
0
                memcpy(buf, tmp, 16);
1989
0
            }
1990
1991
0
            ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
1992
0
            if (ret != 0) {
1993
0
                goto exit;
1994
0
            }
1995
1996
0
        }
1997
1998
0
        if (memcmp(buf, aes_tests, 16) != 0) {
1999
0
            ret = 1;
2000
0
            goto exit;
2001
0
        }
2002
2003
0
        if (verbose != 0) {
2004
0
            mbedtls_printf("passed\n");
2005
0
        }
2006
0
    }
2007
2008
0
    if (verbose != 0) {
2009
0
        mbedtls_printf("\n");
2010
0
    }
2011
0
#endif /* MBEDTLS_CIPHER_MODE_CBC */
2012
2013
0
#if defined(MBEDTLS_CIPHER_MODE_CFB)
2014
    /*
2015
     * CFB128 mode
2016
     */
2017
0
    for (i = 0; i < 6; i++) {
2018
0
        u = i >> 1;
2019
0
        keybits = 128 + u * 64;
2020
0
        mode = i & 1;
2021
2022
0
        if (verbose != 0) {
2023
0
            mbedtls_printf("  AES-CFB128-%3u (%s): ", keybits,
2024
0
                           (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2025
0
        }
2026
2027
0
        memcpy(iv,  aes_test_cfb128_iv, 16);
2028
0
        memcpy(key, aes_test_cfb128_key[u], keybits / 8);
2029
2030
0
        offset = 0;
2031
0
        ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2032
        /*
2033
         * AES-192 is an optional feature that may be unavailable when
2034
         * there is an alternative underlying implementation i.e. when
2035
         * MBEDTLS_AES_ALT is defined.
2036
         */
2037
0
        if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2038
0
            mbedtls_printf("skipped\n");
2039
0
            continue;
2040
0
        } else if (ret != 0) {
2041
0
            goto exit;
2042
0
        }
2043
2044
0
        if (mode == MBEDTLS_AES_DECRYPT) {
2045
0
            memcpy(buf, aes_test_cfb128_ct[u], 64);
2046
0
            aes_tests = aes_test_cfb128_pt;
2047
0
        } else {
2048
0
            memcpy(buf, aes_test_cfb128_pt, 64);
2049
0
            aes_tests = aes_test_cfb128_ct[u];
2050
0
        }
2051
2052
0
        ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
2053
0
        if (ret != 0) {
2054
0
            goto exit;
2055
0
        }
2056
2057
0
        if (memcmp(buf, aes_tests, 64) != 0) {
2058
0
            ret = 1;
2059
0
            goto exit;
2060
0
        }
2061
2062
0
        if (verbose != 0) {
2063
0
            mbedtls_printf("passed\n");
2064
0
        }
2065
0
    }
2066
2067
0
    if (verbose != 0) {
2068
0
        mbedtls_printf("\n");
2069
0
    }
2070
0
#endif /* MBEDTLS_CIPHER_MODE_CFB */
2071
2072
0
#if defined(MBEDTLS_CIPHER_MODE_OFB)
2073
    /*
2074
     * OFB mode
2075
     */
2076
0
    for (i = 0; i < 6; i++) {
2077
0
        u = i >> 1;
2078
0
        keybits = 128 + u * 64;
2079
0
        mode = i & 1;
2080
2081
0
        if (verbose != 0) {
2082
0
            mbedtls_printf("  AES-OFB-%3u (%s): ", keybits,
2083
0
                           (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2084
0
        }
2085
2086
0
        memcpy(iv,  aes_test_ofb_iv, 16);
2087
0
        memcpy(key, aes_test_ofb_key[u], keybits / 8);
2088
2089
0
        offset = 0;
2090
0
        ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2091
        /*
2092
         * AES-192 is an optional feature that may be unavailable when
2093
         * there is an alternative underlying implementation i.e. when
2094
         * MBEDTLS_AES_ALT is defined.
2095
         */
2096
0
        if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2097
0
            mbedtls_printf("skipped\n");
2098
0
            continue;
2099
0
        } else if (ret != 0) {
2100
0
            goto exit;
2101
0
        }
2102
2103
0
        if (mode == MBEDTLS_AES_DECRYPT) {
2104
0
            memcpy(buf, aes_test_ofb_ct[u], 64);
2105
0
            aes_tests = aes_test_ofb_pt;
2106
0
        } else {
2107
0
            memcpy(buf, aes_test_ofb_pt, 64);
2108
0
            aes_tests = aes_test_ofb_ct[u];
2109
0
        }
2110
2111
0
        ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
2112
0
        if (ret != 0) {
2113
0
            goto exit;
2114
0
        }
2115
2116
0
        if (memcmp(buf, aes_tests, 64) != 0) {
2117
0
            ret = 1;
2118
0
            goto exit;
2119
0
        }
2120
2121
0
        if (verbose != 0) {
2122
0
            mbedtls_printf("passed\n");
2123
0
        }
2124
0
    }
2125
2126
0
    if (verbose != 0) {
2127
0
        mbedtls_printf("\n");
2128
0
    }
2129
0
#endif /* MBEDTLS_CIPHER_MODE_OFB */
2130
2131
0
#if defined(MBEDTLS_CIPHER_MODE_CTR)
2132
    /*
2133
     * CTR mode
2134
     */
2135
0
    for (i = 0; i < 6; i++) {
2136
0
        u = i >> 1;
2137
0
        mode = i & 1;
2138
2139
0
        if (verbose != 0) {
2140
0
            mbedtls_printf("  AES-CTR-128 (%s): ",
2141
0
                           (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2142
0
        }
2143
2144
0
        memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
2145
0
        memcpy(key, aes_test_ctr_key[u], 16);
2146
2147
0
        offset = 0;
2148
0
        if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
2149
0
            goto exit;
2150
0
        }
2151
2152
0
        len = aes_test_ctr_len[u];
2153
2154
0
        if (mode == MBEDTLS_AES_DECRYPT) {
2155
0
            memcpy(buf, aes_test_ctr_ct[u], len);
2156
0
            aes_tests = aes_test_ctr_pt[u];
2157
0
        } else {
2158
0
            memcpy(buf, aes_test_ctr_pt[u], len);
2159
0
            aes_tests = aes_test_ctr_ct[u];
2160
0
        }
2161
2162
0
        ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
2163
0
                                    stream_block, buf, buf);
2164
0
        if (ret != 0) {
2165
0
            goto exit;
2166
0
        }
2167
2168
0
        if (memcmp(buf, aes_tests, len) != 0) {
2169
0
            ret = 1;
2170
0
            goto exit;
2171
0
        }
2172
2173
0
        if (verbose != 0) {
2174
0
            mbedtls_printf("passed\n");
2175
0
        }
2176
0
    }
2177
2178
0
    if (verbose != 0) {
2179
0
        mbedtls_printf("\n");
2180
0
    }
2181
0
#endif /* MBEDTLS_CIPHER_MODE_CTR */
2182
2183
0
#if defined(MBEDTLS_CIPHER_MODE_XTS)
2184
0
    {
2185
0
        static const int num_tests =
2186
0
            sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2187
0
        mbedtls_aes_xts_context ctx_xts;
2188
2189
        /*
2190
         * XTS mode
2191
         */
2192
0
        mbedtls_aes_xts_init(&ctx_xts);
2193
2194
0
        for (i = 0; i < num_tests << 1; i++) {
2195
0
            const unsigned char *data_unit;
2196
0
            u = i >> 1;
2197
0
            mode = i & 1;
2198
2199
0
            if (verbose != 0) {
2200
0
                mbedtls_printf("  AES-XTS-128 (%s): ",
2201
0
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2202
0
            }
2203
2204
0
            memset(key, 0, sizeof(key));
2205
0
            memcpy(key, aes_test_xts_key[u], 32);
2206
0
            data_unit = aes_test_xts_data_unit[u];
2207
2208
0
            len = sizeof(*aes_test_xts_ct32);
2209
2210
0
            if (mode == MBEDTLS_AES_DECRYPT) {
2211
0
                ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
2212
0
                if (ret != 0) {
2213
0
                    goto exit;
2214
0
                }
2215
0
                memcpy(buf, aes_test_xts_ct32[u], len);
2216
0
                aes_tests = aes_test_xts_pt32[u];
2217
0
            } else {
2218
0
                ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
2219
0
                if (ret != 0) {
2220
0
                    goto exit;
2221
0
                }
2222
0
                memcpy(buf, aes_test_xts_pt32[u], len);
2223
0
                aes_tests = aes_test_xts_ct32[u];
2224
0
            }
2225
2226
2227
0
            ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
2228
0
                                        buf, buf);
2229
0
            if (ret != 0) {
2230
0
                goto exit;
2231
0
            }
2232
2233
0
            if (memcmp(buf, aes_tests, len) != 0) {
2234
0
                ret = 1;
2235
0
                goto exit;
2236
0
            }
2237
2238
0
            if (verbose != 0) {
2239
0
                mbedtls_printf("passed\n");
2240
0
            }
2241
0
        }
2242
2243
0
        if (verbose != 0) {
2244
0
            mbedtls_printf("\n");
2245
0
        }
2246
2247
0
        mbedtls_aes_xts_free(&ctx_xts);
2248
0
    }
2249
0
#endif /* MBEDTLS_CIPHER_MODE_XTS */
2250
2251
0
    ret = 0;
2252
2253
0
exit:
2254
0
    if (ret != 0 && verbose != 0) {
2255
0
        mbedtls_printf("failed\n");
2256
0
    }
2257
2258
0
    mbedtls_aes_free(&ctx);
2259
2260
0
    return ret;
2261
0
}
2262
2263
#endif /* MBEDTLS_SELF_TEST */
2264
2265
#endif /* MBEDTLS_AES_C */