/* aes.c

 *

 * Copyright (C) 2006-2025 wolfSSL Inc.

 *

 * This file is part of wolfSSL.

 *

 * wolfSSL is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 3 of the License, or

 * (at your option) any later version.

 *

 * wolfSSL is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA

 */

/*

DESCRIPTION

This library provides the interfaces to the Advanced Encryption Standard (AES)

for encrypting and decrypting data. AES is the standard known for a symmetric

block cipher mechanism that uses n-bit binary string parameter key with 128-bits,

192-bits, and 256-bits of key sizes.

*/

#include <wolfssl/wolfcrypt/libwolfssl_sources.h>

#if !defined(NO_AES)

/* Tip: Locate the software cipher modes by searching for "Software AES" */

#if FIPS_VERSION3_GE(2,0,0)

    /* set NO_WRAPPERS before headers, use direct internal f()s not wrappers */

    #define FIPS_NO_WRAPPERS

    #ifdef USE_WINDOWS_API

        #pragma code_seg(".fipsA$b")

        #pragma const_seg(".fipsB$b")

    #endif

#endif

#include <wolfssl/wolfcrypt/aes.h>

#ifdef WOLFSSL_AESNI

#include <wmmintrin.h>

#include <emmintrin.h>

#include <smmintrin.h>

#endif /* WOLFSSL_AESNI */

#include <wolfssl/wolfcrypt/cpuid.h>

#ifdef WOLF_CRYPTO_CB

    #include <wolfssl/wolfcrypt/cryptocb.h>

#endif

#ifdef WOLFSSL_SECO_CAAM

#include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>

#endif

#ifdef WOLFSSL_IMXRT_DCP

    #include <wolfssl/wolfcrypt/port/nxp/dcp_port.h>

#endif

#if defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_CRYPT)

    #include <wolfssl/wolfcrypt/port/nxp/se050_port.h>

#endif

#if defined(WOLFSSL_AES_SIV)

    #include <wolfssl/wolfcrypt/cmac.h>

#endif /* WOLFSSL_AES_SIV */

#if defined(WOLFSSL_HAVE_PSA) && !defined(WOLFSSL_PSA_NO_AES)

    #include <wolfssl/wolfcrypt/port/psa/psa.h>

#endif

#if defined(WOLFSSL_MAX3266X) || defined(WOLFSSL_MAX3266X_OLD)

    #include <wolfssl/wolfcrypt/port/maxim/max3266x.h>

#ifdef MAX3266X_CB

    /* Revert back to SW so HW CB works */

    /* HW only works for AES: ECB, CBC, and partial via ECB for other modes */

    #include <wolfssl/wolfcrypt/port/maxim/max3266x-cryptocb.h>

    /* Turn off MAX3266X_AES in the context of this file when using CB */

    #undef MAX3266X_AES

#endif

#endif

#if defined(WOLFSSL_TI_CRYPT)

    #include <wolfcrypt/src/port/ti/ti-aes.c>

#else

#if defined(WOLFSSL_PSOC6_CRYPTO)

    #include <wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h>

#endif /* WOLFSSL_PSOC6_CRYPTO */

#ifdef NO_INLINE

    #include <wolfssl/wolfcrypt/misc.h>

#else

    #define WOLFSSL_MISC_INCLUDED

    #include <wolfcrypt/src/misc.c>

#endif

#if !defined(WOLFSSL_RISCV_ASM)

#ifdef WOLFSSL_IMX6_CAAM_BLOB

    /* case of possibly not using hardware acceleration for AES but using key

       blobs */

    #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>

#endif

#ifdef DEBUG_AESNI

    #include <stdio.h>

#endif

#ifdef _MSC_VER

    /* 4127 warning constant while(1)  */

    #pragma warning(disable: 4127)

#endif

#if (!defined(WOLFSSL_ARMASM) && FIPS_VERSION3_GE(6,0,0)) || \

    FIPS_VERSION3_GE(7,0,0)

    const unsigned int wolfCrypt_FIPS_aes_ro_sanity[2] =

                                                     { 0x1a2b3c4d, 0x00000002 };

    int wolfCrypt_FIPS_AES_sanity(void)

    {

        return 0;

    }

#endif

/* Define AES implementation includes and functions */

#if defined(STM32_CRYPTO)

     /* STM32F2/F4/F7/L4/L5/H7/WB55 hardware AES support for ECB, CBC, CTR and GCM modes */

#if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESGCM) || defined(HAVE_AESCCM)

    static WARN_UNUSED_RESULT int wc_AesEncrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

        int ret = 0;

    #ifdef WOLFSSL_STM32_CUBEMX

        CRYP_HandleTypeDef hcryp;

    #else

        CRYP_InitTypeDef cryptInit;

        CRYP_KeyInitTypeDef keyInit;

    #endif

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

        if (ret < 0)

            return ret;

#endif

    #ifdef WOLFSSL_STM32U5_DHUK

        ret = wolfSSL_CryptHwMutexLock();

        if (ret != 0)

            return ret;

        /* Handle making use of wrapped key */

        if (aes->devId == WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID) {

            CRYP_ConfigTypeDef Config = {0};

            ret = wc_Stm32_Aes_UnWrap(aes, &hcryp, (const byte*)aes->key,

                aes->keylen, aes->dhukIV, aes->dhukIVLen);

            if (ret != HAL_OK) {

                WOLFSSL_MSG("Error with DHUK key unwrap");

                ret = BAD_FUNC_ARG;

            }

            /* reconfigure for using unwrapped key now */

            HAL_CRYP_GetConfig(&hcryp, &Config);

            Config.KeyMode   = CRYP_KEYMODE_NORMAL;

            Config.KeySelect = CRYP_KEYSEL_NORMAL;

            Config.Algorithm = CRYP_AES_ECB;

            Config.DataType  = CRYP_DATATYPE_8B;

            Config.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE;

            HAL_CRYP_SetConfig(&hcryp, &Config);

        }

        else {

            ret = wc_Stm32_Aes_Init(aes, &hcryp, 1);

            if (ret == 0) {

                hcryp.Init.Algorithm  = CRYP_AES_ECB;

                ret = HAL_CRYP_Init(&hcryp);

                if (ret != HAL_OK) {

                    ret = BAD_FUNC_ARG;

                }

            }

        }

        if (ret == HAL_OK) {

            ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)inBlock, WC_AES_BLOCK_SIZE,

                    (uint32_t*)outBlock, STM32_HAL_TIMEOUT);

            if (ret != HAL_OK) {

                ret = WC_TIMEOUT_E;

            }

        }

        HAL_CRYP_DeInit(&hcryp);

    #elif defined(WOLFSSL_STM32_CUBEMX)

        ret = wc_Stm32_Aes_Init(aes, &hcryp, 0);

        if (ret != 0)

            return ret;

        ret = wolfSSL_CryptHwMutexLock();

        if (ret != 0)

            return ret;

    #if defined(STM32_HAL_V2)

        hcryp.Init.Algorithm  = CRYP_AES_ECB;

    #elif defined(STM32_CRYPTO_AES_ONLY)

        hcryp.Init.OperatingMode = CRYP_ALGOMODE_ENCRYPT;

        hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_ECB;

        hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;

    #endif

        if (HAL_CRYP_Init(&hcryp) != HAL_OK) {

            ret = BAD_FUNC_ARG;

        }

        if (ret == 0) {

        #if defined(STM32_HAL_V2)

            ret = HAL_CRYP_Encrypt(&hcryp, (uint32_t*)inBlock, WC_AES_BLOCK_SIZE,

                (uint32_t*)outBlock, STM32_HAL_TIMEOUT);

        #elif defined(STM32_CRYPTO_AES_ONLY)

            ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)inBlock, WC_AES_BLOCK_SIZE,

                outBlock, STM32_HAL_TIMEOUT);

        #else

            ret = HAL_CRYP_AESECB_Encrypt(&hcryp, (uint8_t*)inBlock, WC_AES_BLOCK_SIZE,

                outBlock, STM32_HAL_TIMEOUT);

        #endif

            if (ret != HAL_OK) {

                ret = WC_TIMEOUT_E;

            }

            HAL_CRYP_DeInit(&hcryp);

        }

    #else /* Standard Peripheral Library */

        ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);

        if (ret != 0)

            return ret;

        ret = wolfSSL_CryptHwMutexLock();

        if (ret != 0)

            return ret;

        /* reset registers to their default values */

        CRYP_DeInit();

        /* setup key */

        CRYP_KeyInit(&keyInit);

        /* set direction and mode */

        cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Encrypt;

        cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_ECB;

        CRYP_Init(&cryptInit);

        /* enable crypto processor */

        CRYP_Cmd(ENABLE);

        /* flush IN/OUT FIFOs */

        CRYP_FIFOFlush();

        CRYP_DataIn(*(uint32_t*)&inBlock[0]);

        CRYP_DataIn(*(uint32_t*)&inBlock[4]);

        CRYP_DataIn(*(uint32_t*)&inBlock[8]);

        CRYP_DataIn(*(uint32_t*)&inBlock[12]);

        /* wait until the complete message has been processed */

        while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

        *(uint32_t*)&outBlock[0]  = CRYP_DataOut();

        *(uint32_t*)&outBlock[4]  = CRYP_DataOut();

        *(uint32_t*)&outBlock[8]  = CRYP_DataOut();

        *(uint32_t*)&outBlock[12] = CRYP_DataOut();

        /* disable crypto processor */

        CRYP_Cmd(DISABLE);

    #endif /* WOLFSSL_STM32_CUBEMX */

        wolfSSL_CryptHwMutexUnLock();

        wc_Stm32_Aes_Cleanup();

        return ret;

    }

#endif /* WOLFSSL_AES_DIRECT || HAVE_AESGCM || HAVE_AESCCM */

#ifdef HAVE_AES_DECRYPT

    #if defined(WOLFSSL_AES_DIRECT)

    static WARN_UNUSED_RESULT int wc_AesDecrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

        int ret = 0;

    #ifdef WOLFSSL_STM32_CUBEMX

        CRYP_HandleTypeDef hcryp;

    #else

        CRYP_InitTypeDef cryptInit;

        CRYP_KeyInitTypeDef keyInit;

    #endif

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

        if (ret < 0)

            return ret;

#endif

    #ifdef WOLFSSL_STM32U5_DHUK

        ret = wolfSSL_CryptHwMutexLock();

        if (ret != 0)

            return ret;

        /* Handle making use of wrapped key */

        if (aes->devId == WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID) {

            CRYP_ConfigTypeDef Config;

            XMEMSET(&Config, 0, sizeof(Config));

            ret = wc_Stm32_Aes_UnWrap(aes, &hcryp, (const byte*)aes->key,

                aes->keylen, aes->dhukIV, aes->dhukIVLen);

            if (ret != HAL_OK) {

                WOLFSSL_MSG("Error with DHUK unwrap");

                ret = BAD_FUNC_ARG;

            }

            /* reconfigure for using unwrapped key now */

            HAL_CRYP_GetConfig(&hcryp, &Config);

            Config.KeyMode   = CRYP_KEYMODE_NORMAL;

            Config.KeySelect = CRYP_KEYSEL_NORMAL;

            Config.Algorithm = CRYP_AES_ECB;

            Config.DataType  = CRYP_DATATYPE_8B;

            Config.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE;

            HAL_CRYP_SetConfig(&hcryp, &Config);

        }

        else {

            ret = wc_Stm32_Aes_Init(aes, &hcryp, 1);

            if (ret == 0) {

                hcryp.Init.Algorithm  = CRYP_AES_ECB;

                ret = HAL_CRYP_Init(&hcryp);

                if (ret != HAL_OK) {

                    ret = BAD_FUNC_ARG;

                }

            }

        }

        if (ret == HAL_OK) {

            ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)inBlock, WC_AES_BLOCK_SIZE,

                    (uint32_t*)outBlock, STM32_HAL_TIMEOUT);

            if (ret != HAL_OK) {

                ret = WC_TIMEOUT_E;

            }

        }

        HAL_CRYP_DeInit(&hcryp);

    #elif defined(WOLFSSL_STM32_CUBEMX)

        ret = wc_Stm32_Aes_Init(aes, &hcryp, 0);

        if (ret != 0)

            return ret;

        ret = wolfSSL_CryptHwMutexLock();

        if (ret != 0)

            return ret;

    #if defined(STM32_HAL_V2)

        hcryp.Init.Algorithm  = CRYP_AES_ECB;

    #elif defined(STM32_CRYPTO_AES_ONLY)

        hcryp.Init.OperatingMode = CRYP_ALGOMODE_KEYDERIVATION_DECRYPT;

        hcryp.Init.ChainingMode  = CRYP_CHAINMODE_AES_ECB;

        hcryp.Init.KeyWriteFlag  = CRYP_KEY_WRITE_ENABLE;

    #endif

        HAL_CRYP_Init(&hcryp);

    #if defined(STM32_HAL_V2)

        ret = HAL_CRYP_Decrypt(&hcryp, (uint32_t*)inBlock, WC_AES_BLOCK_SIZE,

            (uint32_t*)outBlock, STM32_HAL_TIMEOUT);

    #elif defined(STM32_CRYPTO_AES_ONLY)

        ret = HAL_CRYPEx_AES(&hcryp, (uint8_t*)inBlock, WC_AES_BLOCK_SIZE,

            outBlock, STM32_HAL_TIMEOUT);

    #else

        ret = HAL_CRYP_AESECB_Decrypt(&hcryp, (uint8_t*)inBlock, WC_AES_BLOCK_SIZE,

            outBlock, STM32_HAL_TIMEOUT);

    #endif

        if (ret != HAL_OK) {

            ret = WC_TIMEOUT_E;

        }

        HAL_CRYP_DeInit(&hcryp);

    #else /* Standard Peripheral Library */

        ret = wc_Stm32_Aes_Init(aes, &cryptInit, &keyInit);

        if (ret != 0)

            return ret;

        ret = wolfSSL_CryptHwMutexLock();

        if (ret != 0)

            return ret;

        /* reset registers to their default values */

        CRYP_DeInit();

        /* set direction and key */

        CRYP_KeyInit(&keyInit);

        cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;

        cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_Key;

        CRYP_Init(&cryptInit);

        /* enable crypto processor */

        CRYP_Cmd(ENABLE);

        /* wait until decrypt key has been initialized */

        while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

        /* set direction and mode */

        cryptInit.CRYP_AlgoDir  = CRYP_AlgoDir_Decrypt;

        cryptInit.CRYP_AlgoMode = CRYP_AlgoMode_AES_ECB;

        CRYP_Init(&cryptInit);

        /* enable crypto processor */

        CRYP_Cmd(ENABLE);

        /* flush IN/OUT FIFOs */

        CRYP_FIFOFlush();

        CRYP_DataIn(*(uint32_t*)&inBlock[0]);

        CRYP_DataIn(*(uint32_t*)&inBlock[4]);

        CRYP_DataIn(*(uint32_t*)&inBlock[8]);

        CRYP_DataIn(*(uint32_t*)&inBlock[12]);

        /* wait until the complete message has been processed */

        while (CRYP_GetFlagStatus(CRYP_FLAG_BUSY) != RESET) {}

        *(uint32_t*)&outBlock[0]  = CRYP_DataOut();

        *(uint32_t*)&outBlock[4]  = CRYP_DataOut();

        *(uint32_t*)&outBlock[8]  = CRYP_DataOut();

        *(uint32_t*)&outBlock[12] = CRYP_DataOut();

        /* disable crypto processor */

        CRYP_Cmd(DISABLE);

    #endif /* WOLFSSL_STM32_CUBEMX */

        wolfSSL_CryptHwMutexUnLock();

        wc_Stm32_Aes_Cleanup();

        return ret;

    }

    #endif /* WOLFSSL_AES_DIRECT */

#endif /* HAVE_AES_DECRYPT */

#elif defined(HAVE_COLDFIRE_SEC)

    /* Freescale Coldfire SEC support for CBC mode.

     * NOTE: no support for AES-CTR/GCM/CCM/Direct */

    #include "sec.h"

    #include "mcf5475_sec.h"

    #include "mcf5475_siu.h"

#elif defined(FREESCALE_LTC)

    #include "fsl_ltc.h"

    #if defined(FREESCALE_LTC_AES_GCM)

        #undef NEED_AES_TABLES

        #undef GCM_TABLE

    #endif

        /* if LTC doesn't have GCM, use software with LTC AES ECB mode */

        static WARN_UNUSED_RESULT int wc_AesEncrypt(

            Aes* aes, const byte* inBlock, byte* outBlock)

        {

            word32 keySize = 0;

            byte* key = (byte*)aes->key;

            int ret = wc_AesGetKeySize(aes, &keySize);

            if (ret != 0)

                return ret;

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

            ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

            if (ret < 0)

                return ret;

#endif

            if (wolfSSL_CryptHwMutexLock() == 0) {

                LTC_AES_EncryptEcb(LTC_BASE, inBlock, outBlock, WC_AES_BLOCK_SIZE,

                    key, keySize);

                wolfSSL_CryptHwMutexUnLock();

            }

            return 0;

        }

        #ifdef HAVE_AES_DECRYPT

        static WARN_UNUSED_RESULT int wc_AesDecrypt(

            Aes* aes, const byte* inBlock, byte* outBlock)

        {

            word32 keySize = 0;

            byte* key = (byte*)aes->key;

            int ret = wc_AesGetKeySize(aes, &keySize);

            if (ret != 0)

                return ret;

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

            ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

            if (ret < 0)

                return ret;

#endif

            if (wolfSSL_CryptHwMutexLock() == 0) {

                LTC_AES_DecryptEcb(LTC_BASE, inBlock, outBlock, WC_AES_BLOCK_SIZE,

                    key, keySize, kLTC_EncryptKey);

                wolfSSL_CryptHwMutexUnLock();

            }

            return 0;

        }

        #endif

#elif defined(WOLFSSL_PIC32MZ_CRYPT)

    #include <wolfssl/wolfcrypt/port/pic32/pic32mz-crypt.h>

    #if defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT)

    static WARN_UNUSED_RESULT int wc_AesEncrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        {

            int ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

            if (ret < 0)

                return ret;

        }

#endif

        /* Thread mutex protection handled in Pic32Crypto */

        return wc_Pic32AesCrypt(aes->key, aes->keylen, NULL, 0,

            outBlock, inBlock, WC_AES_BLOCK_SIZE,

            PIC32_ENCRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_RECB);

    }

    #endif

    #if defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT)

    static WARN_UNUSED_RESULT int wc_AesDecrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        {

            int ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

            if (ret < 0)

                return ret;

        }

#endif

        /* Thread mutex protection handled in Pic32Crypto */

        return wc_Pic32AesCrypt(aes->key, aes->keylen, NULL, 0,

            outBlock, inBlock, WC_AES_BLOCK_SIZE,

            PIC32_DECRYPTION, PIC32_ALGO_AES, PIC32_CRYPTOALGO_RECB);

    }

    #endif

#elif defined(WOLFSSL_NRF51_AES)

    /* Use built-in AES hardware - AES 128 ECB Encrypt Only */

    #include "wolfssl/wolfcrypt/port/nrf51.h"

    static WARN_UNUSED_RESULT int wc_AesEncrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

        int ret;

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

        if (ret < 0)

            return ret;

#endif

        ret = wolfSSL_CryptHwMutexLock();

        if (ret == 0) {

            ret = nrf51_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds,

                                    outBlock);

            wolfSSL_CryptHwMutexUnLock();

        }

        return ret;

    }

    #ifdef HAVE_AES_DECRYPT

        #error nRF51 AES Hardware does not support decrypt

    #endif /* HAVE_AES_DECRYPT */

#elif defined(WOLFSSL_ESP32_CRYPT) && \

     !defined(NO_WOLFSSL_ESP32_CRYPT_AES)

    #include <esp_log.h>

    #include <wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h>

    #define TAG "aes"

    /* We'll use SW for fallback:

     *   unsupported key lengths. (e.g. ESP32-S3)

     *   chipsets not implemented.

     *   hardware busy. */

    #define NEED_AES_TABLES

    #define NEED_AES_HW_FALLBACK

    #define NEED_SOFTWARE_AES_SETKEY

    #undef  WOLFSSL_AES_DIRECT

    #define WOLFSSL_AES_DIRECT

    /* Encrypt: If we choose to never have a fallback to SW: */

    #if !defined(NEED_AES_HW_FALLBACK) && \

        (defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT))

    /* calling this one when NO_AES_192 is defined */

    static WARN_UNUSED_RESULT int wc_AesEncrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

        int ret;

    #ifdef WC_DEBUG_CIPHER_LIFECYCLE

        ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

        if (ret < 0)

            return ret;

    #endif

        /* Thread mutex protection handled in esp_aes_hw_InUse */

    #ifdef NEED_AES_HW_FALLBACK

        if (wc_esp32AesSupportedKeyLen(aes)) {

            ret = wc_esp32AesEncrypt(aes, inBlock, outBlock);

        }

    #else

        ret = wc_esp32AesEncrypt(aes, inBlock, outBlock);

    #endif

        return ret;

    }

    #endif

    /* Decrypt: If we choose to never have a fallback to SW: */

    #if !defined(NEED_AES_HW_FALLBACK) && \

        (defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT))

    static WARN_UNUSED_RESULT int wc_AesDecrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

        int ret = 0;

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

        if (ret < 0)

            return ret;

#endif

        /* Thread mutex protection handled in esp_aes_hw_InUse */

    #ifdef NEED_AES_HW_FALLBACK

        if (wc_esp32AesSupportedKeyLen(aes)) {

            ret = wc_esp32AesDecrypt(aes, inBlock, outBlock);

        }

        else {

            ret = wc_AesDecrypt_SW(aes, inBlock, outBlock);

        }

    #else

        /* if we don't need fallback, always use HW */

        ret = wc_esp32AesDecrypt(aes, inBlock, outBlock);

    #endif

        return ret;

    }

    #endif

#elif defined(WOLFSSL_AESNI)

    #define NEED_AES_TABLES

    /* Each platform needs to query info type 1 from cpuid to see if aesni is

     * supported. Also, let's setup a macro for proper linkage w/o ABI conflicts

     */

    #ifndef AESNI_ALIGN

        #define AESNI_ALIGN 16

    #endif

    /* note that all write access to these static variables must be idempotent,

     * as arranged by Check_CPU_support_AES(), else they will be susceptible to

     * data races.

     */

    static int checkedAESNI = 0;

    static int haveAESNI  = 0;

    static cpuid_flags_t intel_flags = WC_CPUID_INITIALIZER;

    static WARN_UNUSED_RESULT int Check_CPU_support_AES(void)

    {

        cpuid_get_flags_ex(&intel_flags);

        return IS_INTEL_AESNI(intel_flags) != 0;

    }

    /* tell C compiler these are asm functions in case any mix up of ABI underscore

       prefix between clang/gcc/llvm etc */

    #ifdef HAVE_AES_CBC

        void AES_CBC_encrypt_AESNI(const unsigned char* in, unsigned char* out,

                             unsigned char* ivec, unsigned long length,

                             const unsigned char* KS, int nr)

                             XASM_LINK("AES_CBC_encrypt_AESNI");

        #ifdef HAVE_AES_DECRYPT

            #if defined(WOLFSSL_AESNI_BY4) || defined(WOLFSSL_X86_BUILD)

                void AES_CBC_decrypt_AESNI_by4(const unsigned char* in, unsigned char* out,

                                         unsigned char* ivec, unsigned long length,

                                         const unsigned char* KS, int nr)

                                         XASM_LINK("AES_CBC_decrypt_AESNI_by4");

            #elif defined(WOLFSSL_AESNI_BY6)

                void AES_CBC_decrypt_AESNI_by6(const unsigned char* in, unsigned char* out,

                                         unsigned char* ivec, unsigned long length,

                                         const unsigned char* KS, int nr)

                                         XASM_LINK("AES_CBC_decrypt_AESNI_by6");

            #else /* WOLFSSL_AESNI_BYx */

                void AES_CBC_decrypt_AESNI_by8(const unsigned char* in, unsigned char* out,

                                         unsigned char* ivec, unsigned long length,

                                         const unsigned char* KS, int nr)

                                         XASM_LINK("AES_CBC_decrypt_AESNI_by8");

            #endif /* WOLFSSL_AESNI_BYx */

        #endif /* HAVE_AES_DECRYPT */

    #endif /* HAVE_AES_CBC */

    void AES_ECB_encrypt_AESNI(const unsigned char* in, unsigned char* out,

                         unsigned long length, const unsigned char* KS, int nr)

                         XASM_LINK("AES_ECB_encrypt_AESNI");

    #ifdef HAVE_AES_DECRYPT

        void AES_ECB_decrypt_AESNI(const unsigned char* in, unsigned char* out,

                             unsigned long length, const unsigned char* KS, int nr)

                             XASM_LINK("AES_ECB_decrypt_AESNI");

    #endif

    void AES_128_Key_Expansion_AESNI(const unsigned char* userkey,

                               unsigned char* key_schedule)

                               XASM_LINK("AES_128_Key_Expansion_AESNI");

    void AES_192_Key_Expansion_AESNI(const unsigned char* userkey,

                               unsigned char* key_schedule)

                               XASM_LINK("AES_192_Key_Expansion_AESNI");

    void AES_256_Key_Expansion_AESNI(const unsigned char* userkey,

                               unsigned char* key_schedule)

                               XASM_LINK("AES_256_Key_Expansion_AESNI");

    static WARN_UNUSED_RESULT int AES_set_encrypt_key_AESNI(

        const unsigned char *userKey, const int bits, Aes* aes)

    {

        int ret;

        ASSERT_SAVED_VECTOR_REGISTERS();

        if (!userKey || !aes)

            return BAD_FUNC_ARG;

        switch (bits) {

            case 128:

               AES_128_Key_Expansion_AESNI (userKey,(byte*)aes->key); aes->rounds = 10;

               return 0;

            case 192:

               AES_192_Key_Expansion_AESNI (userKey,(byte*)aes->key); aes->rounds = 12;

               return 0;

            case 256:

               AES_256_Key_Expansion_AESNI (userKey,(byte*)aes->key); aes->rounds = 14;

               return 0;

            default:

                ret = BAD_FUNC_ARG;

        }

        return ret;

    }

    #ifdef HAVE_AES_DECRYPT

        static WARN_UNUSED_RESULT int AES_set_decrypt_key_AESNI(

            const unsigned char* userKey, const int bits, Aes* aes)

        {

            word32 nr;

            WC_DECLARE_VAR(temp_key, Aes, 1, 0);

            __m128i *Key_Schedule;

            __m128i *Temp_Key_Schedule;

            ASSERT_SAVED_VECTOR_REGISTERS();

            if (!userKey || !aes)

                return BAD_FUNC_ARG;

#ifdef WOLFSSL_SMALL_STACK

            if ((temp_key = (Aes *)XMALLOC(sizeof *aes, aes->heap,

                                           DYNAMIC_TYPE_AES)) == NULL)

                return MEMORY_E;

#endif

            if (AES_set_encrypt_key_AESNI(userKey,bits,temp_key)

                == WC_NO_ERR_TRACE(BAD_FUNC_ARG)) {

                WC_FREE_VAR_EX(temp_key, aes->heap, DYNAMIC_TYPE_AES);

                return BAD_FUNC_ARG;

            }

            Key_Schedule = (__m128i*)aes->key;

            Temp_Key_Schedule = (__m128i*)temp_key->key;

            nr = temp_key->rounds;

            aes->rounds = nr;

            Key_Schedule[nr] = Temp_Key_Schedule[0];

            Key_Schedule[nr-1] = _mm_aesimc_si128(Temp_Key_Schedule[1]);

            Key_Schedule[nr-2] = _mm_aesimc_si128(Temp_Key_Schedule[2]);

            Key_Schedule[nr-3] = _mm_aesimc_si128(Temp_Key_Schedule[3]);

            Key_Schedule[nr-4] = _mm_aesimc_si128(Temp_Key_Schedule[4]);

            Key_Schedule[nr-5] = _mm_aesimc_si128(Temp_Key_Schedule[5]);

            Key_Schedule[nr-6] = _mm_aesimc_si128(Temp_Key_Schedule[6]);

            Key_Schedule[nr-7] = _mm_aesimc_si128(Temp_Key_Schedule[7]);

            Key_Schedule[nr-8] = _mm_aesimc_si128(Temp_Key_Schedule[8]);

            Key_Schedule[nr-9] = _mm_aesimc_si128(Temp_Key_Schedule[9]);

            if (nr>10) {

                Key_Schedule[nr-10] = _mm_aesimc_si128(Temp_Key_Schedule[10]);

                Key_Schedule[nr-11] = _mm_aesimc_si128(Temp_Key_Schedule[11]);

            }

            if (nr>12) {

                Key_Schedule[nr-12] = _mm_aesimc_si128(Temp_Key_Schedule[12]);

                Key_Schedule[nr-13] = _mm_aesimc_si128(Temp_Key_Schedule[13]);

            }

            Key_Schedule[0] = Temp_Key_Schedule[nr];

            WC_FREE_VAR_EX(temp_key, aes->heap, DYNAMIC_TYPE_AES);

            return 0;

        }

    #endif /* HAVE_AES_DECRYPT */

#elif defined(WOLFSSL_ARMASM)

#if defined(__aarch64__) && !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)

static cpuid_flags_t cpuid_flags = WC_CPUID_INITIALIZER;

static void Check_CPU_support_HwCrypto(Aes* aes)

{

    cpuid_get_flags_ex(&cpuid_flags);

    aes->use_aes_hw_crypto = IS_AARCH64_AES(cpuid_flags);

#ifdef HAVE_AESGCM

    aes->use_pmull_hw_crypto = IS_AARCH64_PMULL(cpuid_flags);

    aes->use_sha3_hw_crypto = IS_AARCH64_SHA3(cpuid_flags);

#endif

}

#endif /* __aarch64__ && !WOLFSSL_ARMASM_NO_HW_CRYPTO */

#if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESCCM) || \

    defined(WOLFSSL_AESGCM_STREAM)

static WARN_UNUSED_RESULT int wc_AesEncrypt(Aes* aes, const byte* inBlock,

    byte* outBlock)

{

#ifndef WOLFSSL_ARMASM_NO_HW_CRYPTO

#if !defined(__aarch64__)

    AES_encrypt_AARCH32(inBlock, outBlock, (byte*)aes->key, (int)aes->rounds);

#else

    if (aes->use_aes_hw_crypto) {

        AES_encrypt_AARCH64(inBlock, outBlock, (byte*)aes->key,

           (int)aes->rounds);

    }

    else

#endif /* !__aarch64__ */

#endif /* !WOLFSSL_ARMASM_NO_HW_CRYPTO */

#if defined(__aarch64__) && !defined(WOLFSSL_ARMASM_NO_NEON) && \

    defined(WOLFSSL_ARMASM_NEON_NO_TABLE_LOOKUP)

    {

        AES_ECB_encrypt_NEON(inBlock, outBlock, WC_AES_BLOCK_SIZE,

            (const unsigned char*)aes->key, aes->rounds);

    }

#elif defined(__aarch64__) || defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)

    {

        AES_ECB_encrypt(inBlock, outBlock, WC_AES_BLOCK_SIZE, (byte*)aes->key,

            (int)aes->rounds);

    }

#endif

    return 0;

}

#endif

#if defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT)

static WARN_UNUSED_RESULT int wc_AesDecrypt(Aes* aes, const byte* inBlock,

    byte* outBlock)

{

#ifndef WOLFSSL_ARMASM_NO_HW_CRYPTO

#if !defined(__aarch64__)

    AES_decrypt_AARCH32(inBlock, outBlock, (byte*)aes->key, (int)aes->rounds);

#else

    if (aes->use_aes_hw_crypto) {

        AES_decrypt_AARCH64(inBlock, outBlock, (byte*)aes->key,

            (int)aes->rounds);

    }

    else

#endif /* !__aarch64__ */

#endif /* !WOLFSSL_ARMASM_NO_HW_CRYPTO */

#if defined(__aarch64__) && !defined(WOLFSSL_ARMASM_NO_NEON) && \

    defined(WOLFSSL_ARMASM_NEON_NO_TABLE_LOOKUP)

    {

        AES_ECB_decrypt_NEON(inBlock, outBlock, WC_AES_BLOCK_SIZE,

            (byte*)aes->key, (int)aes->rounds);

    }

#elif defined(__aarch64__) || defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)

    {

        AES_ECB_decrypt(inBlock, outBlock, WC_AES_BLOCK_SIZE, (byte*)aes->key,

            (int)aes->rounds);

    }

#endif

    return 0;

}

#endif /* HAVE_AES_DECRYPT && WOLFSSL_AES_DIRECT */

#elif defined(FREESCALE_MMCAU)

    /* Freescale mmCAU hardware AES support for Direct, CBC, CCM, GCM modes

     * through the CAU/mmCAU library. Documentation located in

     * ColdFire/ColdFire+ CAU and Kinetis mmCAU Software Library User

     * Guide (See note in README). */

    #ifdef FREESCALE_MMCAU_CLASSIC

        /* MMCAU 1.4 library used with non-KSDK / classic MQX builds */

        #include "cau_api.h"

    #else

        #include "fsl_mmcau.h"

    #endif

    static WARN_UNUSED_RESULT int wc_AesEncrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        {

            int ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

            if (ret < 0)

                return ret;

        }

#endif

        if (wolfSSL_CryptHwMutexLock() == 0) {

        #ifdef FREESCALE_MMCAU_CLASSIC

            if ((wc_ptr_t)outBlock % WOLFSSL_MMCAU_ALIGNMENT) {

                WOLFSSL_MSG("Bad cau_aes_encrypt alignment");

                return BAD_ALIGN_E;

            }

            cau_aes_encrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);

        #else

            MMCAU_AES_EncryptEcb(inBlock, (byte*)aes->key, aes->rounds,

                                 outBlock);

        #endif

            wolfSSL_CryptHwMutexUnLock();

        }

        return 0;

    }

    #ifdef HAVE_AES_DECRYPT

    static WARN_UNUSED_RESULT int wc_AesDecrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        {

            int ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

            if (ret < 0)

                return ret;

        }

#endif

        if (wolfSSL_CryptHwMutexLock() == 0) {

        #ifdef FREESCALE_MMCAU_CLASSIC

            if ((wc_ptr_t)outBlock % WOLFSSL_MMCAU_ALIGNMENT) {

                WOLFSSL_MSG("Bad cau_aes_decrypt alignment");

                return BAD_ALIGN_E;

            }

            cau_aes_decrypt(inBlock, (byte*)aes->key, aes->rounds, outBlock);

        #else

            MMCAU_AES_DecryptEcb(inBlock, (byte*)aes->key, aes->rounds,

                                 outBlock);

        #endif

            wolfSSL_CryptHwMutexUnLock();

        }

        return 0;

    }

    #endif /* HAVE_AES_DECRYPT */

#elif (defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES) \

        && !defined(WOLFSSL_QNX_CAAM)) || \

      ((defined(WOLFSSL_AFALG) || defined(WOLFSSL_DEVCRYPTO_AES)) && \

        defined(HAVE_AESCCM))

        static WARN_UNUSED_RESULT int wc_AesEncrypt(

            Aes* aes, const byte* inBlock, byte* outBlock)

        {

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

            {

                int ret =

                    wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

                if (ret < 0)

                    return ret;

            }

#endif

            return wc_AesEncryptDirect(aes, outBlock, inBlock);

        }

#elif defined(WOLFSSL_AFALG)

    /* implemented in wolfcrypt/src/port/af_alg/afalg_aes.c */

#elif defined(WOLFSSL_DEVCRYPTO_AES)

    /* implemented in wolfcrypt/src/port/devcrypto/devcrypto_aes.c */

#elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_AES)

    #include "hal_data.h"

    #ifndef WOLFSSL_SCE_AES256_HANDLE

        #define WOLFSSL_SCE_AES256_HANDLE g_sce_aes_256

    #endif

    #ifndef WOLFSSL_SCE_AES192_HANDLE

        #define WOLFSSL_SCE_AES192_HANDLE g_sce_aes_192

    #endif

    #ifndef WOLFSSL_SCE_AES128_HANDLE

        #define WOLFSSL_SCE_AES128_HANDLE g_sce_aes_128

    #endif

    static WARN_UNUSED_RESULT int AES_ECB_encrypt(

        Aes* aes, const byte* inBlock, byte* outBlock, int sz)

    {

        word32 ret;

        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==

                CRYPTO_WORD_ENDIAN_BIG) {

            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);

        }

        switch (aes->keylen) {

        #ifdef WOLFSSL_AES_128

            case AES_128_KEY_SIZE:

                ret = WOLFSSL_SCE_AES128_HANDLE.p_api->encrypt(

                        WOLFSSL_SCE_AES128_HANDLE.p_ctrl, aes->key,

                        NULL, (sz / sizeof(word32)), (word32*)inBlock,

                        (word32*)outBlock);

                break;

        #endif

        #ifdef WOLFSSL_AES_192

            case AES_192_KEY_SIZE:

                ret = WOLFSSL_SCE_AES192_HANDLE.p_api->encrypt(

                        WOLFSSL_SCE_AES192_HANDLE.p_ctrl, aes->key,

                        NULL, (sz / sizeof(word32)), (word32*)inBlock,

                        (word32*)outBlock);

                break;

        #endif

        #ifdef WOLFSSL_AES_256

            case AES_256_KEY_SIZE:

                ret = WOLFSSL_SCE_AES256_HANDLE.p_api->encrypt(

                        WOLFSSL_SCE_AES256_HANDLE.p_ctrl, aes->key,

                        NULL, (sz / sizeof(word32)), (word32*)inBlock,

                        (word32*)outBlock);

                break;

        #endif

            default:

                WOLFSSL_MSG("Unknown key size");

                return BAD_FUNC_ARG;

        }

        if (ret != SSP_SUCCESS) {

            /* revert input */

            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);

            return WC_HW_E;

        }

        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==

                CRYPTO_WORD_ENDIAN_BIG) {

            ByteReverseWords((word32*)outBlock, (word32*)outBlock, sz);

            if (inBlock != outBlock) {

                /* revert input */

                ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);

            }

        }

        return 0;

    }

    #if defined(HAVE_AES_DECRYPT)

    static WARN_UNUSED_RESULT int AES_ECB_decrypt(

        Aes* aes, const byte* inBlock, byte* outBlock, int sz)

    {

        word32 ret;

        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==

                CRYPTO_WORD_ENDIAN_BIG) {

            ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);

        }

        switch (aes->keylen) {

        #ifdef WOLFSSL_AES_128

            case AES_128_KEY_SIZE:

                ret = WOLFSSL_SCE_AES128_HANDLE.p_api->decrypt(

                        WOLFSSL_SCE_AES128_HANDLE.p_ctrl, aes->key, aes->reg,

                        (sz / sizeof(word32)), (word32*)inBlock,

                        (word32*)outBlock);

                break;

        #endif

        #ifdef WOLFSSL_AES_192

            case AES_192_KEY_SIZE:

                ret = WOLFSSL_SCE_AES192_HANDLE.p_api->decrypt(

                        WOLFSSL_SCE_AES192_HANDLE.p_ctrl, aes->key, aes->reg,

                        (sz / sizeof(word32)), (word32*)inBlock,

                        (word32*)outBlock);

                break;

        #endif

        #ifdef WOLFSSL_AES_256

            case AES_256_KEY_SIZE:

                ret = WOLFSSL_SCE_AES256_HANDLE.p_api->decrypt(

                        WOLFSSL_SCE_AES256_HANDLE.p_ctrl, aes->key, aes->reg,

                        (sz / sizeof(word32)), (word32*)inBlock,

                        (word32*)outBlock);

                break;

        #endif

            default:

                WOLFSSL_MSG("Unknown key size");

                return BAD_FUNC_ARG;

        }

        if (ret != SSP_SUCCESS) {

            return WC_HW_E;

        }

        if (WOLFSSL_SCE_GSCE_HANDLE.p_cfg->endian_flag ==

                CRYPTO_WORD_ENDIAN_BIG) {

            ByteReverseWords((word32*)outBlock, (word32*)outBlock, sz);

            if (inBlock != outBlock) {

                /* revert input */

                ByteReverseWords((word32*)inBlock, (word32*)inBlock, sz);

            }

        }

        return 0;

    }

    #endif /* HAVE_AES_DECRYPT */

    #if defined(HAVE_AESGCM) || defined(WOLFSSL_AES_DIRECT)

    static WARN_UNUSED_RESULT int wc_AesEncrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        {

            int ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

            if (ret < 0)

                return ret;

        }

#endif

        return AES_ECB_encrypt(aes, inBlock, outBlock, WC_AES_BLOCK_SIZE);

    }

    #endif

    #if defined(HAVE_AES_DECRYPT) && defined(WOLFSSL_AES_DIRECT)

    static WARN_UNUSED_RESULT int wc_AesDecrypt(

        Aes* aes, const byte* inBlock, byte* outBlock)

    {

#ifdef WC_DEBUG_CIPHER_LIFECYCLE

        {

            int ret = wc_debug_CipherLifecycleCheck(aes->CipherLifecycleTag, 0);

            if (ret < 0)

                return ret;

        }

#endif

        return AES_ECB_decrypt(aes, inBlock, outBlock, WC_AES_BLOCK_SIZE);

    }

    #endif

#elif defined(WOLFSSL_KCAPI_AES)

    /* Only CBC and GCM are in wolfcrypt/src/port/kcapi/kcapi_aes.c */

    #if defined(WOLFSSL_AES_COUNTER) || defined(HAVE_AESCCM) || \

        defined(WOLFSSL_CMAC) || defined(WOLFSSL_AES_OFB) || \