Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
aes.c
00001 /* 00002 * FIPS-197 compliant AES implementation 00003 * 00004 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 00005 * SPDX-License-Identifier: Apache-2.0 00006 * 00007 * Licensed under the Apache License, Version 2.0 (the "License"); you may 00008 * not use this file except in compliance with the License. 00009 * You may obtain a copy of the License at 00010 * 00011 * http://www.apache.org/licenses/LICENSE-2.0 00012 * 00013 * Unless required by applicable law or agreed to in writing, software 00014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 00015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00016 * See the License for the specific language governing permissions and 00017 * limitations under the License. 00018 * 00019 * This file is part of mbed TLS (https://tls.mbed.org) 00020 */ 00021 /* 00022 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 00023 * 00024 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf 00025 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 00026 */ 00027 00028 #if !defined(MBEDTLS_CONFIG_FILE) 00029 #include "mbedtls/config.h" 00030 #else 00031 #include MBEDTLS_CONFIG_FILE 00032 #endif 00033 00034 #if defined(MBEDTLS_AES_C) 00035 00036 #include <string.h> 00037 00038 #include "mbedtls/aes.h" 00039 #include "mbedtls/platform.h" 00040 #include "mbedtls/platform_util.h" 00041 #if defined(MBEDTLS_PADLOCK_C) 00042 #include "mbedtls/padlock.h" 00043 #endif 00044 #if defined(MBEDTLS_AESNI_C) 00045 #include "mbedtls/aesni.h" 00046 #endif 00047 00048 #if defined(MBEDTLS_SELF_TEST) 00049 #if defined(MBEDTLS_PLATFORM_C) 00050 #include "mbedtls/platform.h" 00051 #else 00052 #include <stdio.h> 00053 #define mbedtls_printf printf 00054 #endif /* MBEDTLS_PLATFORM_C */ 00055 #endif /* MBEDTLS_SELF_TEST */ 00056 00057 #if !defined(MBEDTLS_AES_ALT) 00058 00059 /* Parameter validation macros based on platform_util.h */ 00060 #define AES_VALIDATE_RET( cond ) \ 00061 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA ) 00062 #define AES_VALIDATE( cond ) \ 00063 MBEDTLS_INTERNAL_VALIDATE( cond ) 00064 00065 /* 00066 * 32-bit integer manipulation macros (little endian) 00067 */ 00068 #ifndef GET_UINT32_LE 00069 #define GET_UINT32_LE(n,b,i) \ 00070 { \ 00071 (n) = ( (uint32_t) (b)[(i) ] ) \ 00072 | ( (uint32_t) (b)[(i) + 1] << 8 ) \ 00073 | ( (uint32_t) (b)[(i) + 2] << 16 ) \ 00074 | ( (uint32_t) (b)[(i) + 3] << 24 ); \ 00075 } 00076 #endif 00077 00078 #ifndef PUT_UINT32_LE 00079 #define PUT_UINT32_LE(n,b,i) \ 00080 { \ 00081 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \ 00082 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \ 00083 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \ 00084 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \ 00085 } 00086 #endif 00087 00088 #if defined(MBEDTLS_PADLOCK_C) && \ 00089 ( defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16) ) 00090 static int aes_padlock_ace = -1; 00091 #endif 00092 00093 #if defined(MBEDTLS_AES_ROM_TABLES) 00094 /* 00095 * Forward S-box 00096 */ 00097 static const unsigned char FSb[256] = 00098 { 00099 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 00100 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 00101 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 00102 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 00103 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 00104 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 00105 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 00106 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 00107 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 00108 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 00109 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 00110 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 00111 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 00112 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 00113 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 00114 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 00115 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 00116 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 00117 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 00118 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 00119 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 00120 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 00121 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 00122 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 00123 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 00124 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 00125 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 00126 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 00127 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 00128 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 00129 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 00130 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 00131 }; 00132 00133 /* 00134 * Forward tables 00135 */ 00136 #define FT \ 00137 \ 00138 V(A5,63,63,C6), V(84,7C,7C,F8), V(99,77,77,EE), V(8D,7B,7B,F6), \ 00139 V(0D,F2,F2,FF), V(BD,6B,6B,D6), V(B1,6F,6F,DE), V(54,C5,C5,91), \ 00140 V(50,30,30,60), V(03,01,01,02), V(A9,67,67,CE), V(7D,2B,2B,56), \ 00141 V(19,FE,FE,E7), V(62,D7,D7,B5), V(E6,AB,AB,4D), V(9A,76,76,EC), \ 00142 V(45,CA,CA,8F), V(9D,82,82,1F), V(40,C9,C9,89), V(87,7D,7D,FA), \ 00143 V(15,FA,FA,EF), V(EB,59,59,B2), V(C9,47,47,8E), V(0B,F0,F0,FB), \ 00144 V(EC,AD,AD,41), V(67,D4,D4,B3), V(FD,A2,A2,5F), V(EA,AF,AF,45), \ 00145 V(BF,9C,9C,23), V(F7,A4,A4,53), V(96,72,72,E4), V(5B,C0,C0,9B), \ 00146 V(C2,B7,B7,75), V(1C,FD,FD,E1), V(AE,93,93,3D), V(6A,26,26,4C), \ 00147 V(5A,36,36,6C), V(41,3F,3F,7E), V(02,F7,F7,F5), V(4F,CC,CC,83), \ 00148 V(5C,34,34,68), V(F4,A5,A5,51), V(34,E5,E5,D1), V(08,F1,F1,F9), \ 00149 V(93,71,71,E2), V(73,D8,D8,AB), V(53,31,31,62), V(3F,15,15,2A), \ 00150 V(0C,04,04,08), V(52,C7,C7,95), V(65,23,23,46), V(5E,C3,C3,9D), \ 00151 V(28,18,18,30), V(A1,96,96,37), V(0F,05,05,0A), V(B5,9A,9A,2F), \ 00152 V(09,07,07,0E), V(36,12,12,24), V(9B,80,80,1B), V(3D,E2,E2,DF), \ 00153 V(26,EB,EB,CD), V(69,27,27,4E), V(CD,B2,B2,7F), V(9F,75,75,EA), \ 00154 V(1B,09,09,12), V(9E,83,83,1D), V(74,2C,2C,58), V(2E,1A,1A,34), \ 00155 V(2D,1B,1B,36), V(B2,6E,6E,DC), V(EE,5A,5A,B4), V(FB,A0,A0,5B), \ 00156 V(F6,52,52,A4), V(4D,3B,3B,76), V(61,D6,D6,B7), V(CE,B3,B3,7D), \ 00157 V(7B,29,29,52), V(3E,E3,E3,DD), V(71,2F,2F,5E), V(97,84,84,13), \ 00158 V(F5,53,53,A6), V(68,D1,D1,B9), V(00,00,00,00), V(2C,ED,ED,C1), \ 00159 V(60,20,20,40), V(1F,FC,FC,E3), V(C8,B1,B1,79), V(ED,5B,5B,B6), \ 00160 V(BE,6A,6A,D4), V(46,CB,CB,8D), V(D9,BE,BE,67), V(4B,39,39,72), \ 00161 V(DE,4A,4A,94), V(D4,4C,4C,98), V(E8,58,58,B0), V(4A,CF,CF,85), \ 00162 V(6B,D0,D0,BB), V(2A,EF,EF,C5), V(E5,AA,AA,4F), V(16,FB,FB,ED), \ 00163 V(C5,43,43,86), V(D7,4D,4D,9A), V(55,33,33,66), V(94,85,85,11), \ 00164 V(CF,45,45,8A), V(10,F9,F9,E9), V(06,02,02,04), V(81,7F,7F,FE), \ 00165 V(F0,50,50,A0), V(44,3C,3C,78), V(BA,9F,9F,25), V(E3,A8,A8,4B), \ 00166 V(F3,51,51,A2), V(FE,A3,A3,5D), V(C0,40,40,80), V(8A,8F,8F,05), \ 00167 V(AD,92,92,3F), V(BC,9D,9D,21), V(48,38,38,70), V(04,F5,F5,F1), \ 00168 V(DF,BC,BC,63), V(C1,B6,B6,77), V(75,DA,DA,AF), V(63,21,21,42), \ 00169 V(30,10,10,20), V(1A,FF,FF,E5), V(0E,F3,F3,FD), V(6D,D2,D2,BF), \ 00170 V(4C,CD,CD,81), V(14,0C,0C,18), V(35,13,13,26), V(2F,EC,EC,C3), \ 00171 V(E1,5F,5F,BE), V(A2,97,97,35), V(CC,44,44,88), V(39,17,17,2E), \ 00172 V(57,C4,C4,93), V(F2,A7,A7,55), V(82,7E,7E,FC), V(47,3D,3D,7A), \ 00173 V(AC,64,64,C8), V(E7,5D,5D,BA), V(2B,19,19,32), V(95,73,73,E6), \ 00174 V(A0,60,60,C0), V(98,81,81,19), V(D1,4F,4F,9E), V(7F,DC,DC,A3), \ 00175 V(66,22,22,44), V(7E,2A,2A,54), V(AB,90,90,3B), V(83,88,88,0B), \ 00176 V(CA,46,46,8C), V(29,EE,EE,C7), V(D3,B8,B8,6B), V(3C,14,14,28), \ 00177 V(79,DE,DE,A7), V(E2,5E,5E,BC), V(1D,0B,0B,16), V(76,DB,DB,AD), \ 00178 V(3B,E0,E0,DB), V(56,32,32,64), V(4E,3A,3A,74), V(1E,0A,0A,14), \ 00179 V(DB,49,49,92), V(0A,06,06,0C), V(6C,24,24,48), V(E4,5C,5C,B8), \ 00180 V(5D,C2,C2,9F), V(6E,D3,D3,BD), V(EF,AC,AC,43), V(A6,62,62,C4), \ 00181 V(A8,91,91,39), V(A4,95,95,31), V(37,E4,E4,D3), V(8B,79,79,F2), \ 00182 V(32,E7,E7,D5), V(43,C8,C8,8B), V(59,37,37,6E), V(B7,6D,6D,DA), \ 00183 V(8C,8D,8D,01), V(64,D5,D5,B1), V(D2,4E,4E,9C), V(E0,A9,A9,49), \ 00184 V(B4,6C,6C,D8), V(FA,56,56,AC), V(07,F4,F4,F3), V(25,EA,EA,CF), \ 00185 V(AF,65,65,CA), V(8E,7A,7A,F4), V(E9,AE,AE,47), V(18,08,08,10), \ 00186 V(D5,BA,BA,6F), V(88,78,78,F0), V(6F,25,25,4A), V(72,2E,2E,5C), \ 00187 V(24,1C,1C,38), V(F1,A6,A6,57), V(C7,B4,B4,73), V(51,C6,C6,97), \ 00188 V(23,E8,E8,CB), V(7C,DD,DD,A1), V(9C,74,74,E8), V(21,1F,1F,3E), \ 00189 V(DD,4B,4B,96), V(DC,BD,BD,61), V(86,8B,8B,0D), V(85,8A,8A,0F), \ 00190 V(90,70,70,E0), V(42,3E,3E,7C), V(C4,B5,B5,71), V(AA,66,66,CC), \ 00191 V(D8,48,48,90), V(05,03,03,06), V(01,F6,F6,F7), V(12,0E,0E,1C), \ 00192 V(A3,61,61,C2), V(5F,35,35,6A), V(F9,57,57,AE), V(D0,B9,B9,69), \ 00193 V(91,86,86,17), V(58,C1,C1,99), V(27,1D,1D,3A), V(B9,9E,9E,27), \ 00194 V(38,E1,E1,D9), V(13,F8,F8,EB), V(B3,98,98,2B), V(33,11,11,22), \ 00195 V(BB,69,69,D2), V(70,D9,D9,A9), V(89,8E,8E,07), V(A7,94,94,33), \ 00196 V(B6,9B,9B,2D), V(22,1E,1E,3C), V(92,87,87,15), V(20,E9,E9,C9), \ 00197 V(49,CE,CE,87), V(FF,55,55,AA), V(78,28,28,50), V(7A,DF,DF,A5), \ 00198 V(8F,8C,8C,03), V(F8,A1,A1,59), V(80,89,89,09), V(17,0D,0D,1A), \ 00199 V(DA,BF,BF,65), V(31,E6,E6,D7), V(C6,42,42,84), V(B8,68,68,D0), \ 00200 V(C3,41,41,82), V(B0,99,99,29), V(77,2D,2D,5A), V(11,0F,0F,1E), \ 00201 V(CB,B0,B0,7B), V(FC,54,54,A8), V(D6,BB,BB,6D), V(3A,16,16,2C) 00202 00203 #define V(a,b,c,d) 0x##a##b##c##d 00204 static const uint32_t FT0[256] = { FT }; 00205 #undef V 00206 00207 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00208 00209 #define V(a,b,c,d) 0x##b##c##d##a 00210 static const uint32_t FT1[256] = { FT }; 00211 #undef V 00212 00213 #define V(a,b,c,d) 0x##c##d##a##b 00214 static const uint32_t FT2[256] = { FT }; 00215 #undef V 00216 00217 #define V(a,b,c,d) 0x##d##a##b##c 00218 static const uint32_t FT3[256] = { FT }; 00219 #undef V 00220 00221 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00222 00223 #undef FT 00224 00225 /* 00226 * Reverse S-box 00227 */ 00228 static const unsigned char RSb[256] = 00229 { 00230 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 00231 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 00232 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 00233 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 00234 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 00235 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 00236 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 00237 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 00238 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 00239 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 00240 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 00241 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 00242 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 00243 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 00244 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 00245 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 00246 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 00247 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 00248 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 00249 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 00250 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 00251 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 00252 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 00253 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 00254 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 00255 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 00256 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 00257 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 00258 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 00259 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 00260 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 00261 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 00262 }; 00263 00264 /* 00265 * Reverse tables 00266 */ 00267 #define RT \ 00268 \ 00269 V(50,A7,F4,51), V(53,65,41,7E), V(C3,A4,17,1A), V(96,5E,27,3A), \ 00270 V(CB,6B,AB,3B), V(F1,45,9D,1F), V(AB,58,FA,AC), V(93,03,E3,4B), \ 00271 V(55,FA,30,20), V(F6,6D,76,AD), V(91,76,CC,88), V(25,4C,02,F5), \ 00272 V(FC,D7,E5,4F), V(D7,CB,2A,C5), V(80,44,35,26), V(8F,A3,62,B5), \ 00273 V(49,5A,B1,DE), V(67,1B,BA,25), V(98,0E,EA,45), V(E1,C0,FE,5D), \ 00274 V(02,75,2F,C3), V(12,F0,4C,81), V(A3,97,46,8D), V(C6,F9,D3,6B), \ 00275 V(E7,5F,8F,03), V(95,9C,92,15), V(EB,7A,6D,BF), V(DA,59,52,95), \ 00276 V(2D,83,BE,D4), V(D3,21,74,58), V(29,69,E0,49), V(44,C8,C9,8E), \ 00277 V(6A,89,C2,75), V(78,79,8E,F4), V(6B,3E,58,99), V(DD,71,B9,27), \ 00278 V(B6,4F,E1,BE), V(17,AD,88,F0), V(66,AC,20,C9), V(B4,3A,CE,7D), \ 00279 V(18,4A,DF,63), V(82,31,1A,E5), V(60,33,51,97), V(45,7F,53,62), \ 00280 V(E0,77,64,B1), V(84,AE,6B,BB), V(1C,A0,81,FE), V(94,2B,08,F9), \ 00281 V(58,68,48,70), V(19,FD,45,8F), V(87,6C,DE,94), V(B7,F8,7B,52), \ 00282 V(23,D3,73,AB), V(E2,02,4B,72), V(57,8F,1F,E3), V(2A,AB,55,66), \ 00283 V(07,28,EB,B2), V(03,C2,B5,2F), V(9A,7B,C5,86), V(A5,08,37,D3), \ 00284 V(F2,87,28,30), V(B2,A5,BF,23), V(BA,6A,03,02), V(5C,82,16,ED), \ 00285 V(2B,1C,CF,8A), V(92,B4,79,A7), V(F0,F2,07,F3), V(A1,E2,69,4E), \ 00286 V(CD,F4,DA,65), V(D5,BE,05,06), V(1F,62,34,D1), V(8A,FE,A6,C4), \ 00287 V(9D,53,2E,34), V(A0,55,F3,A2), V(32,E1,8A,05), V(75,EB,F6,A4), \ 00288 V(39,EC,83,0B), V(AA,EF,60,40), V(06,9F,71,5E), V(51,10,6E,BD), \ 00289 V(F9,8A,21,3E), V(3D,06,DD,96), V(AE,05,3E,DD), V(46,BD,E6,4D), \ 00290 V(B5,8D,54,91), V(05,5D,C4,71), V(6F,D4,06,04), V(FF,15,50,60), \ 00291 V(24,FB,98,19), V(97,E9,BD,D6), V(CC,43,40,89), V(77,9E,D9,67), \ 00292 V(BD,42,E8,B0), V(88,8B,89,07), V(38,5B,19,E7), V(DB,EE,C8,79), \ 00293 V(47,0A,7C,A1), V(E9,0F,42,7C), V(C9,1E,84,F8), V(00,00,00,00), \ 00294 V(83,86,80,09), V(48,ED,2B,32), V(AC,70,11,1E), V(4E,72,5A,6C), \ 00295 V(FB,FF,0E,FD), V(56,38,85,0F), V(1E,D5,AE,3D), V(27,39,2D,36), \ 00296 V(64,D9,0F,0A), V(21,A6,5C,68), V(D1,54,5B,9B), V(3A,2E,36,24), \ 00297 V(B1,67,0A,0C), V(0F,E7,57,93), V(D2,96,EE,B4), V(9E,91,9B,1B), \ 00298 V(4F,C5,C0,80), V(A2,20,DC,61), V(69,4B,77,5A), V(16,1A,12,1C), \ 00299 V(0A,BA,93,E2), V(E5,2A,A0,C0), V(43,E0,22,3C), V(1D,17,1B,12), \ 00300 V(0B,0D,09,0E), V(AD,C7,8B,F2), V(B9,A8,B6,2D), V(C8,A9,1E,14), \ 00301 V(85,19,F1,57), V(4C,07,75,AF), V(BB,DD,99,EE), V(FD,60,7F,A3), \ 00302 V(9F,26,01,F7), V(BC,F5,72,5C), V(C5,3B,66,44), V(34,7E,FB,5B), \ 00303 V(76,29,43,8B), V(DC,C6,23,CB), V(68,FC,ED,B6), V(63,F1,E4,B8), \ 00304 V(CA,DC,31,D7), V(10,85,63,42), V(40,22,97,13), V(20,11,C6,84), \ 00305 V(7D,24,4A,85), V(F8,3D,BB,D2), V(11,32,F9,AE), V(6D,A1,29,C7), \ 00306 V(4B,2F,9E,1D), V(F3,30,B2,DC), V(EC,52,86,0D), V(D0,E3,C1,77), \ 00307 V(6C,16,B3,2B), V(99,B9,70,A9), V(FA,48,94,11), V(22,64,E9,47), \ 00308 V(C4,8C,FC,A8), V(1A,3F,F0,A0), V(D8,2C,7D,56), V(EF,90,33,22), \ 00309 V(C7,4E,49,87), V(C1,D1,38,D9), V(FE,A2,CA,8C), V(36,0B,D4,98), \ 00310 V(CF,81,F5,A6), V(28,DE,7A,A5), V(26,8E,B7,DA), V(A4,BF,AD,3F), \ 00311 V(E4,9D,3A,2C), V(0D,92,78,50), V(9B,CC,5F,6A), V(62,46,7E,54), \ 00312 V(C2,13,8D,F6), V(E8,B8,D8,90), V(5E,F7,39,2E), V(F5,AF,C3,82), \ 00313 V(BE,80,5D,9F), V(7C,93,D0,69), V(A9,2D,D5,6F), V(B3,12,25,CF), \ 00314 V(3B,99,AC,C8), V(A7,7D,18,10), V(6E,63,9C,E8), V(7B,BB,3B,DB), \ 00315 V(09,78,26,CD), V(F4,18,59,6E), V(01,B7,9A,EC), V(A8,9A,4F,83), \ 00316 V(65,6E,95,E6), V(7E,E6,FF,AA), V(08,CF,BC,21), V(E6,E8,15,EF), \ 00317 V(D9,9B,E7,BA), V(CE,36,6F,4A), V(D4,09,9F,EA), V(D6,7C,B0,29), \ 00318 V(AF,B2,A4,31), V(31,23,3F,2A), V(30,94,A5,C6), V(C0,66,A2,35), \ 00319 V(37,BC,4E,74), V(A6,CA,82,FC), V(B0,D0,90,E0), V(15,D8,A7,33), \ 00320 V(4A,98,04,F1), V(F7,DA,EC,41), V(0E,50,CD,7F), V(2F,F6,91,17), \ 00321 V(8D,D6,4D,76), V(4D,B0,EF,43), V(54,4D,AA,CC), V(DF,04,96,E4), \ 00322 V(E3,B5,D1,9E), V(1B,88,6A,4C), V(B8,1F,2C,C1), V(7F,51,65,46), \ 00323 V(04,EA,5E,9D), V(5D,35,8C,01), V(73,74,87,FA), V(2E,41,0B,FB), \ 00324 V(5A,1D,67,B3), V(52,D2,DB,92), V(33,56,10,E9), V(13,47,D6,6D), \ 00325 V(8C,61,D7,9A), V(7A,0C,A1,37), V(8E,14,F8,59), V(89,3C,13,EB), \ 00326 V(EE,27,A9,CE), V(35,C9,61,B7), V(ED,E5,1C,E1), V(3C,B1,47,7A), \ 00327 V(59,DF,D2,9C), V(3F,73,F2,55), V(79,CE,14,18), V(BF,37,C7,73), \ 00328 V(EA,CD,F7,53), V(5B,AA,FD,5F), V(14,6F,3D,DF), V(86,DB,44,78), \ 00329 V(81,F3,AF,CA), V(3E,C4,68,B9), V(2C,34,24,38), V(5F,40,A3,C2), \ 00330 V(72,C3,1D,16), V(0C,25,E2,BC), V(8B,49,3C,28), V(41,95,0D,FF), \ 00331 V(71,01,A8,39), V(DE,B3,0C,08), V(9C,E4,B4,D8), V(90,C1,56,64), \ 00332 V(61,84,CB,7B), V(70,B6,32,D5), V(74,5C,6C,48), V(42,57,B8,D0) 00333 00334 #define V(a,b,c,d) 0x##a##b##c##d 00335 static const uint32_t RT0[256] = { RT }; 00336 #undef V 00337 00338 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00339 00340 #define V(a,b,c,d) 0x##b##c##d##a 00341 static const uint32_t RT1[256] = { RT }; 00342 #undef V 00343 00344 #define V(a,b,c,d) 0x##c##d##a##b 00345 static const uint32_t RT2[256] = { RT }; 00346 #undef V 00347 00348 #define V(a,b,c,d) 0x##d##a##b##c 00349 static const uint32_t RT3[256] = { RT }; 00350 #undef V 00351 00352 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00353 00354 #undef RT 00355 00356 /* 00357 * Round constants 00358 */ 00359 static const uint32_t RCON[10] = 00360 { 00361 0x00000001, 0x00000002, 0x00000004, 0x00000008, 00362 0x00000010, 0x00000020, 0x00000040, 0x00000080, 00363 0x0000001B, 0x00000036 00364 }; 00365 00366 #else /* MBEDTLS_AES_ROM_TABLES */ 00367 00368 /* 00369 * Forward S-box & tables 00370 */ 00371 static unsigned char FSb[256]; 00372 static uint32_t FT0[256]; 00373 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00374 static uint32_t FT1[256]; 00375 static uint32_t FT2[256]; 00376 static uint32_t FT3[256]; 00377 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00378 00379 /* 00380 * Reverse S-box & tables 00381 */ 00382 static unsigned char RSb[256]; 00383 static uint32_t RT0[256]; 00384 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00385 static uint32_t RT1[256]; 00386 static uint32_t RT2[256]; 00387 static uint32_t RT3[256]; 00388 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00389 00390 /* 00391 * Round constants 00392 */ 00393 static uint32_t RCON[10]; 00394 00395 /* 00396 * Tables generation code 00397 */ 00398 #define ROTL8(x) ( ( (x) << 8 ) & 0xFFFFFFFF ) | ( (x) >> 24 ) 00399 #define XTIME(x) ( ( (x) << 1 ) ^ ( ( (x) & 0x80 ) ? 0x1B : 0x00 ) ) 00400 #define MUL(x,y) ( ( (x) && (y) ) ? pow[(log[(x)]+log[(y)]) % 255] : 0 ) 00401 00402 static int aes_init_done = 0; 00403 00404 static void aes_gen_tables( void ) 00405 { 00406 int i, x, y, z; 00407 int pow[256]; 00408 int log[256]; 00409 00410 /* 00411 * compute pow and log tables over GF(2^8) 00412 */ 00413 for( i = 0, x = 1; i < 256; i++ ) 00414 { 00415 pow[i] = x; 00416 log[x] = i; 00417 x = ( x ^ XTIME( x ) ) & 0xFF; 00418 } 00419 00420 /* 00421 * calculate the round constants 00422 */ 00423 for( i = 0, x = 1; i < 10; i++ ) 00424 { 00425 RCON[i] = (uint32_t) x; 00426 x = XTIME( x ) & 0xFF; 00427 } 00428 00429 /* 00430 * generate the forward and reverse S-boxes 00431 */ 00432 FSb[0x00] = 0x63; 00433 RSb[0x63] = 0x00; 00434 00435 for( i = 1; i < 256; i++ ) 00436 { 00437 x = pow[255 - log[i]]; 00438 00439 y = x; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00440 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00441 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00442 x ^= y; y = ( ( y << 1 ) | ( y >> 7 ) ) & 0xFF; 00443 x ^= y ^ 0x63; 00444 00445 FSb[i] = (unsigned char) x; 00446 RSb[x] = (unsigned char) i; 00447 } 00448 00449 /* 00450 * generate the forward and reverse tables 00451 */ 00452 for( i = 0; i < 256; i++ ) 00453 { 00454 x = FSb[i]; 00455 y = XTIME( x ) & 0xFF; 00456 z = ( y ^ x ) & 0xFF; 00457 00458 FT0[i] = ( (uint32_t) y ) ^ 00459 ( (uint32_t) x << 8 ) ^ 00460 ( (uint32_t) x << 16 ) ^ 00461 ( (uint32_t) z << 24 ); 00462 00463 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00464 FT1[i] = ROTL8( FT0[i] ); 00465 FT2[i] = ROTL8( FT1[i] ); 00466 FT3[i] = ROTL8( FT2[i] ); 00467 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00468 00469 x = RSb[i]; 00470 00471 RT0[i] = ( (uint32_t) MUL( 0x0E, x ) ) ^ 00472 ( (uint32_t) MUL( 0x09, x ) << 8 ) ^ 00473 ( (uint32_t) MUL( 0x0D, x ) << 16 ) ^ 00474 ( (uint32_t) MUL( 0x0B, x ) << 24 ); 00475 00476 #if !defined(MBEDTLS_AES_FEWER_TABLES) 00477 RT1[i] = ROTL8( RT0[i] ); 00478 RT2[i] = ROTL8( RT1[i] ); 00479 RT3[i] = ROTL8( RT2[i] ); 00480 #endif /* !MBEDTLS_AES_FEWER_TABLES */ 00481 } 00482 } 00483 00484 #undef ROTL8 00485 00486 #endif /* MBEDTLS_AES_ROM_TABLES */ 00487 00488 #if defined(MBEDTLS_AES_FEWER_TABLES) 00489 00490 #define ROTL8(x) ( (uint32_t)( ( x ) << 8 ) + (uint32_t)( ( x ) >> 24 ) ) 00491 #define ROTL16(x) ( (uint32_t)( ( x ) << 16 ) + (uint32_t)( ( x ) >> 16 ) ) 00492 #define ROTL24(x) ( (uint32_t)( ( x ) << 24 ) + (uint32_t)( ( x ) >> 8 ) ) 00493 00494 #define AES_RT0(idx) RT0[idx] 00495 #define AES_RT1(idx) ROTL8( RT0[idx] ) 00496 #define AES_RT2(idx) ROTL16( RT0[idx] ) 00497 #define AES_RT3(idx) ROTL24( RT0[idx] ) 00498 00499 #define AES_FT0(idx) FT0[idx] 00500 #define AES_FT1(idx) ROTL8( FT0[idx] ) 00501 #define AES_FT2(idx) ROTL16( FT0[idx] ) 00502 #define AES_FT3(idx) ROTL24( FT0[idx] ) 00503 00504 #else /* MBEDTLS_AES_FEWER_TABLES */ 00505 00506 #define AES_RT0(idx) RT0[idx] 00507 #define AES_RT1(idx) RT1[idx] 00508 #define AES_RT2(idx) RT2[idx] 00509 #define AES_RT3(idx) RT3[idx] 00510 00511 #define AES_FT0(idx) FT0[idx] 00512 #define AES_FT1(idx) FT1[idx] 00513 #define AES_FT2(idx) FT2[idx] 00514 #define AES_FT3(idx) FT3[idx] 00515 00516 #endif /* MBEDTLS_AES_FEWER_TABLES */ 00517 00518 void mbedtls_aes_init( mbedtls_aes_context *ctx ) 00519 { 00520 AES_VALIDATE( ctx != NULL ); 00521 00522 memset( ctx, 0, sizeof( mbedtls_aes_context ) ); 00523 } 00524 00525 void mbedtls_aes_free( mbedtls_aes_context *ctx ) 00526 { 00527 if( ctx == NULL ) 00528 return; 00529 00530 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); 00531 } 00532 00533 #if defined(MBEDTLS_CIPHER_MODE_XTS) 00534 void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx ) 00535 { 00536 AES_VALIDATE( ctx != NULL ); 00537 00538 mbedtls_aes_init( &ctx->crypt ); 00539 mbedtls_aes_init( &ctx->tweak ); 00540 } 00541 00542 void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx ) 00543 { 00544 if( ctx == NULL ) 00545 return; 00546 00547 mbedtls_aes_free( &ctx->crypt ); 00548 mbedtls_aes_free( &ctx->tweak ); 00549 } 00550 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 00551 00552 /* 00553 * AES key schedule (encryption) 00554 */ 00555 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 00556 int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, 00557 unsigned int keybits ) 00558 { 00559 unsigned int i; 00560 uint32_t *RK; 00561 00562 AES_VALIDATE_RET( ctx != NULL ); 00563 AES_VALIDATE_RET( key != NULL ); 00564 00565 switch( keybits ) 00566 { 00567 case 128: ctx->nr = 10; break; 00568 case 192: ctx->nr = 12; break; 00569 case 256: ctx->nr = 14; break; 00570 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 00571 } 00572 00573 #if !defined(MBEDTLS_AES_ROM_TABLES) 00574 if( aes_init_done == 0 ) 00575 { 00576 aes_gen_tables(); 00577 aes_init_done = 1; 00578 } 00579 #endif 00580 00581 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 00582 if( aes_padlock_ace == -1 ) 00583 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 00584 00585 if( aes_padlock_ace ) 00586 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 00587 else 00588 #endif 00589 ctx->rk = RK = ctx->buf ; 00590 00591 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 00592 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 00593 return( mbedtls_aesni_setkey_enc( (unsigned char *) ctx->rk , key, keybits ) ); 00594 #endif 00595 00596 for( i = 0; i < ( keybits >> 5 ); i++ ) 00597 { 00598 GET_UINT32_LE( RK[i], key, i << 2 ); 00599 } 00600 00601 switch( ctx->nr ) 00602 { 00603 case 10: 00604 00605 for( i = 0; i < 10; i++, RK += 4 ) 00606 { 00607 RK[4] = RK[0] ^ RCON[i] ^ 00608 ( (uint32_t) FSb[ ( RK[3] >> 8 ) & 0xFF ] ) ^ 00609 ( (uint32_t) FSb[ ( RK[3] >> 16 ) & 0xFF ] << 8 ) ^ 00610 ( (uint32_t) FSb[ ( RK[3] >> 24 ) & 0xFF ] << 16 ) ^ 00611 ( (uint32_t) FSb[ ( RK[3] ) & 0xFF ] << 24 ); 00612 00613 RK[5] = RK[1] ^ RK[4]; 00614 RK[6] = RK[2] ^ RK[5]; 00615 RK[7] = RK[3] ^ RK[6]; 00616 } 00617 break; 00618 00619 case 12: 00620 00621 for( i = 0; i < 8; i++, RK += 6 ) 00622 { 00623 RK[6] = RK[0] ^ RCON[i] ^ 00624 ( (uint32_t) FSb[ ( RK[5] >> 8 ) & 0xFF ] ) ^ 00625 ( (uint32_t) FSb[ ( RK[5] >> 16 ) & 0xFF ] << 8 ) ^ 00626 ( (uint32_t) FSb[ ( RK[5] >> 24 ) & 0xFF ] << 16 ) ^ 00627 ( (uint32_t) FSb[ ( RK[5] ) & 0xFF ] << 24 ); 00628 00629 RK[7] = RK[1] ^ RK[6]; 00630 RK[8] = RK[2] ^ RK[7]; 00631 RK[9] = RK[3] ^ RK[8]; 00632 RK[10] = RK[4] ^ RK[9]; 00633 RK[11] = RK[5] ^ RK[10]; 00634 } 00635 break; 00636 00637 case 14: 00638 00639 for( i = 0; i < 7; i++, RK += 8 ) 00640 { 00641 RK[8] = RK[0] ^ RCON[i] ^ 00642 ( (uint32_t) FSb[ ( RK[7] >> 8 ) & 0xFF ] ) ^ 00643 ( (uint32_t) FSb[ ( RK[7] >> 16 ) & 0xFF ] << 8 ) ^ 00644 ( (uint32_t) FSb[ ( RK[7] >> 24 ) & 0xFF ] << 16 ) ^ 00645 ( (uint32_t) FSb[ ( RK[7] ) & 0xFF ] << 24 ); 00646 00647 RK[9] = RK[1] ^ RK[8]; 00648 RK[10] = RK[2] ^ RK[9]; 00649 RK[11] = RK[3] ^ RK[10]; 00650 00651 RK[12] = RK[4] ^ 00652 ( (uint32_t) FSb[ ( RK[11] ) & 0xFF ] ) ^ 00653 ( (uint32_t) FSb[ ( RK[11] >> 8 ) & 0xFF ] << 8 ) ^ 00654 ( (uint32_t) FSb[ ( RK[11] >> 16 ) & 0xFF ] << 16 ) ^ 00655 ( (uint32_t) FSb[ ( RK[11] >> 24 ) & 0xFF ] << 24 ); 00656 00657 RK[13] = RK[5] ^ RK[12]; 00658 RK[14] = RK[6] ^ RK[13]; 00659 RK[15] = RK[7] ^ RK[14]; 00660 } 00661 break; 00662 } 00663 00664 return( 0 ); 00665 } 00666 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 00667 00668 /* 00669 * AES key schedule (decryption) 00670 */ 00671 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) 00672 int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, 00673 unsigned int keybits ) 00674 { 00675 int i, j, ret; 00676 mbedtls_aes_context cty; 00677 uint32_t *RK; 00678 uint32_t *SK; 00679 00680 AES_VALIDATE_RET( ctx != NULL ); 00681 AES_VALIDATE_RET( key != NULL ); 00682 00683 mbedtls_aes_init( &cty ); 00684 00685 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16) 00686 if( aes_padlock_ace == -1 ) 00687 aes_padlock_ace = mbedtls_padlock_has_support( MBEDTLS_PADLOCK_ACE ); 00688 00689 if( aes_padlock_ace ) 00690 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16( ctx->buf ); 00691 else 00692 #endif 00693 ctx->rk = RK = ctx->buf ; 00694 00695 /* Also checks keybits */ 00696 if( ( ret = mbedtls_aes_setkey_enc( &cty, key, keybits ) ) != 0 ) 00697 goto exit; 00698 00699 ctx->nr = cty.nr ; 00700 00701 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 00702 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 00703 { 00704 mbedtls_aesni_inverse_key( (unsigned char *) ctx->rk , 00705 (const unsigned char *) cty.rk , ctx->nr ); 00706 goto exit; 00707 } 00708 #endif 00709 00710 SK = cty.rk + cty.nr * 4; 00711 00712 *RK++ = *SK++; 00713 *RK++ = *SK++; 00714 *RK++ = *SK++; 00715 *RK++ = *SK++; 00716 00717 for( i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8 ) 00718 { 00719 for( j = 0; j < 4; j++, SK++ ) 00720 { 00721 *RK++ = AES_RT0( FSb[ ( *SK ) & 0xFF ] ) ^ 00722 AES_RT1( FSb[ ( *SK >> 8 ) & 0xFF ] ) ^ 00723 AES_RT2( FSb[ ( *SK >> 16 ) & 0xFF ] ) ^ 00724 AES_RT3( FSb[ ( *SK >> 24 ) & 0xFF ] ); 00725 } 00726 } 00727 00728 *RK++ = *SK++; 00729 *RK++ = *SK++; 00730 *RK++ = *SK++; 00731 *RK++ = *SK++; 00732 00733 exit: 00734 mbedtls_aes_free( &cty ); 00735 00736 return( ret ); 00737 } 00738 00739 #if defined(MBEDTLS_CIPHER_MODE_XTS) 00740 static int mbedtls_aes_xts_decode_keys( const unsigned char *key, 00741 unsigned int keybits, 00742 const unsigned char **key1, 00743 unsigned int *key1bits, 00744 const unsigned char **key2, 00745 unsigned int *key2bits ) 00746 { 00747 const unsigned int half_keybits = keybits / 2; 00748 const unsigned int half_keybytes = half_keybits / 8; 00749 00750 switch( keybits ) 00751 { 00752 case 256: break; 00753 case 512: break; 00754 default : return( MBEDTLS_ERR_AES_INVALID_KEY_LENGTH ); 00755 } 00756 00757 *key1bits = half_keybits; 00758 *key2bits = half_keybits; 00759 *key1 = &key[0]; 00760 *key2 = &key[half_keybytes]; 00761 00762 return 0; 00763 } 00764 00765 int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx, 00766 const unsigned char *key, 00767 unsigned int keybits) 00768 { 00769 int ret; 00770 const unsigned char *key1, *key2; 00771 unsigned int key1bits, key2bits; 00772 00773 AES_VALIDATE_RET( ctx != NULL ); 00774 AES_VALIDATE_RET( key != NULL ); 00775 00776 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 00777 &key2, &key2bits ); 00778 if( ret != 0 ) 00779 return( ret ); 00780 00781 /* Set the tweak key. Always set tweak key for the encryption mode. */ 00782 ret = mbedtls_aes_setkey_enc( &ctx->tweak , key2, key2bits ); 00783 if( ret != 0 ) 00784 return( ret ); 00785 00786 /* Set crypt key for encryption. */ 00787 return mbedtls_aes_setkey_enc( &ctx->crypt , key1, key1bits ); 00788 } 00789 00790 int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx, 00791 const unsigned char *key, 00792 unsigned int keybits) 00793 { 00794 int ret; 00795 const unsigned char *key1, *key2; 00796 unsigned int key1bits, key2bits; 00797 00798 AES_VALIDATE_RET( ctx != NULL ); 00799 AES_VALIDATE_RET( key != NULL ); 00800 00801 ret = mbedtls_aes_xts_decode_keys( key, keybits, &key1, &key1bits, 00802 &key2, &key2bits ); 00803 if( ret != 0 ) 00804 return( ret ); 00805 00806 /* Set the tweak key. Always set tweak key for encryption. */ 00807 ret = mbedtls_aes_setkey_enc( &ctx->tweak , key2, key2bits ); 00808 if( ret != 0 ) 00809 return( ret ); 00810 00811 /* Set crypt key for decryption. */ 00812 return mbedtls_aes_setkey_dec( &ctx->crypt , key1, key1bits ); 00813 } 00814 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 00815 00816 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ 00817 00818 #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 00819 do \ 00820 { \ 00821 (X0) = *RK++ ^ AES_FT0( ( (Y0) ) & 0xFF ) ^ \ 00822 AES_FT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 00823 AES_FT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 00824 AES_FT3( ( (Y3) >> 24 ) & 0xFF ); \ 00825 \ 00826 (X1) = *RK++ ^ AES_FT0( ( (Y1) ) & 0xFF ) ^ \ 00827 AES_FT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 00828 AES_FT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 00829 AES_FT3( ( (Y0) >> 24 ) & 0xFF ); \ 00830 \ 00831 (X2) = *RK++ ^ AES_FT0( ( (Y2) ) & 0xFF ) ^ \ 00832 AES_FT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 00833 AES_FT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 00834 AES_FT3( ( (Y1) >> 24 ) & 0xFF ); \ 00835 \ 00836 (X3) = *RK++ ^ AES_FT0( ( (Y3) ) & 0xFF ) ^ \ 00837 AES_FT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 00838 AES_FT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 00839 AES_FT3( ( (Y2) >> 24 ) & 0xFF ); \ 00840 } while( 0 ) 00841 00842 #define AES_RROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ 00843 do \ 00844 { \ 00845 (X0) = *RK++ ^ AES_RT0( ( (Y0) ) & 0xFF ) ^ \ 00846 AES_RT1( ( (Y3) >> 8 ) & 0xFF ) ^ \ 00847 AES_RT2( ( (Y2) >> 16 ) & 0xFF ) ^ \ 00848 AES_RT3( ( (Y1) >> 24 ) & 0xFF ); \ 00849 \ 00850 (X1) = *RK++ ^ AES_RT0( ( (Y1) ) & 0xFF ) ^ \ 00851 AES_RT1( ( (Y0) >> 8 ) & 0xFF ) ^ \ 00852 AES_RT2( ( (Y3) >> 16 ) & 0xFF ) ^ \ 00853 AES_RT3( ( (Y2) >> 24 ) & 0xFF ); \ 00854 \ 00855 (X2) = *RK++ ^ AES_RT0( ( (Y2) ) & 0xFF ) ^ \ 00856 AES_RT1( ( (Y1) >> 8 ) & 0xFF ) ^ \ 00857 AES_RT2( ( (Y0) >> 16 ) & 0xFF ) ^ \ 00858 AES_RT3( ( (Y3) >> 24 ) & 0xFF ); \ 00859 \ 00860 (X3) = *RK++ ^ AES_RT0( ( (Y3) ) & 0xFF ) ^ \ 00861 AES_RT1( ( (Y2) >> 8 ) & 0xFF ) ^ \ 00862 AES_RT2( ( (Y1) >> 16 ) & 0xFF ) ^ \ 00863 AES_RT3( ( (Y0) >> 24 ) & 0xFF ); \ 00864 } while( 0 ) 00865 00866 /* 00867 * AES-ECB block encryption 00868 */ 00869 #if !defined(MBEDTLS_AES_ENCRYPT_ALT) 00870 int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, 00871 const unsigned char input[16], 00872 unsigned char output[16] ) 00873 { 00874 int i; 00875 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 00876 00877 RK = ctx->rk ; 00878 00879 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 00880 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 00881 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 00882 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 00883 00884 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 00885 { 00886 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00887 AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 00888 } 00889 00890 AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00891 00892 X0 = *RK++ ^ \ 00893 ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^ 00894 ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 00895 ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 00896 ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 00897 00898 X1 = *RK++ ^ \ 00899 ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^ 00900 ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 00901 ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 00902 ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 00903 00904 X2 = *RK++ ^ \ 00905 ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^ 00906 ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 00907 ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 00908 ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 00909 00910 X3 = *RK++ ^ \ 00911 ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^ 00912 ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 00913 ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 00914 ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 00915 00916 PUT_UINT32_LE( X0, output, 0 ); 00917 PUT_UINT32_LE( X1, output, 4 ); 00918 PUT_UINT32_LE( X2, output, 8 ); 00919 PUT_UINT32_LE( X3, output, 12 ); 00920 00921 return( 0 ); 00922 } 00923 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 00924 00925 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 00926 void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, 00927 const unsigned char input[16], 00928 unsigned char output[16] ) 00929 { 00930 mbedtls_internal_aes_encrypt( ctx, input, output ); 00931 } 00932 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 00933 00934 /* 00935 * AES-ECB block decryption 00936 */ 00937 #if !defined(MBEDTLS_AES_DECRYPT_ALT) 00938 int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, 00939 const unsigned char input[16], 00940 unsigned char output[16] ) 00941 { 00942 int i; 00943 uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; 00944 00945 RK = ctx->rk ; 00946 00947 GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++; 00948 GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++; 00949 GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++; 00950 GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++; 00951 00952 for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- ) 00953 { 00954 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00955 AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 ); 00956 } 00957 00958 AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 ); 00959 00960 X0 = *RK++ ^ \ 00961 ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^ 00962 ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^ 00963 ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^ 00964 ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 ); 00965 00966 X1 = *RK++ ^ \ 00967 ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^ 00968 ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^ 00969 ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^ 00970 ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 ); 00971 00972 X2 = *RK++ ^ \ 00973 ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^ 00974 ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^ 00975 ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^ 00976 ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 ); 00977 00978 X3 = *RK++ ^ \ 00979 ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^ 00980 ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^ 00981 ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^ 00982 ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 ); 00983 00984 PUT_UINT32_LE( X0, output, 0 ); 00985 PUT_UINT32_LE( X1, output, 4 ); 00986 PUT_UINT32_LE( X2, output, 8 ); 00987 PUT_UINT32_LE( X3, output, 12 ); 00988 00989 return( 0 ); 00990 } 00991 #endif /* !MBEDTLS_AES_DECRYPT_ALT */ 00992 00993 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 00994 void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, 00995 const unsigned char input[16], 00996 unsigned char output[16] ) 00997 { 00998 mbedtls_internal_aes_decrypt( ctx, input, output ); 00999 } 01000 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 01001 01002 /* 01003 * AES-ECB block encryption/decryption 01004 */ 01005 int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, 01006 int mode, 01007 const unsigned char input[16], 01008 unsigned char output[16] ) 01009 { 01010 AES_VALIDATE_RET( ctx != NULL ); 01011 AES_VALIDATE_RET( input != NULL ); 01012 AES_VALIDATE_RET( output != NULL ); 01013 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 01014 mode == MBEDTLS_AES_DECRYPT ); 01015 01016 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) 01017 if( mbedtls_aesni_has_support( MBEDTLS_AESNI_AES ) ) 01018 return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); 01019 #endif 01020 01021 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 01022 if( aes_padlock_ace ) 01023 { 01024 if( mbedtls_padlock_xcryptecb( ctx, mode, input, output ) == 0 ) 01025 return( 0 ); 01026 01027 // If padlock data misaligned, we just fall back to 01028 // unaccelerated mode 01029 // 01030 } 01031 #endif 01032 01033 if( mode == MBEDTLS_AES_ENCRYPT ) 01034 return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); 01035 else 01036 return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); 01037 } 01038 01039 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01040 /* 01041 * AES-CBC buffer encryption/decryption 01042 */ 01043 int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, 01044 int mode, 01045 size_t length, 01046 unsigned char iv[16], 01047 const unsigned char *input, 01048 unsigned char *output ) 01049 { 01050 int i; 01051 unsigned char temp[16]; 01052 01053 AES_VALIDATE_RET( ctx != NULL ); 01054 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 01055 mode == MBEDTLS_AES_DECRYPT ); 01056 AES_VALIDATE_RET( iv != NULL ); 01057 AES_VALIDATE_RET( input != NULL ); 01058 AES_VALIDATE_RET( output != NULL ); 01059 01060 if( length % 16 ) 01061 return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH ); 01062 01063 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) 01064 if( aes_padlock_ace ) 01065 { 01066 if( mbedtls_padlock_xcryptcbc( ctx, mode, length, iv, input, output ) == 0 ) 01067 return( 0 ); 01068 01069 // If padlock data misaligned, we just fall back to 01070 // unaccelerated mode 01071 // 01072 } 01073 #endif 01074 01075 if( mode == MBEDTLS_AES_DECRYPT ) 01076 { 01077 while( length > 0 ) 01078 { 01079 memcpy( temp, input, 16 ); 01080 mbedtls_aes_crypt_ecb( ctx, mode, input, output ); 01081 01082 for( i = 0; i < 16; i++ ) 01083 output[i] = (unsigned char)( output[i] ^ iv[i] ); 01084 01085 memcpy( iv, temp, 16 ); 01086 01087 input += 16; 01088 output += 16; 01089 length -= 16; 01090 } 01091 } 01092 else 01093 { 01094 while( length > 0 ) 01095 { 01096 for( i = 0; i < 16; i++ ) 01097 output[i] = (unsigned char)( input[i] ^ iv[i] ); 01098 01099 mbedtls_aes_crypt_ecb( ctx, mode, output, output ); 01100 memcpy( iv, output, 16 ); 01101 01102 input += 16; 01103 output += 16; 01104 length -= 16; 01105 } 01106 } 01107 01108 return( 0 ); 01109 } 01110 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 01111 01112 #if defined(MBEDTLS_CIPHER_MODE_XTS) 01113 01114 /* Endianess with 64 bits values */ 01115 #ifndef GET_UINT64_LE 01116 #define GET_UINT64_LE(n,b,i) \ 01117 { \ 01118 (n) = ( (uint64_t) (b)[(i) + 7] << 56 ) \ 01119 | ( (uint64_t) (b)[(i) + 6] << 48 ) \ 01120 | ( (uint64_t) (b)[(i) + 5] << 40 ) \ 01121 | ( (uint64_t) (b)[(i) + 4] << 32 ) \ 01122 | ( (uint64_t) (b)[(i) + 3] << 24 ) \ 01123 | ( (uint64_t) (b)[(i) + 2] << 16 ) \ 01124 | ( (uint64_t) (b)[(i) + 1] << 8 ) \ 01125 | ( (uint64_t) (b)[(i) ] ); \ 01126 } 01127 #endif 01128 01129 #ifndef PUT_UINT64_LE 01130 #define PUT_UINT64_LE(n,b,i) \ 01131 { \ 01132 (b)[(i) + 7] = (unsigned char) ( (n) >> 56 ); \ 01133 (b)[(i) + 6] = (unsigned char) ( (n) >> 48 ); \ 01134 (b)[(i) + 5] = (unsigned char) ( (n) >> 40 ); \ 01135 (b)[(i) + 4] = (unsigned char) ( (n) >> 32 ); \ 01136 (b)[(i) + 3] = (unsigned char) ( (n) >> 24 ); \ 01137 (b)[(i) + 2] = (unsigned char) ( (n) >> 16 ); \ 01138 (b)[(i) + 1] = (unsigned char) ( (n) >> 8 ); \ 01139 (b)[(i) ] = (unsigned char) ( (n) ); \ 01140 } 01141 #endif 01142 01143 typedef unsigned char mbedtls_be128[16]; 01144 01145 /* 01146 * GF(2^128) multiplication function 01147 * 01148 * This function multiplies a field element by x in the polynomial field 01149 * representation. It uses 64-bit word operations to gain speed but compensates 01150 * for machine endianess and hence works correctly on both big and little 01151 * endian machines. 01152 */ 01153 static void mbedtls_gf128mul_x_ble( unsigned char r[16], 01154 const unsigned char x[16] ) 01155 { 01156 uint64_t a, b, ra, rb; 01157 01158 GET_UINT64_LE( a, x, 0 ); 01159 GET_UINT64_LE( b, x, 8 ); 01160 01161 ra = ( a << 1 ) ^ 0x0087 >> ( 8 - ( ( b >> 63 ) << 3 ) ); 01162 rb = ( a >> 63 ) | ( b << 1 ); 01163 01164 PUT_UINT64_LE( ra, r, 0 ); 01165 PUT_UINT64_LE( rb, r, 8 ); 01166 } 01167 01168 /* 01169 * AES-XTS buffer encryption/decryption 01170 */ 01171 int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx, 01172 int mode, 01173 size_t length, 01174 const unsigned char data_unit[16], 01175 const unsigned char *input, 01176 unsigned char *output ) 01177 { 01178 int ret; 01179 size_t blocks = length / 16; 01180 size_t leftover = length % 16; 01181 unsigned char tweak[16]; 01182 unsigned char prev_tweak[16]; 01183 unsigned char tmp[16]; 01184 01185 AES_VALIDATE_RET( ctx != NULL ); 01186 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 01187 mode == MBEDTLS_AES_DECRYPT ); 01188 AES_VALIDATE_RET( data_unit != NULL ); 01189 AES_VALIDATE_RET( input != NULL ); 01190 AES_VALIDATE_RET( output != NULL ); 01191 01192 /* Data units must be at least 16 bytes long. */ 01193 if( length < 16 ) 01194 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 01195 01196 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */ 01197 if( length > ( 1 << 20 ) * 16 ) 01198 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH; 01199 01200 /* Compute the tweak. */ 01201 ret = mbedtls_aes_crypt_ecb( &ctx->tweak , MBEDTLS_AES_ENCRYPT, 01202 data_unit, tweak ); 01203 if( ret != 0 ) 01204 return( ret ); 01205 01206 while( blocks-- ) 01207 { 01208 size_t i; 01209 01210 if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 ) 01211 { 01212 /* We are on the last block in a decrypt operation that has 01213 * leftover bytes, so we need to use the next tweak for this block, 01214 * and this tweak for the lefover bytes. Save the current tweak for 01215 * the leftovers and then update the current tweak for use on this, 01216 * the last full block. */ 01217 memcpy( prev_tweak, tweak, sizeof( tweak ) ); 01218 mbedtls_gf128mul_x_ble( tweak, tweak ); 01219 } 01220 01221 for( i = 0; i < 16; i++ ) 01222 tmp[i] = input[i] ^ tweak[i]; 01223 01224 ret = mbedtls_aes_crypt_ecb( &ctx->crypt , mode, tmp, tmp ); 01225 if( ret != 0 ) 01226 return( ret ); 01227 01228 for( i = 0; i < 16; i++ ) 01229 output[i] = tmp[i] ^ tweak[i]; 01230 01231 /* Update the tweak for the next block. */ 01232 mbedtls_gf128mul_x_ble( tweak, tweak ); 01233 01234 output += 16; 01235 input += 16; 01236 } 01237 01238 if( leftover ) 01239 { 01240 /* If we are on the leftover bytes in a decrypt operation, we need to 01241 * use the previous tweak for these bytes (as saved in prev_tweak). */ 01242 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak; 01243 01244 /* We are now on the final part of the data unit, which doesn't divide 01245 * evenly by 16. It's time for ciphertext stealing. */ 01246 size_t i; 01247 unsigned char *prev_output = output - 16; 01248 01249 /* Copy ciphertext bytes from the previous block to our output for each 01250 * byte of cyphertext we won't steal. At the same time, copy the 01251 * remainder of the input for this final round (since the loop bounds 01252 * are the same). */ 01253 for( i = 0; i < leftover; i++ ) 01254 { 01255 output[i] = prev_output[i]; 01256 tmp[i] = input[i] ^ t[i]; 01257 } 01258 01259 /* Copy ciphertext bytes from the previous block for input in this 01260 * round. */ 01261 for( ; i < 16; i++ ) 01262 tmp[i] = prev_output[i] ^ t[i]; 01263 01264 ret = mbedtls_aes_crypt_ecb( &ctx->crypt , mode, tmp, tmp ); 01265 if( ret != 0 ) 01266 return ret; 01267 01268 /* Write the result back to the previous block, overriding the previous 01269 * output we copied. */ 01270 for( i = 0; i < 16; i++ ) 01271 prev_output[i] = tmp[i] ^ t[i]; 01272 } 01273 01274 return( 0 ); 01275 } 01276 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 01277 01278 #if defined(MBEDTLS_CIPHER_MODE_CFB) 01279 /* 01280 * AES-CFB128 buffer encryption/decryption 01281 */ 01282 int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, 01283 int mode, 01284 size_t length, 01285 size_t *iv_off, 01286 unsigned char iv[16], 01287 const unsigned char *input, 01288 unsigned char *output ) 01289 { 01290 int c; 01291 size_t n; 01292 01293 AES_VALIDATE_RET( ctx != NULL ); 01294 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 01295 mode == MBEDTLS_AES_DECRYPT ); 01296 AES_VALIDATE_RET( iv_off != NULL ); 01297 AES_VALIDATE_RET( iv != NULL ); 01298 AES_VALIDATE_RET( input != NULL ); 01299 AES_VALIDATE_RET( output != NULL ); 01300 01301 n = *iv_off; 01302 01303 if( n > 15 ) 01304 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 01305 01306 if( mode == MBEDTLS_AES_DECRYPT ) 01307 { 01308 while( length-- ) 01309 { 01310 if( n == 0 ) 01311 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01312 01313 c = *input++; 01314 *output++ = (unsigned char)( c ^ iv[n] ); 01315 iv[n] = (unsigned char) c; 01316 01317 n = ( n + 1 ) & 0x0F; 01318 } 01319 } 01320 else 01321 { 01322 while( length-- ) 01323 { 01324 if( n == 0 ) 01325 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01326 01327 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ ); 01328 01329 n = ( n + 1 ) & 0x0F; 01330 } 01331 } 01332 01333 *iv_off = n; 01334 01335 return( 0 ); 01336 } 01337 01338 /* 01339 * AES-CFB8 buffer encryption/decryption 01340 */ 01341 int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, 01342 int mode, 01343 size_t length, 01344 unsigned char iv[16], 01345 const unsigned char *input, 01346 unsigned char *output ) 01347 { 01348 unsigned char c; 01349 unsigned char ov[17]; 01350 01351 AES_VALIDATE_RET( ctx != NULL ); 01352 AES_VALIDATE_RET( mode == MBEDTLS_AES_ENCRYPT || 01353 mode == MBEDTLS_AES_DECRYPT ); 01354 AES_VALIDATE_RET( iv != NULL ); 01355 AES_VALIDATE_RET( input != NULL ); 01356 AES_VALIDATE_RET( output != NULL ); 01357 while( length-- ) 01358 { 01359 memcpy( ov, iv, 16 ); 01360 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01361 01362 if( mode == MBEDTLS_AES_DECRYPT ) 01363 ov[16] = *input; 01364 01365 c = *output++ = (unsigned char)( iv[0] ^ *input++ ); 01366 01367 if( mode == MBEDTLS_AES_ENCRYPT ) 01368 ov[16] = c; 01369 01370 memcpy( iv, ov + 1, 16 ); 01371 } 01372 01373 return( 0 ); 01374 } 01375 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 01376 01377 #if defined(MBEDTLS_CIPHER_MODE_OFB) 01378 /* 01379 * AES-OFB (Output Feedback Mode) buffer encryption/decryption 01380 */ 01381 int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx, 01382 size_t length, 01383 size_t *iv_off, 01384 unsigned char iv[16], 01385 const unsigned char *input, 01386 unsigned char *output ) 01387 { 01388 int ret = 0; 01389 size_t n; 01390 01391 AES_VALIDATE_RET( ctx != NULL ); 01392 AES_VALIDATE_RET( iv_off != NULL ); 01393 AES_VALIDATE_RET( iv != NULL ); 01394 AES_VALIDATE_RET( input != NULL ); 01395 AES_VALIDATE_RET( output != NULL ); 01396 01397 n = *iv_off; 01398 01399 if( n > 15 ) 01400 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 01401 01402 while( length-- ) 01403 { 01404 if( n == 0 ) 01405 { 01406 ret = mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, iv, iv ); 01407 if( ret != 0 ) 01408 goto exit; 01409 } 01410 *output++ = *input++ ^ iv[n]; 01411 01412 n = ( n + 1 ) & 0x0F; 01413 } 01414 01415 *iv_off = n; 01416 01417 exit: 01418 return( ret ); 01419 } 01420 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 01421 01422 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01423 /* 01424 * AES-CTR buffer encryption/decryption 01425 */ 01426 int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, 01427 size_t length, 01428 size_t *nc_off, 01429 unsigned char nonce_counter[16], 01430 unsigned char stream_block[16], 01431 const unsigned char *input, 01432 unsigned char *output ) 01433 { 01434 int c, i; 01435 size_t n; 01436 01437 AES_VALIDATE_RET( ctx != NULL ); 01438 AES_VALIDATE_RET( nc_off != NULL ); 01439 AES_VALIDATE_RET( nonce_counter != NULL ); 01440 AES_VALIDATE_RET( stream_block != NULL ); 01441 AES_VALIDATE_RET( input != NULL ); 01442 AES_VALIDATE_RET( output != NULL ); 01443 01444 n = *nc_off; 01445 01446 if ( n > 0x0F ) 01447 return( MBEDTLS_ERR_AES_BAD_INPUT_DATA ); 01448 01449 while( length-- ) 01450 { 01451 if( n == 0 ) { 01452 mbedtls_aes_crypt_ecb( ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block ); 01453 01454 for( i = 16; i > 0; i-- ) 01455 if( ++nonce_counter[i - 1] != 0 ) 01456 break; 01457 } 01458 c = *input++; 01459 *output++ = (unsigned char)( c ^ stream_block[n] ); 01460 01461 n = ( n + 1 ) & 0x0F; 01462 } 01463 01464 *nc_off = n; 01465 01466 return( 0 ); 01467 } 01468 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 01469 01470 #endif /* !MBEDTLS_AES_ALT */ 01471 01472 #if defined(MBEDTLS_SELF_TEST) 01473 /* 01474 * AES test vectors from: 01475 * 01476 * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 01477 */ 01478 static const unsigned char aes_test_ecb_dec[3][16] = 01479 { 01480 { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 01481 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 01482 { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 01483 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 01484 { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 01485 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 01486 }; 01487 01488 static const unsigned char aes_test_ecb_enc[3][16] = 01489 { 01490 { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 01491 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 01492 { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 01493 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 01494 { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 01495 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 01496 }; 01497 01498 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01499 static const unsigned char aes_test_cbc_dec[3][16] = 01500 { 01501 { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 01502 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 }, 01503 { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 01504 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 01505 { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 01506 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 01507 }; 01508 01509 static const unsigned char aes_test_cbc_enc[3][16] = 01510 { 01511 { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 01512 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 01513 { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 01514 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 01515 { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 01516 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 01517 }; 01518 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 01519 01520 #if defined(MBEDTLS_CIPHER_MODE_CFB) 01521 /* 01522 * AES-CFB128 test vectors from: 01523 * 01524 * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 01525 */ 01526 static const unsigned char aes_test_cfb128_key[3][32] = 01527 { 01528 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 01529 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 01530 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 01531 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 01532 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 01533 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 01534 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 01535 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 01536 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 01537 }; 01538 01539 static const unsigned char aes_test_cfb128_iv[16] = 01540 { 01541 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01542 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 01543 }; 01544 01545 static const unsigned char aes_test_cfb128_pt[64] = 01546 { 01547 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 01548 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 01549 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 01550 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 01551 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 01552 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 01553 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 01554 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 01555 }; 01556 01557 static const unsigned char aes_test_cfb128_ct[3][64] = 01558 { 01559 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 01560 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 01561 0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F, 01562 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 01563 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 01564 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 01565 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 01566 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 01567 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 01568 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 01569 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 01570 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 01571 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 01572 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 01573 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 01574 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 01575 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 01576 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 01577 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 01578 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 01579 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 01580 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 01581 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 01582 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 01583 }; 01584 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 01585 01586 #if defined(MBEDTLS_CIPHER_MODE_OFB) 01587 /* 01588 * AES-OFB test vectors from: 01589 * 01590 * https://csrc.nist.gov/publications/detail/sp/800-38a/final 01591 */ 01592 static const unsigned char aes_test_ofb_key[3][32] = 01593 { 01594 { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 01595 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 01596 { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 01597 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 01598 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 01599 { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 01600 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 01601 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 01602 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 01603 }; 01604 01605 static const unsigned char aes_test_ofb_iv[16] = 01606 { 01607 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01608 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 01609 }; 01610 01611 static const unsigned char aes_test_ofb_pt[64] = 01612 { 01613 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 01614 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 01615 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 01616 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 01617 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 01618 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 01619 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 01620 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 01621 }; 01622 01623 static const unsigned char aes_test_ofb_ct[3][64] = 01624 { 01625 { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 01626 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 01627 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 01628 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 01629 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 01630 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, 01631 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 01632 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, 01633 { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 01634 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 01635 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 01636 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 01637 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 01638 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, 01639 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 01640 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, 01641 { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 01642 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 01643 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 01644 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 01645 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed, 01646 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, 01647 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 01648 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } 01649 }; 01650 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 01651 01652 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01653 /* 01654 * AES-CTR test vectors from: 01655 * 01656 * http://www.faqs.org/rfcs/rfc3686.html 01657 */ 01658 01659 static const unsigned char aes_test_ctr_key[3][16] = 01660 { 01661 { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 01662 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 01663 { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 01664 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 01665 { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 01666 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 01667 }; 01668 01669 static const unsigned char aes_test_ctr_nonce_counter[3][16] = 01670 { 01671 { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 01672 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 01673 { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 01674 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 01675 { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 01676 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 01677 }; 01678 01679 static const unsigned char aes_test_ctr_pt[3][48] = 01680 { 01681 { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62, 01682 0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 }, 01683 01684 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01685 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 01686 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 01687 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F }, 01688 01689 { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 01690 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 01691 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 01692 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 01693 0x20, 0x21, 0x22, 0x23 } 01694 }; 01695 01696 static const unsigned char aes_test_ctr_ct[3][48] = 01697 { 01698 { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79, 01699 0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 }, 01700 { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9, 01701 0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88, 01702 0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8, 01703 0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 }, 01704 { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9, 01705 0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7, 01706 0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36, 01707 0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53, 01708 0x25, 0xB2, 0x07, 0x2F } 01709 }; 01710 01711 static const int aes_test_ctr_len[3] = 01712 { 16, 32, 36 }; 01713 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 01714 01715 #if defined(MBEDTLS_CIPHER_MODE_XTS) 01716 /* 01717 * AES-XTS test vectors from: 01718 * 01719 * IEEE P1619/D16 Annex B 01720 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf 01721 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf) 01722 */ 01723 static const unsigned char aes_test_xts_key[][32] = 01724 { 01725 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01726 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01727 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01729 { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 01730 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 01731 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 01732 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 01733 { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 01734 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0, 01735 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 01736 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 }, 01737 }; 01738 01739 static const unsigned char aes_test_xts_pt32[][32] = 01740 { 01741 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01744 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01745 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01746 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01747 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01748 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 01749 { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01750 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01751 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 01752 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 }, 01753 }; 01754 01755 static const unsigned char aes_test_xts_ct32[][32] = 01756 { 01757 { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec, 01758 0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92, 01759 0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85, 01760 0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e }, 01761 { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e, 01762 0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b, 01763 0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4, 01764 0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 }, 01765 { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a, 01766 0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2, 01767 0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53, 01768 0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 }, 01769 }; 01770 01771 static const unsigned char aes_test_xts_data_unit[][16] = 01772 { 01773 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 01774 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01775 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 01776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01777 { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00, 01778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, 01779 }; 01780 01781 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 01782 01783 /* 01784 * Checkup routine 01785 */ 01786 int mbedtls_aes_self_test( int verbose ) 01787 { 01788 int ret = 0, i, j, u, mode; 01789 unsigned int keybits; 01790 unsigned char key[32]; 01791 unsigned char buf[64]; 01792 const unsigned char *aes_tests; 01793 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) 01794 unsigned char iv[16]; 01795 #endif 01796 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01797 unsigned char prv[16]; 01798 #endif 01799 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \ 01800 defined(MBEDTLS_CIPHER_MODE_OFB) 01801 size_t offset; 01802 #endif 01803 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS) 01804 int len; 01805 #endif 01806 #if defined(MBEDTLS_CIPHER_MODE_CTR) 01807 unsigned char nonce_counter[16]; 01808 unsigned char stream_block[16]; 01809 #endif 01810 mbedtls_aes_context ctx; 01811 01812 memset( key, 0, 32 ); 01813 mbedtls_aes_init( &ctx ); 01814 01815 /* 01816 * ECB mode 01817 */ 01818 for( i = 0; i < 6; i++ ) 01819 { 01820 u = i >> 1; 01821 keybits = 128 + u * 64; 01822 mode = i & 1; 01823 01824 if( verbose != 0 ) 01825 mbedtls_printf( " AES-ECB-%3d (%s): ", keybits, 01826 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01827 01828 memset( buf, 0, 16 ); 01829 01830 if( mode == MBEDTLS_AES_DECRYPT ) 01831 { 01832 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 01833 aes_tests = aes_test_ecb_dec[u]; 01834 } 01835 else 01836 { 01837 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01838 aes_tests = aes_test_ecb_enc[u]; 01839 } 01840 01841 /* 01842 * AES-192 is an optional feature that may be unavailable when 01843 * there is an alternative underlying implementation i.e. when 01844 * MBEDTLS_AES_ALT is defined. 01845 */ 01846 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 01847 { 01848 mbedtls_printf( "skipped\n" ); 01849 continue; 01850 } 01851 else if( ret != 0 ) 01852 { 01853 goto exit; 01854 } 01855 01856 for( j = 0; j < 10000; j++ ) 01857 { 01858 ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf ); 01859 if( ret != 0 ) 01860 goto exit; 01861 } 01862 01863 if( memcmp( buf, aes_tests, 16 ) != 0 ) 01864 { 01865 ret = 1; 01866 goto exit; 01867 } 01868 01869 if( verbose != 0 ) 01870 mbedtls_printf( "passed\n" ); 01871 } 01872 01873 if( verbose != 0 ) 01874 mbedtls_printf( "\n" ); 01875 01876 #if defined(MBEDTLS_CIPHER_MODE_CBC) 01877 /* 01878 * CBC mode 01879 */ 01880 for( i = 0; i < 6; i++ ) 01881 { 01882 u = i >> 1; 01883 keybits = 128 + u * 64; 01884 mode = i & 1; 01885 01886 if( verbose != 0 ) 01887 mbedtls_printf( " AES-CBC-%3d (%s): ", keybits, 01888 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01889 01890 memset( iv , 0, 16 ); 01891 memset( prv, 0, 16 ); 01892 memset( buf, 0, 16 ); 01893 01894 if( mode == MBEDTLS_AES_DECRYPT ) 01895 { 01896 ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); 01897 aes_tests = aes_test_cbc_dec[u]; 01898 } 01899 else 01900 { 01901 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01902 aes_tests = aes_test_cbc_enc[u]; 01903 } 01904 01905 /* 01906 * AES-192 is an optional feature that may be unavailable when 01907 * there is an alternative underlying implementation i.e. when 01908 * MBEDTLS_AES_ALT is defined. 01909 */ 01910 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 01911 { 01912 mbedtls_printf( "skipped\n" ); 01913 continue; 01914 } 01915 else if( ret != 0 ) 01916 { 01917 goto exit; 01918 } 01919 01920 for( j = 0; j < 10000; j++ ) 01921 { 01922 if( mode == MBEDTLS_AES_ENCRYPT ) 01923 { 01924 unsigned char tmp[16]; 01925 01926 memcpy( tmp, prv, 16 ); 01927 memcpy( prv, buf, 16 ); 01928 memcpy( buf, tmp, 16 ); 01929 } 01930 01931 ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf ); 01932 if( ret != 0 ) 01933 goto exit; 01934 01935 } 01936 01937 if( memcmp( buf, aes_tests, 16 ) != 0 ) 01938 { 01939 ret = 1; 01940 goto exit; 01941 } 01942 01943 if( verbose != 0 ) 01944 mbedtls_printf( "passed\n" ); 01945 } 01946 01947 if( verbose != 0 ) 01948 mbedtls_printf( "\n" ); 01949 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 01950 01951 #if defined(MBEDTLS_CIPHER_MODE_CFB) 01952 /* 01953 * CFB128 mode 01954 */ 01955 for( i = 0; i < 6; i++ ) 01956 { 01957 u = i >> 1; 01958 keybits = 128 + u * 64; 01959 mode = i & 1; 01960 01961 if( verbose != 0 ) 01962 mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits, 01963 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 01964 01965 memcpy( iv, aes_test_cfb128_iv, 16 ); 01966 memcpy( key, aes_test_cfb128_key[u], keybits / 8 ); 01967 01968 offset = 0; 01969 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 01970 /* 01971 * AES-192 is an optional feature that may be unavailable when 01972 * there is an alternative underlying implementation i.e. when 01973 * MBEDTLS_AES_ALT is defined. 01974 */ 01975 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 01976 { 01977 mbedtls_printf( "skipped\n" ); 01978 continue; 01979 } 01980 else if( ret != 0 ) 01981 { 01982 goto exit; 01983 } 01984 01985 if( mode == MBEDTLS_AES_DECRYPT ) 01986 { 01987 memcpy( buf, aes_test_cfb128_ct[u], 64 ); 01988 aes_tests = aes_test_cfb128_pt; 01989 } 01990 else 01991 { 01992 memcpy( buf, aes_test_cfb128_pt, 64 ); 01993 aes_tests = aes_test_cfb128_ct[u]; 01994 } 01995 01996 ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf ); 01997 if( ret != 0 ) 01998 goto exit; 01999 02000 if( memcmp( buf, aes_tests, 64 ) != 0 ) 02001 { 02002 ret = 1; 02003 goto exit; 02004 } 02005 02006 if( verbose != 0 ) 02007 mbedtls_printf( "passed\n" ); 02008 } 02009 02010 if( verbose != 0 ) 02011 mbedtls_printf( "\n" ); 02012 #endif /* MBEDTLS_CIPHER_MODE_CFB */ 02013 02014 #if defined(MBEDTLS_CIPHER_MODE_OFB) 02015 /* 02016 * OFB mode 02017 */ 02018 for( i = 0; i < 6; i++ ) 02019 { 02020 u = i >> 1; 02021 keybits = 128 + u * 64; 02022 mode = i & 1; 02023 02024 if( verbose != 0 ) 02025 mbedtls_printf( " AES-OFB-%3d (%s): ", keybits, 02026 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 02027 02028 memcpy( iv, aes_test_ofb_iv, 16 ); 02029 memcpy( key, aes_test_ofb_key[u], keybits / 8 ); 02030 02031 offset = 0; 02032 ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); 02033 /* 02034 * AES-192 is an optional feature that may be unavailable when 02035 * there is an alternative underlying implementation i.e. when 02036 * MBEDTLS_AES_ALT is defined. 02037 */ 02038 if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192 ) 02039 { 02040 mbedtls_printf( "skipped\n" ); 02041 continue; 02042 } 02043 else if( ret != 0 ) 02044 { 02045 goto exit; 02046 } 02047 02048 if( mode == MBEDTLS_AES_DECRYPT ) 02049 { 02050 memcpy( buf, aes_test_ofb_ct[u], 64 ); 02051 aes_tests = aes_test_ofb_pt; 02052 } 02053 else 02054 { 02055 memcpy( buf, aes_test_ofb_pt, 64 ); 02056 aes_tests = aes_test_ofb_ct[u]; 02057 } 02058 02059 ret = mbedtls_aes_crypt_ofb( &ctx, 64, &offset, iv, buf, buf ); 02060 if( ret != 0 ) 02061 goto exit; 02062 02063 if( memcmp( buf, aes_tests, 64 ) != 0 ) 02064 { 02065 ret = 1; 02066 goto exit; 02067 } 02068 02069 if( verbose != 0 ) 02070 mbedtls_printf( "passed\n" ); 02071 } 02072 02073 if( verbose != 0 ) 02074 mbedtls_printf( "\n" ); 02075 #endif /* MBEDTLS_CIPHER_MODE_OFB */ 02076 02077 #if defined(MBEDTLS_CIPHER_MODE_CTR) 02078 /* 02079 * CTR mode 02080 */ 02081 for( i = 0; i < 6; i++ ) 02082 { 02083 u = i >> 1; 02084 mode = i & 1; 02085 02086 if( verbose != 0 ) 02087 mbedtls_printf( " AES-CTR-128 (%s): ", 02088 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 02089 02090 memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 ); 02091 memcpy( key, aes_test_ctr_key[u], 16 ); 02092 02093 offset = 0; 02094 if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 ) 02095 goto exit; 02096 02097 len = aes_test_ctr_len[u]; 02098 02099 if( mode == MBEDTLS_AES_DECRYPT ) 02100 { 02101 memcpy( buf, aes_test_ctr_ct[u], len ); 02102 aes_tests = aes_test_ctr_pt[u]; 02103 } 02104 else 02105 { 02106 memcpy( buf, aes_test_ctr_pt[u], len ); 02107 aes_tests = aes_test_ctr_ct[u]; 02108 } 02109 02110 ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, 02111 stream_block, buf, buf ); 02112 if( ret != 0 ) 02113 goto exit; 02114 02115 if( memcmp( buf, aes_tests, len ) != 0 ) 02116 { 02117 ret = 1; 02118 goto exit; 02119 } 02120 02121 if( verbose != 0 ) 02122 mbedtls_printf( "passed\n" ); 02123 } 02124 02125 if( verbose != 0 ) 02126 mbedtls_printf( "\n" ); 02127 #endif /* MBEDTLS_CIPHER_MODE_CTR */ 02128 02129 #if defined(MBEDTLS_CIPHER_MODE_XTS) 02130 { 02131 static const int num_tests = 02132 sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key); 02133 mbedtls_aes_xts_context ctx_xts; 02134 02135 /* 02136 * XTS mode 02137 */ 02138 mbedtls_aes_xts_init( &ctx_xts ); 02139 02140 for( i = 0; i < num_tests << 1; i++ ) 02141 { 02142 const unsigned char *data_unit; 02143 u = i >> 1; 02144 mode = i & 1; 02145 02146 if( verbose != 0 ) 02147 mbedtls_printf( " AES-XTS-128 (%s): ", 02148 ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); 02149 02150 memset( key, 0, sizeof( key ) ); 02151 memcpy( key, aes_test_xts_key[u], 32 ); 02152 data_unit = aes_test_xts_data_unit[u]; 02153 02154 len = sizeof( *aes_test_xts_ct32 ); 02155 02156 if( mode == MBEDTLS_AES_DECRYPT ) 02157 { 02158 ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 ); 02159 if( ret != 0) 02160 goto exit; 02161 memcpy( buf, aes_test_xts_ct32[u], len ); 02162 aes_tests = aes_test_xts_pt32[u]; 02163 } 02164 else 02165 { 02166 ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 ); 02167 if( ret != 0) 02168 goto exit; 02169 memcpy( buf, aes_test_xts_pt32[u], len ); 02170 aes_tests = aes_test_xts_ct32[u]; 02171 } 02172 02173 02174 ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit, 02175 buf, buf ); 02176 if( ret != 0 ) 02177 goto exit; 02178 02179 if( memcmp( buf, aes_tests, len ) != 0 ) 02180 { 02181 ret = 1; 02182 goto exit; 02183 } 02184 02185 if( verbose != 0 ) 02186 mbedtls_printf( "passed\n" ); 02187 } 02188 02189 if( verbose != 0 ) 02190 mbedtls_printf( "\n" ); 02191 02192 mbedtls_aes_xts_free( &ctx_xts ); 02193 } 02194 #endif /* MBEDTLS_CIPHER_MODE_XTS */ 02195 02196 ret = 0; 02197 02198 exit: 02199 if( ret != 0 && verbose != 0 ) 02200 mbedtls_printf( "failed\n" ); 02201 02202 mbedtls_aes_free( &ctx ); 02203 02204 return( ret ); 02205 } 02206 02207 #endif /* MBEDTLS_SELF_TEST */ 02208 02209 #endif /* MBEDTLS_AES_C */
Generated on Tue Jul 12 2022 13:54:00 by
