1 /*
2 * Copyright The Mbed TLS Contributors
3 * SPDX-License-Identifier: Apache-2.0
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License"); you may
6 * not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 * Copyright (c) 2023 Telink Semiconductor (Shanghai) Co., Ltd. ("TELINK")
17 */
18 /*
19 * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
20 *
21 * http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
22 * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
23 */
24
25 #include "../common.h"
26
27 #if defined(MBEDTLS_AES_C)
28
29 #include <string.h>
30
31 #include "mbedtls/aes.h"
32 #include "mbedtls/error.h"
33 #include "mbedtls/platform.h"
34 #include "mbedtls/platform_util.h"
35 #if defined(MBEDTLS_PADLOCK_C)
36 #include "padlock.h"
37 #endif
38 #if defined(MBEDTLS_AESNI_C)
39 #include "aesni.h"
40 #endif
41
42 #if defined(MBEDTLS_SELF_TEST)
43 #if defined(MBEDTLS_PLATFORM_C)
44 #include "mbedtls/platform.h"
45 #else
46 #include <stdio.h>
47 #define mbedtls_printf printf
48 #endif /* MBEDTLS_PLATFORM_C */
49 #endif /* MBEDTLS_SELF_TEST */
50
51 #if defined(MBEDTLS_AES_ALT)
52
53 #include "../multithread.h"
54 #include "aes.h"
55
56 /* Parameter validation macros based on platform_util.h */
57 #define AES_VALIDATE_RET(cond) MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_AES_BAD_INPUT_DATA)
58 #define AES_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE(cond)
59
60 /*
61 * 32-bit integer manipulation macros (little endian)
62 */
63 #ifndef GET_UINT32_LE
64 #define GET_UINT32_LE(n, b, i) \
65 { \
66 (n) = ((uint32_t)(b)[(i)]) | ((uint32_t)(b)[(i) + 1] << 8) | ((uint32_t)(b)[(i) + 2] << 16) | \
67 ((uint32_t)(b)[(i) + 3] << 24); \
68 }
69 #endif
70
71 #ifndef PUT_UINT32_LE
72 #define PUT_UINT32_LE(n, b, i) \
73 { \
74 (b)[(i)] = (unsigned char)(((n)) & 0xFF); \
75 (b)[(i) + 1] = (unsigned char)(((n) >> 8) & 0xFF); \
76 (b)[(i) + 2] = (unsigned char)(((n) >> 16) & 0xFF); \
77 (b)[(i) + 3] = (unsigned char)(((n) >> 24) & 0xFF); \
78 }
79 #endif
80
81 #if defined(MBEDTLS_PADLOCK_C) && (defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16))
82 static int aes_padlock_ace = -1;
83 #endif
84
85 #if defined(MBEDTLS_AES_ROM_TABLES)
86 /*
87 * Forward S-box
88 */
89 static const unsigned char FSb[256] = {0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE,
90 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
91 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23,
92 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E,
93 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A,
94 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
95 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3,
96 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81,
97 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49,
98 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
99 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74,
100 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1,
101 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C,
102 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16};
103
104 /*
105 * Forward tables
106 */
107 #define FT \
108 \
109 V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), V(0D, F2, F2, FF), \
110 V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), V(50, 30, 30, 60), V(03, 01, 01, 02), \
111 V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), \
112 V(9A, 76, 76, EC), V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
113 V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), V(EC, AD, AD, 41), \
114 V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), \
115 V(96, 72, 72, E4), V(5B, C0, C0, 9B), V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), \
116 V(6A, 26, 26, 4C), V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
117 V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), V(93, 71, 71, E2), \
118 V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), V(0C, 04, 04, 08), V(52, C7, C7, 95), \
119 V(65, 23, 23, 46), V(5E, C3, C3, 9D), V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), \
120 V(B5, 9A, 9A, 2F), V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
121 V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), V(1B, 09, 09, 12), \
122 V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), \
123 V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), \
124 V(CE, B3, B3, 7D), V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
125 V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), V(60, 20, 20, 40), \
126 V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), \
127 V(D9, BE, BE, 67), V(4B, 39, 39, 72), V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), \
128 V(4A, CF, CF, 85), V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
129 V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), V(CF, 45, 45, 8A), \
130 V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), V(F0, 50, 50, A0), V(44, 3C, 3C, 78), \
131 V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), \
132 V(8A, 8F, 8F, 05), V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
133 V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), V(30, 10, 10, 20), \
134 V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), V(4C, CD, CD, 81), V(14, 0C, 0C, 18), \
135 V(35, 13, 13, 26), V(2F, EC, EC, C3), V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), \
136 V(39, 17, 17, 2E), V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
137 V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), V(A0, 60, 60, C0), \
138 V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), V(66, 22, 22, 44), V(7E, 2A, 2A, 54), \
139 V(AB, 90, 90, 3B), V(83, 88, 88, 0B), V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), \
140 V(3C, 14, 14, 28), V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
141 V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), V(DB, 49, 49, 92), \
142 V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), V(5D, C2, C2, 9F), V(6E, D3, D3, BD), \
143 V(EF, AC, AC, 43), V(A6, 62, 62, C4), V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), \
144 V(8B, 79, 79, F2), V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
145 V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), V(B4, 6C, 6C, D8), \
146 V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), \
147 V(E9, AE, AE, 47), V(18, 08, 08, 10), V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), \
148 V(72, 2E, 2E, 5C), V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
149 V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), V(DD, 4B, 4B, 96), \
150 V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), V(90, 70, 70, E0), V(42, 3E, 3E, 7C), \
151 V(C4, B5, B5, 71), V(AA, 66, 66, CC), V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), \
152 V(12, 0E, 0E, 1C), V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
153 V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), V(38, E1, E1, D9), \
154 V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), V(BB, 69, 69, D2), V(70, D9, D9, A9), \
155 V(89, 8E, 8E, 07), V(A7, 94, 94, 33), V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), \
156 V(20, E9, E9, C9), V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
157 V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), V(DA, BF, BF, 65), \
158 V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), V(C3, 41, 41, 82), V(B0, 99, 99, 29), \
159 V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), \
160 V(3A, 16, 16, 2C)
161
162 #define V(a, b, c, d) 0x##a##b##c##d
163 static const uint32_t FT0[256] = {FT};
164 #undef V
165
166 #if !defined(MBEDTLS_AES_FEWER_TABLES)
167
168 #define V(a, b, c, d) 0x##b##c##d##a
169 static const uint32_t FT1[256] = {FT};
170 #undef V
171
172 #define V(a, b, c, d) 0x##c##d##a##b
173 static const uint32_t FT2[256] = {FT};
174 #undef V
175
176 #define V(a, b, c, d) 0x##d##a##b##c
177 static const uint32_t FT3[256] = {FT};
178 #undef V
179
180 #endif /* !MBEDTLS_AES_FEWER_TABLES */
181
182 #undef FT
183
184 /*
185 * Reverse S-box
186 */
187 static const unsigned char RSb[256] = {0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81,
188 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
189 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 0x08, 0x2E, 0xA1,
190 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68,
191 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E,
192 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
193 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A,
194 0x6B, 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 0x96, 0xAC,
195 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D,
196 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
197 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10,
198 0x59, 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9,
199 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 0x17,
200 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D};
201
202 /*
203 * Reverse tables
204 */
205 #define RT \
206 \
207 V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), V(CB, 6B, AB, 3B), \
208 V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), V(55, FA, 30, 20), V(F6, 6D, 76, AD), \
209 V(91, 76, CC, 88), V(25, 4C, 02, F5), V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), \
210 V(8F, A3, 62, B5), V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
211 V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), V(E7, 5F, 8F, 03), \
212 V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), V(2D, 83, BE, D4), V(D3, 21, 74, 58), \
213 V(29, 69, E0, 49), V(44, C8, C9, 8E), V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), \
214 V(DD, 71, B9, 27), V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
215 V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), V(E0, 77, 64, B1), \
216 V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), V(58, 68, 48, 70), V(19, FD, 45, 8F), \
217 V(87, 6C, DE, 94), V(B7, F8, 7B, 52), V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), \
218 V(2A, AB, 55, 66), V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
219 V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), V(2B, 1C, CF, 8A), \
220 V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), V(CD, F4, DA, 65), V(D5, BE, 05, 06), \
221 V(1F, 62, 34, D1), V(8A, FE, A6, C4), V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), \
222 V(75, EB, F6, A4), V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
223 V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), V(B5, 8D, 54, 91), \
224 V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), V(24, FB, 98, 19), V(97, E9, BD, D6), \
225 V(CC, 43, 40, 89), V(77, 9E, D9, 67), V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), \
226 V(DB, EE, C8, 79), V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
227 V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), V(FB, FF, 0E, FD), \
228 V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), V(64, D9, 0F, 0A), V(21, A6, 5C, 68), \
229 V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), \
230 V(9E, 91, 9B, 1B), V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
231 V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), V(0B, 0D, 09, 0E), \
232 V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), V(85, 19, F1, 57), V(4C, 07, 75, AF), \
233 V(BB, DD, 99, EE), V(FD, 60, 7F, A3), V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), \
234 V(34, 7E, FB, 5B), V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
235 V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), V(7D, 24, 4A, 85), \
236 V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), \
237 V(EC, 52, 86, 0D), V(D0, E3, C1, 77), V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), \
238 V(22, 64, E9, 47), V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
239 V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), V(CF, 81, F5, A6), \
240 V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), \
241 V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), \
242 V(F5, AF, C3, 82), V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
243 V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), V(09, 78, 26, CD), \
244 V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), V(65, 6E, 95, E6), V(7E, E6, FF, AA), \
245 V(08, CF, BC, 21), V(E6, E8, 15, EF), V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), \
246 V(D6, 7C, B0, 29), V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
247 V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), V(4A, 98, 04, F1), \
248 V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), V(8D, D6, 4D, 76), V(4D, B0, EF, 43), \
249 V(54, 4D, AA, CC), V(DF, 04, 96, E4), V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), \
250 V(7F, 51, 65, 46), V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
251 V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), V(8C, 61, D7, 9A), \
252 V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), V(EE, 27, A9, CE), V(35, C9, 61, B7), \
253 V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), \
254 V(BF, 37, C7, 73), V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
255 V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), V(72, C3, 1D, 16), \
256 V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), V(71, 01, A8, 39), V(DE, B3, 0C, 08), \
257 V(9C, E4, B4, D8), V(90, C1, 56, 64), V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), \
258 V(42, 57, B8, D0)
259
260 #define V(a, b, c, d) 0x##a##b##c##d
261 static const uint32_t RT0[256] = {RT};
262 #undef V
263
264 #if !defined(MBEDTLS_AES_FEWER_TABLES)
265
266 #define V(a, b, c, d) 0x##b##c##d##a
267 static const uint32_t RT1[256] = {RT};
268 #undef V
269
270 #define V(a, b, c, d) 0x##c##d##a##b
271 static const uint32_t RT2[256] = {RT};
272 #undef V
273
274 #define V(a, b, c, d) 0x##d##a##b##c
275 static const uint32_t RT3[256] = {RT};
276 #undef V
277
278 #endif /* !MBEDTLS_AES_FEWER_TABLES */
279
280 #undef RT
281
282 /*
283 * Round constants
284 */
285 static const uint32_t RCON[10] = {0x00000001, 0x00000002, 0x00000004, 0x00000008, 0x00000010, 0x00000020, 0x00000040,
286 0x00000080, 0x0000001B, 0x00000036};
287
288 #else /* MBEDTLS_AES_ROM_TABLES */
289
290 /*
291 * Forward S-box & tables
292 */
293 static unsigned char FSb[256];
294 static uint32_t FT0[256];
295 #if !defined(MBEDTLS_AES_FEWER_TABLES)
296 static uint32_t FT1[256];
297 static uint32_t FT2[256];
298 static uint32_t FT3[256];
299 #endif /* !MBEDTLS_AES_FEWER_TABLES */
300
301 /*
302 * Reverse S-box & tables
303 */
304 static unsigned char RSb[256];
305 static uint32_t RT0[256];
306 #if !defined(MBEDTLS_AES_FEWER_TABLES)
307 static uint32_t RT1[256];
308 static uint32_t RT2[256];
309 static uint32_t RT3[256];
310 #endif /* !MBEDTLS_AES_FEWER_TABLES */
311
312 /*
313 * Round constants
314 */
315 static uint32_t RCON[10];
316
317 /*
318 * Tables generation code
319 */
320 #define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
321 #define XTIME(x) (((x) << 1) ^ (((x)&0x80) ? 0x1B : 0x00))
322 #define MUL(x, y) (((x) && (y)) ? pow[(log[(x)] + log[(y)]) % 255] : 0)
323
324 static int aes_init_done = 0;
325
aes_gen_tables(void)326 static void aes_gen_tables(void)
327 {
328 int i, x, y, z;
329 int pow[256];
330 int log[256];
331
332 /*
333 * compute pow and log tables over GF(2^8)
334 */
335 for (i = 0, x = 1; i < 256; i++) {
336 pow[i] = x;
337 log[x] = i;
338 x = (x ^ XTIME(x)) & 0xFF;
339 }
340
341 /*
342 * calculate the round constants
343 */
344 for (i = 0, x = 1; i < 10; i++) {
345 RCON[i] = (uint32_t)x;
346 x = XTIME(x) & 0xFF;
347 }
348
349 /*
350 * generate the forward and reverse S-boxes
351 */
352 FSb[0x00] = 0x63;
353 RSb[0x63] = 0x00;
354
355 for (i = 1; i < 256; i++) {
356 x = pow[255 - log[i]];
357
358 y = x;
359 y = ((y << 1) | (y >> 7)) & 0xFF;
360 x ^= y;
361 y = ((y << 1) | (y >> 7)) & 0xFF;
362 x ^= y;
363 y = ((y << 1) | (y >> 7)) & 0xFF;
364 x ^= y;
365 y = ((y << 1) | (y >> 7)) & 0xFF;
366 x ^= y ^ 0x63;
367
368 FSb[i] = (unsigned char)x;
369 RSb[x] = (unsigned char)i;
370 }
371
372 /*
373 * generate the forward and reverse tables
374 */
375 for (i = 0; i < 256; i++) {
376 x = FSb[i];
377 y = XTIME(x) & 0xFF;
378 z = (y ^ x) & 0xFF;
379
380 FT0[i] = ((uint32_t)y) ^ ((uint32_t)x << 8) ^ ((uint32_t)x << 16) ^ ((uint32_t)z << 24);
381
382 #if !defined(MBEDTLS_AES_FEWER_TABLES)
383 FT1[i] = ROTL8(FT0[i]);
384 FT2[i] = ROTL8(FT1[i]);
385 FT3[i] = ROTL8(FT2[i]);
386 #endif /* !MBEDTLS_AES_FEWER_TABLES */
387
388 x = RSb[i];
389
390 RT0[i] = ((uint32_t)MUL(0x0E, x)) ^ ((uint32_t)MUL(0x09, x) << 8) ^ ((uint32_t)MUL(0x0D, x) << 16) ^
391 ((uint32_t)MUL(0x0B, x) << 24);
392
393 #if !defined(MBEDTLS_AES_FEWER_TABLES)
394 RT1[i] = ROTL8(RT0[i]);
395 RT2[i] = ROTL8(RT1[i]);
396 RT3[i] = ROTL8(RT2[i]);
397 #endif /* !MBEDTLS_AES_FEWER_TABLES */
398 }
399 }
400
401 #undef ROTL8
402
403 #endif /* MBEDTLS_AES_ROM_TABLES */
404
405 #if defined(MBEDTLS_AES_FEWER_TABLES)
406
407 #define ROTL8(x) ((uint32_t)((x) << 8) + (uint32_t)((x) >> 24))
408 #define ROTL16(x) ((uint32_t)((x) << 16) + (uint32_t)((x) >> 16))
409 #define ROTL24(x) ((uint32_t)((x) << 24) + (uint32_t)((x) >> 8))
410
411 #define AES_RT0(idx) RT0[idx]
412 #define AES_RT1(idx) ROTL8(RT0[idx])
413 #define AES_RT2(idx) ROTL16(RT0[idx])
414 #define AES_RT3(idx) ROTL24(RT0[idx])
415
416 #define AES_FT0(idx) FT0[idx]
417 #define AES_FT1(idx) ROTL8(FT0[idx])
418 #define AES_FT2(idx) ROTL16(FT0[idx])
419 #define AES_FT3(idx) ROTL24(FT0[idx])
420
421 #else /* MBEDTLS_AES_FEWER_TABLES */
422
423 #define AES_RT0(idx) RT0[idx]
424 #define AES_RT1(idx) RT1[idx]
425 #define AES_RT2(idx) RT2[idx]
426 #define AES_RT3(idx) RT3[idx]
427
428 #define AES_FT0(idx) FT0[idx]
429 #define AES_FT1(idx) FT1[idx]
430 #define AES_FT2(idx) FT2[idx]
431 #define AES_FT3(idx) FT3[idx]
432
433 #endif /* MBEDTLS_AES_FEWER_TABLES */
434
mbedtls_aes_init(mbedtls_aes_context * ctx)435 void mbedtls_aes_init(mbedtls_aes_context *ctx)
436 {
437 AES_VALIDATE(ctx != NULL);
438
439 memset(ctx, 0, sizeof(mbedtls_aes_context));
440 }
441
mbedtls_aes_free(mbedtls_aes_context * ctx)442 void mbedtls_aes_free(mbedtls_aes_context *ctx)
443 {
444 if (ctx == NULL)
445 return;
446
447 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_aes_context));
448 }
449
450 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_init(mbedtls_aes_xts_context * ctx)451 void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
452 {
453 AES_VALIDATE(ctx != NULL);
454
455 mbedtls_aes_init(&ctx->crypt);
456 mbedtls_aes_init(&ctx->tweak);
457 }
458
mbedtls_aes_xts_free(mbedtls_aes_xts_context * ctx)459 void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
460 {
461 if (ctx == NULL)
462 return;
463
464 mbedtls_aes_free(&ctx->crypt);
465 mbedtls_aes_free(&ctx->tweak);
466 }
467 #endif /* MBEDTLS_CIPHER_MODE_XTS */
468
469 /*
470 * AES key schedule (encryption)
471 */
472 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)473 int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits)
474 {
475 unsigned int i;
476 uint32_t *RK;
477
478 AES_VALIDATE_RET(ctx != NULL);
479 AES_VALIDATE_RET(key != NULL);
480
481 if (keybits == 128) {
482 ctx->nr = 10;
483 memcpy(ctx->buf, key, 16);
484 return 0;
485 }
486
487 switch (keybits) {
488 case 128:
489 ctx->nr = 10;
490 break;
491 case 192:
492 ctx->nr = 12;
493 break;
494 case 256:
495 ctx->nr = 14;
496 break;
497 default:
498 return (MBEDTLS_ERR_AES_INVALID_KEY_LENGTH);
499 }
500
501 #if !defined(MBEDTLS_AES_ROM_TABLES)
502 if (aes_init_done == 0) {
503 aes_gen_tables();
504 aes_init_done = 1;
505 }
506 #endif
507
508 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
509 if (aes_padlock_ace == -1)
510 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
511
512 if (aes_padlock_ace)
513 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
514 else
515 #endif
516 ctx->rk = RK = ctx->buf;
517
518 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
519 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES))
520 return (mbedtls_aesni_setkey_enc((unsigned char *)ctx->rk, key, keybits));
521 #endif
522
523 for (i = 0; i < (keybits >> 5); i++) {
524 GET_UINT32_LE(RK[i], key, i << 2);
525 }
526
527 switch (ctx->nr) {
528 case 10:
529
530 for (i = 0; i < 10; i++, RK += 4) {
531 RK[4] = RK[0] ^ RCON[i] ^ ((uint32_t)FSb[(RK[3] >> 8) & 0xFF]) ^
532 ((uint32_t)FSb[(RK[3] >> 16) & 0xFF] << 8) ^ ((uint32_t)FSb[(RK[3] >> 24) & 0xFF] << 16) ^
533 ((uint32_t)FSb[(RK[3]) & 0xFF] << 24);
534
535 RK[5] = RK[1] ^ RK[4];
536 RK[6] = RK[2] ^ RK[5];
537 RK[7] = RK[3] ^ RK[6];
538 }
539 break;
540
541 case 12:
542
543 for (i = 0; i < 8; i++, RK += 6) {
544 RK[6] = RK[0] ^ RCON[i] ^ ((uint32_t)FSb[(RK[5] >> 8) & 0xFF]) ^
545 ((uint32_t)FSb[(RK[5] >> 16) & 0xFF] << 8) ^ ((uint32_t)FSb[(RK[5] >> 24) & 0xFF] << 16) ^
546 ((uint32_t)FSb[(RK[5]) & 0xFF] << 24);
547
548 RK[7] = RK[1] ^ RK[6];
549 RK[8] = RK[2] ^ RK[7];
550 RK[9] = RK[3] ^ RK[8];
551 RK[10] = RK[4] ^ RK[9];
552 RK[11] = RK[5] ^ RK[10];
553 }
554 break;
555
556 case 14:
557
558 for (i = 0; i < 7; i++, RK += 8) {
559 RK[8] = RK[0] ^ RCON[i] ^ ((uint32_t)FSb[(RK[7] >> 8) & 0xFF]) ^
560 ((uint32_t)FSb[(RK[7] >> 16) & 0xFF] << 8) ^ ((uint32_t)FSb[(RK[7] >> 24) & 0xFF] << 16) ^
561 ((uint32_t)FSb[(RK[7]) & 0xFF] << 24);
562
563 RK[9] = RK[1] ^ RK[8];
564 RK[10] = RK[2] ^ RK[9];
565 RK[11] = RK[3] ^ RK[10];
566
567 RK[12] = RK[4] ^ ((uint32_t)FSb[(RK[11]) & 0xFF]) ^ ((uint32_t)FSb[(RK[11] >> 8) & 0xFF] << 8) ^
568 ((uint32_t)FSb[(RK[11] >> 16) & 0xFF] << 16) ^ ((uint32_t)FSb[(RK[11] >> 24) & 0xFF] << 24);
569
570 RK[13] = RK[5] ^ RK[12];
571 RK[14] = RK[6] ^ RK[13];
572 RK[15] = RK[7] ^ RK[14];
573 }
574 break;
575 }
576
577 return (0);
578 }
579 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
580
581 /*
582 * AES key schedule (decryption)
583 */
584 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT)
mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)585 int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits)
586 {
587 int i, j, ret;
588 mbedtls_aes_context cty;
589 uint32_t *RK;
590 uint32_t *SK;
591
592 AES_VALIDATE_RET(ctx != NULL);
593 AES_VALIDATE_RET(key != NULL);
594
595 if (keybits == 128) {
596 ctx->nr = 10;
597 memcpy(ctx->buf, key, 16);
598 return 0;
599 }
600
601 mbedtls_aes_init(&cty);
602
603 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
604 if (aes_padlock_ace == -1)
605 aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
606
607 if (aes_padlock_ace)
608 ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
609 else
610 #endif
611 ctx->rk = RK = ctx->buf;
612
613 /* Also checks keybits */
614 if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0)
615 goto exit;
616
617 ctx->nr = cty.nr;
618
619 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
620 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
621 mbedtls_aesni_inverse_key((unsigned char *)ctx->rk, (const unsigned char *)cty.rk, ctx->nr);
622 goto exit;
623 }
624 #endif
625
626 SK = cty.rk + cty.nr * 4;
627
628 *RK++ = *SK++;
629 *RK++ = *SK++;
630 *RK++ = *SK++;
631 *RK++ = *SK++;
632
633 for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) {
634 for (j = 0; j < 4; j++, SK++) {
635 *RK++ = AES_RT0(FSb[(*SK) & 0xFF]) ^ AES_RT1(FSb[(*SK >> 8) & 0xFF]) ^ AES_RT2(FSb[(*SK >> 16) & 0xFF]) ^
636 AES_RT3(FSb[(*SK >> 24) & 0xFF]);
637 }
638 }
639
640 *RK++ = *SK++;
641 *RK++ = *SK++;
642 *RK++ = *SK++;
643 *RK++ = *SK++;
644
645 exit:
646 mbedtls_aes_free(&cty);
647
648 return (ret);
649 }
650 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
651
652 #if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_decode_keys(const unsigned char * key,unsigned int keybits,const unsigned char ** key1,unsigned int * key1bits,const unsigned char ** key2,unsigned int * key2bits)653 static int mbedtls_aes_xts_decode_keys(const unsigned char *key, unsigned int keybits, const unsigned char **key1,
654 unsigned int *key1bits, const unsigned char **key2, unsigned int *key2bits)
655 {
656 const unsigned int half_keybits = keybits / 2;
657 const unsigned int half_keybytes = half_keybits / 8;
658
659 switch (keybits) {
660 case 256:
661 break;
662 case 512:
663 break;
664 default:
665 return (MBEDTLS_ERR_AES_INVALID_KEY_LENGTH);
666 }
667
668 *key1bits = half_keybits;
669 *key2bits = half_keybits;
670 *key1 = &key[0];
671 *key2 = &key[half_keybytes];
672
673 return 0;
674 }
675
mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)676 int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx, const unsigned char *key, unsigned int keybits)
677 {
678 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
679 const unsigned char *key1, *key2;
680 unsigned int key1bits, key2bits;
681
682 AES_VALIDATE_RET(ctx != NULL);
683 AES_VALIDATE_RET(key != NULL);
684
685 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, &key2, &key2bits);
686 if (ret != 0)
687 return (ret);
688
689 /* Set the tweak key. Always set tweak key for the encryption mode. */
690 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
691 if (ret != 0)
692 return (ret);
693
694 /* Set crypt key for encryption. */
695 return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
696 }
697
mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context * ctx,const unsigned char * key,unsigned int keybits)698 int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx, const unsigned char *key, unsigned int keybits)
699 {
700 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
701 const unsigned char *key1, *key2;
702 unsigned int key1bits, key2bits;
703
704 AES_VALIDATE_RET(ctx != NULL);
705 AES_VALIDATE_RET(key != NULL);
706
707 ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, &key2, &key2bits);
708 if (ret != 0)
709 return (ret);
710
711 /* Set the tweak key. Always set tweak key for encryption. */
712 ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
713 if (ret != 0)
714 return (ret);
715
716 /* Set crypt key for decryption. */
717 return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
718 }
719 #endif /* MBEDTLS_CIPHER_MODE_XTS */
720
721 #define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
722 do { \
723 (X0) = *RK++ ^ AES_FT0(((Y0)) & 0xFF) ^ AES_FT1(((Y1) >> 8) & 0xFF) ^ AES_FT2(((Y2) >> 16) & 0xFF) ^ \
724 AES_FT3(((Y3) >> 24) & 0xFF); \
725 \
726 (X1) = *RK++ ^ AES_FT0(((Y1)) & 0xFF) ^ AES_FT1(((Y2) >> 8) & 0xFF) ^ AES_FT2(((Y3) >> 16) & 0xFF) ^ \
727 AES_FT3(((Y0) >> 24) & 0xFF); \
728 \
729 (X2) = *RK++ ^ AES_FT0(((Y2)) & 0xFF) ^ AES_FT1(((Y3) >> 8) & 0xFF) ^ AES_FT2(((Y0) >> 16) & 0xFF) ^ \
730 AES_FT3(((Y1) >> 24) & 0xFF); \
731 \
732 (X3) = *RK++ ^ AES_FT0(((Y3)) & 0xFF) ^ AES_FT1(((Y0) >> 8) & 0xFF) ^ AES_FT2(((Y1) >> 16) & 0xFF) ^ \
733 AES_FT3(((Y2) >> 24) & 0xFF); \
734 } while (0)
735
736 #define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
737 do { \
738 (X0) = *RK++ ^ AES_RT0(((Y0)) & 0xFF) ^ AES_RT1(((Y3) >> 8) & 0xFF) ^ AES_RT2(((Y2) >> 16) & 0xFF) ^ \
739 AES_RT3(((Y1) >> 24) & 0xFF); \
740 \
741 (X1) = *RK++ ^ AES_RT0(((Y1)) & 0xFF) ^ AES_RT1(((Y0) >> 8) & 0xFF) ^ AES_RT2(((Y3) >> 16) & 0xFF) ^ \
742 AES_RT3(((Y2) >> 24) & 0xFF); \
743 \
744 (X2) = *RK++ ^ AES_RT0(((Y2)) & 0xFF) ^ AES_RT1(((Y1) >> 8) & 0xFF) ^ AES_RT2(((Y0) >> 16) & 0xFF) ^ \
745 AES_RT3(((Y3) >> 24) & 0xFF); \
746 \
747 (X3) = *RK++ ^ AES_RT0(((Y3)) & 0xFF) ^ AES_RT1(((Y2) >> 8) & 0xFF) ^ AES_RT2(((Y1) >> 16) & 0xFF) ^ \
748 AES_RT3(((Y0) >> 24) & 0xFF); \
749 } while (0)
750
751 /*
752 * AES-ECB block encryption
753 */
754 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
mbedtls_internal_aes_encrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])755 int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16])
756 {
757 if (ctx->nr == 10) {
758 mbedtls_aes_lock();
759 (void)aes_encrypt((unsigned char *)ctx->buf, (unsigned char *)input, output);
760 mbedtls_aes_unlock();
761 return 0;
762 }
763
764 int i;
765 uint32_t *RK = ctx->rk;
766 struct {
767 uint32_t X[4];
768 uint32_t Y[4];
769 } t;
770
771 GET_UINT32_LE(t.X[0], input, 0);
772 t.X[0] ^= *RK++;
773 GET_UINT32_LE(t.X[1], input, 4);
774 t.X[1] ^= *RK++;
775 GET_UINT32_LE(t.X[2], input, 8);
776 t.X[2] ^= *RK++;
777 GET_UINT32_LE(t.X[3], input, 12);
778 t.X[3] ^= *RK++;
779
780 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
781 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
782 AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
783 }
784
785 AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
786
787 t.X[0] = *RK++ ^ ((uint32_t)FSb[(t.Y[0]) & 0xFF]) ^ ((uint32_t)FSb[(t.Y[1] >> 8) & 0xFF] << 8) ^
788 ((uint32_t)FSb[(t.Y[2] >> 16) & 0xFF] << 16) ^ ((uint32_t)FSb[(t.Y[3] >> 24) & 0xFF] << 24);
789
790 t.X[1] = *RK++ ^ ((uint32_t)FSb[(t.Y[1]) & 0xFF]) ^ ((uint32_t)FSb[(t.Y[2] >> 8) & 0xFF] << 8) ^
791 ((uint32_t)FSb[(t.Y[3] >> 16) & 0xFF] << 16) ^ ((uint32_t)FSb[(t.Y[0] >> 24) & 0xFF] << 24);
792
793 t.X[2] = *RK++ ^ ((uint32_t)FSb[(t.Y[2]) & 0xFF]) ^ ((uint32_t)FSb[(t.Y[3] >> 8) & 0xFF] << 8) ^
794 ((uint32_t)FSb[(t.Y[0] >> 16) & 0xFF] << 16) ^ ((uint32_t)FSb[(t.Y[1] >> 24) & 0xFF] << 24);
795
796 t.X[3] = *RK++ ^ ((uint32_t)FSb[(t.Y[3]) & 0xFF]) ^ ((uint32_t)FSb[(t.Y[0] >> 8) & 0xFF] << 8) ^
797 ((uint32_t)FSb[(t.Y[1] >> 16) & 0xFF] << 16) ^ ((uint32_t)FSb[(t.Y[2] >> 24) & 0xFF] << 24);
798
799 PUT_UINT32_LE(t.X[0], output, 0);
800 PUT_UINT32_LE(t.X[1], output, 4);
801 PUT_UINT32_LE(t.X[2], output, 8);
802 PUT_UINT32_LE(t.X[3], output, 12);
803
804 mbedtls_platform_zeroize(&t, sizeof(t));
805
806 return (0);
807 }
808 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
809
810 /*
811 * AES-ECB block decryption
812 */
813 #if !defined(MBEDTLS_AES_DECRYPT_ALT)
mbedtls_internal_aes_decrypt(mbedtls_aes_context * ctx,const unsigned char input[16],unsigned char output[16])814 int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16])
815 {
816 if (ctx->nr == 10) {
817 mbedtls_aes_lock();
818 (void)aes_decrypt((unsigned char *)ctx->buf, (unsigned char *)input, output);
819 mbedtls_aes_unlock();
820 return 0;
821 }
822
823 int i;
824 uint32_t *RK = ctx->rk;
825 struct {
826 uint32_t X[4];
827 uint32_t Y[4];
828 } t;
829
830 GET_UINT32_LE(t.X[0], input, 0);
831 t.X[0] ^= *RK++;
832 GET_UINT32_LE(t.X[1], input, 4);
833 t.X[1] ^= *RK++;
834 GET_UINT32_LE(t.X[2], input, 8);
835 t.X[2] ^= *RK++;
836 GET_UINT32_LE(t.X[3], input, 12);
837 t.X[3] ^= *RK++;
838
839 for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
840 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
841 AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
842 }
843
844 AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
845
846 t.X[0] = *RK++ ^ ((uint32_t)RSb[(t.Y[0]) & 0xFF]) ^ ((uint32_t)RSb[(t.Y[3] >> 8) & 0xFF] << 8) ^
847 ((uint32_t)RSb[(t.Y[2] >> 16) & 0xFF] << 16) ^ ((uint32_t)RSb[(t.Y[1] >> 24) & 0xFF] << 24);
848
849 t.X[1] = *RK++ ^ ((uint32_t)RSb[(t.Y[1]) & 0xFF]) ^ ((uint32_t)RSb[(t.Y[0] >> 8) & 0xFF] << 8) ^
850 ((uint32_t)RSb[(t.Y[3] >> 16) & 0xFF] << 16) ^ ((uint32_t)RSb[(t.Y[2] >> 24) & 0xFF] << 24);
851
852 t.X[2] = *RK++ ^ ((uint32_t)RSb[(t.Y[2]) & 0xFF]) ^ ((uint32_t)RSb[(t.Y[1] >> 8) & 0xFF] << 8) ^
853 ((uint32_t)RSb[(t.Y[0] >> 16) & 0xFF] << 16) ^ ((uint32_t)RSb[(t.Y[3] >> 24) & 0xFF] << 24);
854
855 t.X[3] = *RK++ ^ ((uint32_t)RSb[(t.Y[3]) & 0xFF]) ^ ((uint32_t)RSb[(t.Y[2] >> 8) & 0xFF] << 8) ^
856 ((uint32_t)RSb[(t.Y[1] >> 16) & 0xFF] << 16) ^ ((uint32_t)RSb[(t.Y[0] >> 24) & 0xFF] << 24);
857
858 PUT_UINT32_LE(t.X[0], output, 0);
859 PUT_UINT32_LE(t.X[1], output, 4);
860 PUT_UINT32_LE(t.X[2], output, 8);
861 PUT_UINT32_LE(t.X[3], output, 12);
862
863 mbedtls_platform_zeroize(&t, sizeof(t));
864
865 return (0);
866 }
867 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
868
869 /*
870 * AES-ECB block encryption/decryption
871 */
mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx,int mode,const unsigned char input[16],unsigned char output[16])872 int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, int mode, const unsigned char input[16], unsigned char output[16])
873 {
874 AES_VALIDATE_RET(ctx != NULL);
875 AES_VALIDATE_RET(input != NULL);
876 AES_VALIDATE_RET(output != NULL);
877 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || mode == MBEDTLS_AES_DECRYPT);
878
879 #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
880 if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES))
881 return (mbedtls_aesni_crypt_ecb(ctx, mode, input, output));
882 #endif
883
884 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
885 if (aes_padlock_ace > 0) {
886 if (mbedtls_padlock_xcryptecb(ctx, mode, input, output) == 0)
887 return (0);
888
889 // If padlock data misaligned, we just fall back to
890 // unaccelerated mode
891 //
892 }
893 #endif
894
895 if (mode == MBEDTLS_AES_ENCRYPT)
896 return (mbedtls_internal_aes_encrypt(ctx, input, output));
897 else
898 return (mbedtls_internal_aes_decrypt(ctx, input, output));
899 }
900
901 #if defined(MBEDTLS_CIPHER_MODE_CBC)
902 /*
903 * AES-CBC buffer encryption/decryption
904 */
mbedtls_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)905 int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx, int mode, size_t length, unsigned char iv[16],
906 const unsigned char *input, unsigned char *output)
907 {
908 int i;
909 unsigned char temp[16];
910
911 AES_VALIDATE_RET(ctx != NULL);
912 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || mode == MBEDTLS_AES_DECRYPT);
913 AES_VALIDATE_RET(iv != NULL);
914 AES_VALIDATE_RET(input != NULL);
915 AES_VALIDATE_RET(output != NULL);
916
917 if (length % 16)
918 return (MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH);
919
920 #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
921 if (aes_padlock_ace > 0) {
922 if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0)
923 return (0);
924
925 // If padlock data misaligned, we just fall back to
926 // unaccelerated mode
927 //
928 }
929 #endif
930
931 if (mode == MBEDTLS_AES_DECRYPT) {
932 while (length > 0) {
933 memcpy(temp, input, 16);
934 mbedtls_aes_crypt_ecb(ctx, mode, input, output);
935
936 for (i = 0; i < 16; i++)
937 output[i] = (unsigned char)(output[i] ^ iv[i]);
938
939 memcpy(iv, temp, 16);
940
941 input += 16;
942 output += 16;
943 length -= 16;
944 }
945 } else {
946 while (length > 0) {
947 for (i = 0; i < 16; i++)
948 output[i] = (unsigned char)(input[i] ^ iv[i]);
949
950 mbedtls_aes_crypt_ecb(ctx, mode, output, output);
951 memcpy(iv, output, 16);
952
953 input += 16;
954 output += 16;
955 length -= 16;
956 }
957 }
958
959 return (0);
960 }
961 #endif /* MBEDTLS_CIPHER_MODE_CBC */
962
963 #if defined(MBEDTLS_CIPHER_MODE_XTS)
964
965 /* Endianess with 64 bits values */
966 #ifndef GET_UINT64_LE
967 #define GET_UINT64_LE(n, b, i) \
968 { \
969 (n) = ((uint64_t)(b)[(i) + 7] << 56) | ((uint64_t)(b)[(i) + 6] << 48) | ((uint64_t)(b)[(i) + 5] << 40) | \
970 ((uint64_t)(b)[(i) + 4] << 32) | ((uint64_t)(b)[(i) + 3] << 24) | ((uint64_t)(b)[(i) + 2] << 16) | \
971 ((uint64_t)(b)[(i) + 1] << 8) | ((uint64_t)(b)[(i)]); \
972 }
973 #endif
974
975 #ifndef PUT_UINT64_LE
976 #define PUT_UINT64_LE(n, b, i) \
977 { \
978 (b)[(i) + 7] = (unsigned char)((n) >> 56); \
979 (b)[(i) + 6] = (unsigned char)((n) >> 48); \
980 (b)[(i) + 5] = (unsigned char)((n) >> 40); \
981 (b)[(i) + 4] = (unsigned char)((n) >> 32); \
982 (b)[(i) + 3] = (unsigned char)((n) >> 24); \
983 (b)[(i) + 2] = (unsigned char)((n) >> 16); \
984 (b)[(i) + 1] = (unsigned char)((n) >> 8); \
985 (b)[(i)] = (unsigned char)((n)); \
986 }
987 #endif
988
989 typedef unsigned char mbedtls_be128[16];
990
991 /*
992 * GF(2^128) multiplication function
993 *
994 * This function multiplies a field element by x in the polynomial field
995 * representation. It uses 64-bit word operations to gain speed but compensates
996 * for machine endianess and hence works correctly on both big and little
997 * endian machines.
998 */
mbedtls_gf128mul_x_ble(unsigned char r[16],const unsigned char x[16])999 static void mbedtls_gf128mul_x_ble(unsigned char r[16], const unsigned char x[16])
1000 {
1001 uint64_t a, b, ra, rb;
1002
1003 GET_UINT64_LE(a, x, 0);
1004 GET_UINT64_LE(b, x, 8);
1005
1006 ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
1007 rb = (a >> 63) | (b << 1);
1008
1009 PUT_UINT64_LE(ra, r, 0);
1010 PUT_UINT64_LE(rb, r, 8);
1011 }
1012
1013 /*
1014 * AES-XTS buffer encryption/decryption
1015 */
mbedtls_aes_crypt_xts(mbedtls_aes_xts_context * ctx,int mode,size_t length,const unsigned char data_unit[16],const unsigned char * input,unsigned char * output)1016 int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx, int mode, size_t length, const unsigned char data_unit[16],
1017 const unsigned char *input, unsigned char *output)
1018 {
1019 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1020 size_t blocks = length / 16;
1021 size_t leftover = length % 16;
1022 unsigned char tweak[16];
1023 unsigned char prev_tweak[16];
1024 unsigned char tmp[16];
1025
1026 AES_VALIDATE_RET(ctx != NULL);
1027 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || mode == MBEDTLS_AES_DECRYPT);
1028 AES_VALIDATE_RET(data_unit != NULL);
1029 AES_VALIDATE_RET(input != NULL);
1030 AES_VALIDATE_RET(output != NULL);
1031
1032 /* Data units must be at least 16 bytes long. */
1033 if (length < 16)
1034 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1035
1036 /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1037 if (length > (1 << 20) * 16)
1038 return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
1039
1040 /* Compute the tweak. */
1041 ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT, data_unit, tweak);
1042 if (ret != 0)
1043 return (ret);
1044
1045 while (blocks--) {
1046 size_t i;
1047
1048 if (leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0) {
1049 /* We are on the last block in a decrypt operation that has
1050 * leftover bytes, so we need to use the next tweak for this block,
1051 * and this tweak for the lefover bytes. Save the current tweak for
1052 * the leftovers and then update the current tweak for use on this,
1053 * the last full block. */
1054 memcpy(prev_tweak, tweak, sizeof(tweak));
1055 mbedtls_gf128mul_x_ble(tweak, tweak);
1056 }
1057
1058 for (i = 0; i < 16; i++)
1059 tmp[i] = input[i] ^ tweak[i];
1060
1061 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1062 if (ret != 0)
1063 return (ret);
1064
1065 for (i = 0; i < 16; i++)
1066 output[i] = tmp[i] ^ tweak[i];
1067
1068 /* Update the tweak for the next block. */
1069 mbedtls_gf128mul_x_ble(tweak, tweak);
1070
1071 output += 16;
1072 input += 16;
1073 }
1074
1075 if (leftover) {
1076 /* If we are on the leftover bytes in a decrypt operation, we need to
1077 * use the previous tweak for these bytes (as saved in prev_tweak). */
1078 unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1079
1080 /* We are now on the final part of the data unit, which doesn't divide
1081 * evenly by 16. It's time for ciphertext stealing. */
1082 size_t i;
1083 unsigned char *prev_output = output - 16;
1084
1085 /* Copy ciphertext bytes from the previous block to our output for each
1086 * byte of cyphertext we won't steal. At the same time, copy the
1087 * remainder of the input for this final round (since the loop bounds
1088 * are the same). */
1089 for (i = 0; i < leftover; i++) {
1090 output[i] = prev_output[i];
1091 tmp[i] = input[i] ^ t[i];
1092 }
1093
1094 /* Copy ciphertext bytes from the previous block for input in this
1095 * round. */
1096 for (; i < 16; i++)
1097 tmp[i] = prev_output[i] ^ t[i];
1098
1099 ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1100 if (ret != 0)
1101 return ret;
1102
1103 /* Write the result back to the previous block, overriding the previous
1104 * output we copied. */
1105 for (i = 0; i < 16; i++)
1106 prev_output[i] = tmp[i] ^ t[i];
1107 }
1108
1109 return (0);
1110 }
1111 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1112
1113 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1114 /*
1115 * AES-CFB128 buffer encryption/decryption
1116 */
mbedtls_aes_crypt_cfb128(mbedtls_aes_context * ctx,int mode,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1117 int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx, int mode, size_t length, size_t *iv_off, unsigned char iv[16],
1118 const unsigned char *input, unsigned char *output)
1119 {
1120 int c;
1121 size_t n;
1122
1123 AES_VALIDATE_RET(ctx != NULL);
1124 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || mode == MBEDTLS_AES_DECRYPT);
1125 AES_VALIDATE_RET(iv_off != NULL);
1126 AES_VALIDATE_RET(iv != NULL);
1127 AES_VALIDATE_RET(input != NULL);
1128 AES_VALIDATE_RET(output != NULL);
1129
1130 n = *iv_off;
1131
1132 if (n > 15)
1133 return (MBEDTLS_ERR_AES_BAD_INPUT_DATA);
1134
1135 if (mode == MBEDTLS_AES_DECRYPT) {
1136 while (length--) {
1137 if (n == 0)
1138 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1139
1140 c = *input++;
1141 *output++ = (unsigned char)(c ^ iv[n]);
1142 iv[n] = (unsigned char)c;
1143
1144 n = (n + 1) & 0x0F;
1145 }
1146 } else {
1147 while (length--) {
1148 if (n == 0)
1149 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1150
1151 iv[n] = *output++ = (unsigned char)(iv[n] ^ *input++);
1152
1153 n = (n + 1) & 0x0F;
1154 }
1155 }
1156
1157 *iv_off = n;
1158
1159 return (0);
1160 }
1161
1162 /*
1163 * AES-CFB8 buffer encryption/decryption
1164 */
mbedtls_aes_crypt_cfb8(mbedtls_aes_context * ctx,int mode,size_t length,unsigned char iv[16],const unsigned char * input,unsigned char * output)1165 int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx, int mode, size_t length, unsigned char iv[16],
1166 const unsigned char *input, unsigned char *output)
1167 {
1168 unsigned char c;
1169 unsigned char ov[17];
1170
1171 AES_VALIDATE_RET(ctx != NULL);
1172 AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT || mode == MBEDTLS_AES_DECRYPT);
1173 AES_VALIDATE_RET(iv != NULL);
1174 AES_VALIDATE_RET(input != NULL);
1175 AES_VALIDATE_RET(output != NULL);
1176 while (length--) {
1177 memcpy(ov, iv, 16);
1178 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1179
1180 if (mode == MBEDTLS_AES_DECRYPT)
1181 ov[16] = *input;
1182
1183 c = *output++ = (unsigned char)(iv[0] ^ *input++);
1184
1185 if (mode == MBEDTLS_AES_ENCRYPT)
1186 ov[16] = c;
1187
1188 memcpy(iv, ov + 1, 16);
1189 }
1190
1191 return (0);
1192 }
1193 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1194
1195 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1196 /*
1197 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1198 */
mbedtls_aes_crypt_ofb(mbedtls_aes_context * ctx,size_t length,size_t * iv_off,unsigned char iv[16],const unsigned char * input,unsigned char * output)1199 int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx, size_t length, size_t *iv_off, unsigned char iv[16],
1200 const unsigned char *input, unsigned char *output)
1201 {
1202 int ret = 0;
1203 size_t n;
1204
1205 AES_VALIDATE_RET(ctx != NULL);
1206 AES_VALIDATE_RET(iv_off != NULL);
1207 AES_VALIDATE_RET(iv != NULL);
1208 AES_VALIDATE_RET(input != NULL);
1209 AES_VALIDATE_RET(output != NULL);
1210
1211 n = *iv_off;
1212
1213 if (n > 15)
1214 return (MBEDTLS_ERR_AES_BAD_INPUT_DATA);
1215
1216 while (length--) {
1217 if (n == 0) {
1218 ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
1219 if (ret != 0)
1220 goto exit;
1221 }
1222 *output++ = *input++ ^ iv[n];
1223
1224 n = (n + 1) & 0x0F;
1225 }
1226
1227 *iv_off = n;
1228
1229 exit:
1230 return (ret);
1231 }
1232 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1233
1234 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1235 /*
1236 * AES-CTR buffer encryption/decryption
1237 */
mbedtls_aes_crypt_ctr(mbedtls_aes_context * ctx,size_t length,size_t * nc_off,unsigned char nonce_counter[16],unsigned char stream_block[16],const unsigned char * input,unsigned char * output)1238 int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx, size_t length, size_t *nc_off, unsigned char nonce_counter[16],
1239 unsigned char stream_block[16], const unsigned char *input, unsigned char *output)
1240 {
1241 int c, i;
1242 size_t n;
1243
1244 AES_VALIDATE_RET(ctx != NULL);
1245 AES_VALIDATE_RET(nc_off != NULL);
1246 AES_VALIDATE_RET(nonce_counter != NULL);
1247 AES_VALIDATE_RET(stream_block != NULL);
1248 AES_VALIDATE_RET(input != NULL);
1249 AES_VALIDATE_RET(output != NULL);
1250
1251 n = *nc_off;
1252
1253 if (n > 0x0F)
1254 return (MBEDTLS_ERR_AES_BAD_INPUT_DATA);
1255
1256 while (length--) {
1257 if (n == 0) {
1258 mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
1259
1260 for (i = 16; i > 0; i--)
1261 if (++nonce_counter[i - 1] != 0)
1262 break;
1263 }
1264 c = *input++;
1265 *output++ = (unsigned char)(c ^ stream_block[n]);
1266
1267 n = (n + 1) & 0x0F;
1268 }
1269
1270 *nc_off = n;
1271
1272 return (0);
1273 }
1274 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1275
1276 #endif /* MBEDTLS_AES_ALT */
1277
1278 #endif /* MBEDTLS_AES_C */
1279