1a8e1175bSopenharmony_ci/* 2a8e1175bSopenharmony_ci * FIPS-197 compliant AES implementation 3a8e1175bSopenharmony_ci * 4a8e1175bSopenharmony_ci * Copyright The Mbed TLS Contributors 5a8e1175bSopenharmony_ci * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6a8e1175bSopenharmony_ci */ 7a8e1175bSopenharmony_ci/* 8a8e1175bSopenharmony_ci * The AES block cipher was designed by Vincent Rijmen and Joan Daemen. 9a8e1175bSopenharmony_ci * 10a8e1175bSopenharmony_ci * https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf 11a8e1175bSopenharmony_ci * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf 12a8e1175bSopenharmony_ci */ 13a8e1175bSopenharmony_ci 14a8e1175bSopenharmony_ci#include "common.h" 15a8e1175bSopenharmony_ci 16a8e1175bSopenharmony_ci#if defined(MBEDTLS_AES_C) 17a8e1175bSopenharmony_ci 18a8e1175bSopenharmony_ci#include <string.h> 19a8e1175bSopenharmony_ci 20a8e1175bSopenharmony_ci#include "mbedtls/aes.h" 21a8e1175bSopenharmony_ci#include "mbedtls/platform.h" 22a8e1175bSopenharmony_ci#include "mbedtls/platform_util.h" 23a8e1175bSopenharmony_ci#include "mbedtls/error.h" 24a8e1175bSopenharmony_ci 25a8e1175bSopenharmony_ci#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) 26a8e1175bSopenharmony_ci#if !((defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_AESCE_C)) || \ 27a8e1175bSopenharmony_ci (defined(MBEDTLS_ARCH_IS_X64) && defined(MBEDTLS_AESNI_C)) || \ 28a8e1175bSopenharmony_ci (defined(MBEDTLS_ARCH_IS_X86) && defined(MBEDTLS_AESNI_C))) 29a8e1175bSopenharmony_ci#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites" 30a8e1175bSopenharmony_ci#endif 31a8e1175bSopenharmony_ci#endif 32a8e1175bSopenharmony_ci 33a8e1175bSopenharmony_ci#if defined(MBEDTLS_ARCH_IS_X86) 34a8e1175bSopenharmony_ci#if defined(MBEDTLS_PADLOCK_C) 35a8e1175bSopenharmony_ci#if !defined(MBEDTLS_HAVE_ASM) 36a8e1175bSopenharmony_ci#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites" 
37a8e1175bSopenharmony_ci#endif 38a8e1175bSopenharmony_ci#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) 39a8e1175bSopenharmony_ci#error "MBEDTLS_AES_USE_HARDWARE_ONLY cannot be defined when " \ 40a8e1175bSopenharmony_ci "MBEDTLS_PADLOCK_C is set" 41a8e1175bSopenharmony_ci#endif 42a8e1175bSopenharmony_ci#endif 43a8e1175bSopenharmony_ci#endif 44a8e1175bSopenharmony_ci 45a8e1175bSopenharmony_ci#if defined(MBEDTLS_PADLOCK_C) 46a8e1175bSopenharmony_ci#include "padlock.h" 47a8e1175bSopenharmony_ci#endif 48a8e1175bSopenharmony_ci#if defined(MBEDTLS_AESNI_C) 49a8e1175bSopenharmony_ci#include "aesni.h" 50a8e1175bSopenharmony_ci#endif 51a8e1175bSopenharmony_ci#if defined(MBEDTLS_AESCE_C) 52a8e1175bSopenharmony_ci#include "aesce.h" 53a8e1175bSopenharmony_ci#endif 54a8e1175bSopenharmony_ci 55a8e1175bSopenharmony_ci#include "mbedtls/platform.h" 56a8e1175bSopenharmony_ci#include "ctr.h" 57a8e1175bSopenharmony_ci 58a8e1175bSopenharmony_ci/* 59a8e1175bSopenharmony_ci * This is a convenience shorthand macro to check if we need reverse S-box and 60a8e1175bSopenharmony_ci * reverse tables. It's private and only defined in this file. 
61a8e1175bSopenharmony_ci */ 62a8e1175bSopenharmony_ci#if (!defined(MBEDTLS_AES_DECRYPT_ALT) || \ 63a8e1175bSopenharmony_ci (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY))) && \ 64a8e1175bSopenharmony_ci !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 65a8e1175bSopenharmony_ci#define MBEDTLS_AES_NEED_REVERSE_TABLES 66a8e1175bSopenharmony_ci#endif 67a8e1175bSopenharmony_ci 68a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ALT) 69a8e1175bSopenharmony_ci 70a8e1175bSopenharmony_ci#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) 71a8e1175bSopenharmony_cistatic int aes_padlock_ace = -1; 72a8e1175bSopenharmony_ci#endif 73a8e1175bSopenharmony_ci 74a8e1175bSopenharmony_ci#if defined(MBEDTLS_AES_ROM_TABLES) 75a8e1175bSopenharmony_ci/* 76a8e1175bSopenharmony_ci * Forward S-box 77a8e1175bSopenharmony_ci */ 78a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const unsigned char FSb[256] = 79a8e1175bSopenharmony_ci{ 80a8e1175bSopenharmony_ci 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 81a8e1175bSopenharmony_ci 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 82a8e1175bSopenharmony_ci 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 83a8e1175bSopenharmony_ci 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 84a8e1175bSopenharmony_ci 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 85a8e1175bSopenharmony_ci 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 86a8e1175bSopenharmony_ci 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 87a8e1175bSopenharmony_ci 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 88a8e1175bSopenharmony_ci 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 89a8e1175bSopenharmony_ci 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 90a8e1175bSopenharmony_ci 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 91a8e1175bSopenharmony_ci 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 92a8e1175bSopenharmony_ci 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 93a8e1175bSopenharmony_ci 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 
94a8e1175bSopenharmony_ci 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 95a8e1175bSopenharmony_ci 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 96a8e1175bSopenharmony_ci 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 97a8e1175bSopenharmony_ci 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 98a8e1175bSopenharmony_ci 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 99a8e1175bSopenharmony_ci 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 100a8e1175bSopenharmony_ci 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 101a8e1175bSopenharmony_ci 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 102a8e1175bSopenharmony_ci 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 103a8e1175bSopenharmony_ci 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 104a8e1175bSopenharmony_ci 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 105a8e1175bSopenharmony_ci 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 106a8e1175bSopenharmony_ci 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 107a8e1175bSopenharmony_ci 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 108a8e1175bSopenharmony_ci 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 109a8e1175bSopenharmony_ci 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 110a8e1175bSopenharmony_ci 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 111a8e1175bSopenharmony_ci 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16 112a8e1175bSopenharmony_ci}; 113a8e1175bSopenharmony_ci 114a8e1175bSopenharmony_ci/* 115a8e1175bSopenharmony_ci * Forward tables 116a8e1175bSopenharmony_ci */ 117a8e1175bSopenharmony_ci#define FT \ 118a8e1175bSopenharmony_ci\ 119a8e1175bSopenharmony_ci V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \ 120a8e1175bSopenharmony_ci V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \ 121a8e1175bSopenharmony_ci V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \ 122a8e1175bSopenharmony_ci V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \ 
123a8e1175bSopenharmony_ci V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \ 124a8e1175bSopenharmony_ci V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \ 125a8e1175bSopenharmony_ci V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \ 126a8e1175bSopenharmony_ci V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \ 127a8e1175bSopenharmony_ci V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \ 128a8e1175bSopenharmony_ci V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \ 129a8e1175bSopenharmony_ci V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \ 130a8e1175bSopenharmony_ci V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \ 131a8e1175bSopenharmony_ci V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \ 132a8e1175bSopenharmony_ci V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \ 133a8e1175bSopenharmony_ci V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \ 134a8e1175bSopenharmony_ci V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \ 135a8e1175bSopenharmony_ci V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \ 136a8e1175bSopenharmony_ci V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \ 137a8e1175bSopenharmony_ci V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \ 138a8e1175bSopenharmony_ci V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \ 139a8e1175bSopenharmony_ci V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \ 140a8e1175bSopenharmony_ci V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \ 141a8e1175bSopenharmony_ci V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \ 
142a8e1175bSopenharmony_ci V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \ 143a8e1175bSopenharmony_ci V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \ 144a8e1175bSopenharmony_ci V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \ 145a8e1175bSopenharmony_ci V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \ 146a8e1175bSopenharmony_ci V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \ 147a8e1175bSopenharmony_ci V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \ 148a8e1175bSopenharmony_ci V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \ 149a8e1175bSopenharmony_ci V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \ 150a8e1175bSopenharmony_ci V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \ 151a8e1175bSopenharmony_ci V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \ 152a8e1175bSopenharmony_ci V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \ 153a8e1175bSopenharmony_ci V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \ 154a8e1175bSopenharmony_ci V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \ 155a8e1175bSopenharmony_ci V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \ 156a8e1175bSopenharmony_ci V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \ 157a8e1175bSopenharmony_ci V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \ 158a8e1175bSopenharmony_ci V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \ 159a8e1175bSopenharmony_ci V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \ 160a8e1175bSopenharmony_ci V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \ 
161a8e1175bSopenharmony_ci V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \ 162a8e1175bSopenharmony_ci V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \ 163a8e1175bSopenharmony_ci V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \ 164a8e1175bSopenharmony_ci V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \ 165a8e1175bSopenharmony_ci V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \ 166a8e1175bSopenharmony_ci V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \ 167a8e1175bSopenharmony_ci V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \ 168a8e1175bSopenharmony_ci V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \ 169a8e1175bSopenharmony_ci V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \ 170a8e1175bSopenharmony_ci V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \ 171a8e1175bSopenharmony_ci V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \ 172a8e1175bSopenharmony_ci V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \ 173a8e1175bSopenharmony_ci V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \ 174a8e1175bSopenharmony_ci V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \ 175a8e1175bSopenharmony_ci V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \ 176a8e1175bSopenharmony_ci V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \ 177a8e1175bSopenharmony_ci V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \ 178a8e1175bSopenharmony_ci V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \ 179a8e1175bSopenharmony_ci V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \ 
180a8e1175bSopenharmony_ci V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \ 181a8e1175bSopenharmony_ci V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \ 182a8e1175bSopenharmony_ci V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C) 183a8e1175bSopenharmony_ci 184a8e1175bSopenharmony_ci#define V(a, b, c, d) 0x##a##b##c##d 185a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const uint32_t FT0[256] = { FT }; 186a8e1175bSopenharmony_ci#undef V 187a8e1175bSopenharmony_ci 188a8e1175bSopenharmony_ci#define V(a, b, c, d) 0x##b##c##d##a 189a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const uint32_t FT1[256] = { FT }; 190a8e1175bSopenharmony_ci#undef V 191a8e1175bSopenharmony_ci 192a8e1175bSopenharmony_ci#define V(a, b, c, d) 0x##c##d##a##b 193a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const uint32_t FT2[256] = { FT }; 194a8e1175bSopenharmony_ci#undef V 195a8e1175bSopenharmony_ci 196a8e1175bSopenharmony_ci#define V(a, b, c, d) 0x##d##a##b##c 197a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const uint32_t FT3[256] = { FT }; 198a8e1175bSopenharmony_ci#undef V 199a8e1175bSopenharmony_ci 200a8e1175bSopenharmony_ci#undef FT 201a8e1175bSopenharmony_ci 202a8e1175bSopenharmony_ci/* 203a8e1175bSopenharmony_ci * Reverse S-box 204a8e1175bSopenharmony_ci */ 205a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const unsigned char RSb[256] = 206a8e1175bSopenharmony_ci{ 207a8e1175bSopenharmony_ci 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 208a8e1175bSopenharmony_ci 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB, 209a8e1175bSopenharmony_ci 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 210a8e1175bSopenharmony_ci 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 211a8e1175bSopenharmony_ci 0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 212a8e1175bSopenharmony_ci 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E, 213a8e1175bSopenharmony_ci 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 
214a8e1175bSopenharmony_ci 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25, 215a8e1175bSopenharmony_ci 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 216a8e1175bSopenharmony_ci 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 217a8e1175bSopenharmony_ci 0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 218a8e1175bSopenharmony_ci 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84, 219a8e1175bSopenharmony_ci 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 220a8e1175bSopenharmony_ci 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06, 221a8e1175bSopenharmony_ci 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 222a8e1175bSopenharmony_ci 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 223a8e1175bSopenharmony_ci 0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 224a8e1175bSopenharmony_ci 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73, 225a8e1175bSopenharmony_ci 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 226a8e1175bSopenharmony_ci 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E, 227a8e1175bSopenharmony_ci 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 228a8e1175bSopenharmony_ci 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 229a8e1175bSopenharmony_ci 0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 230a8e1175bSopenharmony_ci 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4, 231a8e1175bSopenharmony_ci 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 232a8e1175bSopenharmony_ci 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F, 233a8e1175bSopenharmony_ci 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 234a8e1175bSopenharmony_ci 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 235a8e1175bSopenharmony_ci 0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 236a8e1175bSopenharmony_ci 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61, 237a8e1175bSopenharmony_ci 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 238a8e1175bSopenharmony_ci 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D 239a8e1175bSopenharmony_ci}; 240a8e1175bSopenharmony_ci 241a8e1175bSopenharmony_ci/* 242a8e1175bSopenharmony_ci * Reverse 
tables 243a8e1175bSopenharmony_ci */ 244a8e1175bSopenharmony_ci#define RT \ 245a8e1175bSopenharmony_ci\ 246a8e1175bSopenharmony_ci V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \ 247a8e1175bSopenharmony_ci V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \ 248a8e1175bSopenharmony_ci V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \ 249a8e1175bSopenharmony_ci V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \ 250a8e1175bSopenharmony_ci V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \ 251a8e1175bSopenharmony_ci V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \ 252a8e1175bSopenharmony_ci V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \ 253a8e1175bSopenharmony_ci V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \ 254a8e1175bSopenharmony_ci V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \ 255a8e1175bSopenharmony_ci V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \ 256a8e1175bSopenharmony_ci V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \ 257a8e1175bSopenharmony_ci V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \ 258a8e1175bSopenharmony_ci V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \ 259a8e1175bSopenharmony_ci V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \ 260a8e1175bSopenharmony_ci V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \ 261a8e1175bSopenharmony_ci V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \ 262a8e1175bSopenharmony_ci V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \ 263a8e1175bSopenharmony_ci V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \ 
264a8e1175bSopenharmony_ci V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \ 265a8e1175bSopenharmony_ci V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \ 266a8e1175bSopenharmony_ci V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \ 267a8e1175bSopenharmony_ci V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \ 268a8e1175bSopenharmony_ci V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \ 269a8e1175bSopenharmony_ci V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \ 270a8e1175bSopenharmony_ci V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \ 271a8e1175bSopenharmony_ci V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \ 272a8e1175bSopenharmony_ci V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \ 273a8e1175bSopenharmony_ci V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \ 274a8e1175bSopenharmony_ci V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \ 275a8e1175bSopenharmony_ci V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \ 276a8e1175bSopenharmony_ci V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \ 277a8e1175bSopenharmony_ci V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \ 278a8e1175bSopenharmony_ci V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \ 279a8e1175bSopenharmony_ci V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \ 280a8e1175bSopenharmony_ci V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \ 281a8e1175bSopenharmony_ci V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \ 282a8e1175bSopenharmony_ci V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \ 
283a8e1175bSopenharmony_ci V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \ 284a8e1175bSopenharmony_ci V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \ 285a8e1175bSopenharmony_ci V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \ 286a8e1175bSopenharmony_ci V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \ 287a8e1175bSopenharmony_ci V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \ 288a8e1175bSopenharmony_ci V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \ 289a8e1175bSopenharmony_ci V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \ 290a8e1175bSopenharmony_ci V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \ 291a8e1175bSopenharmony_ci V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \ 292a8e1175bSopenharmony_ci V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \ 293a8e1175bSopenharmony_ci V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \ 294a8e1175bSopenharmony_ci V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \ 295a8e1175bSopenharmony_ci V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \ 296a8e1175bSopenharmony_ci V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \ 297a8e1175bSopenharmony_ci V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \ 298a8e1175bSopenharmony_ci V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \ 299a8e1175bSopenharmony_ci V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \ 300a8e1175bSopenharmony_ci V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \ 301a8e1175bSopenharmony_ci V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \ 
302a8e1175bSopenharmony_ci V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \ 303a8e1175bSopenharmony_ci V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \ 304a8e1175bSopenharmony_ci V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \ 305a8e1175bSopenharmony_ci V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \ 306a8e1175bSopenharmony_ci V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \ 307a8e1175bSopenharmony_ci V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \ 308a8e1175bSopenharmony_ci V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \ 309a8e1175bSopenharmony_ci V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0) 310a8e1175bSopenharmony_ci 311a8e1175bSopenharmony_ci 312a8e1175bSopenharmony_ci#define V(a, b, c, d) 0x##a##b##c##d 313a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const uint32_t RT0[256] = { RT }; 314a8e1175bSopenharmony_ci#undef V 315a8e1175bSopenharmony_ci 316a8e1175bSopenharmony_ci#define V(a, b, c, d) 0x##b##c##d##a 317a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const uint32_t RT1[256] = { RT }; 318a8e1175bSopenharmony_ci#undef V 319a8e1175bSopenharmony_ci 320a8e1175bSopenharmony_ci#define V(a, b, c, d) 0x##c##d##a##b 321a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const uint32_t RT2[256] = { RT }; 322a8e1175bSopenharmony_ci#undef V 323a8e1175bSopenharmony_ci 324a8e1175bSopenharmony_ci#define V(a, b, c, d) 0x##d##a##b##c 325a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const uint32_t RT3[256] = { RT }; 326a8e1175bSopenharmony_ci#undef V 327a8e1175bSopenharmony_ci 328a8e1175bSopenharmony_ci#undef RT 329a8e1175bSopenharmony_ci 330a8e1175bSopenharmony_ci/* 331a8e1175bSopenharmony_ci * Round constants 332a8e1175bSopenharmony_ci */ 333a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static const uint32_t round_constants[10] 
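=
{
    0x00000001, 0x00000002, 0x00000004, 0x00000008,
    0x00000010, 0x00000020, 0x00000040, 0x00000080,
    0x0000001B, 0x00000036
};

#else /* MBEDTLS_AES_ROM_TABLES */

/*
 * Forward S-box & tables
 *
 * Without MBEDTLS_AES_ROM_TABLES these arrays live in writable memory and
 * are filled in by aes_gen_tables() below.
 *
 * NOTE(review): the round functions that read these tables are outside this
 * view; presumably they index them with state bytes. Table-driven AES is a
 * well-known cache-timing surface, so builds whose threat model includes a
 * co-resident observer should prefer the hardware paths (MBEDTLS_AESNI_C /
 * MBEDTLS_AESCE_C, optionally MBEDTLS_AES_USE_HARDWARE_ONLY) -- confirm
 * against the project's security policy.
 */
MBEDTLS_MAYBE_UNUSED static unsigned char FSb[256];
MBEDTLS_MAYBE_UNUSED static uint32_t FT0[256];
MBEDTLS_MAYBE_UNUSED static uint32_t FT1[256];
MBEDTLS_MAYBE_UNUSED static uint32_t FT2[256];
MBEDTLS_MAYBE_UNUSED static uint32_t FT3[256];

/*
 * Reverse S-box & tables
 */
MBEDTLS_MAYBE_UNUSED static unsigned char RSb[256];

MBEDTLS_MAYBE_UNUSED static uint32_t RT0[256];
MBEDTLS_MAYBE_UNUSED static uint32_t RT1[256];
MBEDTLS_MAYBE_UNUSED static uint32_t RT2[256];
MBEDTLS_MAYBE_UNUSED static uint32_t RT3[256];

/*
 * Round constants
 */
MBEDTLS_MAYBE_UNUSED static uint32_t round_constants[10];

/*
 * Tables generation code
 *
 * ROTL8: rotate a 32-bit word left by 8 bits. The expansion is wrapped in an
 *        outer pair of parentheses so that it stays a single operand when
 *        used inside a larger expression.
 * XTIME: multiply by x (0x02) in GF(2^8). The result may carry bit 8; every
 *        use below stores it into a uint8_t, which drops that bit and so
 *        completes the reduction by 0x1B.
 * MUL:   GF(2^8) product via the local pow[]/log[] arrays of
 *        aes_gen_tables(); only usable inside that function. Zero operands
 *        are short-circuited, so log[0] is never read.
 */
#define ROTL8(x) ((((x) << 8) & 0xFFFFFFFF) | ((x) >> 24))
#define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
#define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)

/*
 * Flag for the lazy table generation; it is only initialised here.
 * NOTE(review): the code that tests and sets it is outside this view. It is
 * a plain int with no synchronisation visible here -- confirm that first use
 * is serialised by the callers.
 */
MBEDTLS_MAYBE_UNUSED static int aes_init_done = 0;

/*
 * Fill the RAM copies of the AES tables: round constants, forward S-box and
 * forward tables, and (when MBEDTLS_AES_NEED_REVERSE_TABLES is defined) the
 * reverse S-box and reverse tables. With MBEDTLS_AES_FEWER_TABLES only FT0
 * and RT0 are filled.
 *
 * Takes no input and returns nothing; all results are written to the
 * file-scope arrays declared above.
 */
MBEDTLS_MAYBE_UNUSED static void aes_gen_tables(void)
{
    int i;
    uint8_t x, y, z;
    uint8_t pow[256];
    uint8_t log[256];

    /*
     * compute pow and log tables over GF(2^8)
     *
     * Each step multiplies x by 0x03 (x ^ XTIME(x)). Since 0x03 has order
     * 255, the last iteration stores pow[255] = 1 and leaves log[1] = 255.
     * x never becomes 0, so log[0] stays unwritten; MUL() never reads it.
     */
    for (i = 0, x = 1; i < 256; i++) {
        pow[i] = x;
        log[x] = (uint8_t) i;
        x ^= XTIME(x);
    }

    /*
     * calculate the round constants
     *
     * Successive doublings of 1; the store into the uint8_t x performs the
     * reduction, which yields the trailing 0x1B and 0x36.
     */
    for (i = 0, x = 1; i < 10; i++) {
        round_constants[i] = x;
        x = XTIME(x);
    }

    /*
     * generate the forward and reverse S-boxes
     *
     * 0 has no multiplicative inverse, so its entry is set directly.
     */
    FSb[0x00] = 0x63;
#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
    RSb[0x63] = 0x00;
#endif

    for (i = 1; i < 256; i++) {
        /* multiplicative inverse of i */
        x = pow[255 - log[i]];

        /*
         * Affine step: XOR the inverse with its four successive 1-bit left
         * rotations and with 0x63. The statement order matters, because y
         * carries the running rotation from one line to the next.
         */
        y = x; y = (y << 1) | (y >> 7);
        x ^= y; y = (y << 1) | (y >> 7);
        x ^= y; y = (y << 1) | (y >> 7);
        x ^= y; y = (y << 1) | (y >> 7);
        x ^= y ^ 0x63;

        FSb[i] = x;
#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
        RSb[x] = (unsigned char) i;
#endif
    }

    /*
     * generate the forward and reverse tables
     */
    for (i = 0; i < 256; i++) {
        x = FSb[i];
        y = XTIME(x);   /* 0x02 * S[i] */
        z = y ^ x;      /* 0x03 * S[i] */

        /* bytes from least to most significant: 02*S, S, S, 03*S */
        FT0[i] = ((uint32_t) y) ^
                 ((uint32_t) x <<  8) ^
                 ((uint32_t) x << 16) ^
                 ((uint32_t) z << 24);

#if !defined(MBEDTLS_AES_FEWER_TABLES)
        /* each further table is the previous one rotated left by 8 bits */
        FT1[i] = ROTL8(FT0[i]);
        FT2[i] = ROTL8(FT1[i]);
        FT3[i] = ROTL8(FT2[i]);
#endif /* !MBEDTLS_AES_FEWER_TABLES */

#if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
        x = RSb[i];

        /* bytes from least to most significant: 0E, 09, 0D, 0B times RSb[i] */
        RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
                 ((uint32_t) MUL(0x09, x) <<  8) ^
                 ((uint32_t) MUL(0x0D, x) << 16) ^
                 ((uint32_t) MUL(0x0B, x) << 24);

#if !defined(MBEDTLS_AES_FEWER_TABLES)
        RT1[i] = ROTL8(RT0[i]);
        RT2[i] = ROTL8(RT1[i]);
        RT3[i] = ROTL8(RT2[i]);
#endif /* !MBEDTLS_AES_FEWER_TABLES */
#endif /* MBEDTLS_AES_NEED_REVERSE_TABLES */
    }
}

/* ROTL8 is redefined for the MBEDTLS_AES_FEWER_TABLES accessors that follow. */
#undef ROTL8
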
#endif /* MBEDTLS_AES_ROM_TABLES */

#if defined(MBEDTLS_AES_FEWER_TABLES)

/*
 * Only RT0 and FT0 are used in this configuration; the accessors for tables
 * 1..3 are derived from them by rotating left by 8, 16 or 24 bits.
 */
#define ROTL8(x)  ((uint32_t) ((x) <<  8) + (uint32_t) ((x) >> 24))
#define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
#define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >>  8))

#define AES_RT0(idx) RT0[idx]
#define AES_RT1(idx) ROTL8(RT0[idx])
#define AES_RT2(idx) ROTL16(RT0[idx])
#define AES_RT3(idx) ROTL24(RT0[idx])

#define AES_FT0(idx) FT0[idx]
#define AES_FT1(idx) ROTL8(FT0[idx])
#define AES_FT2(idx) ROTL16(FT0[idx])
#define AES_FT3(idx) ROTL24(FT0[idx])

#else /* MBEDTLS_AES_FEWER_TABLES */

/* All four tables exist, so each accessor is a plain lookup. */
#define AES_RT0(idx) RT0[idx]
#define AES_RT1(idx) RT1[idx]
#define AES_RT2(idx) RT2[idx]
#define AES_RT3(idx) RT3[idx]

#define AES_FT0(idx) FT0[idx]
#define AES_FT1(idx) FT1[idx]
#define AES_FT2(idx) FT2[idx]
#define AES_FT3(idx) FT3[idx]

#endif /* MBEDTLS_AES_FEWER_TABLES */

/*
 * Put an AES context into its initial state by zero-filling it.
 * ctx is dereferenced without a NULL check, so it must point to a valid
 * context.
 */
void mbedtls_aes_init(mbedtls_aes_context *ctx)
{
    memset(ctx, 0, sizeof(*ctx));
}

/*
 * Wipe an AES context. A NULL ctx is accepted and ignored.
 * The wipe goes through mbedtls_platform_zeroize() rather than memset(), so
 * that clearing the context contents is not removed by the optimiser.
 */
void mbedtls_aes_free(mbedtls_aes_context *ctx)
{
    if (ctx != NULL) {
        mbedtls_platform_zeroize(ctx, sizeof(*ctx));
    }
}

#if defined(MBEDTLS_CIPHER_MODE_XTS)
/*
 * Initialise both sub-contexts (crypt and tweak) of an XTS context.
 * ctx must not be NULL.
 */
void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
{
    mbedtls_aes_init(&ctx->crypt);
    mbedtls_aes_init(&ctx->tweak);
}

/*
 * Wipe both sub-contexts of an XTS context. A NULL ctx is accepted and
 * ignored.
 */
void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
{
    if (ctx != NULL) {
        mbedtls_aes_free(&ctx->crypt);
        mbedtls_aes_free(&ctx->tweak);
    }
}
#endif /* MBEDTLS_CIPHER_MODE_XTS */

/* Some implementations need the round keys to be aligned.
 * Return an offset to be added to buf, such that (buf + offset) is
 * correctly aligned.
 * Note that the offset is in units of elements of buf, i.e. 32-bit words,
 * i.e. an offset of 1 means 4 bytes and so on.
529a8e1175bSopenharmony_ci */ 530a8e1175bSopenharmony_ci#if (defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)) || \ 531a8e1175bSopenharmony_ci (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2) 532a8e1175bSopenharmony_ci#define MAY_NEED_TO_ALIGN 533a8e1175bSopenharmony_ci#endif 534a8e1175bSopenharmony_ci 535a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static unsigned mbedtls_aes_rk_offset(uint32_t *buf) 536a8e1175bSopenharmony_ci{ 537a8e1175bSopenharmony_ci#if defined(MAY_NEED_TO_ALIGN) 538a8e1175bSopenharmony_ci int align_16_bytes = 0; 539a8e1175bSopenharmony_ci 540a8e1175bSopenharmony_ci#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE) 541a8e1175bSopenharmony_ci if (aes_padlock_ace == -1) { 542a8e1175bSopenharmony_ci aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE); 543a8e1175bSopenharmony_ci } 544a8e1175bSopenharmony_ci if (aes_padlock_ace) { 545a8e1175bSopenharmony_ci align_16_bytes = 1; 546a8e1175bSopenharmony_ci } 547a8e1175bSopenharmony_ci#endif 548a8e1175bSopenharmony_ci 549a8e1175bSopenharmony_ci#if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2 550a8e1175bSopenharmony_ci if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { 551a8e1175bSopenharmony_ci align_16_bytes = 1; 552a8e1175bSopenharmony_ci } 553a8e1175bSopenharmony_ci#endif 554a8e1175bSopenharmony_ci 555a8e1175bSopenharmony_ci if (align_16_bytes) { 556a8e1175bSopenharmony_ci /* These implementations needs 16-byte alignment 557a8e1175bSopenharmony_ci * for the round key array. 
*/ 558a8e1175bSopenharmony_ci unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4; 559a8e1175bSopenharmony_ci if (delta == 0) { 560a8e1175bSopenharmony_ci return 0; 561a8e1175bSopenharmony_ci } else { 562a8e1175bSopenharmony_ci return 4 - delta; // 16 bytes = 4 uint32_t 563a8e1175bSopenharmony_ci } 564a8e1175bSopenharmony_ci } 565a8e1175bSopenharmony_ci#else /* MAY_NEED_TO_ALIGN */ 566a8e1175bSopenharmony_ci (void) buf; 567a8e1175bSopenharmony_ci#endif /* MAY_NEED_TO_ALIGN */ 568a8e1175bSopenharmony_ci 569a8e1175bSopenharmony_ci return 0; 570a8e1175bSopenharmony_ci} 571a8e1175bSopenharmony_ci 572a8e1175bSopenharmony_ci/* 573a8e1175bSopenharmony_ci * AES key schedule (encryption) 574a8e1175bSopenharmony_ci */ 575a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_SETKEY_ENC_ALT) 576a8e1175bSopenharmony_ciint mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, 577a8e1175bSopenharmony_ci unsigned int keybits) 578a8e1175bSopenharmony_ci{ 579a8e1175bSopenharmony_ci uint32_t *RK; 580a8e1175bSopenharmony_ci 581a8e1175bSopenharmony_ci switch (keybits) { 582a8e1175bSopenharmony_ci case 128: ctx->nr = 10; break; 583a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 584a8e1175bSopenharmony_ci case 192: ctx->nr = 12; break; 585a8e1175bSopenharmony_ci case 256: ctx->nr = 14; break; 586a8e1175bSopenharmony_ci#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ 587a8e1175bSopenharmony_ci default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; 588a8e1175bSopenharmony_ci } 589a8e1175bSopenharmony_ci 590a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ROM_TABLES) 591a8e1175bSopenharmony_ci if (aes_init_done == 0) { 592a8e1175bSopenharmony_ci aes_gen_tables(); 593a8e1175bSopenharmony_ci aes_init_done = 1; 594a8e1175bSopenharmony_ci } 595a8e1175bSopenharmony_ci#endif 596a8e1175bSopenharmony_ci 597a8e1175bSopenharmony_ci ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); 598a8e1175bSopenharmony_ci RK = ctx->buf + ctx->rk_offset; 
599a8e1175bSopenharmony_ci 600a8e1175bSopenharmony_ci#if defined(MBEDTLS_AESNI_HAVE_CODE) 601a8e1175bSopenharmony_ci if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { 602a8e1175bSopenharmony_ci return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits); 603a8e1175bSopenharmony_ci } 604a8e1175bSopenharmony_ci#endif 605a8e1175bSopenharmony_ci 606a8e1175bSopenharmony_ci#if defined(MBEDTLS_AESCE_HAVE_CODE) 607a8e1175bSopenharmony_ci if (MBEDTLS_AESCE_HAS_SUPPORT()) { 608a8e1175bSopenharmony_ci return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits); 609a8e1175bSopenharmony_ci } 610a8e1175bSopenharmony_ci#endif 611a8e1175bSopenharmony_ci 612a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) 613a8e1175bSopenharmony_ci for (unsigned int i = 0; i < (keybits >> 5); i++) { 614a8e1175bSopenharmony_ci RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2); 615a8e1175bSopenharmony_ci } 616a8e1175bSopenharmony_ci 617a8e1175bSopenharmony_ci switch (ctx->nr) { 618a8e1175bSopenharmony_ci case 10: 619a8e1175bSopenharmony_ci 620a8e1175bSopenharmony_ci for (unsigned int i = 0; i < 10; i++, RK += 4) { 621a8e1175bSopenharmony_ci RK[4] = RK[0] ^ round_constants[i] ^ 622a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^ 623a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^ 624a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^ 625a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24); 626a8e1175bSopenharmony_ci 627a8e1175bSopenharmony_ci RK[5] = RK[1] ^ RK[4]; 628a8e1175bSopenharmony_ci RK[6] = RK[2] ^ RK[5]; 629a8e1175bSopenharmony_ci RK[7] = RK[3] ^ RK[6]; 630a8e1175bSopenharmony_ci } 631a8e1175bSopenharmony_ci break; 632a8e1175bSopenharmony_ci 633a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 634a8e1175bSopenharmony_ci case 12: 635a8e1175bSopenharmony_ci 636a8e1175bSopenharmony_ci for (unsigned int i = 0; i < 8; i++, RK += 6) { 637a8e1175bSopenharmony_ci RK[6] = 
RK[0] ^ round_constants[i] ^ 638a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^ 639a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^ 640a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^ 641a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24); 642a8e1175bSopenharmony_ci 643a8e1175bSopenharmony_ci RK[7] = RK[1] ^ RK[6]; 644a8e1175bSopenharmony_ci RK[8] = RK[2] ^ RK[7]; 645a8e1175bSopenharmony_ci RK[9] = RK[3] ^ RK[8]; 646a8e1175bSopenharmony_ci RK[10] = RK[4] ^ RK[9]; 647a8e1175bSopenharmony_ci RK[11] = RK[5] ^ RK[10]; 648a8e1175bSopenharmony_ci } 649a8e1175bSopenharmony_ci break; 650a8e1175bSopenharmony_ci 651a8e1175bSopenharmony_ci case 14: 652a8e1175bSopenharmony_ci 653a8e1175bSopenharmony_ci for (unsigned int i = 0; i < 7; i++, RK += 8) { 654a8e1175bSopenharmony_ci RK[8] = RK[0] ^ round_constants[i] ^ 655a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^ 656a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^ 657a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^ 658a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24); 659a8e1175bSopenharmony_ci 660a8e1175bSopenharmony_ci RK[9] = RK[1] ^ RK[8]; 661a8e1175bSopenharmony_ci RK[10] = RK[2] ^ RK[9]; 662a8e1175bSopenharmony_ci RK[11] = RK[3] ^ RK[10]; 663a8e1175bSopenharmony_ci 664a8e1175bSopenharmony_ci RK[12] = RK[4] ^ 665a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^ 666a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^ 667a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^ 668a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24); 669a8e1175bSopenharmony_ci 670a8e1175bSopenharmony_ci RK[13] = RK[5] ^ RK[12]; 671a8e1175bSopenharmony_ci RK[14] = RK[6] ^ RK[13]; 672a8e1175bSopenharmony_ci RK[15] = RK[7] ^ RK[14]; 673a8e1175bSopenharmony_ci } 674a8e1175bSopenharmony_ci break; 
675a8e1175bSopenharmony_ci#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ 676a8e1175bSopenharmony_ci } 677a8e1175bSopenharmony_ci 678a8e1175bSopenharmony_ci return 0; 679a8e1175bSopenharmony_ci#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */ 680a8e1175bSopenharmony_ci} 681a8e1175bSopenharmony_ci#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */ 682a8e1175bSopenharmony_ci 683a8e1175bSopenharmony_ci/* 684a8e1175bSopenharmony_ci * AES key schedule (decryption) 685a8e1175bSopenharmony_ci */ 686a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 687a8e1175bSopenharmony_ciint mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, 688a8e1175bSopenharmony_ci unsigned int keybits) 689a8e1175bSopenharmony_ci{ 690a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) 691a8e1175bSopenharmony_ci uint32_t *SK; 692a8e1175bSopenharmony_ci#endif 693a8e1175bSopenharmony_ci int ret; 694a8e1175bSopenharmony_ci mbedtls_aes_context cty; 695a8e1175bSopenharmony_ci uint32_t *RK; 696a8e1175bSopenharmony_ci 697a8e1175bSopenharmony_ci 698a8e1175bSopenharmony_ci mbedtls_aes_init(&cty); 699a8e1175bSopenharmony_ci 700a8e1175bSopenharmony_ci ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf); 701a8e1175bSopenharmony_ci RK = ctx->buf + ctx->rk_offset; 702a8e1175bSopenharmony_ci 703a8e1175bSopenharmony_ci /* Also checks keybits */ 704a8e1175bSopenharmony_ci if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) { 705a8e1175bSopenharmony_ci goto exit; 706a8e1175bSopenharmony_ci } 707a8e1175bSopenharmony_ci 708a8e1175bSopenharmony_ci ctx->nr = cty.nr; 709a8e1175bSopenharmony_ci 710a8e1175bSopenharmony_ci#if defined(MBEDTLS_AESNI_HAVE_CODE) 711a8e1175bSopenharmony_ci if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) { 712a8e1175bSopenharmony_ci mbedtls_aesni_inverse_key((unsigned char *) RK, 713a8e1175bSopenharmony_ci (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr); 714a8e1175bSopenharmony_ci goto exit; 
715a8e1175bSopenharmony_ci } 716a8e1175bSopenharmony_ci#endif 717a8e1175bSopenharmony_ci 718a8e1175bSopenharmony_ci#if defined(MBEDTLS_AESCE_HAVE_CODE) 719a8e1175bSopenharmony_ci if (MBEDTLS_AESCE_HAS_SUPPORT()) { 720a8e1175bSopenharmony_ci mbedtls_aesce_inverse_key( 721a8e1175bSopenharmony_ci (unsigned char *) RK, 722a8e1175bSopenharmony_ci (const unsigned char *) (cty.buf + cty.rk_offset), 723a8e1175bSopenharmony_ci ctx->nr); 724a8e1175bSopenharmony_ci goto exit; 725a8e1175bSopenharmony_ci } 726a8e1175bSopenharmony_ci#endif 727a8e1175bSopenharmony_ci 728a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) 729a8e1175bSopenharmony_ci SK = cty.buf + cty.rk_offset + cty.nr * 4; 730a8e1175bSopenharmony_ci 731a8e1175bSopenharmony_ci *RK++ = *SK++; 732a8e1175bSopenharmony_ci *RK++ = *SK++; 733a8e1175bSopenharmony_ci *RK++ = *SK++; 734a8e1175bSopenharmony_ci *RK++ = *SK++; 735a8e1175bSopenharmony_ci SK -= 8; 736a8e1175bSopenharmony_ci for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) { 737a8e1175bSopenharmony_ci for (int j = 0; j < 4; j++, SK++) { 738a8e1175bSopenharmony_ci *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^ 739a8e1175bSopenharmony_ci AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^ 740a8e1175bSopenharmony_ci AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^ 741a8e1175bSopenharmony_ci AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]); 742a8e1175bSopenharmony_ci } 743a8e1175bSopenharmony_ci } 744a8e1175bSopenharmony_ci 745a8e1175bSopenharmony_ci *RK++ = *SK++; 746a8e1175bSopenharmony_ci *RK++ = *SK++; 747a8e1175bSopenharmony_ci *RK++ = *SK++; 748a8e1175bSopenharmony_ci *RK++ = *SK++; 749a8e1175bSopenharmony_ci#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */ 750a8e1175bSopenharmony_ciexit: 751a8e1175bSopenharmony_ci mbedtls_aes_free(&cty); 752a8e1175bSopenharmony_ci 753a8e1175bSopenharmony_ci return ret; 754a8e1175bSopenharmony_ci} 755a8e1175bSopenharmony_ci#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */ 756a8e1175bSopenharmony_ci 757a8e1175bSopenharmony_ci#if 
defined(MBEDTLS_CIPHER_MODE_XTS) 758a8e1175bSopenharmony_cistatic int mbedtls_aes_xts_decode_keys(const unsigned char *key, 759a8e1175bSopenharmony_ci unsigned int keybits, 760a8e1175bSopenharmony_ci const unsigned char **key1, 761a8e1175bSopenharmony_ci unsigned int *key1bits, 762a8e1175bSopenharmony_ci const unsigned char **key2, 763a8e1175bSopenharmony_ci unsigned int *key2bits) 764a8e1175bSopenharmony_ci{ 765a8e1175bSopenharmony_ci const unsigned int half_keybits = keybits / 2; 766a8e1175bSopenharmony_ci const unsigned int half_keybytes = half_keybits / 8; 767a8e1175bSopenharmony_ci 768a8e1175bSopenharmony_ci switch (keybits) { 769a8e1175bSopenharmony_ci case 256: break; 770a8e1175bSopenharmony_ci case 512: break; 771a8e1175bSopenharmony_ci default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH; 772a8e1175bSopenharmony_ci } 773a8e1175bSopenharmony_ci 774a8e1175bSopenharmony_ci *key1bits = half_keybits; 775a8e1175bSopenharmony_ci *key2bits = half_keybits; 776a8e1175bSopenharmony_ci *key1 = &key[0]; 777a8e1175bSopenharmony_ci *key2 = &key[half_keybytes]; 778a8e1175bSopenharmony_ci 779a8e1175bSopenharmony_ci return 0; 780a8e1175bSopenharmony_ci} 781a8e1175bSopenharmony_ci 782a8e1175bSopenharmony_ciint mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx, 783a8e1175bSopenharmony_ci const unsigned char *key, 784a8e1175bSopenharmony_ci unsigned int keybits) 785a8e1175bSopenharmony_ci{ 786a8e1175bSopenharmony_ci int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 787a8e1175bSopenharmony_ci const unsigned char *key1, *key2; 788a8e1175bSopenharmony_ci unsigned int key1bits, key2bits; 789a8e1175bSopenharmony_ci 790a8e1175bSopenharmony_ci ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, 791a8e1175bSopenharmony_ci &key2, &key2bits); 792a8e1175bSopenharmony_ci if (ret != 0) { 793a8e1175bSopenharmony_ci return ret; 794a8e1175bSopenharmony_ci } 795a8e1175bSopenharmony_ci 796a8e1175bSopenharmony_ci /* Set the tweak key. 
Always set tweak key for the encryption mode. */ 797a8e1175bSopenharmony_ci ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); 798a8e1175bSopenharmony_ci if (ret != 0) { 799a8e1175bSopenharmony_ci return ret; 800a8e1175bSopenharmony_ci } 801a8e1175bSopenharmony_ci 802a8e1175bSopenharmony_ci /* Set crypt key for encryption. */ 803a8e1175bSopenharmony_ci return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits); 804a8e1175bSopenharmony_ci} 805a8e1175bSopenharmony_ci 806a8e1175bSopenharmony_ciint mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx, 807a8e1175bSopenharmony_ci const unsigned char *key, 808a8e1175bSopenharmony_ci unsigned int keybits) 809a8e1175bSopenharmony_ci{ 810a8e1175bSopenharmony_ci int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 811a8e1175bSopenharmony_ci const unsigned char *key1, *key2; 812a8e1175bSopenharmony_ci unsigned int key1bits, key2bits; 813a8e1175bSopenharmony_ci 814a8e1175bSopenharmony_ci ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits, 815a8e1175bSopenharmony_ci &key2, &key2bits); 816a8e1175bSopenharmony_ci if (ret != 0) { 817a8e1175bSopenharmony_ci return ret; 818a8e1175bSopenharmony_ci } 819a8e1175bSopenharmony_ci 820a8e1175bSopenharmony_ci /* Set the tweak key. Always set tweak key for encryption. */ 821a8e1175bSopenharmony_ci ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits); 822a8e1175bSopenharmony_ci if (ret != 0) { 823a8e1175bSopenharmony_ci return ret; 824a8e1175bSopenharmony_ci } 825a8e1175bSopenharmony_ci 826a8e1175bSopenharmony_ci /* Set crypt key for decryption. 
*/ 827a8e1175bSopenharmony_ci return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits); 828a8e1175bSopenharmony_ci} 829a8e1175bSopenharmony_ci#endif /* MBEDTLS_CIPHER_MODE_XTS */ 830a8e1175bSopenharmony_ci 831a8e1175bSopenharmony_ci#define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ 832a8e1175bSopenharmony_ci do \ 833a8e1175bSopenharmony_ci { \ 834a8e1175bSopenharmony_ci (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \ 835a8e1175bSopenharmony_ci AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \ 836a8e1175bSopenharmony_ci AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \ 837a8e1175bSopenharmony_ci AES_FT3(MBEDTLS_BYTE_3(Y3)); \ 838a8e1175bSopenharmony_ci \ 839a8e1175bSopenharmony_ci (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \ 840a8e1175bSopenharmony_ci AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \ 841a8e1175bSopenharmony_ci AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \ 842a8e1175bSopenharmony_ci AES_FT3(MBEDTLS_BYTE_3(Y0)); \ 843a8e1175bSopenharmony_ci \ 844a8e1175bSopenharmony_ci (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \ 845a8e1175bSopenharmony_ci AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \ 846a8e1175bSopenharmony_ci AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \ 847a8e1175bSopenharmony_ci AES_FT3(MBEDTLS_BYTE_3(Y1)); \ 848a8e1175bSopenharmony_ci \ 849a8e1175bSopenharmony_ci (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \ 850a8e1175bSopenharmony_ci AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \ 851a8e1175bSopenharmony_ci AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \ 852a8e1175bSopenharmony_ci AES_FT3(MBEDTLS_BYTE_3(Y2)); \ 853a8e1175bSopenharmony_ci } while (0) 854a8e1175bSopenharmony_ci 855a8e1175bSopenharmony_ci#define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \ 856a8e1175bSopenharmony_ci do \ 857a8e1175bSopenharmony_ci { \ 858a8e1175bSopenharmony_ci (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \ 859a8e1175bSopenharmony_ci AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \ 860a8e1175bSopenharmony_ci AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \ 861a8e1175bSopenharmony_ci AES_RT3(MBEDTLS_BYTE_3(Y1)); \ 862a8e1175bSopenharmony_ci \ 863a8e1175bSopenharmony_ci (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \ 
864a8e1175bSopenharmony_ci AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \ 865a8e1175bSopenharmony_ci AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \ 866a8e1175bSopenharmony_ci AES_RT3(MBEDTLS_BYTE_3(Y2)); \ 867a8e1175bSopenharmony_ci \ 868a8e1175bSopenharmony_ci (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \ 869a8e1175bSopenharmony_ci AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \ 870a8e1175bSopenharmony_ci AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \ 871a8e1175bSopenharmony_ci AES_RT3(MBEDTLS_BYTE_3(Y3)); \ 872a8e1175bSopenharmony_ci \ 873a8e1175bSopenharmony_ci (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \ 874a8e1175bSopenharmony_ci AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \ 875a8e1175bSopenharmony_ci AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \ 876a8e1175bSopenharmony_ci AES_RT3(MBEDTLS_BYTE_3(Y0)); \ 877a8e1175bSopenharmony_ci } while (0) 878a8e1175bSopenharmony_ci 879a8e1175bSopenharmony_ci/* 880a8e1175bSopenharmony_ci * AES-ECB block encryption 881a8e1175bSopenharmony_ci */ 882a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ENCRYPT_ALT) 883a8e1175bSopenharmony_ciint mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx, 884a8e1175bSopenharmony_ci const unsigned char input[16], 885a8e1175bSopenharmony_ci unsigned char output[16]) 886a8e1175bSopenharmony_ci{ 887a8e1175bSopenharmony_ci int i; 888a8e1175bSopenharmony_ci uint32_t *RK = ctx->buf + ctx->rk_offset; 889a8e1175bSopenharmony_ci struct { 890a8e1175bSopenharmony_ci uint32_t X[4]; 891a8e1175bSopenharmony_ci uint32_t Y[4]; 892a8e1175bSopenharmony_ci } t; 893a8e1175bSopenharmony_ci 894a8e1175bSopenharmony_ci t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; 895a8e1175bSopenharmony_ci t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; 896a8e1175bSopenharmony_ci t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; 897a8e1175bSopenharmony_ci t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; 898a8e1175bSopenharmony_ci 899a8e1175bSopenharmony_ci for (i = (ctx->nr >> 1) - 1; i > 0; i--) { 900a8e1175bSopenharmony_ci AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], 
t.X[0], t.X[1], t.X[2], t.X[3]); 901a8e1175bSopenharmony_ci AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); 902a8e1175bSopenharmony_ci } 903a8e1175bSopenharmony_ci 904a8e1175bSopenharmony_ci AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); 905a8e1175bSopenharmony_ci 906a8e1175bSopenharmony_ci t.X[0] = *RK++ ^ \ 907a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ 908a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ 909a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ 910a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); 911a8e1175bSopenharmony_ci 912a8e1175bSopenharmony_ci t.X[1] = *RK++ ^ \ 913a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ 914a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ 915a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ 916a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); 917a8e1175bSopenharmony_ci 918a8e1175bSopenharmony_ci t.X[2] = *RK++ ^ \ 919a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ 920a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ 921a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ 922a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); 923a8e1175bSopenharmony_ci 924a8e1175bSopenharmony_ci t.X[3] = *RK++ ^ \ 925a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ 926a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ 927a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ 928a8e1175bSopenharmony_ci ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); 929a8e1175bSopenharmony_ci 930a8e1175bSopenharmony_ci MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); 931a8e1175bSopenharmony_ci MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); 932a8e1175bSopenharmony_ci MBEDTLS_PUT_UINT32_LE(t.X[2], 
output, 8); 933a8e1175bSopenharmony_ci MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); 934a8e1175bSopenharmony_ci 935a8e1175bSopenharmony_ci mbedtls_platform_zeroize(&t, sizeof(t)); 936a8e1175bSopenharmony_ci 937a8e1175bSopenharmony_ci return 0; 938a8e1175bSopenharmony_ci} 939a8e1175bSopenharmony_ci#endif /* !MBEDTLS_AES_ENCRYPT_ALT */ 940a8e1175bSopenharmony_ci 941a8e1175bSopenharmony_ci/* 942a8e1175bSopenharmony_ci * AES-ECB block decryption 943a8e1175bSopenharmony_ci */ 944a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_DECRYPT_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 945a8e1175bSopenharmony_ciint mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx, 946a8e1175bSopenharmony_ci const unsigned char input[16], 947a8e1175bSopenharmony_ci unsigned char output[16]) 948a8e1175bSopenharmony_ci{ 949a8e1175bSopenharmony_ci int i; 950a8e1175bSopenharmony_ci uint32_t *RK = ctx->buf + ctx->rk_offset; 951a8e1175bSopenharmony_ci struct { 952a8e1175bSopenharmony_ci uint32_t X[4]; 953a8e1175bSopenharmony_ci uint32_t Y[4]; 954a8e1175bSopenharmony_ci } t; 955a8e1175bSopenharmony_ci 956a8e1175bSopenharmony_ci t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++; 957a8e1175bSopenharmony_ci t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++; 958a8e1175bSopenharmony_ci t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++; 959a8e1175bSopenharmony_ci t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++; 960a8e1175bSopenharmony_ci 961a8e1175bSopenharmony_ci for (i = (ctx->nr >> 1) - 1; i > 0; i--) { 962a8e1175bSopenharmony_ci AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); 963a8e1175bSopenharmony_ci AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]); 964a8e1175bSopenharmony_ci } 965a8e1175bSopenharmony_ci 966a8e1175bSopenharmony_ci AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]); 967a8e1175bSopenharmony_ci 968a8e1175bSopenharmony_ci t.X[0] = *RK++ ^ \ 969a8e1175bSopenharmony_ci 
((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^ 970a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^ 971a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^ 972a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24); 973a8e1175bSopenharmony_ci 974a8e1175bSopenharmony_ci t.X[1] = *RK++ ^ \ 975a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^ 976a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^ 977a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^ 978a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24); 979a8e1175bSopenharmony_ci 980a8e1175bSopenharmony_ci t.X[2] = *RK++ ^ \ 981a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^ 982a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^ 983a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^ 984a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24); 985a8e1175bSopenharmony_ci 986a8e1175bSopenharmony_ci t.X[3] = *RK++ ^ \ 987a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^ 988a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^ 989a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^ 990a8e1175bSopenharmony_ci ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24); 991a8e1175bSopenharmony_ci 992a8e1175bSopenharmony_ci MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0); 993a8e1175bSopenharmony_ci MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4); 994a8e1175bSopenharmony_ci MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8); 995a8e1175bSopenharmony_ci MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12); 996a8e1175bSopenharmony_ci 997a8e1175bSopenharmony_ci mbedtls_platform_zeroize(&t, sizeof(t)); 998a8e1175bSopenharmony_ci 999a8e1175bSopenharmony_ci return 0; 1000a8e1175bSopenharmony_ci} 1001a8e1175bSopenharmony_ci#endif /* !MBEDTLS_AES_DECRYPT_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */ 1002a8e1175bSopenharmony_ci 
1003a8e1175bSopenharmony_ci/* VIA Padlock and our intrinsics-based implementation of AESNI require 1004a8e1175bSopenharmony_ci * the round keys to be aligned on a 16-byte boundary. We take care of this 1005a8e1175bSopenharmony_ci * before creating them, but the AES context may have moved (this can happen 1006a8e1175bSopenharmony_ci * if the library is called from a language with managed memory), and in later 1007a8e1175bSopenharmony_ci * calls it might have a different alignment with respect to 16-byte memory. 1008a8e1175bSopenharmony_ci * So we may need to realign. 1009a8e1175bSopenharmony_ci */ 1010a8e1175bSopenharmony_ciMBEDTLS_MAYBE_UNUSED static void aes_maybe_realign(mbedtls_aes_context *ctx) 1011a8e1175bSopenharmony_ci{ 1012a8e1175bSopenharmony_ci unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf); 1013a8e1175bSopenharmony_ci if (new_offset != ctx->rk_offset) { 1014a8e1175bSopenharmony_ci memmove(ctx->buf + new_offset, // new address 1015a8e1175bSopenharmony_ci ctx->buf + ctx->rk_offset, // current address 1016a8e1175bSopenharmony_ci (ctx->nr + 1) * 16); // number of round keys * bytes per rk 1017a8e1175bSopenharmony_ci ctx->rk_offset = new_offset; 1018a8e1175bSopenharmony_ci } 1019a8e1175bSopenharmony_ci} 1020a8e1175bSopenharmony_ci 1021a8e1175bSopenharmony_ci/* 1022a8e1175bSopenharmony_ci * AES-ECB block encryption/decryption 1023a8e1175bSopenharmony_ci */ 1024a8e1175bSopenharmony_ciint mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, 1025a8e1175bSopenharmony_ci int mode, 1026a8e1175bSopenharmony_ci const unsigned char input[16], 1027a8e1175bSopenharmony_ci unsigned char output[16]) 1028a8e1175bSopenharmony_ci{ 1029a8e1175bSopenharmony_ci if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) { 1030a8e1175bSopenharmony_ci return MBEDTLS_ERR_AES_BAD_INPUT_DATA; 1031a8e1175bSopenharmony_ci } 1032a8e1175bSopenharmony_ci 1033a8e1175bSopenharmony_ci#if defined(MAY_NEED_TO_ALIGN) 1034a8e1175bSopenharmony_ci aes_maybe_realign(ctx); 
#endif

#if defined(MBEDTLS_AESNI_HAVE_CODE)
    if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
        return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
    }
#endif

#if defined(MBEDTLS_AESCE_HAVE_CODE)
    if (MBEDTLS_AESCE_HAS_SUPPORT()) {
        return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
    }
#endif

#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
    if (aes_padlock_ace > 0) {
        return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
    }
#endif

#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
    if (mode == MBEDTLS_AES_DECRYPT) {
        return mbedtls_internal_aes_decrypt(ctx, input, output);
    } else
#endif
    {
        return mbedtls_internal_aes_encrypt(ctx, input, output);
    }
#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
}

#if defined(MBEDTLS_CIPHER_MODE_CBC)

/*
 * AES-CBC buffer encryption/decryption
 *
 * mode must be MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT, otherwise
 * MBEDTLS_ERR_AES_BAD_INPUT_DATA is returned.
 *
 * length must be a multiple of 16. No padding is applied or removed here;
 * any other length yields MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH. A zero
 * length returns 0 without touching iv or output.
 *
 * iv is read and then overwritten with the chaining value for a following
 * call: after every block when decrypting, once at the very end when
 * encrypting. If a block operation fails part-way, the output written so
 * far stays in place and, on the encrypt path, iv is left unchanged.
 *
 * CBC on its own gives no integrity protection; a caller that needs to
 * detect modified ciphertext has to authenticate it separately.
 */
int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
                          int mode,
                          size_t length,
                          unsigned char iv[16],
                          const unsigned char *input,
                          unsigned char *output)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    unsigned char saved_ct[16];

    if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
    }

    /* An empty buffer is accepted and needs no work. */
    if (length == 0) {
        return 0;
    }

    if ((length % 16) != 0) {
        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
    }

#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
    /* Try the PadLock path first. A non-zero result (misaligned data) is not
     * treated as an error: we simply continue with the generic code below. */
    if (aes_padlock_ace > 0 &&
        mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
        return 0;
    }
#endif

    if (mode == MBEDTLS_AES_DECRYPT) {
        for (; length > 0; length -= 16, input += 16, output += 16) {
            /* Keep the ciphertext block: it becomes the next chaining value
             * and may be overwritten when output overlaps input. */
            memcpy(saved_ct, input, 16);

            ret = mbedtls_aes_crypt_ecb(ctx, mode, input, output);
            if (ret != 0) {
                return ret;
            }

            /* Avoid using the NEON implementation of mbedtls_xor. Because of
             * the dependency on the result for the next block in CBC, and the
             * cost of transferring that data from NEON registers, NEON is
             * slower on aarch64. */
            mbedtls_xor_no_simd(output, output, iv, 16);

            memcpy(iv, saved_ct, 16);
        }
        return 0;
    }

    /* Encrypt: chain through the output buffer and copy the last ciphertext
     * block into iv only once, after the loop. */
    const unsigned char *chain = iv;

    for (; length > 0; length -= 16, input += 16, output += 16) {
        mbedtls_xor_no_simd(output, input, chain, 16);

        ret = mbedtls_aes_crypt_ecb(ctx, mode, output, output);
        if (ret != 0) {
            return ret;
        }
        chain = output;
    }
    memcpy(iv, chain, 16);

    return 0;
}
#endif /* MBEDTLS_CIPHER_MODE_CBC */

#if defined(MBEDTLS_CIPHER_MODE_XTS)

typedef unsigned char mbedtls_be128[16];

/*
 * GF(2^128) multiplication function
 *
 * This function multiplies a field element by x in the polynomial field
 * representation. It uses 64-bit word operations to gain speed but compensates
 * for machine endianness and hence works correctly on both big and little
 * endian machines.
 */
#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
#endif
static inline void mbedtls_gf128mul_x_ble(unsigned char r[16],
                                          const unsigned char x[16])
{
    /* Both halves are loaded before anything is stored, so r and x may be
     * the same buffer (the XTS code calls this with r == x). */
    const uint64_t lo = MBEDTLS_GET_UINT64_LE(x, 0);
    const uint64_t hi = MBEDTLS_GET_UINT64_LE(x, 8);

    /* Bit shifted out of the top of the 128-bit value: 0 or 1. */
    const uint64_t carry = hi >> 63;

    /* Reduction constant selected by a shift rather than a branch:
     * carry == 1 shifts by 0 and yields 0x87, carry == 0 shifts by 8 and
     * yields 0. */
    const uint64_t reduce = 0x0087 >> (8 - (carry << 3));

    const uint64_t out_lo = (lo << 1) ^ reduce;
    const uint64_t out_hi = (lo >> 63) | (hi << 1);

    MBEDTLS_PUT_UINT64_LE(out_lo, r, 0);
    MBEDTLS_PUT_UINT64_LE(out_hi, r, 8);
}

/*
 * AES-XTS buffer encryption/decryption
 *
 * Use of MBEDTLS_OPTIMIZE_FOR_PERFORMANCE here and for mbedtls_gf128mul_x_ble()
 * is a 3x performance improvement for gcc -Os, if we have hardware AES support.
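 */
/*
 * Contract of mbedtls_aes_crypt_xts():
 *  - mode must be MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT, otherwise
 *    MBEDTLS_ERR_AES_BAD_INPUT_DATA is returned;
 *  - length is the size of one data unit in bytes: at least 16 and at most
 *    2^20 blocks, otherwise MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
 *  - data_unit is encrypted with ctx->tweak to obtain the initial tweak, and
 *    the data itself is processed with ctx->crypt;
 *  - a trailing partial block is handled with ciphertext stealing, which
 *    rewrites the previous 16 bytes of output.
 *
 * The local tweak, prev_tweak and tmp buffers hold key-derived values and
 * intermediate cipher state, so every path that may have filled them wipes
 * them before returning.
 */
#if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
#endif
int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
                          int mode,
                          size_t length,
                          const unsigned char data_unit[16],
                          const unsigned char *input,
                          unsigned char *output)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t blocks = length / 16;
    size_t leftover = length % 16;
    unsigned char tweak[16];
    unsigned char prev_tweak[16];
    unsigned char tmp[16];

    if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
    }

    /* Data units must be at least 16 bytes long. */
    if (length < 16) {
        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
    }

    /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
    if (length > (1 << 20) * 16) {
        return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
    }

    /* Compute the tweak. */
    ret = mbedtls_aes_crypt_ecb(&ctx->tweak, MBEDTLS_AES_ENCRYPT,
                                data_unit, tweak);
    if (ret != 0) {
        goto exit;
    }

    while (blocks--) {
        if (MBEDTLS_UNLIKELY(leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0)) {
            /* We are on the last block in a decrypt operation that has
             * leftover bytes, so we need to use the next tweak for this block,
             * and this tweak for the leftover bytes. Save the current tweak for
             * the leftovers and then update the current tweak for use on this,
             * the last full block. */
            memcpy(prev_tweak, tweak, sizeof(tweak));
            mbedtls_gf128mul_x_ble(tweak, tweak);
        }

        mbedtls_xor(tmp, input, tweak, 16);

        ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
        if (ret != 0) {
            goto exit;
        }

        mbedtls_xor(output, tmp, tweak, 16);

        /* Update the tweak for the next block. */
        mbedtls_gf128mul_x_ble(tweak, tweak);

        output += 16;
        input += 16;
    }

    if (leftover) {
        /* If we are on the leftover bytes in a decrypt operation, we need to
         * use the previous tweak for these bytes (as saved in prev_tweak). */
        unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;

        /* We are now on the final part of the data unit, which doesn't divide
         * evenly by 16. It's time for ciphertext stealing. */
        size_t i;
        unsigned char *prev_output = output - 16;

        /* Copy ciphertext bytes from the previous block to our output for each
         * byte of ciphertext we won't steal. */
        for (i = 0; i < leftover; i++) {
            output[i] = prev_output[i];
        }

        /* Copy the remainder of the input for this final round. */
        mbedtls_xor(tmp, input, t, leftover);

        /* Copy ciphertext bytes from the previous block for input in this
         * round. */
        mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i);

        ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
        if (ret != 0) {
            goto exit;
        }

        /* Write the result back to the previous block, overriding the previous
         * output we copied. */
        mbedtls_xor(prev_output, tmp, t, 16);
    }

    ret = 0;

exit:
    /* Do not leave tweak values or the intermediate block on the stack. */
    mbedtls_platform_zeroize(tweak, sizeof(tweak));
    mbedtls_platform_zeroize(prev_tweak, sizeof(prev_tweak));
    mbedtls_platform_zeroize(tmp, sizeof(tmp));

    return ret;
}
#endif /* MBEDTLS_CIPHER_MODE_XTS */

#if defined(MBEDTLS_CIPHER_MODE_CFB)
/*
 * AES-CFB128 buffer encryption/decryption
 *
 * Processes length bytes one at a time, so any length is accepted.
 *
 * *iv_off is the position inside the current 16-byte block; it must be at
 * most 15 (otherwise MBEDTLS_ERR_AES_BAD_INPUT_DATA) and is written back
 * only on success. Whenever the position is 0, iv is encrypted in place to
 * form the next keystream block, and each keystream byte is then replaced
 * by the corresponding ciphertext byte. The block cipher is always invoked
 * in the encrypt direction, for both values of mode.
 *
 * If a block operation fails, iv and output may already have been modified.
 */
int mbedtls_aes_crypt_cfb128(mbedtls_aes_context *ctx,
                             int mode,
                             size_t length,
                             size_t *iv_off,
                             unsigned char iv[16],
                             const unsigned char *input,
                             unsigned char *output)
{
    int c;
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t n;

    if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
    }

    n = *iv_off;

    /* n indexes iv[] below, so reject anything outside the block. */
    if (n > 15) {
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
    }

    if (mode == MBEDTLS_AES_DECRYPT) {
        while (length--) {
            if (n == 0) {
                ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
                if (ret != 0) {
                    goto exit;
                }
            }

            /* Read the ciphertext byte before writing the output, so the
             * feedback value stays correct when output overlaps input. */
            c = *input++;
            *output++ = (unsigned char) (c ^ iv[n]);
            iv[n] = (unsigned char) c;

            n = (n + 1) & 0x0F;
        }
    } else {
        while (length--) {
            if (n == 0) {
                ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
                if (ret != 0) {
                    goto exit;
                }
            }

            /* The ciphertext byte is both the output and the feedback. */
            iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);

            n = (n + 1) & 0x0F;
        }
    }

    *iv_off = n;
    ret = 0;

exit:
    return ret;
}

/*
 * AES-CFB8 buffer encryption/decryption
 *
 * One block-cipher call is made per byte of data. iv acts as a 16-byte
 * shift register: after each byte it is shifted left by one byte and the
 * ciphertext byte is appended. mode must be MBEDTLS_AES_ENCRYPT or
 * MBEDTLS_AES_DECRYPT, otherwise MBEDTLS_ERR_AES_BAD_INPUT_DATA is returned.
 */
int mbedtls_aes_crypt_cfb8(mbedtls_aes_context *ctx,
                           int mode,
                           size_t length,
                           unsigned char iv[16],
                           const unsigned char *input,
                           unsigned char *output)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    unsigned char c;
    /* Old register contents plus one slot for the new ciphertext byte. */
    unsigned char ov[17];

    if (mode != MBEDTLS_AES_ENCRYPT && mode != MBEDTLS_AES_DECRYPT) {
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
    }
    while (length--) {
        memcpy(ov, iv, 16);
        ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
        if (ret != 0) {
            goto exit;
        }

        /* When decrypting, the ciphertext byte is the input; take it before
         * the output is written. */
        if (mode == MBEDTLS_AES_DECRYPT) {
            ov[16] = *input;
        }

        c = *output++ = (unsigned char) (iv[0] ^ *input++);

        /* When encrypting, the ciphertext byte is the one just produced. */
        if (mode == MBEDTLS_AES_ENCRYPT) {
            ov[16] = c;
        }

        /* Shift the register by one byte. */
        memcpy(iv, ov + 1, 16);
    }
    ret = 0;

exit:
    return ret;
}
#endif /* MBEDTLS_CIPHER_MODE_CFB */

#if defined(MBEDTLS_CIPHER_MODE_OFB)
/*
 * AES-OFB (Output Feedback Mode) buffer encryption/decryption
 *
 * There is no mode argument: the same keystream XOR serves both directions.
 * iv holds the current keystream block and is re-encrypted in place each
 * time the position wraps to 0. *iv_off must be at most 15 (otherwise
 * MBEDTLS_ERR_AES_BAD_INPUT_DATA) and is written back only on success.
 *
 * The keystream depends only on the key and the starting iv, so the same
 * pair must not be used for two different messages.
 */
int mbedtls_aes_crypt_ofb(mbedtls_aes_context *ctx,
                          size_t length,
                          size_t *iv_off,
                          unsigned char iv[16],
                          const unsigned char *input,
                          unsigned char *output)
{
    /* Starts at 0 so that a zero-length call reports success. */
    int ret = 0;
    size_t n;

    n = *iv_off;

    /* n indexes iv[] below, so reject anything outside the block. */
    if (n > 15) {
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
    }

    while (length--) {
        if (n == 0) {
            ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, iv, iv);
            if (ret != 0) {
                goto exit;
            }
        }
        *output++ = *input++ ^ iv[n];

        n = (n + 1) & 0x0F;
    }

    *iv_off = n;

exit:
    return ret;
}
#endif /* MBEDTLS_CIPHER_MODE_OFB */

#if defined(MBEDTLS_CIPHER_MODE_CTR)
/*
 * AES-CTR buffer encryption/decryption
 *
 * *nc_off is the number of bytes of stream_block already consumed; it must
 * be at most 15 (otherwise MBEDTLS_ERR_AES_BAD_INPUT_DATA) and is written
 * back only on success. When it is non-zero on entry, the remaining bytes
 * of stream_block are used as keystream without being regenerated, so the
 * caller has to pass the same stream_block and nonce_counter buffers across
 * the calls that make up one stream.
 *
 * nonce_counter is encrypted to produce each keystream block and then
 * advanced with mbedtls_ctr_increment_counter(). A counter value must never
 * be used twice under the same key.
 */
int mbedtls_aes_crypt_ctr(mbedtls_aes_context *ctx,
                          size_t length,
                          size_t *nc_off,
                          unsigned char nonce_counter[16],
                          unsigned char stream_block[16],
                          const unsigned char *input,
                          unsigned char *output)
{
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

    size_t offset = *nc_off;

    /* offset indexes stream_block[] below, so keep it inside the block. */
    if (offset > 0x0F) {
        return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
    }

    for (size_t i = 0; i < length;) {
        size_t n = 16;
        if (offset == 0) {
            ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
            if (ret != 0) {
                goto exit;
            }
            mbedtls_ctr_increment_counter(nonce_counter);
        } else {
            /* Finish the partially used keystream block first. */
            n -= offset;
        }

        /* Never process more than what is left of the input. */
        if (n > (length - i)) {
            n = (length - i);
        }
        mbedtls_xor(&output[i], &input[i], &stream_block[offset], n);
        // offset might be non-zero for the last block, but in that case, we don't use it again
        offset = 0;
        i += n;
    }

    // capture offset for future resumption
    *nc_off = (*nc_off + length) % 16;

    ret = 0;

exit:
    return ret;
}
#endif /* MBEDTLS_CIPHER_MODE_CTR */

#endif /* !MBEDTLS_AES_ALT */

#if defined(MBEDTLS_SELF_TEST)
/*
 * AES test vectors from:
 *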
http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip 1491a8e1175bSopenharmony_ci */ 1492a8e1175bSopenharmony_ci#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) 1493a8e1175bSopenharmony_cistatic const unsigned char aes_test_ecb_dec[][16] = 1494a8e1175bSopenharmony_ci{ 1495a8e1175bSopenharmony_ci { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58, 1496a8e1175bSopenharmony_ci 0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 }, 1497a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 1498a8e1175bSopenharmony_ci { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2, 1499a8e1175bSopenharmony_ci 0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 }, 1500a8e1175bSopenharmony_ci { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D, 1501a8e1175bSopenharmony_ci 0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE } 1502a8e1175bSopenharmony_ci#endif 1503a8e1175bSopenharmony_ci}; 1504a8e1175bSopenharmony_ci#endif 1505a8e1175bSopenharmony_ci 1506a8e1175bSopenharmony_cistatic const unsigned char aes_test_ecb_enc[][16] = 1507a8e1175bSopenharmony_ci{ 1508a8e1175bSopenharmony_ci { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73, 1509a8e1175bSopenharmony_ci 0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F }, 1510a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 1511a8e1175bSopenharmony_ci { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11, 1512a8e1175bSopenharmony_ci 0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 }, 1513a8e1175bSopenharmony_ci { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D, 1514a8e1175bSopenharmony_ci 0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 } 1515a8e1175bSopenharmony_ci#endif 1516a8e1175bSopenharmony_ci}; 1517a8e1175bSopenharmony_ci 1518a8e1175bSopenharmony_ci#if defined(MBEDTLS_CIPHER_MODE_CBC) 1519a8e1175bSopenharmony_cistatic const unsigned char aes_test_cbc_dec[][16] = 1520a8e1175bSopenharmony_ci{ 1521a8e1175bSopenharmony_ci { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73, 1522a8e1175bSopenharmony_ci 0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 
0xAF, 0x86 }, 1523a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 1524a8e1175bSopenharmony_ci { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75, 1525a8e1175bSopenharmony_ci 0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B }, 1526a8e1175bSopenharmony_ci { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75, 1527a8e1175bSopenharmony_ci 0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 } 1528a8e1175bSopenharmony_ci#endif 1529a8e1175bSopenharmony_ci}; 1530a8e1175bSopenharmony_ci 1531a8e1175bSopenharmony_cistatic const unsigned char aes_test_cbc_enc[][16] = 1532a8e1175bSopenharmony_ci{ 1533a8e1175bSopenharmony_ci { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84, 1534a8e1175bSopenharmony_ci 0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D }, 1535a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 1536a8e1175bSopenharmony_ci { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB, 1537a8e1175bSopenharmony_ci 0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 }, 1538a8e1175bSopenharmony_ci { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5, 1539a8e1175bSopenharmony_ci 0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 } 1540a8e1175bSopenharmony_ci#endif 1541a8e1175bSopenharmony_ci}; 1542a8e1175bSopenharmony_ci#endif /* MBEDTLS_CIPHER_MODE_CBC */ 1543a8e1175bSopenharmony_ci 1544a8e1175bSopenharmony_ci#if defined(MBEDTLS_CIPHER_MODE_CFB) 1545a8e1175bSopenharmony_ci/* 1546a8e1175bSopenharmony_ci * AES-CFB128 test vectors from: 1547a8e1175bSopenharmony_ci * 1548a8e1175bSopenharmony_ci * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf 1549a8e1175bSopenharmony_ci */ 1550a8e1175bSopenharmony_cistatic const unsigned char aes_test_cfb128_key[][32] = 1551a8e1175bSopenharmony_ci{ 1552a8e1175bSopenharmony_ci { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1553a8e1175bSopenharmony_ci 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1554a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 1555a8e1175bSopenharmony_ci { 0x8E, 0x73, 
0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1556a8e1175bSopenharmony_ci 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1557a8e1175bSopenharmony_ci 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1558a8e1175bSopenharmony_ci { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1559a8e1175bSopenharmony_ci 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1560a8e1175bSopenharmony_ci 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1561a8e1175bSopenharmony_ci 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1562a8e1175bSopenharmony_ci#endif 1563a8e1175bSopenharmony_ci}; 1564a8e1175bSopenharmony_ci 1565a8e1175bSopenharmony_cistatic const unsigned char aes_test_cfb128_iv[16] = 1566a8e1175bSopenharmony_ci{ 1567a8e1175bSopenharmony_ci 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1568a8e1175bSopenharmony_ci 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1569a8e1175bSopenharmony_ci}; 1570a8e1175bSopenharmony_ci 1571a8e1175bSopenharmony_cistatic const unsigned char aes_test_cfb128_pt[64] = 1572a8e1175bSopenharmony_ci{ 1573a8e1175bSopenharmony_ci 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1574a8e1175bSopenharmony_ci 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1575a8e1175bSopenharmony_ci 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1576a8e1175bSopenharmony_ci 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1577a8e1175bSopenharmony_ci 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1578a8e1175bSopenharmony_ci 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF, 1579a8e1175bSopenharmony_ci 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1580a8e1175bSopenharmony_ci 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1581a8e1175bSopenharmony_ci}; 1582a8e1175bSopenharmony_ci 1583a8e1175bSopenharmony_cistatic const unsigned char aes_test_cfb128_ct[][64] = 1584a8e1175bSopenharmony_ci{ 1585a8e1175bSopenharmony_ci { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1586a8e1175bSopenharmony_ci 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1587a8e1175bSopenharmony_ci 0xC8, 0xA6, 0x45, 0x37, 
0xA0, 0xB3, 0xA9, 0x3F, 1588a8e1175bSopenharmony_ci 0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B, 1589a8e1175bSopenharmony_ci 0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40, 1590a8e1175bSopenharmony_ci 0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF, 1591a8e1175bSopenharmony_ci 0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E, 1592a8e1175bSopenharmony_ci 0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 }, 1593a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 1594a8e1175bSopenharmony_ci { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1595a8e1175bSopenharmony_ci 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1596a8e1175bSopenharmony_ci 0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21, 1597a8e1175bSopenharmony_ci 0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A, 1598a8e1175bSopenharmony_ci 0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1, 1599a8e1175bSopenharmony_ci 0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9, 1600a8e1175bSopenharmony_ci 0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0, 1601a8e1175bSopenharmony_ci 0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF }, 1602a8e1175bSopenharmony_ci { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1603a8e1175bSopenharmony_ci 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1604a8e1175bSopenharmony_ci 0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8, 1605a8e1175bSopenharmony_ci 0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B, 1606a8e1175bSopenharmony_ci 0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92, 1607a8e1175bSopenharmony_ci 0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9, 1608a8e1175bSopenharmony_ci 0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8, 1609a8e1175bSopenharmony_ci 0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 } 1610a8e1175bSopenharmony_ci#endif 1611a8e1175bSopenharmony_ci}; 1612a8e1175bSopenharmony_ci#endif /* MBEDTLS_CIPHER_MODE_CFB */ 1613a8e1175bSopenharmony_ci 1614a8e1175bSopenharmony_ci#if defined(MBEDTLS_CIPHER_MODE_OFB) 1615a8e1175bSopenharmony_ci/* 1616a8e1175bSopenharmony_ci * AES-OFB test 
vectors from: 1617a8e1175bSopenharmony_ci * 1618a8e1175bSopenharmony_ci * https://csrc.nist.gov/publications/detail/sp/800-38a/final 1619a8e1175bSopenharmony_ci */ 1620a8e1175bSopenharmony_cistatic const unsigned char aes_test_ofb_key[][32] = 1621a8e1175bSopenharmony_ci{ 1622a8e1175bSopenharmony_ci { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 1623a8e1175bSopenharmony_ci 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C }, 1624a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 1625a8e1175bSopenharmony_ci { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52, 1626a8e1175bSopenharmony_ci 0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5, 1627a8e1175bSopenharmony_ci 0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B }, 1628a8e1175bSopenharmony_ci { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE, 1629a8e1175bSopenharmony_ci 0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81, 1630a8e1175bSopenharmony_ci 0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7, 1631a8e1175bSopenharmony_ci 0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 } 1632a8e1175bSopenharmony_ci#endif 1633a8e1175bSopenharmony_ci}; 1634a8e1175bSopenharmony_ci 1635a8e1175bSopenharmony_cistatic const unsigned char aes_test_ofb_iv[16] = 1636a8e1175bSopenharmony_ci{ 1637a8e1175bSopenharmony_ci 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 1638a8e1175bSopenharmony_ci 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F 1639a8e1175bSopenharmony_ci}; 1640a8e1175bSopenharmony_ci 1641a8e1175bSopenharmony_cistatic const unsigned char aes_test_ofb_pt[64] = 1642a8e1175bSopenharmony_ci{ 1643a8e1175bSopenharmony_ci 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 1644a8e1175bSopenharmony_ci 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, 1645a8e1175bSopenharmony_ci 0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C, 1646a8e1175bSopenharmony_ci 0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51, 1647a8e1175bSopenharmony_ci 0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11, 1648a8e1175bSopenharmony_ci 0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 
0x52, 0xEF, 1649a8e1175bSopenharmony_ci 0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17, 1650a8e1175bSopenharmony_ci 0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10 1651a8e1175bSopenharmony_ci}; 1652a8e1175bSopenharmony_ci 1653a8e1175bSopenharmony_cistatic const unsigned char aes_test_ofb_ct[][64] = 1654a8e1175bSopenharmony_ci{ 1655a8e1175bSopenharmony_ci { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20, 1656a8e1175bSopenharmony_ci 0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A, 1657a8e1175bSopenharmony_ci 0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03, 1658a8e1175bSopenharmony_ci 0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25, 1659a8e1175bSopenharmony_ci 0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6, 1660a8e1175bSopenharmony_ci 0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc, 1661a8e1175bSopenharmony_ci 0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78, 1662a8e1175bSopenharmony_ci 0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e }, 1663a8e1175bSopenharmony_ci#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) 1664a8e1175bSopenharmony_ci { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB, 1665a8e1175bSopenharmony_ci 0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74, 1666a8e1175bSopenharmony_ci 0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c, 1667a8e1175bSopenharmony_ci 0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01, 1668a8e1175bSopenharmony_ci 0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f, 1669a8e1175bSopenharmony_ci 0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2, 1670a8e1175bSopenharmony_ci 0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e, 1671a8e1175bSopenharmony_ci 0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a }, 1672a8e1175bSopenharmony_ci { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B, 1673a8e1175bSopenharmony_ci 0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60, 1674a8e1175bSopenharmony_ci 0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a, 1675a8e1175bSopenharmony_ci 0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d, 1676a8e1175bSopenharmony_ci 0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 
0x6e, 0xed, 1677a8e1175bSopenharmony_ci 0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08, 1678a8e1175bSopenharmony_ci 0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8, 1679a8e1175bSopenharmony_ci 0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 } 1680a8e1175bSopenharmony_ci#endif 1681a8e1175bSopenharmony_ci}; 1682a8e1175bSopenharmony_ci#endif /* MBEDTLS_CIPHER_MODE_OFB */ 1683a8e1175bSopenharmony_ci 1684a8e1175bSopenharmony_ci#if defined(MBEDTLS_CIPHER_MODE_CTR) 1685a8e1175bSopenharmony_ci/* 1686a8e1175bSopenharmony_ci * AES-CTR test vectors from: 1687a8e1175bSopenharmony_ci * 1688a8e1175bSopenharmony_ci * http://www.faqs.org/rfcs/rfc3686.html 1689a8e1175bSopenharmony_ci */ 1690a8e1175bSopenharmony_ci 1691a8e1175bSopenharmony_cistatic const unsigned char aes_test_ctr_key[][16] = 1692a8e1175bSopenharmony_ci{ 1693a8e1175bSopenharmony_ci { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC, 1694a8e1175bSopenharmony_ci 0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E }, 1695a8e1175bSopenharmony_ci { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7, 1696a8e1175bSopenharmony_ci 0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 }, 1697a8e1175bSopenharmony_ci { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8, 1698a8e1175bSopenharmony_ci 0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC } 1699a8e1175bSopenharmony_ci}; 1700a8e1175bSopenharmony_ci 1701a8e1175bSopenharmony_cistatic const unsigned char aes_test_ctr_nonce_counter[][16] = 1702a8e1175bSopenharmony_ci{ 1703a8e1175bSopenharmony_ci { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 1704a8e1175bSopenharmony_ci 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }, 1705a8e1175bSopenharmony_ci { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59, 1706a8e1175bSopenharmony_ci 0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 }, 1707a8e1175bSopenharmony_ci { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F, 1708a8e1175bSopenharmony_ci 0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 } 1709a8e1175bSopenharmony_ci}; 1710a8e1175bSopenharmony_ci 
/*
 * CTR plaintexts. Rows are declared 48 bytes wide but hold 16, 32 and 36
 * initialised bytes respectively; the self-test reads only the first
 * aes_test_ctr_len[u] bytes of row u.
 */
static const unsigned char aes_test_ctr_pt[][48] =
{
    { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
      0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },

    { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
      0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
      0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
      0x20, 0x21, 0x22, 0x23 }
};

/*
 * Expected CTR ciphertexts, row u matching aes_test_ctr_pt[u]; as with the
 * plaintexts, only the first aes_test_ctr_len[u] bytes of a row are compared.
 */
static const unsigned char aes_test_ctr_ct[][48] =
{
    { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
      0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
    { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
      0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
      0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
      0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
    { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
      0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
      0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
      0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
      0x25, 0xB2, 0x07, 0x2F }
};

/* Number of bytes of each CTR plaintext/ciphertext row that the self-test
 * processes and compares. */
static const int aes_test_ctr_len[3] =
{ 16, 32, 36 };
#endif /* MBEDTLS_CIPHER_MODE_CTR */

#if defined(MBEDTLS_CIPHER_MODE_XTS)
/*
 * AES-XTS test vectors from:
 *
 * IEEE P1619/D16 Annex B
 * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
 * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
 */

/* One 32-byte XTS key per vector; the self-test passes each to the XTS
 * set-key functions with a key size of 256 bits. */
static const unsigned char aes_test_xts_key[][32] =
{
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
    { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
      0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
    { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
      0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
      0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
};

/* 32-byte XTS plaintexts, row u paired with aes_test_xts_key[u]. */
static const unsigned char aes_test_xts_pt32[][32] =
{
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
    { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
      0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
};

/* Expected 32-byte XTS ciphertexts, row u matching aes_test_xts_pt32[u];
 * the self-test also takes its XTS data length from the row size of this
 * table. */
static const unsigned char aes_test_xts_ct32[][32] =
{
    { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
      0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
      0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
      0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
    { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
      0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
      0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
      0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
    { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
      0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
      0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
      0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
};
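
/* 16-byte data-unit value for each XTS vector, passed to
 * mbedtls_aes_crypt_xts() as its data_unit argument. */
static const unsigned char aes_test_xts_data_unit[][16] =
{
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
    { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
    { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
};

#endif /* MBEDTLS_CIPHER_MODE_XTS */

/*
 * Checkup routine
 *
 * Known-answer self-test: runs ECB and every cipher mode that is compiled
 * in (CBC, CFB128, OFB, CTR, XTS) against the fixed vectors in this file,
 * in both directions, and compares the result with the expected output.
 *
 * verbose  if non-zero, progress and the implementation in use are printed
 *          with mbedtls_printf(); if zero the routine prints nothing.
 *
 * Returns 0 when every executed test matches, 1 when an output differs
 * from its expected vector, or the non-zero code returned by the failing
 * AES call. A 192-bit test whose key setup reports
 * MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED is skipped, not failed.
 *
 * All contexts are released on every exit path, including the error paths.
 */
int mbedtls_aes_self_test(int verbose)
{
    int ret = 0, i, j, u, mode;
    unsigned int keybits;
    unsigned char key[32];
    unsigned char buf[64];
    const unsigned char *aes_tests;
#if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
    defined(MBEDTLS_CIPHER_MODE_OFB)
    unsigned char iv[16];
#endif
#if defined(MBEDTLS_CIPHER_MODE_CBC)
    unsigned char prv[16];
#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
    defined(MBEDTLS_CIPHER_MODE_OFB)
    size_t offset;
#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
    int len;
#endif
#if defined(MBEDTLS_CIPHER_MODE_CTR)
    unsigned char nonce_counter[16];
    unsigned char stream_block[16];
#endif
    mbedtls_aes_context ctx;
#if defined(MBEDTLS_CIPHER_MODE_XTS)
    /* Declared at function scope so that the exit path can free it: a
     * block-local context would be skipped by every "goto exit". */
    mbedtls_aes_xts_context ctx_xts;
#endif

    memset(key, 0, 32);
    mbedtls_aes_init(&ctx);
#if defined(MBEDTLS_CIPHER_MODE_XTS)
    mbedtls_aes_xts_init(&ctx_xts);
#endif

    /* Report which AES implementation this build and CPU will use. */
    if (verbose != 0) {
#if defined(MBEDTLS_AES_ALT)
        mbedtls_printf(" AES note: alternative implementation.\n");
#else /* MBEDTLS_AES_ALT */
#if defined(MBEDTLS_AESNI_HAVE_CODE)
#if MBEDTLS_AESNI_HAVE_CODE == 1
        mbedtls_printf(" AES note: AESNI code present (assembly implementation).\n");
#elif MBEDTLS_AESNI_HAVE_CODE == 2
        mbedtls_printf(" AES note: AESNI code present (intrinsics implementation).\n");
#else
#error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE"
#endif
        if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
            mbedtls_printf(" AES note: using AESNI.\n");
        } else
#endif
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
        if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
            mbedtls_printf(" AES note: using VIA Padlock.\n");
        } else
#endif
#if defined(MBEDTLS_AESCE_HAVE_CODE)
        if (MBEDTLS_AESCE_HAS_SUPPORT()) {
            mbedtls_printf(" AES note: using AESCE.\n");
        } else
#endif
        {
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
            mbedtls_printf(" AES note: built-in implementation.\n");
#endif
        }
#endif /* MBEDTLS_AES_ALT */
    }

    /*
     * ECB mode
     */
    {
        static const int num_tests =
            sizeof(aes_test_ecb_enc) / sizeof(*aes_test_ecb_enc);

        /* i enumerates (vector, direction) pairs: u = i >> 1 selects the
         * key size, the low bit selects the direction. */
        for (i = 0; i < num_tests << 1; i++) {
            u = i >> 1;
            keybits = 128 + u * 64;
            mode = i & 1;

            if (verbose != 0) {
                mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
            }
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
            if (mode == MBEDTLS_AES_DECRYPT) {
                if (verbose != 0) {
                    mbedtls_printf("skipped\n");
                }
                continue;
            }
#endif

            memset(buf, 0, 16);

#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
            if (mode == MBEDTLS_AES_DECRYPT) {
                ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
                aes_tests = aes_test_ecb_dec[u];
            } else
#endif
            {
                ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
                aes_tests = aes_test_ecb_enc[u];
            }

            /*
             * AES-192 is an optional feature that may be unavailable when
             * there is an alternative underlying implementation i.e. when
             * MBEDTLS_AES_ALT is defined.
             */
            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
                /* Stay silent when the caller asked for no output. */
                if (verbose != 0) {
                    mbedtls_printf("skipped\n");
                }
                continue;
            } else if (ret != 0) {
                goto exit;
            }

            /* Chain 10000 in-place operations starting from a zero block;
             * only the final block is compared. */
            for (j = 0; j < 10000; j++) {
                ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
                if (ret != 0) {
                    goto exit;
                }
            }

            if (memcmp(buf, aes_tests, 16) != 0) {
                ret = 1;
                goto exit;
            }

            if (verbose != 0) {
                mbedtls_printf("passed\n");
            }
        }

        if (verbose != 0) {
            mbedtls_printf("\n");
        }
    }

#if defined(MBEDTLS_CIPHER_MODE_CBC)
    /*
     * CBC mode
     */
    {
        static const int num_tests =
            sizeof(aes_test_cbc_dec) / sizeof(*aes_test_cbc_dec);

        for (i = 0; i < num_tests << 1; i++) {
            u = i >> 1;
            keybits = 128 + u * 64;
            mode = i & 1;

            if (verbose != 0) {
                mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
            }

            memset(iv, 0, 16);
            memset(prv, 0, 16);
            memset(buf, 0, 16);

            if (mode == MBEDTLS_AES_DECRYPT) {
                ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
                aes_tests = aes_test_cbc_dec[u];
            } else {
                ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
                aes_tests = aes_test_cbc_enc[u];
            }

            /*
             * AES-192 is an optional feature that may be unavailable when
             * there is an alternative underlying implementation i.e. when
             * MBEDTLS_AES_ALT is defined.
             */
            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
                /* Stay silent when the caller asked for no output. */
                if (verbose != 0) {
                    mbedtls_printf("skipped\n");
                }
                continue;
            } else if (ret != 0) {
                goto exit;
            }

            for (j = 0; j < 10000; j++) {
                if (mode == MBEDTLS_AES_ENCRYPT) {
                    unsigned char tmp[16];

                    /* Swap buf and prv before each encryption step. */
                    memcpy(tmp, prv, 16);
                    memcpy(prv, buf, 16);
                    memcpy(buf, tmp, 16);
                }

                ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
                if (ret != 0) {
                    goto exit;
                }

            }

            if (memcmp(buf, aes_tests, 16) != 0) {
                ret = 1;
                goto exit;
            }

            if (verbose != 0) {
                mbedtls_printf("passed\n");
            }
        }

        if (verbose != 0) {
            mbedtls_printf("\n");
        }
    }
#endif /* MBEDTLS_CIPHER_MODE_CBC */

#if defined(MBEDTLS_CIPHER_MODE_CFB)
    /*
     * CFB128 mode
     */
    {
        static const int num_tests =
            sizeof(aes_test_cfb128_key) / sizeof(*aes_test_cfb128_key);

        for (i = 0; i < num_tests << 1; i++) {
            u = i >> 1;
            keybits = 128 + u * 64;
            mode = i & 1;

            if (verbose != 0) {
                mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
            }

            memcpy(iv, aes_test_cfb128_iv, 16);
            memcpy(key, aes_test_cfb128_key[u], keybits / 8);

            offset = 0;
            /* The encryption key schedule is set up for both directions. */
            ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
            /*
             * AES-192 is an optional feature that may be unavailable when
             * there is an alternative underlying implementation i.e. when
             * MBEDTLS_AES_ALT is defined.
             */
            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
                /* Stay silent when the caller asked for no output. */
                if (verbose != 0) {
                    mbedtls_printf("skipped\n");
                }
                continue;
            } else if (ret != 0) {
                goto exit;
            }

            if (mode == MBEDTLS_AES_DECRYPT) {
                memcpy(buf, aes_test_cfb128_ct[u], 64);
                aes_tests = aes_test_cfb128_pt;
            } else {
                memcpy(buf, aes_test_cfb128_pt, 64);
                aes_tests = aes_test_cfb128_ct[u];
            }

            ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
            if (ret != 0) {
                goto exit;
            }

            if (memcmp(buf, aes_tests, 64) != 0) {
                ret = 1;
                goto exit;
            }

            if (verbose != 0) {
                mbedtls_printf("passed\n");
            }
        }

        if (verbose != 0) {
            mbedtls_printf("\n");
        }
    }
#endif /* MBEDTLS_CIPHER_MODE_CFB */

#if defined(MBEDTLS_CIPHER_MODE_OFB)
    /*
     * OFB mode
     */
    {
        static const int num_tests =
            sizeof(aes_test_ofb_key) / sizeof(*aes_test_ofb_key);

        for (i = 0; i < num_tests << 1; i++) {
            u = i >> 1;
            keybits = 128 + u * 64;
            mode = i & 1;

            if (verbose != 0) {
                mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
            }

            memcpy(iv, aes_test_ofb_iv, 16);
            memcpy(key, aes_test_ofb_key[u], keybits / 8);

            offset = 0;
            /* The encryption key schedule is set up for both directions. */
            ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
            /*
             * AES-192 is an optional feature that may be unavailable when
             * there is an alternative underlying implementation i.e. when
             * MBEDTLS_AES_ALT is defined.
             */
            if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
                /* Stay silent when the caller asked for no output. */
                if (verbose != 0) {
                    mbedtls_printf("skipped\n");
                }
                continue;
            } else if (ret != 0) {
                goto exit;
            }

            if (mode == MBEDTLS_AES_DECRYPT) {
                memcpy(buf, aes_test_ofb_ct[u], 64);
                aes_tests = aes_test_ofb_pt;
            } else {
                memcpy(buf, aes_test_ofb_pt, 64);
                aes_tests = aes_test_ofb_ct[u];
            }

            ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
            if (ret != 0) {
                goto exit;
            }

            if (memcmp(buf, aes_tests, 64) != 0) {
                ret = 1;
                goto exit;
            }

            if (verbose != 0) {
                mbedtls_printf("passed\n");
            }
        }

        if (verbose != 0) {
            mbedtls_printf("\n");
        }
    }
#endif /* MBEDTLS_CIPHER_MODE_OFB */

#if defined(MBEDTLS_CIPHER_MODE_CTR)
    /*
     * CTR mode
     */
    {
        static const int num_tests =
            sizeof(aes_test_ctr_key) / sizeof(*aes_test_ctr_key);

        for (i = 0; i < num_tests << 1; i++) {
            u = i >> 1;
            mode = i & 1;

            if (verbose != 0) {
                mbedtls_printf(" AES-CTR-128 (%s): ",
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
            }

            memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
            memcpy(key, aes_test_ctr_key[u], 16);

            offset = 0;
            if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
                goto exit;
            }

            /* Vector lengths are 16, 32 and 36 bytes, all within buf. */
            len = aes_test_ctr_len[u];

            if (mode == MBEDTLS_AES_DECRYPT) {
                memcpy(buf, aes_test_ctr_ct[u], len);
                aes_tests = aes_test_ctr_pt[u];
            } else {
                memcpy(buf, aes_test_ctr_pt[u], len);
                aes_tests = aes_test_ctr_ct[u];
            }

            ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
                                        stream_block, buf, buf);
            if (ret != 0) {
                goto exit;
            }

            if (memcmp(buf, aes_tests, len) != 0) {
                ret = 1;
                goto exit;
            }

            if (verbose != 0) {
                mbedtls_printf("passed\n");
            }
        }
    }

    if (verbose != 0) {
        mbedtls_printf("\n");
    }
#endif /* MBEDTLS_CIPHER_MODE_CTR */

#if defined(MBEDTLS_CIPHER_MODE_XTS)
    /*
     * XTS mode
     */
    {
        static const int num_tests =
            sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);

        for (i = 0; i < num_tests << 1; i++) {
            const unsigned char *data_unit;
            u = i >> 1;
            mode = i & 1;

            if (verbose != 0) {
                mbedtls_printf(" AES-XTS-128 (%s): ",
                               (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
            }

            memset(key, 0, sizeof(key));
            memcpy(key, aes_test_xts_key[u], 32);
            data_unit = aes_test_xts_data_unit[u];

            /* Row size of the ciphertext table: 32 bytes per vector. */
            len = sizeof(*aes_test_xts_ct32);

            if (mode == MBEDTLS_AES_DECRYPT) {
                ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
                if (ret != 0) {
                    goto exit;
                }
                memcpy(buf, aes_test_xts_ct32[u], len);
                aes_tests = aes_test_xts_pt32[u];
            } else {
                ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
                if (ret != 0) {
                    goto exit;
                }
                memcpy(buf, aes_test_xts_pt32[u], len);
                aes_tests = aes_test_xts_ct32[u];
            }


            ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
                                        buf, buf);
            if (ret != 0) {
                goto exit;
            }

            if (memcmp(buf, aes_tests, len) != 0) {
                ret = 1;
                goto exit;
            }

            if (verbose != 0) {
                mbedtls_printf("passed\n");
            }
        }

        if (verbose != 0) {
            mbedtls_printf("\n");
        }
    }
#endif /* MBEDTLS_CIPHER_MODE_XTS */

    /* A skipped final iteration may have left an "unsupported" code behind. */
    ret = 0;

exit:
    if (ret != 0 && verbose != 0) {
        mbedtls_printf("failed\n");
    }

    mbedtls_aes_free(&ctx);
#if defined(MBEDTLS_CIPHER_MODE_XTS)
    /* Reached from the success path and from every error path. */
    mbedtls_aes_xts_free(&ctx_xts);
#endif

    return ret;
}

#endif /* MBEDTLS_SELF_TEST */

#endif /* MBEDTLS_AES_C */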