NCBI C++ ToolKit
aes.c
Go to the documentation of this file.

Go to the SVN repository for this file.

1 /*
2  * FIPS-197 compliant AES implementation
3  *
4  * Copyright The Mbed TLS Contributors
5  * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6  */
7 /*
8  * The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
9  *
10  * https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf
11  * http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
12  */
13 
14 #include "common.h"
15 
16 #if defined(MBEDTLS_AES_C)
17 
18 #include <string.h>
19 
20 #include "mbedtls/aes.h"
21 #include "mbedtls/platform.h"
22 #include "mbedtls/platform_util.h"
23 #include "mbedtls/error.h"
24 
25 #if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
26 #if !((defined(MBEDTLS_ARCH_IS_ARMV8_A) && defined(MBEDTLS_AESCE_C)) || \
27  (defined(MBEDTLS_ARCH_IS_X64) && defined(MBEDTLS_AESNI_C)) || \
28  (defined(MBEDTLS_ARCH_IS_X86) && defined(MBEDTLS_AESNI_C)))
29 #error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
30 #endif
31 #endif
32 
33 #if defined(MBEDTLS_ARCH_IS_X86)
34 #if defined(MBEDTLS_PADLOCK_C)
35 #if !defined(MBEDTLS_HAVE_ASM)
36 #error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
37 #endif
38 #if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
39 #error "MBEDTLS_AES_USE_HARDWARE_ONLY cannot be defined when " \
40  "MBEDTLS_PADLOCK_C is set"
41 #endif
42 #endif
43 #endif
44 
45 #if defined(MBEDTLS_PADLOCK_C)
46 #include "padlock.h"
47 #endif
48 #if defined(MBEDTLS_AESNI_C)
49 #include "aesni.h"
50 #endif
51 #if defined(MBEDTLS_AESCE_C)
52 #include "aesce.h"
53 #endif
54 
55 #include "mbedtls/platform.h"
56 #include "ctr.h"
57 
58 /*
59  * This is a convenience shorthand macro to check if we need reverse S-box and
60  * reverse tables. It's private and only defined in this file.
61  */
62 #if (!defined(MBEDTLS_AES_DECRYPT_ALT) || \
63  (!defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY))) && \
64  !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
65 #define MBEDTLS_AES_NEED_REVERSE_TABLES
66 #endif
67 
68 #if !defined(MBEDTLS_AES_ALT)
69 
70 #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
71 static int aes_padlock_ace = -1;
72 #endif
73 
74 #if defined(MBEDTLS_AES_ROM_TABLES)
75 /*
76  * Forward S-box
77  */
78 MBEDTLS_MAYBE_UNUSED static const unsigned char FSb[256] =
79 {
80  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5,
81  0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
82  0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
83  0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
84  0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
85  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
86  0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A,
87  0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
88  0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
89  0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
90  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B,
91  0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
92  0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85,
93  0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
94  0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
95  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
96  0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17,
97  0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
98  0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88,
99  0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
100  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
101  0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
102  0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9,
103  0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
104  0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
105  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
106  0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
107  0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
108  0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94,
109  0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
110  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68,
111  0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
112 };
113 
114 /*
115  * Forward tables
116  */
117 #define FT \
118 \
119  V(A5, 63, 63, C6), V(84, 7C, 7C, F8), V(99, 77, 77, EE), V(8D, 7B, 7B, F6), \
120  V(0D, F2, F2, FF), V(BD, 6B, 6B, D6), V(B1, 6F, 6F, DE), V(54, C5, C5, 91), \
121  V(50, 30, 30, 60), V(03, 01, 01, 02), V(A9, 67, 67, CE), V(7D, 2B, 2B, 56), \
122  V(19, FE, FE, E7), V(62, D7, D7, B5), V(E6, AB, AB, 4D), V(9A, 76, 76, EC), \
123  V(45, CA, CA, 8F), V(9D, 82, 82, 1F), V(40, C9, C9, 89), V(87, 7D, 7D, FA), \
124  V(15, FA, FA, EF), V(EB, 59, 59, B2), V(C9, 47, 47, 8E), V(0B, F0, F0, FB), \
125  V(EC, AD, AD, 41), V(67, D4, D4, B3), V(FD, A2, A2, 5F), V(EA, AF, AF, 45), \
126  V(BF, 9C, 9C, 23), V(F7, A4, A4, 53), V(96, 72, 72, E4), V(5B, C0, C0, 9B), \
127  V(C2, B7, B7, 75), V(1C, FD, FD, E1), V(AE, 93, 93, 3D), V(6A, 26, 26, 4C), \
128  V(5A, 36, 36, 6C), V(41, 3F, 3F, 7E), V(02, F7, F7, F5), V(4F, CC, CC, 83), \
129  V(5C, 34, 34, 68), V(F4, A5, A5, 51), V(34, E5, E5, D1), V(08, F1, F1, F9), \
130  V(93, 71, 71, E2), V(73, D8, D8, AB), V(53, 31, 31, 62), V(3F, 15, 15, 2A), \
131  V(0C, 04, 04, 08), V(52, C7, C7, 95), V(65, 23, 23, 46), V(5E, C3, C3, 9D), \
132  V(28, 18, 18, 30), V(A1, 96, 96, 37), V(0F, 05, 05, 0A), V(B5, 9A, 9A, 2F), \
133  V(09, 07, 07, 0E), V(36, 12, 12, 24), V(9B, 80, 80, 1B), V(3D, E2, E2, DF), \
134  V(26, EB, EB, CD), V(69, 27, 27, 4E), V(CD, B2, B2, 7F), V(9F, 75, 75, EA), \
135  V(1B, 09, 09, 12), V(9E, 83, 83, 1D), V(74, 2C, 2C, 58), V(2E, 1A, 1A, 34), \
136  V(2D, 1B, 1B, 36), V(B2, 6E, 6E, DC), V(EE, 5A, 5A, B4), V(FB, A0, A0, 5B), \
137  V(F6, 52, 52, A4), V(4D, 3B, 3B, 76), V(61, D6, D6, B7), V(CE, B3, B3, 7D), \
138  V(7B, 29, 29, 52), V(3E, E3, E3, DD), V(71, 2F, 2F, 5E), V(97, 84, 84, 13), \
139  V(F5, 53, 53, A6), V(68, D1, D1, B9), V(00, 00, 00, 00), V(2C, ED, ED, C1), \
140  V(60, 20, 20, 40), V(1F, FC, FC, E3), V(C8, B1, B1, 79), V(ED, 5B, 5B, B6), \
141  V(BE, 6A, 6A, D4), V(46, CB, CB, 8D), V(D9, BE, BE, 67), V(4B, 39, 39, 72), \
142  V(DE, 4A, 4A, 94), V(D4, 4C, 4C, 98), V(E8, 58, 58, B0), V(4A, CF, CF, 85), \
143  V(6B, D0, D0, BB), V(2A, EF, EF, C5), V(E5, AA, AA, 4F), V(16, FB, FB, ED), \
144  V(C5, 43, 43, 86), V(D7, 4D, 4D, 9A), V(55, 33, 33, 66), V(94, 85, 85, 11), \
145  V(CF, 45, 45, 8A), V(10, F9, F9, E9), V(06, 02, 02, 04), V(81, 7F, 7F, FE), \
146  V(F0, 50, 50, A0), V(44, 3C, 3C, 78), V(BA, 9F, 9F, 25), V(E3, A8, A8, 4B), \
147  V(F3, 51, 51, A2), V(FE, A3, A3, 5D), V(C0, 40, 40, 80), V(8A, 8F, 8F, 05), \
148  V(AD, 92, 92, 3F), V(BC, 9D, 9D, 21), V(48, 38, 38, 70), V(04, F5, F5, F1), \
149  V(DF, BC, BC, 63), V(C1, B6, B6, 77), V(75, DA, DA, AF), V(63, 21, 21, 42), \
150  V(30, 10, 10, 20), V(1A, FF, FF, E5), V(0E, F3, F3, FD), V(6D, D2, D2, BF), \
151  V(4C, CD, CD, 81), V(14, 0C, 0C, 18), V(35, 13, 13, 26), V(2F, EC, EC, C3), \
152  V(E1, 5F, 5F, BE), V(A2, 97, 97, 35), V(CC, 44, 44, 88), V(39, 17, 17, 2E), \
153  V(57, C4, C4, 93), V(F2, A7, A7, 55), V(82, 7E, 7E, FC), V(47, 3D, 3D, 7A), \
154  V(AC, 64, 64, C8), V(E7, 5D, 5D, BA), V(2B, 19, 19, 32), V(95, 73, 73, E6), \
155  V(A0, 60, 60, C0), V(98, 81, 81, 19), V(D1, 4F, 4F, 9E), V(7F, DC, DC, A3), \
156  V(66, 22, 22, 44), V(7E, 2A, 2A, 54), V(AB, 90, 90, 3B), V(83, 88, 88, 0B), \
157  V(CA, 46, 46, 8C), V(29, EE, EE, C7), V(D3, B8, B8, 6B), V(3C, 14, 14, 28), \
158  V(79, DE, DE, A7), V(E2, 5E, 5E, BC), V(1D, 0B, 0B, 16), V(76, DB, DB, AD), \
159  V(3B, E0, E0, DB), V(56, 32, 32, 64), V(4E, 3A, 3A, 74), V(1E, 0A, 0A, 14), \
160  V(DB, 49, 49, 92), V(0A, 06, 06, 0C), V(6C, 24, 24, 48), V(E4, 5C, 5C, B8), \
161  V(5D, C2, C2, 9F), V(6E, D3, D3, BD), V(EF, AC, AC, 43), V(A6, 62, 62, C4), \
162  V(A8, 91, 91, 39), V(A4, 95, 95, 31), V(37, E4, E4, D3), V(8B, 79, 79, F2), \
163  V(32, E7, E7, D5), V(43, C8, C8, 8B), V(59, 37, 37, 6E), V(B7, 6D, 6D, DA), \
164  V(8C, 8D, 8D, 01), V(64, D5, D5, B1), V(D2, 4E, 4E, 9C), V(E0, A9, A9, 49), \
165  V(B4, 6C, 6C, D8), V(FA, 56, 56, AC), V(07, F4, F4, F3), V(25, EA, EA, CF), \
166  V(AF, 65, 65, CA), V(8E, 7A, 7A, F4), V(E9, AE, AE, 47), V(18, 08, 08, 10), \
167  V(D5, BA, BA, 6F), V(88, 78, 78, F0), V(6F, 25, 25, 4A), V(72, 2E, 2E, 5C), \
168  V(24, 1C, 1C, 38), V(F1, A6, A6, 57), V(C7, B4, B4, 73), V(51, C6, C6, 97), \
169  V(23, E8, E8, CB), V(7C, DD, DD, A1), V(9C, 74, 74, E8), V(21, 1F, 1F, 3E), \
170  V(DD, 4B, 4B, 96), V(DC, BD, BD, 61), V(86, 8B, 8B, 0D), V(85, 8A, 8A, 0F), \
171  V(90, 70, 70, E0), V(42, 3E, 3E, 7C), V(C4, B5, B5, 71), V(AA, 66, 66, CC), \
172  V(D8, 48, 48, 90), V(05, 03, 03, 06), V(01, F6, F6, F7), V(12, 0E, 0E, 1C), \
173  V(A3, 61, 61, C2), V(5F, 35, 35, 6A), V(F9, 57, 57, AE), V(D0, B9, B9, 69), \
174  V(91, 86, 86, 17), V(58, C1, C1, 99), V(27, 1D, 1D, 3A), V(B9, 9E, 9E, 27), \
175  V(38, E1, E1, D9), V(13, F8, F8, EB), V(B3, 98, 98, 2B), V(33, 11, 11, 22), \
176  V(BB, 69, 69, D2), V(70, D9, D9, A9), V(89, 8E, 8E, 07), V(A7, 94, 94, 33), \
177  V(B6, 9B, 9B, 2D), V(22, 1E, 1E, 3C), V(92, 87, 87, 15), V(20, E9, E9, C9), \
178  V(49, CE, CE, 87), V(FF, 55, 55, AA), V(78, 28, 28, 50), V(7A, DF, DF, A5), \
179  V(8F, 8C, 8C, 03), V(F8, A1, A1, 59), V(80, 89, 89, 09), V(17, 0D, 0D, 1A), \
180  V(DA, BF, BF, 65), V(31, E6, E6, D7), V(C6, 42, 42, 84), V(B8, 68, 68, D0), \
181  V(C3, 41, 41, 82), V(B0, 99, 99, 29), V(77, 2D, 2D, 5A), V(11, 0F, 0F, 1E), \
182  V(CB, B0, B0, 7B), V(FC, 54, 54, A8), V(D6, BB, BB, 6D), V(3A, 16, 16, 2C)
183 
184 #define V(a, b, c, d) 0x##a##b##c##d
185 MBEDTLS_MAYBE_UNUSED static const uint32_t FT0[256] = { FT };
186 #undef V
187 
188 #define V(a, b, c, d) 0x##b##c##d##a
189 MBEDTLS_MAYBE_UNUSED static const uint32_t FT1[256] = { FT };
190 #undef V
191 
192 #define V(a, b, c, d) 0x##c##d##a##b
193 MBEDTLS_MAYBE_UNUSED static const uint32_t FT2[256] = { FT };
194 #undef V
195 
196 #define V(a, b, c, d) 0x##d##a##b##c
197 MBEDTLS_MAYBE_UNUSED static const uint32_t FT3[256] = { FT };
198 #undef V
199 
200 #undef FT
201 
202 /*
203  * Reverse S-box
204  */
205 MBEDTLS_MAYBE_UNUSED static const unsigned char RSb[256] =
206 {
207  0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38,
208  0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
209  0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
210  0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
211  0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D,
212  0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
213  0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2,
214  0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
215  0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
216  0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92,
217  0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA,
218  0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
219  0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A,
220  0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
221  0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
222  0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
223  0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA,
224  0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
225  0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85,
226  0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
227  0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
228  0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
229  0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20,
230  0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
231  0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31,
232  0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
233  0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
234  0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
235  0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0,
236  0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
237  0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26,
238  0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D
239 };
240 
241 /*
242  * Reverse tables
243  */
244 #define RT \
245 \
246  V(50, A7, F4, 51), V(53, 65, 41, 7E), V(C3, A4, 17, 1A), V(96, 5E, 27, 3A), \
247  V(CB, 6B, AB, 3B), V(F1, 45, 9D, 1F), V(AB, 58, FA, AC), V(93, 03, E3, 4B), \
248  V(55, FA, 30, 20), V(F6, 6D, 76, AD), V(91, 76, CC, 88), V(25, 4C, 02, F5), \
249  V(FC, D7, E5, 4F), V(D7, CB, 2A, C5), V(80, 44, 35, 26), V(8F, A3, 62, B5), \
250  V(49, 5A, B1, DE), V(67, 1B, BA, 25), V(98, 0E, EA, 45), V(E1, C0, FE, 5D), \
251  V(02, 75, 2F, C3), V(12, F0, 4C, 81), V(A3, 97, 46, 8D), V(C6, F9, D3, 6B), \
252  V(E7, 5F, 8F, 03), V(95, 9C, 92, 15), V(EB, 7A, 6D, BF), V(DA, 59, 52, 95), \
253  V(2D, 83, BE, D4), V(D3, 21, 74, 58), V(29, 69, E0, 49), V(44, C8, C9, 8E), \
254  V(6A, 89, C2, 75), V(78, 79, 8E, F4), V(6B, 3E, 58, 99), V(DD, 71, B9, 27), \
255  V(B6, 4F, E1, BE), V(17, AD, 88, F0), V(66, AC, 20, C9), V(B4, 3A, CE, 7D), \
256  V(18, 4A, DF, 63), V(82, 31, 1A, E5), V(60, 33, 51, 97), V(45, 7F, 53, 62), \
257  V(E0, 77, 64, B1), V(84, AE, 6B, BB), V(1C, A0, 81, FE), V(94, 2B, 08, F9), \
258  V(58, 68, 48, 70), V(19, FD, 45, 8F), V(87, 6C, DE, 94), V(B7, F8, 7B, 52), \
259  V(23, D3, 73, AB), V(E2, 02, 4B, 72), V(57, 8F, 1F, E3), V(2A, AB, 55, 66), \
260  V(07, 28, EB, B2), V(03, C2, B5, 2F), V(9A, 7B, C5, 86), V(A5, 08, 37, D3), \
261  V(F2, 87, 28, 30), V(B2, A5, BF, 23), V(BA, 6A, 03, 02), V(5C, 82, 16, ED), \
262  V(2B, 1C, CF, 8A), V(92, B4, 79, A7), V(F0, F2, 07, F3), V(A1, E2, 69, 4E), \
263  V(CD, F4, DA, 65), V(D5, BE, 05, 06), V(1F, 62, 34, D1), V(8A, FE, A6, C4), \
264  V(9D, 53, 2E, 34), V(A0, 55, F3, A2), V(32, E1, 8A, 05), V(75, EB, F6, A4), \
265  V(39, EC, 83, 0B), V(AA, EF, 60, 40), V(06, 9F, 71, 5E), V(51, 10, 6E, BD), \
266  V(F9, 8A, 21, 3E), V(3D, 06, DD, 96), V(AE, 05, 3E, DD), V(46, BD, E6, 4D), \
267  V(B5, 8D, 54, 91), V(05, 5D, C4, 71), V(6F, D4, 06, 04), V(FF, 15, 50, 60), \
268  V(24, FB, 98, 19), V(97, E9, BD, D6), V(CC, 43, 40, 89), V(77, 9E, D9, 67), \
269  V(BD, 42, E8, B0), V(88, 8B, 89, 07), V(38, 5B, 19, E7), V(DB, EE, C8, 79), \
270  V(47, 0A, 7C, A1), V(E9, 0F, 42, 7C), V(C9, 1E, 84, F8), V(00, 00, 00, 00), \
271  V(83, 86, 80, 09), V(48, ED, 2B, 32), V(AC, 70, 11, 1E), V(4E, 72, 5A, 6C), \
272  V(FB, FF, 0E, FD), V(56, 38, 85, 0F), V(1E, D5, AE, 3D), V(27, 39, 2D, 36), \
273  V(64, D9, 0F, 0A), V(21, A6, 5C, 68), V(D1, 54, 5B, 9B), V(3A, 2E, 36, 24), \
274  V(B1, 67, 0A, 0C), V(0F, E7, 57, 93), V(D2, 96, EE, B4), V(9E, 91, 9B, 1B), \
275  V(4F, C5, C0, 80), V(A2, 20, DC, 61), V(69, 4B, 77, 5A), V(16, 1A, 12, 1C), \
276  V(0A, BA, 93, E2), V(E5, 2A, A0, C0), V(43, E0, 22, 3C), V(1D, 17, 1B, 12), \
277  V(0B, 0D, 09, 0E), V(AD, C7, 8B, F2), V(B9, A8, B6, 2D), V(C8, A9, 1E, 14), \
278  V(85, 19, F1, 57), V(4C, 07, 75, AF), V(BB, DD, 99, EE), V(FD, 60, 7F, A3), \
279  V(9F, 26, 01, F7), V(BC, F5, 72, 5C), V(C5, 3B, 66, 44), V(34, 7E, FB, 5B), \
280  V(76, 29, 43, 8B), V(DC, C6, 23, CB), V(68, FC, ED, B6), V(63, F1, E4, B8), \
281  V(CA, DC, 31, D7), V(10, 85, 63, 42), V(40, 22, 97, 13), V(20, 11, C6, 84), \
282  V(7D, 24, 4A, 85), V(F8, 3D, BB, D2), V(11, 32, F9, AE), V(6D, A1, 29, C7), \
283  V(4B, 2F, 9E, 1D), V(F3, 30, B2, DC), V(EC, 52, 86, 0D), V(D0, E3, C1, 77), \
284  V(6C, 16, B3, 2B), V(99, B9, 70, A9), V(FA, 48, 94, 11), V(22, 64, E9, 47), \
285  V(C4, 8C, FC, A8), V(1A, 3F, F0, A0), V(D8, 2C, 7D, 56), V(EF, 90, 33, 22), \
286  V(C7, 4E, 49, 87), V(C1, D1, 38, D9), V(FE, A2, CA, 8C), V(36, 0B, D4, 98), \
287  V(CF, 81, F5, A6), V(28, DE, 7A, A5), V(26, 8E, B7, DA), V(A4, BF, AD, 3F), \
288  V(E4, 9D, 3A, 2C), V(0D, 92, 78, 50), V(9B, CC, 5F, 6A), V(62, 46, 7E, 54), \
289  V(C2, 13, 8D, F6), V(E8, B8, D8, 90), V(5E, F7, 39, 2E), V(F5, AF, C3, 82), \
290  V(BE, 80, 5D, 9F), V(7C, 93, D0, 69), V(A9, 2D, D5, 6F), V(B3, 12, 25, CF), \
291  V(3B, 99, AC, C8), V(A7, 7D, 18, 10), V(6E, 63, 9C, E8), V(7B, BB, 3B, DB), \
292  V(09, 78, 26, CD), V(F4, 18, 59, 6E), V(01, B7, 9A, EC), V(A8, 9A, 4F, 83), \
293  V(65, 6E, 95, E6), V(7E, E6, FF, AA), V(08, CF, BC, 21), V(E6, E8, 15, EF), \
294  V(D9, 9B, E7, BA), V(CE, 36, 6F, 4A), V(D4, 09, 9F, EA), V(D6, 7C, B0, 29), \
295  V(AF, B2, A4, 31), V(31, 23, 3F, 2A), V(30, 94, A5, C6), V(C0, 66, A2, 35), \
296  V(37, BC, 4E, 74), V(A6, CA, 82, FC), V(B0, D0, 90, E0), V(15, D8, A7, 33), \
297  V(4A, 98, 04, F1), V(F7, DA, EC, 41), V(0E, 50, CD, 7F), V(2F, F6, 91, 17), \
298  V(8D, D6, 4D, 76), V(4D, B0, EF, 43), V(54, 4D, AA, CC), V(DF, 04, 96, E4), \
299  V(E3, B5, D1, 9E), V(1B, 88, 6A, 4C), V(B8, 1F, 2C, C1), V(7F, 51, 65, 46), \
300  V(04, EA, 5E, 9D), V(5D, 35, 8C, 01), V(73, 74, 87, FA), V(2E, 41, 0B, FB), \
301  V(5A, 1D, 67, B3), V(52, D2, DB, 92), V(33, 56, 10, E9), V(13, 47, D6, 6D), \
302  V(8C, 61, D7, 9A), V(7A, 0C, A1, 37), V(8E, 14, F8, 59), V(89, 3C, 13, EB), \
303  V(EE, 27, A9, CE), V(35, C9, 61, B7), V(ED, E5, 1C, E1), V(3C, B1, 47, 7A), \
304  V(59, DF, D2, 9C), V(3F, 73, F2, 55), V(79, CE, 14, 18), V(BF, 37, C7, 73), \
305  V(EA, CD, F7, 53), V(5B, AA, FD, 5F), V(14, 6F, 3D, DF), V(86, DB, 44, 78), \
306  V(81, F3, AF, CA), V(3E, C4, 68, B9), V(2C, 34, 24, 38), V(5F, 40, A3, C2), \
307  V(72, C3, 1D, 16), V(0C, 25, E2, BC), V(8B, 49, 3C, 28), V(41, 95, 0D, FF), \
308  V(71, 01, A8, 39), V(DE, B3, 0C, 08), V(9C, E4, B4, D8), V(90, C1, 56, 64), \
309  V(61, 84, CB, 7B), V(70, B6, 32, D5), V(74, 5C, 6C, 48), V(42, 57, B8, D0)
310 
311 
312 #define V(a, b, c, d) 0x##a##b##c##d
313 MBEDTLS_MAYBE_UNUSED static const uint32_t RT0[256] = { RT };
314 #undef V
315 
316 #define V(a, b, c, d) 0x##b##c##d##a
317 MBEDTLS_MAYBE_UNUSED static const uint32_t RT1[256] = { RT };
318 #undef V
319 
320 #define V(a, b, c, d) 0x##c##d##a##b
321 MBEDTLS_MAYBE_UNUSED static const uint32_t RT2[256] = { RT };
322 #undef V
323 
324 #define V(a, b, c, d) 0x##d##a##b##c
325 MBEDTLS_MAYBE_UNUSED static const uint32_t RT3[256] = { RT };
326 #undef V
327 
328 #undef RT
329 
330 /*
331  * Round constants
332  */
333 MBEDTLS_MAYBE_UNUSED static const uint32_t round_constants[10] =
334 {
335  0x00000001, 0x00000002, 0x00000004, 0x00000008,
336  0x00000010, 0x00000020, 0x00000040, 0x00000080,
337  0x0000001B, 0x00000036
338 };
339 
340 #else /* MBEDTLS_AES_ROM_TABLES */
341 
342 /*
343  * Forward S-box & tables
344  */
345 MBEDTLS_MAYBE_UNUSED static unsigned char FSb[256];
346 MBEDTLS_MAYBE_UNUSED static uint32_t FT0[256];
347 MBEDTLS_MAYBE_UNUSED static uint32_t FT1[256];
348 MBEDTLS_MAYBE_UNUSED static uint32_t FT2[256];
349 MBEDTLS_MAYBE_UNUSED static uint32_t FT3[256];
350 
351 /*
352  * Reverse S-box & tables
353  */
354 MBEDTLS_MAYBE_UNUSED static unsigned char RSb[256];
355 
356 MBEDTLS_MAYBE_UNUSED static uint32_t RT0[256];
357 MBEDTLS_MAYBE_UNUSED static uint32_t RT1[256];
358 MBEDTLS_MAYBE_UNUSED static uint32_t RT2[256];
359 MBEDTLS_MAYBE_UNUSED static uint32_t RT3[256];
360 
361 /*
362  * Round constants
363  */
364 MBEDTLS_MAYBE_UNUSED static uint32_t round_constants[10];
365 
366 /*
367  * Tables generation code
368  */
369 #define ROTL8(x) (((x) << 8) & 0xFFFFFFFF) | ((x) >> 24)
370 #define XTIME(x) (((x) << 1) ^ (((x) & 0x80) ? 0x1B : 0x00))
371 #define MUL(x, y) (((x) && (y)) ? pow[(log[(x)]+log[(y)]) % 255] : 0)
372 
373 MBEDTLS_MAYBE_UNUSED static int aes_init_done = 0;
374 
375 MBEDTLS_MAYBE_UNUSED static void aes_gen_tables(void)
376 {
377  int i;
378  uint8_t x, y, z;
379  uint8_t pow[256];
380  uint8_t log[256];
381 
382  /*
383  * compute pow and log tables over GF(2^8)
384  */
385  for (i = 0, x = 1; i < 256; i++) {
386  pow[i] = x;
387  log[x] = (uint8_t) i;
388  x ^= XTIME(x);
389  }
390 
391  /*
392  * calculate the round constants
393  */
394  for (i = 0, x = 1; i < 10; i++) {
395  round_constants[i] = x;
396  x = XTIME(x);
397  }
398 
399  /*
400  * generate the forward and reverse S-boxes
401  */
402  FSb[0x00] = 0x63;
403 #if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
404  RSb[0x63] = 0x00;
405 #endif
406 
407  for (i = 1; i < 256; i++) {
408  x = pow[255 - log[i]];
409 
410  y = x; y = (y << 1) | (y >> 7);
411  x ^= y; y = (y << 1) | (y >> 7);
412  x ^= y; y = (y << 1) | (y >> 7);
413  x ^= y; y = (y << 1) | (y >> 7);
414  x ^= y ^ 0x63;
415 
416  FSb[i] = x;
417 #if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
418  RSb[x] = (unsigned char) i;
419 #endif
420  }
421 
422  /*
423  * generate the forward and reverse tables
424  */
425  for (i = 0; i < 256; i++) {
426  x = FSb[i];
427  y = XTIME(x);
428  z = y ^ x;
429 
430  FT0[i] = ((uint32_t) y) ^
431  ((uint32_t) x << 8) ^
432  ((uint32_t) x << 16) ^
433  ((uint32_t) z << 24);
434 
435 #if !defined(MBEDTLS_AES_FEWER_TABLES)
436  FT1[i] = ROTL8(FT0[i]);
437  FT2[i] = ROTL8(FT1[i]);
438  FT3[i] = ROTL8(FT2[i]);
439 #endif /* !MBEDTLS_AES_FEWER_TABLES */
440 
441 #if defined(MBEDTLS_AES_NEED_REVERSE_TABLES)
442  x = RSb[i];
443 
444  RT0[i] = ((uint32_t) MUL(0x0E, x)) ^
445  ((uint32_t) MUL(0x09, x) << 8) ^
446  ((uint32_t) MUL(0x0D, x) << 16) ^
447  ((uint32_t) MUL(0x0B, x) << 24);
448 
449 #if !defined(MBEDTLS_AES_FEWER_TABLES)
450  RT1[i] = ROTL8(RT0[i]);
451  RT2[i] = ROTL8(RT1[i]);
452  RT3[i] = ROTL8(RT2[i]);
453 #endif /* !MBEDTLS_AES_FEWER_TABLES */
454 #endif /* MBEDTLS_AES_NEED_REVERSE_TABLES */
455  }
456 }
457 
458 #undef ROTL8
459 
460 #endif /* MBEDTLS_AES_ROM_TABLES */
461 
462 #if defined(MBEDTLS_AES_FEWER_TABLES)
463 
464 #define ROTL8(x) ((uint32_t) ((x) << 8) + (uint32_t) ((x) >> 24))
465 #define ROTL16(x) ((uint32_t) ((x) << 16) + (uint32_t) ((x) >> 16))
466 #define ROTL24(x) ((uint32_t) ((x) << 24) + (uint32_t) ((x) >> 8))
467 
468 #define AES_RT0(idx) RT0[idx]
469 #define AES_RT1(idx) ROTL8(RT0[idx])
470 #define AES_RT2(idx) ROTL16(RT0[idx])
471 #define AES_RT3(idx) ROTL24(RT0[idx])
472 
473 #define AES_FT0(idx) FT0[idx]
474 #define AES_FT1(idx) ROTL8(FT0[idx])
475 #define AES_FT2(idx) ROTL16(FT0[idx])
476 #define AES_FT3(idx) ROTL24(FT0[idx])
477 
478 #else /* MBEDTLS_AES_FEWER_TABLES */
479 
480 #define AES_RT0(idx) RT0[idx]
481 #define AES_RT1(idx) RT1[idx]
482 #define AES_RT2(idx) RT2[idx]
483 #define AES_RT3(idx) RT3[idx]
484 
485 #define AES_FT0(idx) FT0[idx]
486 #define AES_FT1(idx) FT1[idx]
487 #define AES_FT2(idx) FT2[idx]
488 #define AES_FT3(idx) FT3[idx]
489 
490 #endif /* MBEDTLS_AES_FEWER_TABLES */
491 
493 {
494  memset(ctx, 0, sizeof(mbedtls_aes_context));
495 }
496 
498 {
499  if (ctx == NULL) {
500  return;
501  }
502 
504 }
505 
506 #if defined(MBEDTLS_CIPHER_MODE_XTS)
507 void mbedtls_aes_xts_init(mbedtls_aes_xts_context *ctx)
508 {
509  mbedtls_aes_init(&ctx->crypt);
510  mbedtls_aes_init(&ctx->tweak);
511 }
512 
513 void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
514 {
515  if (ctx == NULL) {
516  return;
517  }
518 
519  mbedtls_aes_free(&ctx->crypt);
520  mbedtls_aes_free(&ctx->tweak);
521 }
522 #endif /* MBEDTLS_CIPHER_MODE_XTS */
523 
524 /* Some implementations need the round keys to be aligned.
525  * Return an offset to be added to buf, such that (buf + offset) is
526  * correctly aligned.
527  * Note that the offset is in units of elements of buf, i.e. 32-bit words,
528  * i.e. an offset of 1 means 4 bytes and so on.
529  */
530 #if (defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)) || \
531  (defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
532 #define MAY_NEED_TO_ALIGN
533 #endif
534 
535 MBEDTLS_MAYBE_UNUSED static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
536 {
537 #if defined(MAY_NEED_TO_ALIGN)
538  int align_16_bytes = 0;
539 
540 #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
541  if (aes_padlock_ace == -1) {
542  aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
543  }
544  if (aes_padlock_ace) {
545  align_16_bytes = 1;
546  }
547 #endif
548 
549 #if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
551  align_16_bytes = 1;
552  }
553 #endif
554 
555  if (align_16_bytes) {
556  /* These implementations needs 16-byte alignment
557  * for the round key array. */
558  unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4;
559  if (delta == 0) {
560  return 0;
561  } else {
562  return 4 - delta; // 16 bytes = 4 uint32_t
563  }
564  }
565 #else /* MAY_NEED_TO_ALIGN */
566  (void) buf;
567 #endif /* MAY_NEED_TO_ALIGN */
568 
569  return 0;
570 }
571 
572 /*
573  * AES key schedule (encryption)
574  */
575 #if !defined(MBEDTLS_AES_SETKEY_ENC_ALT)
576 int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
577  unsigned int keybits)
578 {
579  uint32_t *RK;
580 
581  switch (keybits) {
582  case 128: ctx->nr = 10; break;
583 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
584  case 192: ctx->nr = 12; break;
585  case 256: ctx->nr = 14; break;
586 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
587  default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
588  }
589 
590 #if !defined(MBEDTLS_AES_ROM_TABLES)
591  if (aes_init_done == 0) {
592  aes_gen_tables();
593  aes_init_done = 1;
594  }
595 #endif
596 
597  ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
598  RK = ctx->buf + ctx->rk_offset;
599 
600 #if defined(MBEDTLS_AESNI_HAVE_CODE)
602  return mbedtls_aesni_setkey_enc((unsigned char *) RK, key, keybits);
603  }
604 #endif
605 
606 #if defined(MBEDTLS_AESCE_HAVE_CODE)
607  if (MBEDTLS_AESCE_HAS_SUPPORT()) {
608  return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits);
609  }
610 #endif
611 
612 #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
613  for (unsigned int i = 0; i < (keybits >> 5); i++) {
614  RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
615  }
616 
617  switch (ctx->nr) {
618  case 10:
619 
620  for (unsigned int i = 0; i < 10; i++, RK += 4) {
621  RK[4] = RK[0] ^ round_constants[i] ^
622  ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
623  ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^
624  ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[3])] << 16) ^
625  ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[3])] << 24);
626 
627  RK[5] = RK[1] ^ RK[4];
628  RK[6] = RK[2] ^ RK[5];
629  RK[7] = RK[3] ^ RK[6];
630  }
631  break;
632 
633 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
634  case 12:
635 
636  for (unsigned int i = 0; i < 8; i++, RK += 6) {
637  RK[6] = RK[0] ^ round_constants[i] ^
638  ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
639  ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^
640  ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[5])] << 16) ^
641  ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[5])] << 24);
642 
643  RK[7] = RK[1] ^ RK[6];
644  RK[8] = RK[2] ^ RK[7];
645  RK[9] = RK[3] ^ RK[8];
646  RK[10] = RK[4] ^ RK[9];
647  RK[11] = RK[5] ^ RK[10];
648  }
649  break;
650 
651  case 14:
652 
653  for (unsigned int i = 0; i < 7; i++, RK += 8) {
654  RK[8] = RK[0] ^ round_constants[i] ^
655  ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
656  ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^
657  ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[7])] << 16) ^
658  ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[7])] << 24);
659 
660  RK[9] = RK[1] ^ RK[8];
661  RK[10] = RK[2] ^ RK[9];
662  RK[11] = RK[3] ^ RK[10];
663 
664  RK[12] = RK[4] ^
665  ((uint32_t) FSb[MBEDTLS_BYTE_0(RK[11])]) ^
666  ((uint32_t) FSb[MBEDTLS_BYTE_1(RK[11])] << 8) ^
667  ((uint32_t) FSb[MBEDTLS_BYTE_2(RK[11])] << 16) ^
668  ((uint32_t) FSb[MBEDTLS_BYTE_3(RK[11])] << 24);
669 
670  RK[13] = RK[5] ^ RK[12];
671  RK[14] = RK[6] ^ RK[13];
672  RK[15] = RK[7] ^ RK[14];
673  }
674  break;
675 #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
676  }
677 
678  return 0;
679 #endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
680 }
681 #endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
682 
683 /*
684  * AES key schedule (decryption)
685  */
686 #if !defined(MBEDTLS_AES_SETKEY_DEC_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
687 int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
688  unsigned int keybits)
689 {
690 #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
691  uint32_t *SK;
692 #endif
693  int ret;
695  uint32_t *RK;
696 
697 
698  mbedtls_aes_init(&cty);
699 
700  ctx->rk_offset = mbedtls_aes_rk_offset(ctx->buf);
701  RK = ctx->buf + ctx->rk_offset;
702 
703  /* Also checks keybits */
704  if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
705  goto exit;
706  }
707 
708  ctx->nr = cty.nr;
709 
710 #if defined(MBEDTLS_AESNI_HAVE_CODE)
712  mbedtls_aesni_inverse_key((unsigned char *) RK,
713  (const unsigned char *) (cty.buf + cty.rk_offset), ctx->nr);
714  goto exit;
715  }
716 #endif
717 
718 #if defined(MBEDTLS_AESCE_HAVE_CODE)
719  if (MBEDTLS_AESCE_HAS_SUPPORT()) {
720  mbedtls_aesce_inverse_key(
721  (unsigned char *) RK,
722  (const unsigned char *) (cty.buf + cty.rk_offset),
723  ctx->nr);
724  goto exit;
725  }
726 #endif
727 
728 #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
729  SK = cty.buf + cty.rk_offset + cty.nr * 4;
730 
731  *RK++ = *SK++;
732  *RK++ = *SK++;
733  *RK++ = *SK++;
734  *RK++ = *SK++;
735  SK -= 8;
736  for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) {
737  for (int j = 0; j < 4; j++, SK++) {
738  *RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
739  AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
740  AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
741  AES_RT3(FSb[MBEDTLS_BYTE_3(*SK)]);
742  }
743  }
744 
745  *RK++ = *SK++;
746  *RK++ = *SK++;
747  *RK++ = *SK++;
748  *RK++ = *SK++;
749 #endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
750 exit:
751  mbedtls_aes_free(&cty);
752 
753  return ret;
754 }
755 #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
756 
757 #if defined(MBEDTLS_CIPHER_MODE_XTS)
758 static int mbedtls_aes_xts_decode_keys(const unsigned char *key,
759  unsigned int keybits,
760  const unsigned char **key1,
761  unsigned int *key1bits,
762  const unsigned char **key2,
763  unsigned int *key2bits)
764 {
765  const unsigned int half_keybits = keybits / 2;
766  const unsigned int half_keybytes = half_keybits / 8;
767 
768  switch (keybits) {
769  case 256: break;
770  case 512: break;
771  default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
772  }
773 
774  *key1bits = half_keybits;
775  *key2bits = half_keybits;
776  *key1 = &key[0];
777  *key2 = &key[half_keybytes];
778 
779  return 0;
780 }
781 
782 int mbedtls_aes_xts_setkey_enc(mbedtls_aes_xts_context *ctx,
783  const unsigned char *key,
784  unsigned int keybits)
785 {
787  const unsigned char *key1, *key2;
788  unsigned int key1bits, key2bits;
789 
790  ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
791  &key2, &key2bits);
792  if (ret != 0) {
793  return ret;
794  }
795 
796  /* Set the tweak key. Always set tweak key for the encryption mode. */
797  ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
798  if (ret != 0) {
799  return ret;
800  }
801 
802  /* Set crypt key for encryption. */
803  return mbedtls_aes_setkey_enc(&ctx->crypt, key1, key1bits);
804 }
805 
806 int mbedtls_aes_xts_setkey_dec(mbedtls_aes_xts_context *ctx,
807  const unsigned char *key,
808  unsigned int keybits)
809 {
811  const unsigned char *key1, *key2;
812  unsigned int key1bits, key2bits;
813 
814  ret = mbedtls_aes_xts_decode_keys(key, keybits, &key1, &key1bits,
815  &key2, &key2bits);
816  if (ret != 0) {
817  return ret;
818  }
819 
820  /* Set the tweak key. Always set tweak key for encryption. */
821  ret = mbedtls_aes_setkey_enc(&ctx->tweak, key2, key2bits);
822  if (ret != 0) {
823  return ret;
824  }
825 
826  /* Set crypt key for decryption. */
827  return mbedtls_aes_setkey_dec(&ctx->crypt, key1, key1bits);
828 }
829 #endif /* MBEDTLS_CIPHER_MODE_XTS */
830 
831 #define AES_FROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
832  do \
833  { \
834  (X0) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y0)) ^ \
835  AES_FT1(MBEDTLS_BYTE_1(Y1)) ^ \
836  AES_FT2(MBEDTLS_BYTE_2(Y2)) ^ \
837  AES_FT3(MBEDTLS_BYTE_3(Y3)); \
838  \
839  (X1) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y1)) ^ \
840  AES_FT1(MBEDTLS_BYTE_1(Y2)) ^ \
841  AES_FT2(MBEDTLS_BYTE_2(Y3)) ^ \
842  AES_FT3(MBEDTLS_BYTE_3(Y0)); \
843  \
844  (X2) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y2)) ^ \
845  AES_FT1(MBEDTLS_BYTE_1(Y3)) ^ \
846  AES_FT2(MBEDTLS_BYTE_2(Y0)) ^ \
847  AES_FT3(MBEDTLS_BYTE_3(Y1)); \
848  \
849  (X3) = *RK++ ^ AES_FT0(MBEDTLS_BYTE_0(Y3)) ^ \
850  AES_FT1(MBEDTLS_BYTE_1(Y0)) ^ \
851  AES_FT2(MBEDTLS_BYTE_2(Y1)) ^ \
852  AES_FT3(MBEDTLS_BYTE_3(Y2)); \
853  } while (0)
854 
855 #define AES_RROUND(X0, X1, X2, X3, Y0, Y1, Y2, Y3) \
856  do \
857  { \
858  (X0) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y0)) ^ \
859  AES_RT1(MBEDTLS_BYTE_1(Y3)) ^ \
860  AES_RT2(MBEDTLS_BYTE_2(Y2)) ^ \
861  AES_RT3(MBEDTLS_BYTE_3(Y1)); \
862  \
863  (X1) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y1)) ^ \
864  AES_RT1(MBEDTLS_BYTE_1(Y0)) ^ \
865  AES_RT2(MBEDTLS_BYTE_2(Y3)) ^ \
866  AES_RT3(MBEDTLS_BYTE_3(Y2)); \
867  \
868  (X2) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y2)) ^ \
869  AES_RT1(MBEDTLS_BYTE_1(Y1)) ^ \
870  AES_RT2(MBEDTLS_BYTE_2(Y0)) ^ \
871  AES_RT3(MBEDTLS_BYTE_3(Y3)); \
872  \
873  (X3) = *RK++ ^ AES_RT0(MBEDTLS_BYTE_0(Y3)) ^ \
874  AES_RT1(MBEDTLS_BYTE_1(Y2)) ^ \
875  AES_RT2(MBEDTLS_BYTE_2(Y1)) ^ \
876  AES_RT3(MBEDTLS_BYTE_3(Y0)); \
877  } while (0)
878 
879 /*
880  * AES-ECB block encryption
881  */
882 #if !defined(MBEDTLS_AES_ENCRYPT_ALT)
884  const unsigned char input[16],
885  unsigned char output[16])
886 {
887  int i;
888  uint32_t *RK = ctx->buf + ctx->rk_offset;
889  struct {
890  uint32_t X[4];
891  uint32_t Y[4];
892  } t;
893 
894  t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
895  t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
896  t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
897  t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
898 
899  for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
900  AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
901  AES_FROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
902  }
903 
904  AES_FROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
905 
906  t.X[0] = *RK++ ^ \
907  ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
908  ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
909  ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
910  ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
911 
912  t.X[1] = *RK++ ^ \
913  ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
914  ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
915  ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
916  ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
917 
918  t.X[2] = *RK++ ^ \
919  ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
920  ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
921  ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
922  ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
923 
924  t.X[3] = *RK++ ^ \
925  ((uint32_t) FSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
926  ((uint32_t) FSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
927  ((uint32_t) FSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
928  ((uint32_t) FSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
929 
930  MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
931  MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
932  MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
933  MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
934 
935  mbedtls_platform_zeroize(&t, sizeof(t));
936 
937  return 0;
938 }
939 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
940 
941 /*
942  * AES-ECB block decryption
943  */
944 #if !defined(MBEDTLS_AES_DECRYPT_ALT) && !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
946  const unsigned char input[16],
947  unsigned char output[16])
948 {
949  int i;
950  uint32_t *RK = ctx->buf + ctx->rk_offset;
951  struct {
952  uint32_t X[4];
953  uint32_t Y[4];
954  } t;
955 
956  t.X[0] = MBEDTLS_GET_UINT32_LE(input, 0); t.X[0] ^= *RK++;
957  t.X[1] = MBEDTLS_GET_UINT32_LE(input, 4); t.X[1] ^= *RK++;
958  t.X[2] = MBEDTLS_GET_UINT32_LE(input, 8); t.X[2] ^= *RK++;
959  t.X[3] = MBEDTLS_GET_UINT32_LE(input, 12); t.X[3] ^= *RK++;
960 
961  for (i = (ctx->nr >> 1) - 1; i > 0; i--) {
962  AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
963  AES_RROUND(t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3]);
964  }
965 
966  AES_RROUND(t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3]);
967 
968  t.X[0] = *RK++ ^ \
969  ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[0])]) ^
970  ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[3])] << 8) ^
971  ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[2])] << 16) ^
972  ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[1])] << 24);
973 
974  t.X[1] = *RK++ ^ \
975  ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[1])]) ^
976  ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[0])] << 8) ^
977  ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[3])] << 16) ^
978  ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[2])] << 24);
979 
980  t.X[2] = *RK++ ^ \
981  ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[2])]) ^
982  ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[1])] << 8) ^
983  ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[0])] << 16) ^
984  ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[3])] << 24);
985 
986  t.X[3] = *RK++ ^ \
987  ((uint32_t) RSb[MBEDTLS_BYTE_0(t.Y[3])]) ^
988  ((uint32_t) RSb[MBEDTLS_BYTE_1(t.Y[2])] << 8) ^
989  ((uint32_t) RSb[MBEDTLS_BYTE_2(t.Y[1])] << 16) ^
990  ((uint32_t) RSb[MBEDTLS_BYTE_3(t.Y[0])] << 24);
991 
992  MBEDTLS_PUT_UINT32_LE(t.X[0], output, 0);
993  MBEDTLS_PUT_UINT32_LE(t.X[1], output, 4);
994  MBEDTLS_PUT_UINT32_LE(t.X[2], output, 8);
995  MBEDTLS_PUT_UINT32_LE(t.X[3], output, 12);
996 
997  mbedtls_platform_zeroize(&t, sizeof(t));
998 
999  return 0;
1000 }
1001 #endif /* !MBEDTLS_AES_DECRYPT_ALT && !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
1002 
1003 /* VIA Padlock and our intrinsics-based implementation of AESNI require
1004  * the round keys to be aligned on a 16-byte boundary. We take care of this
1005  * before creating them, but the AES context may have moved (this can happen
1006  * if the library is called from a language with managed memory), and in later
1007  * calls it might have a different alignment with respect to 16-byte memory.
1008  * So we may need to realign.
1009  */
1010 MBEDTLS_MAYBE_UNUSED static void aes_maybe_realign(mbedtls_aes_context *ctx)
1011 {
1012  unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf);
1013  if (new_offset != ctx->rk_offset) {
1014  memmove(ctx->buf + new_offset, // new address
1015  ctx->buf + ctx->rk_offset, // current address
1016  (ctx->nr + 1) * 16); // number of round keys * bytes per rk
1017  ctx->rk_offset = new_offset;
1018  }
1019 }
1020 
1021 /*
1022  * AES-ECB block encryption/decryption
1023  */
1025  int mode,
1026  const unsigned char input[16],
1027  unsigned char output[16])
1028 {
1031  }
1032 
1033 #if defined(MAY_NEED_TO_ALIGN)
1034  aes_maybe_realign(ctx);
1035 #endif
1036 
1037 #if defined(MBEDTLS_AESNI_HAVE_CODE)
1040  }
1041 #endif
1042 
1043 #if defined(MBEDTLS_AESCE_HAVE_CODE)
1044  if (MBEDTLS_AESCE_HAS_SUPPORT()) {
1045  return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
1046  }
1047 #endif
1048 
1049 #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
1050  if (aes_padlock_ace > 0) {
1051  return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
1052  }
1053 #endif
1054 
1055 #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
1056 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
1057  if (mode == MBEDTLS_AES_DECRYPT) {
1059  } else
1060 #endif
1061  {
1063  }
1064 #endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
1065 }
1066 
1067 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1068 
1069 /*
1070  * AES-CBC buffer encryption/decryption
1071  */
1073  int mode,
1074  size_t length,
1075  unsigned char iv[16],
1076  const unsigned char *input,
1077  unsigned char *output)
1078 {
1080  unsigned char temp[16];
1081 
1084  }
1085 
1086  /* Nothing to do if length is zero. */
1087  if (length == 0) {
1088  return 0;
1089  }
1090 
1091  if (length % 16) {
1093  }
1094 
1095 #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
1096  if (aes_padlock_ace > 0) {
1097  if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
1098  return 0;
1099  }
1100 
1101  // If padlock data misaligned, we just fall back to
1102  // unaccelerated mode
1103  //
1104  }
1105 #endif
1106 
1107  const unsigned char *ivp = iv;
1108 
1109  if (mode == MBEDTLS_AES_DECRYPT) {
1110  while (length > 0) {
1111  memcpy(temp, input, 16);
1113  if (ret != 0) {
1114  goto exit;
1115  }
1116  /* Avoid using the NEON implementation of mbedtls_xor. Because of the dependency on
1117  * the result for the next block in CBC, and the cost of transferring that data from
1118  * NEON registers, NEON is slower on aarch64. */
1119  mbedtls_xor_no_simd(output, output, iv, 16);
1120 
1121  memcpy(iv, temp, 16);
1122 
1123  input += 16;
1124  output += 16;
1125  length -= 16;
1126  }
1127  } else {
1128  while (length > 0) {
1129  mbedtls_xor_no_simd(output, input, ivp, 16);
1130 
1132  if (ret != 0) {
1133  goto exit;
1134  }
1135  ivp = output;
1136 
1137  input += 16;
1138  output += 16;
1139  length -= 16;
1140  }
1141  memcpy(iv, ivp, 16);
1142  }
1143  ret = 0;
1144 
1145 exit:
1146  return ret;
1147 }
1148 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1149 
1150 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1151 
1152 typedef unsigned char mbedtls_be128[16];
1153 
1154 /*
1155  * GF(2^128) multiplication function
1156  *
1157  * This function multiplies a field element by x in the polynomial field
1158  * representation. It uses 64-bit word operations to gain speed but compensates
1159  * for machine endianness and hence works correctly on both big and little
1160  * endian machines.
1161  */
1162 #if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
1164 #endif
1165 static inline void mbedtls_gf128mul_x_ble(unsigned char r[16],
1166  const unsigned char x[16])
1167 {
1168  uint64_t a, b, ra, rb;
1169 
1170  a = MBEDTLS_GET_UINT64_LE(x, 0);
1171  b = MBEDTLS_GET_UINT64_LE(x, 8);
1172 
1173  ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
1174  rb = (a >> 63) | (b << 1);
1175 
1176  MBEDTLS_PUT_UINT64_LE(ra, r, 0);
1177  MBEDTLS_PUT_UINT64_LE(rb, r, 8);
1178 }
1179 
1180 /*
1181  * AES-XTS buffer encryption/decryption
1182  *
1183  * Use of MBEDTLS_OPTIMIZE_FOR_PERFORMANCE here and for mbedtls_gf128mul_x_ble()
1184  * is a 3x performance improvement for gcc -Os, if we have hardware AES support.
1185  */
1186 #if defined(MBEDTLS_AESCE_C) || defined(MBEDTLS_AESNI_C)
1188 #endif
1189 int mbedtls_aes_crypt_xts(mbedtls_aes_xts_context *ctx,
1190  int mode,
1191  size_t length,
1192  const unsigned char data_unit[16],
1193  const unsigned char *input,
1194  unsigned char *output)
1195 {
1197  size_t blocks = length / 16;
1198  size_t leftover = length % 16;
1199  unsigned char tweak[16];
1200  unsigned char prev_tweak[16];
1201  unsigned char tmp[16];
1202 
1205  }
1206 
1207  /* Data units must be at least 16 bytes long. */
1208  if (length < 16) {
1210  }
1211 
1212  /* NIST SP 800-38E disallows data units larger than 2**20 blocks. */
1213  if (length > (1 << 20) * 16) {
1215  }
1216 
1217  /* Compute the tweak. */
1219  data_unit, tweak);
1220  if (ret != 0) {
1221  return ret;
1222  }
1223 
1224  while (blocks--) {
1225  if (MBEDTLS_UNLIKELY(leftover && (mode == MBEDTLS_AES_DECRYPT) && blocks == 0)) {
1226  /* We are on the last block in a decrypt operation that has
1227  * leftover bytes, so we need to use the next tweak for this block,
1228  * and this tweak for the leftover bytes. Save the current tweak for
1229  * the leftovers and then update the current tweak for use on this,
1230  * the last full block. */
1231  memcpy(prev_tweak, tweak, sizeof(tweak));
1232  mbedtls_gf128mul_x_ble(tweak, tweak);
1233  }
1234 
1235  mbedtls_xor(tmp, input, tweak, 16);
1236 
1237  ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1238  if (ret != 0) {
1239  return ret;
1240  }
1241 
1242  mbedtls_xor(output, tmp, tweak, 16);
1243 
1244  /* Update the tweak for the next block. */
1245  mbedtls_gf128mul_x_ble(tweak, tweak);
1246 
1247  output += 16;
1248  input += 16;
1249  }
1250 
1251  if (leftover) {
1252  /* If we are on the leftover bytes in a decrypt operation, we need to
1253  * use the previous tweak for these bytes (as saved in prev_tweak). */
1254  unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? prev_tweak : tweak;
1255 
1256  /* We are now on the final part of the data unit, which doesn't divide
1257  * evenly by 16. It's time for ciphertext stealing. */
1258  size_t i;
1259  unsigned char *prev_output = output - 16;
1260 
1261  /* Copy ciphertext bytes from the previous block to our output for each
1262  * byte of ciphertext we won't steal. */
1263  for (i = 0; i < leftover; i++) {
1264  output[i] = prev_output[i];
1265  }
1266 
1267  /* Copy the remainder of the input for this final round. */
1268  mbedtls_xor(tmp, input, t, leftover);
1269 
1270  /* Copy ciphertext bytes from the previous block for input in this
1271  * round. */
1272  mbedtls_xor(tmp + i, prev_output + i, t + i, 16 - i);
1273 
1274  ret = mbedtls_aes_crypt_ecb(&ctx->crypt, mode, tmp, tmp);
1275  if (ret != 0) {
1276  return ret;
1277  }
1278 
1279  /* Write the result back to the previous block, overriding the previous
1280  * output we copied. */
1281  mbedtls_xor(prev_output, tmp, t, 16);
1282  }
1283 
1284  return 0;
1285 }
1286 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1287 
1288 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1289 /*
1290  * AES-CFB128 buffer encryption/decryption
1291  */
1293  int mode,
1294  size_t length,
1295  size_t *iv_off,
1296  unsigned char iv[16],
1297  const unsigned char *input,
1298  unsigned char *output)
1299 {
1300  int c;
1302  size_t n;
1303 
1306  }
1307 
1308  n = *iv_off;
1309 
1310  if (n > 15) {
1312  }
1313 
1314  if (mode == MBEDTLS_AES_DECRYPT) {
1315  while (length--) {
1316  if (n == 0) {
1318  if (ret != 0) {
1319  goto exit;
1320  }
1321  }
1322 
1323  c = *input++;
1324  *output++ = (unsigned char) (c ^ iv[n]);
1325  iv[n] = (unsigned char) c;
1326 
1327  n = (n + 1) & 0x0F;
1328  }
1329  } else {
1330  while (length--) {
1331  if (n == 0) {
1333  if (ret != 0) {
1334  goto exit;
1335  }
1336  }
1337 
1338  iv[n] = *output++ = (unsigned char) (iv[n] ^ *input++);
1339 
1340  n = (n + 1) & 0x0F;
1341  }
1342  }
1343 
1344  *iv_off = n;
1345  ret = 0;
1346 
1347 exit:
1348  return ret;
1349 }
1350 
1351 /*
1352  * AES-CFB8 buffer encryption/decryption
1353  */
1355  int mode,
1356  size_t length,
1357  unsigned char iv[16],
1358  const unsigned char *input,
1359  unsigned char *output)
1360 {
1362  unsigned char c;
1363  unsigned char ov[17];
1364 
1367  }
1368  while (length--) {
1369  memcpy(ov, iv, 16);
1371  if (ret != 0) {
1372  goto exit;
1373  }
1374 
1375  if (mode == MBEDTLS_AES_DECRYPT) {
1376  ov[16] = *input;
1377  }
1378 
1379  c = *output++ = (unsigned char) (iv[0] ^ *input++);
1380 
1381  if (mode == MBEDTLS_AES_ENCRYPT) {
1382  ov[16] = c;
1383  }
1384 
1385  memcpy(iv, ov + 1, 16);
1386  }
1387  ret = 0;
1388 
1389 exit:
1390  return ret;
1391 }
1392 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1393 
1394 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1395 /*
1396  * AES-OFB (Output Feedback Mode) buffer encryption/decryption
1397  */
1399  size_t length,
1400  size_t *iv_off,
1401  unsigned char iv[16],
1402  const unsigned char *input,
1403  unsigned char *output)
1404 {
1405  int ret = 0;
1406  size_t n;
1407 
1408  n = *iv_off;
1409 
1410  if (n > 15) {
1412  }
1413 
1414  while (length--) {
1415  if (n == 0) {
1417  if (ret != 0) {
1418  goto exit;
1419  }
1420  }
1421  *output++ = *input++ ^ iv[n];
1422 
1423  n = (n + 1) & 0x0F;
1424  }
1425 
1426  *iv_off = n;
1427 
1428 exit:
1429  return ret;
1430 }
1431 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1432 
1433 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1434 /*
1435  * AES-CTR buffer encryption/decryption
1436  */
1438  size_t length,
1439  size_t *nc_off,
1440  unsigned char nonce_counter[16],
1441  unsigned char stream_block[16],
1442  const unsigned char *input,
1443  unsigned char *output)
1444 {
1446 
1447  size_t offset = *nc_off;
1448 
1449  if (offset > 0x0F) {
1451  }
1452 
1453  for (size_t i = 0; i < length;) {
1454  size_t n = 16;
1455  if (offset == 0) {
1456  ret = mbedtls_aes_crypt_ecb(ctx, MBEDTLS_AES_ENCRYPT, nonce_counter, stream_block);
1457  if (ret != 0) {
1458  goto exit;
1459  }
1460  mbedtls_ctr_increment_counter(nonce_counter);
1461  } else {
1462  n -= offset;
1463  }
1464 
1465  if (n > (length - i)) {
1466  n = (length - i);
1467  }
1468  mbedtls_xor(&output[i], &input[i], &stream_block[offset], n);
1469  // offset might be non-zero for the last block, but in that case, we don't use it again
1470  offset = 0;
1471  i += n;
1472  }
1473 
1474  // capture offset for future resumption
1475  *nc_off = (*nc_off + length) % 16;
1476 
1477  ret = 0;
1478 
1479 exit:
1480  return ret;
1481 }
1482 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1483 
1484 #endif /* !MBEDTLS_AES_ALT */
1485 
1486 #if defined(MBEDTLS_SELF_TEST)
1487 /*
1488  * AES test vectors from:
1489  *
1490  * http://csrc.nist.gov/archive/aes/rijndael/rijndael-vals.zip
1491  */
1492 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
1493 static const unsigned char aes_test_ecb_dec[][16] =
1494 {
1495  { 0x44, 0x41, 0x6A, 0xC2, 0xD1, 0xF5, 0x3C, 0x58,
1496  0x33, 0x03, 0x91, 0x7E, 0x6B, 0xE9, 0xEB, 0xE0 },
1497 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1498  { 0x48, 0xE3, 0x1E, 0x9E, 0x25, 0x67, 0x18, 0xF2,
1499  0x92, 0x29, 0x31, 0x9C, 0x19, 0xF1, 0x5B, 0xA4 },
1500  { 0x05, 0x8C, 0xCF, 0xFD, 0xBB, 0xCB, 0x38, 0x2D,
1501  0x1F, 0x6F, 0x56, 0x58, 0x5D, 0x8A, 0x4A, 0xDE }
1502 #endif
1503 };
1504 #endif
1505 
1506 static const unsigned char aes_test_ecb_enc[][16] =
1507 {
1508  { 0xC3, 0x4C, 0x05, 0x2C, 0xC0, 0xDA, 0x8D, 0x73,
1509  0x45, 0x1A, 0xFE, 0x5F, 0x03, 0xBE, 0x29, 0x7F },
1510 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1511  { 0xF3, 0xF6, 0x75, 0x2A, 0xE8, 0xD7, 0x83, 0x11,
1512  0x38, 0xF0, 0x41, 0x56, 0x06, 0x31, 0xB1, 0x14 },
1513  { 0x8B, 0x79, 0xEE, 0xCC, 0x93, 0xA0, 0xEE, 0x5D,
1514  0xFF, 0x30, 0xB4, 0xEA, 0x21, 0x63, 0x6D, 0xA4 }
1515 #endif
1516 };
1517 
1518 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1519 static const unsigned char aes_test_cbc_dec[][16] =
1520 {
1521  { 0xFA, 0xCA, 0x37, 0xE0, 0xB0, 0xC8, 0x53, 0x73,
1522  0xDF, 0x70, 0x6E, 0x73, 0xF7, 0xC9, 0xAF, 0x86 },
1523 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1524  { 0x5D, 0xF6, 0x78, 0xDD, 0x17, 0xBA, 0x4E, 0x75,
1525  0xB6, 0x17, 0x68, 0xC6, 0xAD, 0xEF, 0x7C, 0x7B },
1526  { 0x48, 0x04, 0xE1, 0x81, 0x8F, 0xE6, 0x29, 0x75,
1527  0x19, 0xA3, 0xE8, 0x8C, 0x57, 0x31, 0x04, 0x13 }
1528 #endif
1529 };
1530 
1531 static const unsigned char aes_test_cbc_enc[][16] =
1532 {
1533  { 0x8A, 0x05, 0xFC, 0x5E, 0x09, 0x5A, 0xF4, 0x84,
1534  0x8A, 0x08, 0xD3, 0x28, 0xD3, 0x68, 0x8E, 0x3D },
1535 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1536  { 0x7B, 0xD9, 0x66, 0xD5, 0x3A, 0xD8, 0xC1, 0xBB,
1537  0x85, 0xD2, 0xAD, 0xFA, 0xE8, 0x7B, 0xB1, 0x04 },
1538  { 0xFE, 0x3C, 0x53, 0x65, 0x3E, 0x2F, 0x45, 0xB5,
1539  0x6F, 0xCD, 0x88, 0xB2, 0xCC, 0x89, 0x8F, 0xF0 }
1540 #endif
1541 };
1542 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1543 
1544 #if defined(MBEDTLS_CIPHER_MODE_CFB)
1545 /*
1546  * AES-CFB128 test vectors from:
1547  *
1548  * http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
1549  */
1550 static const unsigned char aes_test_cfb128_key[][32] =
1551 {
1552  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1553  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1554 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1555  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1556  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1557  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1558  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1559  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1560  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1561  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1562 #endif
1563 };
1564 
1565 static const unsigned char aes_test_cfb128_iv[16] =
1566 {
1567  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1568  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1569 };
1570 
1571 static const unsigned char aes_test_cfb128_pt[64] =
1572 {
1573  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1574  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1575  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1576  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1577  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1578  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1579  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1580  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1581 };
1582 
1583 static const unsigned char aes_test_cfb128_ct[][64] =
1584 {
1585  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1586  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1587  0xC8, 0xA6, 0x45, 0x37, 0xA0, 0xB3, 0xA9, 0x3F,
1588  0xCD, 0xE3, 0xCD, 0xAD, 0x9F, 0x1C, 0xE5, 0x8B,
1589  0x26, 0x75, 0x1F, 0x67, 0xA3, 0xCB, 0xB1, 0x40,
1590  0xB1, 0x80, 0x8C, 0xF1, 0x87, 0xA4, 0xF4, 0xDF,
1591  0xC0, 0x4B, 0x05, 0x35, 0x7C, 0x5D, 0x1C, 0x0E,
1592  0xEA, 0xC4, 0xC6, 0x6F, 0x9F, 0xF7, 0xF2, 0xE6 },
1593 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1594  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1595  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1596  0x67, 0xCE, 0x7F, 0x7F, 0x81, 0x17, 0x36, 0x21,
1597  0x96, 0x1A, 0x2B, 0x70, 0x17, 0x1D, 0x3D, 0x7A,
1598  0x2E, 0x1E, 0x8A, 0x1D, 0xD5, 0x9B, 0x88, 0xB1,
1599  0xC8, 0xE6, 0x0F, 0xED, 0x1E, 0xFA, 0xC4, 0xC9,
1600  0xC0, 0x5F, 0x9F, 0x9C, 0xA9, 0x83, 0x4F, 0xA0,
1601  0x42, 0xAE, 0x8F, 0xBA, 0x58, 0x4B, 0x09, 0xFF },
1602  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1603  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1604  0x39, 0xFF, 0xED, 0x14, 0x3B, 0x28, 0xB1, 0xC8,
1605  0x32, 0x11, 0x3C, 0x63, 0x31, 0xE5, 0x40, 0x7B,
1606  0xDF, 0x10, 0x13, 0x24, 0x15, 0xE5, 0x4B, 0x92,
1607  0xA1, 0x3E, 0xD0, 0xA8, 0x26, 0x7A, 0xE2, 0xF9,
1608  0x75, 0xA3, 0x85, 0x74, 0x1A, 0xB9, 0xCE, 0xF8,
1609  0x20, 0x31, 0x62, 0x3D, 0x55, 0xB1, 0xE4, 0x71 }
1610 #endif
1611 };
1612 #endif /* MBEDTLS_CIPHER_MODE_CFB */
1613 
1614 #if defined(MBEDTLS_CIPHER_MODE_OFB)
1615 /*
1616  * AES-OFB test vectors from:
1617  *
1618  * https://csrc.nist.gov/publications/detail/sp/800-38a/final
1619  */
1620 static const unsigned char aes_test_ofb_key[][32] =
1621 {
1622  { 0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
1623  0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C },
1624 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1625  { 0x8E, 0x73, 0xB0, 0xF7, 0xDA, 0x0E, 0x64, 0x52,
1626  0xC8, 0x10, 0xF3, 0x2B, 0x80, 0x90, 0x79, 0xE5,
1627  0x62, 0xF8, 0xEA, 0xD2, 0x52, 0x2C, 0x6B, 0x7B },
1628  { 0x60, 0x3D, 0xEB, 0x10, 0x15, 0xCA, 0x71, 0xBE,
1629  0x2B, 0x73, 0xAE, 0xF0, 0x85, 0x7D, 0x77, 0x81,
1630  0x1F, 0x35, 0x2C, 0x07, 0x3B, 0x61, 0x08, 0xD7,
1631  0x2D, 0x98, 0x10, 0xA3, 0x09, 0x14, 0xDF, 0xF4 }
1632 #endif
1633 };
1634 
1635 static const unsigned char aes_test_ofb_iv[16] =
1636 {
1637  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1638  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
1639 };
1640 
1641 static const unsigned char aes_test_ofb_pt[64] =
1642 {
1643  0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
1644  0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
1645  0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
1646  0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51,
1647  0x30, 0xC8, 0x1C, 0x46, 0xA3, 0x5C, 0xE4, 0x11,
1648  0xE5, 0xFB, 0xC1, 0x19, 0x1A, 0x0A, 0x52, 0xEF,
1649  0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17,
1650  0xAD, 0x2B, 0x41, 0x7B, 0xE6, 0x6C, 0x37, 0x10
1651 };
1652 
1653 static const unsigned char aes_test_ofb_ct[][64] =
1654 {
1655  { 0x3B, 0x3F, 0xD9, 0x2E, 0xB7, 0x2D, 0xAD, 0x20,
1656  0x33, 0x34, 0x49, 0xF8, 0xE8, 0x3C, 0xFB, 0x4A,
1657  0x77, 0x89, 0x50, 0x8d, 0x16, 0x91, 0x8f, 0x03,
1658  0xf5, 0x3c, 0x52, 0xda, 0xc5, 0x4e, 0xd8, 0x25,
1659  0x97, 0x40, 0x05, 0x1e, 0x9c, 0x5f, 0xec, 0xf6,
1660  0x43, 0x44, 0xf7, 0xa8, 0x22, 0x60, 0xed, 0xcc,
1661  0x30, 0x4c, 0x65, 0x28, 0xf6, 0x59, 0xc7, 0x78,
1662  0x66, 0xa5, 0x10, 0xd9, 0xc1, 0xd6, 0xae, 0x5e },
1663 #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
1664  { 0xCD, 0xC8, 0x0D, 0x6F, 0xDD, 0xF1, 0x8C, 0xAB,
1665  0x34, 0xC2, 0x59, 0x09, 0xC9, 0x9A, 0x41, 0x74,
1666  0xfc, 0xc2, 0x8b, 0x8d, 0x4c, 0x63, 0x83, 0x7c,
1667  0x09, 0xe8, 0x17, 0x00, 0xc1, 0x10, 0x04, 0x01,
1668  0x8d, 0x9a, 0x9a, 0xea, 0xc0, 0xf6, 0x59, 0x6f,
1669  0x55, 0x9c, 0x6d, 0x4d, 0xaf, 0x59, 0xa5, 0xf2,
1670  0x6d, 0x9f, 0x20, 0x08, 0x57, 0xca, 0x6c, 0x3e,
1671  0x9c, 0xac, 0x52, 0x4b, 0xd9, 0xac, 0xc9, 0x2a },
1672  { 0xDC, 0x7E, 0x84, 0xBF, 0xDA, 0x79, 0x16, 0x4B,
1673  0x7E, 0xCD, 0x84, 0x86, 0x98, 0x5D, 0x38, 0x60,
1674  0x4f, 0xeb, 0xdc, 0x67, 0x40, 0xd2, 0x0b, 0x3a,
1675  0xc8, 0x8f, 0x6a, 0xd8, 0x2a, 0x4f, 0xb0, 0x8d,
1676  0x71, 0xab, 0x47, 0xa0, 0x86, 0xe8, 0x6e, 0xed,
1677  0xf3, 0x9d, 0x1c, 0x5b, 0xba, 0x97, 0xc4, 0x08,
1678  0x01, 0x26, 0x14, 0x1d, 0x67, 0xf3, 0x7b, 0xe8,
1679  0x53, 0x8f, 0x5a, 0x8b, 0xe7, 0x40, 0xe4, 0x84 }
1680 #endif
1681 };
1682 #endif /* MBEDTLS_CIPHER_MODE_OFB */
1683 
1684 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1685 /*
1686  * AES-CTR test vectors from:
1687  *
1688  * http://www.faqs.org/rfcs/rfc3686.html
1689  */
1690 
1691 static const unsigned char aes_test_ctr_key[][16] =
1692 {
1693  { 0xAE, 0x68, 0x52, 0xF8, 0x12, 0x10, 0x67, 0xCC,
1694  0x4B, 0xF7, 0xA5, 0x76, 0x55, 0x77, 0xF3, 0x9E },
1695  { 0x7E, 0x24, 0x06, 0x78, 0x17, 0xFA, 0xE0, 0xD7,
1696  0x43, 0xD6, 0xCE, 0x1F, 0x32, 0x53, 0x91, 0x63 },
1697  { 0x76, 0x91, 0xBE, 0x03, 0x5E, 0x50, 0x20, 0xA8,
1698  0xAC, 0x6E, 0x61, 0x85, 0x29, 0xF9, 0xA0, 0xDC }
1699 };
1700 
1701 static const unsigned char aes_test_ctr_nonce_counter[][16] =
1702 {
1703  { 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00,
1704  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 },
1705  { 0x00, 0x6C, 0xB6, 0xDB, 0xC0, 0x54, 0x3B, 0x59,
1706  0xDA, 0x48, 0xD9, 0x0B, 0x00, 0x00, 0x00, 0x01 },
1707  { 0x00, 0xE0, 0x01, 0x7B, 0x27, 0x77, 0x7F, 0x3F,
1708  0x4A, 0x17, 0x86, 0xF0, 0x00, 0x00, 0x00, 0x01 }
1709 };
1710 
1711 static const unsigned char aes_test_ctr_pt[][48] =
1712 {
1713  { 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20, 0x62,
1714  0x6C, 0x6F, 0x63, 0x6B, 0x20, 0x6D, 0x73, 0x67 },
1715  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1716  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1717  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1718  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F },
1719 
1720  { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1721  0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
1722  0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
1723  0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
1724  0x20, 0x21, 0x22, 0x23 }
1725 };
1726 
1727 static const unsigned char aes_test_ctr_ct[][48] =
1728 {
1729  { 0xE4, 0x09, 0x5D, 0x4F, 0xB7, 0xA7, 0xB3, 0x79,
1730  0x2D, 0x61, 0x75, 0xA3, 0x26, 0x13, 0x11, 0xB8 },
1731  { 0x51, 0x04, 0xA1, 0x06, 0x16, 0x8A, 0x72, 0xD9,
1732  0x79, 0x0D, 0x41, 0xEE, 0x8E, 0xDA, 0xD3, 0x88,
1733  0xEB, 0x2E, 0x1E, 0xFC, 0x46, 0xDA, 0x57, 0xC8,
1734  0xFC, 0xE6, 0x30, 0xDF, 0x91, 0x41, 0xBE, 0x28 },
1735  { 0xC1, 0xCF, 0x48, 0xA8, 0x9F, 0x2F, 0xFD, 0xD9,
1736  0xCF, 0x46, 0x52, 0xE9, 0xEF, 0xDB, 0x72, 0xD7,
1737  0x45, 0x40, 0xA4, 0x2B, 0xDE, 0x6D, 0x78, 0x36,
1738  0xD5, 0x9A, 0x5C, 0xEA, 0xAE, 0xF3, 0x10, 0x53,
1739  0x25, 0xB2, 0x07, 0x2F }
1740 };
1741 
1742 static const int aes_test_ctr_len[3] =
1743 { 16, 32, 36 };
1744 #endif /* MBEDTLS_CIPHER_MODE_CTR */
1745 
1746 #if defined(MBEDTLS_CIPHER_MODE_XTS)
1747 /*
1748  * AES-XTS test vectors from:
1749  *
1750  * IEEE P1619/D16 Annex B
1751  * https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
1752  * (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
1753  */
1754 static const unsigned char aes_test_xts_key[][32] =
1755 {
1756  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1757  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1758  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1759  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1760  { 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1761  0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
1762  0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1763  0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1764  { 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
1765  0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
1766  0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
1767  0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
1768 };
1769 
1770 static const unsigned char aes_test_xts_pt32[][32] =
1771 {
1772  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1773  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1774  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1775  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1776  { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1777  0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1778  0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1779  0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1780  { 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1781  0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1782  0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
1783  0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
1784 };
1785 
1786 static const unsigned char aes_test_xts_ct32[][32] =
1787 {
1788  { 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
1789  0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
1790  0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
1791  0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
1792  { 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
1793  0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
1794  0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
1795  0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
1796  { 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
1797  0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
1798  0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
1799  0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
1800 };
1801 
1802 static const unsigned char aes_test_xts_data_unit[][16] =
1803 {
1804  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1805  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1806  { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1807  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1808  { 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
1809  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
1810 };
1811 
1812 #endif /* MBEDTLS_CIPHER_MODE_XTS */
1813 
1814 /*
1815  * Checkup routine
1816  */
1817 int mbedtls_aes_self_test(int verbose)
1818 {
1819  int ret = 0, i, j, u, mode;
1820  unsigned int keybits;
1821  unsigned char key[32];
1822  unsigned char buf[64];
1823  const unsigned char *aes_tests;
1824 #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1825  defined(MBEDTLS_CIPHER_MODE_OFB)
1826  unsigned char iv[16];
1827 #endif
1828 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1829  unsigned char prv[16];
1830 #endif
1831 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
1832  defined(MBEDTLS_CIPHER_MODE_OFB)
1833  size_t offset;
1834 #endif
1835 #if defined(MBEDTLS_CIPHER_MODE_CTR) || defined(MBEDTLS_CIPHER_MODE_XTS)
1836  int len;
1837 #endif
1838 #if defined(MBEDTLS_CIPHER_MODE_CTR)
1839  unsigned char nonce_counter[16];
1840  unsigned char stream_block[16];
1841 #endif
1843 
1844  memset(key, 0, 32);
1846 
1847  if (verbose != 0) {
1848 #if defined(MBEDTLS_AES_ALT)
1849  mbedtls_printf(" AES note: alternative implementation.\n");
1850 #else /* MBEDTLS_AES_ALT */
1851 #if defined(MBEDTLS_AESNI_HAVE_CODE)
1852 #if MBEDTLS_AESNI_HAVE_CODE == 1
1853  mbedtls_printf(" AES note: AESNI code present (assembly implementation).\n");
1854 #elif MBEDTLS_AESNI_HAVE_CODE == 2
1855  mbedtls_printf(" AES note: AESNI code present (intrinsics implementation).\n");
1856 #else
1857 #error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE"
1858 #endif
1860  mbedtls_printf(" AES note: using AESNI.\n");
1861  } else
1862 #endif
1863 #if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
1864  if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
1865  mbedtls_printf(" AES note: using VIA Padlock.\n");
1866  } else
1867 #endif
1868 #if defined(MBEDTLS_AESCE_HAVE_CODE)
1869  if (MBEDTLS_AESCE_HAS_SUPPORT()) {
1870  mbedtls_printf(" AES note: using AESCE.\n");
1871  } else
1872 #endif
1873  {
1874 #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
1875  mbedtls_printf(" AES note: built-in implementation.\n");
1876 #endif
1877  }
1878 #endif /* MBEDTLS_AES_ALT */
1879  }
1880 
1881  /*
1882  * ECB mode
1883  */
1884  {
1885  static const int num_tests =
1886  sizeof(aes_test_ecb_enc) / sizeof(*aes_test_ecb_enc);
1887 
1888  for (i = 0; i < num_tests << 1; i++) {
1889  u = i >> 1;
1890  keybits = 128 + u * 64;
1891  mode = i & 1;
1892 
1893  if (verbose != 0) {
1894  mbedtls_printf(" AES-ECB-%3u (%s): ", keybits,
1895  (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1896  }
1897 #if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
1898  if (mode == MBEDTLS_AES_DECRYPT) {
1899  if (verbose != 0) {
1900  mbedtls_printf("skipped\n");
1901  }
1902  continue;
1903  }
1904 #endif
1905 
1906  memset(buf, 0, 16);
1907 
1908 #if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
1909  if (mode == MBEDTLS_AES_DECRYPT) {
1910  ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1911  aes_tests = aes_test_ecb_dec[u];
1912  } else
1913 #endif
1914  {
1915  ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1916  aes_tests = aes_test_ecb_enc[u];
1917  }
1918 
1919  /*
1920  * AES-192 is an optional feature that may be unavailable when
1921  * there is an alternative underlying implementation i.e. when
1922  * MBEDTLS_AES_ALT is defined.
1923  */
1924  if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1925  mbedtls_printf("skipped\n");
1926  continue;
1927  } else if (ret != 0) {
1928  goto exit;
1929  }
1930 
1931  for (j = 0; j < 10000; j++) {
1932  ret = mbedtls_aes_crypt_ecb(&ctx, mode, buf, buf);
1933  if (ret != 0) {
1934  goto exit;
1935  }
1936  }
1937 
1938  if (memcmp(buf, aes_tests, 16) != 0) {
1939  ret = 1;
1940  goto exit;
1941  }
1942 
1943  if (verbose != 0) {
1944  mbedtls_printf("passed\n");
1945  }
1946  }
1947 
1948  if (verbose != 0) {
1949  mbedtls_printf("\n");
1950  }
1951  }
1952 
1953 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1954  /*
1955  * CBC mode
1956  */
1957  {
1958  static const int num_tests =
1959  sizeof(aes_test_cbc_dec) / sizeof(*aes_test_cbc_dec);
1960 
1961  for (i = 0; i < num_tests << 1; i++) {
1962  u = i >> 1;
1963  keybits = 128 + u * 64;
1964  mode = i & 1;
1965 
1966  if (verbose != 0) {
1967  mbedtls_printf(" AES-CBC-%3u (%s): ", keybits,
1968  (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
1969  }
1970 
1971  memset(iv, 0, 16);
1972  memset(prv, 0, 16);
1973  memset(buf, 0, 16);
1974 
1975  if (mode == MBEDTLS_AES_DECRYPT) {
1976  ret = mbedtls_aes_setkey_dec(&ctx, key, keybits);
1977  aes_tests = aes_test_cbc_dec[u];
1978  } else {
1979  ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
1980  aes_tests = aes_test_cbc_enc[u];
1981  }
1982 
1983  /*
1984  * AES-192 is an optional feature that may be unavailable when
1985  * there is an alternative underlying implementation i.e. when
1986  * MBEDTLS_AES_ALT is defined.
1987  */
1988  if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
1989  mbedtls_printf("skipped\n");
1990  continue;
1991  } else if (ret != 0) {
1992  goto exit;
1993  }
1994 
1995  for (j = 0; j < 10000; j++) {
1996  if (mode == MBEDTLS_AES_ENCRYPT) {
1997  unsigned char tmp[16];
1998 
1999  memcpy(tmp, prv, 16);
2000  memcpy(prv, buf, 16);
2001  memcpy(buf, tmp, 16);
2002  }
2003 
2004  ret = mbedtls_aes_crypt_cbc(&ctx, mode, 16, iv, buf, buf);
2005  if (ret != 0) {
2006  goto exit;
2007  }
2008 
2009  }
2010 
2011  if (memcmp(buf, aes_tests, 16) != 0) {
2012  ret = 1;
2013  goto exit;
2014  }
2015 
2016  if (verbose != 0) {
2017  mbedtls_printf("passed\n");
2018  }
2019  }
2020 
2021  if (verbose != 0) {
2022  mbedtls_printf("\n");
2023  }
2024  }
2025 #endif /* MBEDTLS_CIPHER_MODE_CBC */
2026 
2027 #if defined(MBEDTLS_CIPHER_MODE_CFB)
2028  /*
2029  * CFB128 mode
2030  */
2031  {
2032  static const int num_tests =
2033  sizeof(aes_test_cfb128_key) / sizeof(*aes_test_cfb128_key);
2034 
2035  for (i = 0; i < num_tests << 1; i++) {
2036  u = i >> 1;
2037  keybits = 128 + u * 64;
2038  mode = i & 1;
2039 
2040  if (verbose != 0) {
2041  mbedtls_printf(" AES-CFB128-%3u (%s): ", keybits,
2042  (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2043  }
2044 
2045  memcpy(iv, aes_test_cfb128_iv, 16);
2046  memcpy(key, aes_test_cfb128_key[u], keybits / 8);
2047 
2048  offset = 0;
2049  ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2050  /*
2051  * AES-192 is an optional feature that may be unavailable when
2052  * there is an alternative underlying implementation i.e. when
2053  * MBEDTLS_AES_ALT is defined.
2054  */
2055  if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2056  mbedtls_printf("skipped\n");
2057  continue;
2058  } else if (ret != 0) {
2059  goto exit;
2060  }
2061 
2062  if (mode == MBEDTLS_AES_DECRYPT) {
2063  memcpy(buf, aes_test_cfb128_ct[u], 64);
2064  aes_tests = aes_test_cfb128_pt;
2065  } else {
2066  memcpy(buf, aes_test_cfb128_pt, 64);
2067  aes_tests = aes_test_cfb128_ct[u];
2068  }
2069 
2070  ret = mbedtls_aes_crypt_cfb128(&ctx, mode, 64, &offset, iv, buf, buf);
2071  if (ret != 0) {
2072  goto exit;
2073  }
2074 
2075  if (memcmp(buf, aes_tests, 64) != 0) {
2076  ret = 1;
2077  goto exit;
2078  }
2079 
2080  if (verbose != 0) {
2081  mbedtls_printf("passed\n");
2082  }
2083  }
2084 
2085  if (verbose != 0) {
2086  mbedtls_printf("\n");
2087  }
2088  }
2089 #endif /* MBEDTLS_CIPHER_MODE_CFB */
2090 
2091 #if defined(MBEDTLS_CIPHER_MODE_OFB)
2092  /*
2093  * OFB mode
2094  */
2095  {
2096  static const int num_tests =
2097  sizeof(aes_test_ofb_key) / sizeof(*aes_test_ofb_key);
2098 
2099  for (i = 0; i < num_tests << 1; i++) {
2100  u = i >> 1;
2101  keybits = 128 + u * 64;
2102  mode = i & 1;
2103 
2104  if (verbose != 0) {
2105  mbedtls_printf(" AES-OFB-%3u (%s): ", keybits,
2106  (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2107  }
2108 
2109  memcpy(iv, aes_test_ofb_iv, 16);
2110  memcpy(key, aes_test_ofb_key[u], keybits / 8);
2111 
2112  offset = 0;
2113  ret = mbedtls_aes_setkey_enc(&ctx, key, keybits);
2114  /*
2115  * AES-192 is an optional feature that may be unavailable when
2116  * there is an alternative underlying implementation i.e. when
2117  * MBEDTLS_AES_ALT is defined.
2118  */
2119  if (ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED && keybits == 192) {
2120  mbedtls_printf("skipped\n");
2121  continue;
2122  } else if (ret != 0) {
2123  goto exit;
2124  }
2125 
2126  if (mode == MBEDTLS_AES_DECRYPT) {
2127  memcpy(buf, aes_test_ofb_ct[u], 64);
2128  aes_tests = aes_test_ofb_pt;
2129  } else {
2130  memcpy(buf, aes_test_ofb_pt, 64);
2131  aes_tests = aes_test_ofb_ct[u];
2132  }
2133 
2134  ret = mbedtls_aes_crypt_ofb(&ctx, 64, &offset, iv, buf, buf);
2135  if (ret != 0) {
2136  goto exit;
2137  }
2138 
2139  if (memcmp(buf, aes_tests, 64) != 0) {
2140  ret = 1;
2141  goto exit;
2142  }
2143 
2144  if (verbose != 0) {
2145  mbedtls_printf("passed\n");
2146  }
2147  }
2148 
2149  if (verbose != 0) {
2150  mbedtls_printf("\n");
2151  }
2152  }
2153 #endif /* MBEDTLS_CIPHER_MODE_OFB */
2154 
2155 #if defined(MBEDTLS_CIPHER_MODE_CTR)
2156  /*
2157  * CTR mode
2158  */
2159  {
2160  static const int num_tests =
2161  sizeof(aes_test_ctr_key) / sizeof(*aes_test_ctr_key);
2162 
2163  for (i = 0; i < num_tests << 1; i++) {
2164  u = i >> 1;
2165  mode = i & 1;
2166 
2167  if (verbose != 0) {
2168  mbedtls_printf(" AES-CTR-128 (%s): ",
2169  (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2170  }
2171 
2172  memcpy(nonce_counter, aes_test_ctr_nonce_counter[u], 16);
2173  memcpy(key, aes_test_ctr_key[u], 16);
2174 
2175  offset = 0;
2176  if ((ret = mbedtls_aes_setkey_enc(&ctx, key, 128)) != 0) {
2177  goto exit;
2178  }
2179 
2180  len = aes_test_ctr_len[u];
2181 
2182  if (mode == MBEDTLS_AES_DECRYPT) {
2183  memcpy(buf, aes_test_ctr_ct[u], len);
2184  aes_tests = aes_test_ctr_pt[u];
2185  } else {
2186  memcpy(buf, aes_test_ctr_pt[u], len);
2187  aes_tests = aes_test_ctr_ct[u];
2188  }
2189 
2190  ret = mbedtls_aes_crypt_ctr(&ctx, len, &offset, nonce_counter,
2191  stream_block, buf, buf);
2192  if (ret != 0) {
2193  goto exit;
2194  }
2195 
2196  if (memcmp(buf, aes_tests, len) != 0) {
2197  ret = 1;
2198  goto exit;
2199  }
2200 
2201  if (verbose != 0) {
2202  mbedtls_printf("passed\n");
2203  }
2204  }
2205  }
2206 
2207  if (verbose != 0) {
2208  mbedtls_printf("\n");
2209  }
2210 #endif /* MBEDTLS_CIPHER_MODE_CTR */
2211 
2212 #if defined(MBEDTLS_CIPHER_MODE_XTS)
2213  /*
2214  * XTS mode
2215  */
2216  {
2217  static const int num_tests =
2218  sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
2219  mbedtls_aes_xts_context ctx_xts;
2220 
2221  mbedtls_aes_xts_init(&ctx_xts);
2222 
2223  for (i = 0; i < num_tests << 1; i++) {
2224  const unsigned char *data_unit;
2225  u = i >> 1;
2226  mode = i & 1;
2227 
2228  if (verbose != 0) {
2229  mbedtls_printf(" AES-XTS-128 (%s): ",
2230  (mode == MBEDTLS_AES_DECRYPT) ? "dec" : "enc");
2231  }
2232 
2233  memset(key, 0, sizeof(key));
2234  memcpy(key, aes_test_xts_key[u], 32);
2235  data_unit = aes_test_xts_data_unit[u];
2236 
2237  len = sizeof(*aes_test_xts_ct32);
2238 
2239  if (mode == MBEDTLS_AES_DECRYPT) {
2240  ret = mbedtls_aes_xts_setkey_dec(&ctx_xts, key, 256);
2241  if (ret != 0) {
2242  goto exit;
2243  }
2244  memcpy(buf, aes_test_xts_ct32[u], len);
2245  aes_tests = aes_test_xts_pt32[u];
2246  } else {
2247  ret = mbedtls_aes_xts_setkey_enc(&ctx_xts, key, 256);
2248  if (ret != 0) {
2249  goto exit;
2250  }
2251  memcpy(buf, aes_test_xts_pt32[u], len);
2252  aes_tests = aes_test_xts_ct32[u];
2253  }
2254 
2255 
2256  ret = mbedtls_aes_crypt_xts(&ctx_xts, mode, len, data_unit,
2257  buf, buf);
2258  if (ret != 0) {
2259  goto exit;
2260  }
2261 
2262  if (memcmp(buf, aes_tests, len) != 0) {
2263  ret = 1;
2264  goto exit;
2265  }
2266 
2267  if (verbose != 0) {
2268  mbedtls_printf("passed\n");
2269  }
2270  }
2271 
2272  if (verbose != 0) {
2273  mbedtls_printf("\n");
2274  }
2275 
2276  mbedtls_aes_xts_free(&ctx_xts);
2277  }
2278 #endif /* MBEDTLS_CIPHER_MODE_XTS */
2279 
2280  ret = 0;
2281 
2282 exit:
2283  if (ret != 0 && verbose != 0) {
2284  mbedtls_printf("failed\n");
2285  }
2286 
2288 
2289  return ret;
2290 }
2291 
2292 #endif /* MBEDTLS_SELF_TEST */
2293 
2294 #endif /* MBEDTLS_AES_C */
This file contains AES definitions and functions.
MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx, int mode, const unsigned char input[16], unsigned char output[16])
This function performs an AES single-block encryption or decryption operation.
#define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
Invalid key length.
Definition: aes.h:44
MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits)
This function sets the encryption key.
MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16])
Internal AES block decryption function.
#define MBEDTLS_ERR_AES_BAD_INPUT_DATA
Invalid input data.
Definition: aes.h:50
void mbedtls_aes_init(mbedtls_aes_context *ctx)
This function initializes the specified AES context.
MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits)
This function sets the decryption key.
#define MBEDTLS_AES_DECRYPT
AES decryption.
Definition: aes.h:40
#define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
Invalid data input length.
Definition: aes.h:46
MBEDTLS_CHECK_RETURN_TYPICAL int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16])
Internal AES block encryption function.
#define MBEDTLS_AES_ENCRYPT
AES encryption.
Definition: aes.h:39
void mbedtls_aes_free(mbedtls_aes_context *ctx)
This function releases and clears the specified AES context.
Support hardware AES acceleration on Armv8-A processors with the Armv8-A Cryptographic Extension.
AES-NI for hardware AES acceleration on some Intel processors.
#define MBEDTLS_AESNI_AES
Definition: aesni.h:20
#define MBEDTLS_GET_UINT64_LE(data, offset)
Get the unsigned 64 bits integer corresponding to eight bytes in little-endian order (LSB first).
Definition: alignment.h:657
#define MBEDTLS_BYTE_1(x)
Definition: alignment.h:269
#define MBEDTLS_PUT_UINT64_LE(n, data, offset)
Put in memory a 64 bits unsigned integer in little-endian order.
Definition: alignment.h:672
#define MBEDTLS_GET_UINT32_LE(data, offset)
Get the unsigned 32 bits integer corresponding to four bytes in little-endian order (LSB first).
Definition: alignment.h:448
#define MBEDTLS_PUT_UINT32_LE(n, data, offset)
Put in memory a 32 bits unsigned integer in little-endian order.
Definition: alignment.h:464
#define MBEDTLS_BYTE_2(x)
Definition: alignment.h:270
#define MBEDTLS_BYTE_0(x)
Byte Reading Macros.
Definition: alignment.h:268
#define MBEDTLS_BYTE_3(x)
Definition: alignment.h:271
#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
Definition: common.h:405
#define MBEDTLS_MAYBE_UNUSED
Definition: common.h:432
static void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned char *b, size_t n)
Perform a fast block XOR operation, such that r[i] = a[i] ^ b[i] where 0 <= i < n.
Definition: common.h:186
static void mbedtls_xor_no_simd(unsigned char *r, const unsigned char *a, const unsigned char *b, size_t n)
Perform a fast block XOR operation, such that r[i] = a[i] ^ b[i] where 0 <= i < n.
Definition: common.h:268
#define MBEDTLS_UNLIKELY(x)
Definition: common.h:380
This file contains common functionality for counter algorithms.
static void mbedtls_ctr_increment_counter(uint8_t n[16])
Increment a big-endian 16-byte value.
Definition: ctr.h:21
CS_CONTEXT * ctx
Definition: t0006.c:12
static unsigned num_tests
Definition: blob1.c:70
static SQLCHAR output[256]
Definition: print.c:5
static char tmp[3200]
Definition: utf8.c:42
int offset
Definition: replacements.h:160
Uint8 uint64_t
unsigned char uint8_t
Uint4 uint32_t
#define NULL
Definition: ncbistd.hpp:225
unsigned int uintptr_t
Definition: ncbitype.h:197
exit(2)
char * buf
static int input()
int i
yy_size_t n
int len
mdb_mode_t mode
Definition: lmdb++.h:38
const struct ncbi::grid::netcache::search::fields::KEY key
unsigned int a
Definition: ncbi_localip.c:102
EIPRangeType t
Definition: ncbi_localip.c:101
#define mbedtls_aes_crypt_ofb
#define mbedtls_platform_zeroize
#define mbedtls_aes_xts_setkey_dec
#define mbedtls_aes_xts_init
#define mbedtls_aesni_setkey_enc
#define mbedtls_aes_xts_setkey_enc
#define mbedtls_aesni_crypt_ecb
#define mbedtls_aes_crypt_xts
#define mbedtls_aesni_inverse_key
#define mbedtls_aes_crypt_cfb8
#define mbedtls_aes_crypt_ctr
#define mbedtls_aes_crypt_cfb128
#define mbedtls_aes_xts_free
#define mbedtls_aesni_has_support
#define mbedtls_aes_crypt_cbc
Int4 delta(size_t dimension_, const Int4 *score_)
double r(size_t dimension_, const Int4 *score_, const double *prob_, double theta_)
VIA PadLock ACE for HW encryption/decryption supported by some processors.
#define memmove(a, b, c)
This file contains the definitions and functions of the Mbed TLS platform abstraction layer.
#define mbedtls_printf
Definition: platform.h:219
Common and shared functions used by multiple modules in the Mbed TLS library.
true_type verbose
Definition: processing.cpp:890
Error to string translation.
#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED
The requested feature is not supported by the platform.
Definition: error.h:105
#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED
This is a bug in the library.
Definition: error.h:100
#define uint32_t
Definition: config.h:42
#define uint8_t
Definition: config.h:54
static DP_BlockInfo * blocks
The AES context-type definition.
Definition: aes.h:63
Modified on Sat May 18 11:39:29 2024 by modify_doxy.py rev. 669887