Commit graph

223 commits

Author SHA1 Message Date
Dave Rodgman
28a97acb3c code style
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-06-14 20:15:15 +01:00
Dave Rodgman
d05e7f1ab3 Do not use NEON for AES-CBC on aarch64
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-06-14 18:58:48 +01:00
Dave Rodgman
906c63cf35 Revert "improve cbc encrypt perf"
This reverts commit f1e396c427.

Performance is slightly better with this reverted, especially
for AES-CBC 192.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-06-14 17:55:41 +01:00
Dave Rodgman
360e04f379 Fix AES-XTS perf regression
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-06-09 17:23:15 +01:00
Dave Rodgman
9d1635e742 Revert not-useful changes to AES-CBC decrypt
Signed-off-by: Dave Rodgman <dave.rodgman@gmail.com>
2023-06-07 16:38:26 +01:00
Dave Rodgman
f1e396c427 improve cbc encrypt perf
Signed-off-by: Dave Rodgman <dave.rodgman@gmail.com>
2023-06-07 16:38:26 +01:00
Dave Rodgman
262d8ced79 Fix AES-CBC for in-place operation
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-22 23:13:45 +01:00
Dave Rodgman
797c4ff365 Make AES-CBC more efficient
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-05-22 19:42:22 +01:00
Yanray Wang
59c2dfa48c aes selftest: determine selftest loop limit in runtime
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-11 17:56:21 +08:00
Yanray Wang
62c9991a5b aes selftest: remove non-128-bit data if aes_128bit_only enabled
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-11 11:11:17 +08:00
Arto Kinnunen
0f06618db0 AES: skip 192bit and 256bit key in selftest if 128bit_only enabled
This includes:
 - aes.c
 - cmac.c
 - gcm.c
 - nist_kw.c

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-05 11:20:59 +08:00
Arto Kinnunen
732ca3221d AES: add macro of MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
Add configuration option to support 128-bit key length only
in AES calculation.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-05-05 11:20:38 +08:00
Gilles Peskine
9c682e724a AESNI: Overhaul implementation selection
Have clearly separated code to:
* determine whether the assembly-based implementation is available;
* determine whether the intrinsics-based implementation is available;
* select one of the available implementations if any.

Now MBEDTLS_AESNI_HAVE_CODE can be the single interface for aes.c and
aesni.c to determine which AESNI is built.

Change the implementation selection: now, if both implementations are
available, always prefer assembly. Before, the intrinsics were used if
available. This preference is to minimize disruption, and will likely
be revised in a later minor release.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-16 17:21:33 +01:00
Gilles Peskine
0de8f853f0 Clean up AES context alignment code
Use a single auxiliary function to determine rk_offset, covering both
setkey_enc and setkey_dec, covering both AESNI and PADLOCK. For AESNI, only
build this when using the intrinsics-based implementation, since the
assembly implementation supports unaligned access.

Simplify "do we need to realign?" to "is the desired offset now equal to
the current offset?".

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-16 17:14:59 +01:00
Gilles Peskine
0f454e4642 Use consistent guards for padlock code
The padlock feature is enabled if
```
defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
```
with the second macro coming from `padlock.h`. The availability of the
macro `MBEDTLS_PADLOCK_ALIGN16` is coincidentally equivalent to
`MBEDTLS_HAVE_X86` but this is not meaningful.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-16 14:58:46 +01:00
Gilles Peskine
148cad134a Fix unaligned access if the context is moved during operation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-16 13:08:42 +01:00
Gilles Peskine
d671917d0d AESNI: add implementation with intrinsics
As of this commit, to use the intrinsics for MBEDTLS_AESNI_C:

* With MSVC, this should be the default.
* With Clang, build with `clang -maes -mpclmul` or equivalent.
* With GCC, build with `gcc -mpclmul -msse2` or equivalent.

In particular, for now, with a GCC-like compiler, when building specifically
for a target that supports both the AES and GCM instructions, the old
implementation using assembly is selected.

This method for platform selection will likely be improved in the future.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-15 20:47:59 +01:00
Gilles Peskine
7e67bd516d AES, GCM selftest: indicate which implementation is used
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-15 20:47:59 +01:00
Gilles Peskine
9af58cd7f8 New preprocessor symbol indicating that AESNI support is present
The configuration symbol MBEDTLS_AESNI_C requests AESNI support, but it is
ignored if the platform doesn't have AESNI. This allows keeping
MBEDTLS_AESNI_C enabled (as it is in the default build) when building for
platforms other than x86_64, or when MBEDTLS_HAVE_ASM is disabled.

To facilitate maintenance, always use the symbol MBEDTLS_AESNI_HAVE_CODE to
answer the question "can I call mbedtls_aesni_xxx functions?", rather than
repeating the check `defined(MBEDTLS_AESNI_C) && ...`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-15 19:38:37 +01:00
Jerry Yu
2bb3d8101f Add en(de)crypt routine
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-07 17:11:53 +08:00
Jerry Yu
e096da1af6 Add inverse key function
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-07 17:11:52 +08:00
Jerry Yu
3f2fb71072 Add key expansion for encrypt
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-02-07 17:11:52 +08:00
Gilles Peskine
449bd8303e Switch to the new code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:50:10 +01:00
Manuel Pégourié-Gonnard
a9ac61203b
Merge pull request #6666 from daverodgman/fast_unaligned
Fast unaligned memory access macros
2022-12-12 12:18:17 +01:00
Tom Cosgrove
1797b05602 Fix typos prior to release
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-12-04 17:19:59 +00:00
Dave Rodgman
069e7f462a Correct mixed up comments
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-24 19:37:26 +00:00
Dave Rodgman
a8cf607458 Use mbedtls_xor in AES
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-11-22 17:32:43 +00:00
Andrzej Kurek
252283f2aa Fix missing cipher mode dependencies
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-10-19 08:35:08 -04:00
Gilles Peskine
0fe6631486
Merge pull request #6291 from gilles-peskine-arm/platform.h-unconditional-3.2
Include platform.h unconditionally
2022-10-13 10:19:22 +02:00
Gilles Peskine
a7aa80c058 Include platform.h unconditionally: second automatic part
Some source files included platform.h in a nested conditional. The previous
commit "Include platform.h unconditionally: automatic part" only removed
the outer conditional. This commit removes the inner conditional.

This commit once again replaces most occurrences of conditional inclusion of
platform.h, using the following code:

```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-09-15 20:34:10 +02:00
Gilles Peskine
945b23c46f Include platform.h unconditionally: automatic part
We used to include platform.h only when MBEDTLS_PLATFORM_C was enabled, and
to define ad hoc replacements for mbedtls_xxx functions on a case-by-case
basis when MBEDTLS_PLATFORM_C was disabled. The only reason for this
complication was to allow building individual source modules without copying
platform.h. This is not something we support or recommend anymore, so get
rid of the complication: include platform.h unconditionally.

There should be no change in behavior since just including the header should
not change the behavior of a program.

This commit replaces most occurrences of conditional inclusion of
platform.h, using the following code:

```
perl -i -0777 -pe 's!#if.*\n#include "mbedtls/platform.h"\n(#else.*\n(#define (mbedtls|MBEDTLS)_.*\n|#include <(stdarg|stddef|stdio|stdlib|string|time)\.h>\n)*)?#endif.*!#include "mbedtls/platform.h"!mg' $(git grep -l '#include "mbedtls/platform.h"')
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-09-15 20:33:07 +02:00
Tuvshinzaya Erdenekhuu
a8ef1565bb Re-introduce ENUM validation in aes.c
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
2022-08-31 10:14:57 +01:00
Tuvshinzaya Erdenekhuu
cac11d7797 Remove NULL pointer validation in aes.c
Signed-off-by: Tuvshinzaya Erdenekhuu <tuvshinzaya.erdenekhuu@arm.com>
2022-08-31 10:14:57 +01:00
Werner Lewis
7656a373b6 Reformat AES changes for readability
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-29 16:17:50 +01:00
Werner Lewis
dd76ef359d Refactor AES context to be shallow-copyable
Replace RK pointer in AES context with a buffer offset, to allow
shallow copying. Fixes #2147.

Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-29 16:17:50 +01:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:51 +01:00
Paul Elliott
00738bf65e Ensure ctr_drbg is initialised every time
ctr_drbg is a local variable and thus needs initialisation every time
LLVMFuzzerTestOneInput() is called, the rest of the variables inside the
if(initialised) block are all static.

Add extra validation to attempt to catch this issue in future.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-02-10 18:38:53 +00:00
Gilles Peskine
7820a574f1 Catch failures of AES or DES operations
Declare all AES and DES functions that return int as needing to have
their result checked, and do check the result in our code.

A DES or AES block operation can fail in alternative implementations of
mbedtls_internal_aes_encrypt() (under MBEDTLS_AES_ENCRYPT_ALT),
mbedtls_internal_aes_decrypt() (under MBEDTLS_AES_DECRYPT_ALT),
mbedtls_des_crypt_ecb() (under MBEDTLS_DES_CRYPT_ECB_ALT),
mbedtls_des3_crypt_ecb() (under MBEDTLS_DES3_CRYPT_ECB_ALT).
A failure can happen if the accelerator peripheral is in a bad state.
Several block modes were not catching the error.

This commit does the following code changes, grouped together to avoid
having an intermediate commit where the build fails:

* Add MBEDTLS_CHECK_RETURN to all functions returning int in aes.h and des.h.
* Fix all places where this causes a GCC warning, indicating that our code
  was not properly checking the result of an AES operation:
    * In library code: on failure, goto exit and return ret.
    * In pkey programs: goto exit.
    * In the benchmark program: exit (not ideal since there's no error
      message, but it's what the code currently does for failures).
    * In test code: TEST_ASSERT.
* Changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-09-27 16:22:08 +02:00
Joe Subbiani
99edd6c810 Add UINT64 GET and PUT macros
Copy over the GET/PUT_UINT64_LE/BE macros from aes.c and sha512.c
Add the MBEDTLS_ prefix to all 4 macros.
Modify the GET_UINT64 macros to no longer take a target variable
as a parameter, so when the macro function is called it must be
assigned to a variable in the same statement.

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:56:47 +01:00
Joe Subbiani
cd84d76e9b Add Character byte reading macros
These cast to an unsigned char rather than a uint8_t
like with MBEDTLS_BYTE_x
These save alot of space and will improve maintence by
replacing the appropriate code with MBEDTLS_CHAR_x

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:55:41 +01:00
Joe Subbiani
6a50631497 GET macros use a target variable
The GET macros used to write to a macro parameter, but now
they can be used to assign a value to the desired variable
rather than pass it in as an argument and have it modified
in the macro function.

Due to this MBEDTLS_BYTES_TO_U32_LE is the same as
MBEDTLS_GET_UINT32_LE and was there for replaced in the
appropriate files and removed from common.h

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:31:55 +01:00
Joe Subbiani
5ecac217f0 Prefixed macros with MBEDTLS
As per tests/scripts/check-names.sh, macros in
library/ header files should be prefixed with
MBEDTLS_
The macro functions in common.h where also indented
to comply with the same test

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:31:54 +01:00
Joe Subbiani
54c6134ff7 Move UINT32_LE macros to common.h
32-bit integer manipulation macros (little edian):
GET_UINT32_LE and PUT_UINT32_LE appear in several
files in library/.
Removes duplicate code and save vertical
space the macro has been moved to common.h.
Improves maintainability.

Also provided brief comment in common.h for
BYTES_TO_U32_LE. comment/documentation will
probably need to be edited further for all
recent additions to library/common.h

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:31:53 +01:00
Ronald Cron
f1eb425782
Merge pull request #4469 from xiaoxiang781216/padlock
aes: Check aes_padlock_ace > 0 before calling padlock
2021-05-28 11:06:40 +02:00
Xiang Xiao
12e18369e8 aes: Check aes_padlock_ace > 0 before calling padlock
Sometime user may forget to call mbedtls_aes_setkey_enc or
mbedtls_aes_setkey_dec before mbedtls_aes_crypt_ecb and then
the code normally crash inside the assembly code. With this
patch, the code will stop inside the C source code which is
more convenient to locate the problem.

Signed-off-by: Xiang Xiao <xiaoxiang@xiaomi.com>
Change-Id: I0e1d6b219f8709f8acaee5f345344335fc82fed3
2021-05-11 03:28:46 -07:00
TRodziewicz
85dfc4de20 Applying current changes
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-30 00:07:04 +02:00
TRodziewicz
18efb73743 Remove deprecated functions and constants.
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-29 23:12:19 +02:00
Chris Jones
16dbaeb9eb Move padlock.h to library
`padlock.h` is actually an internal header and is moved accordingly.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Chris Jones
187782f41e Move aesni.h to library
`aesni.h` is an internal header and is moved accordingly.

Also removes some references to internal headers in scripts with
only public headers.

Signed-off-by: Chris Jones <christopher.jones@arm.com>
2021-03-10 12:52:37 +00:00
Gilles Peskine
cac5536b45
Merge pull request #3823 from gabor-mezei-arm/3818_MBEDTLS_AES_SETKEY_DEC_ALT_excludes_MBEDTLS_CIPHER_MODE_XTS
Make the aes xts methods independent from MBEDTLS_AES_SETKEY_DEC_ALT
2020-11-09 20:44:08 +01:00
gabor-mezei-arm
95db3012c8
Make the aes xts methods independent from MBEDTLS_AES_SETKEY_DEC_ALT
This is fix for the MBEDTLS_AES_SETKEY_DEC_ALT macro switch is including the aes xts methods
and building with a custom mbedtls_aes_setkey_dec function will disable the aes xts methods.
The fix is separating the aes xts methods and the MBEDTLS_AES_SETKEY_DEC_ALT can only
switch the presence of the mbedtls_aes_setkey_dec function.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-10-26 11:52:05 +01:00
Gilles Peskine
5197c6692c Put local variables in a struct
This way we can have a single call to mbedtls_platform_zeroize, which
saves a few bytes of code size.

Additionally, on my PC, I notice a significant speed improvement
(x86_64 build with MBEDTLS_AESNI_C disabled, gcc 5.4.0 -O3). I don't
have an explanation for that (I expected no measurable difference).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-26 17:03:24 +02:00
Gilles Peskine
ee4d4eb625 Remove a useless zeroization
Remove the zeroization of a pointer variable in the AES block
functions. The code was valid but spurious and misleading since it
looked like a mistaken attempt to zeroize the pointed-to buffer.
Reported by Antonio de la Piedra, CEA Leti, France.

Note that we do not zeroize the buffer here because these are the
round keys, and they need to stay until all the blocks are processed.
They will be zeroized in mbedtls_aes_free().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-08-25 19:28:13 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Gilles Peskine
db09ef6d22 Include common.h instead of config.h in library source files
In library source files, include "common.h", which takes care of
including "mbedtls/config.h" (or the alternative MBEDTLS_CONFIG_FILE)
and other things that are used throughout the library.

FROM=$'#if !defined(MBEDTLS_CONFIG_FILE)\n#include "mbedtls/config.h"\n#else\n#include MBEDTLS_CONFIG_FILE\n#endif' perl -i -0777 -pe 's~\Q$ENV{FROM}~#include "common.h"~' library/*.c 3rdparty/*/library/*.c scripts/data_files/error.fmt scripts/data_files/version_features.fmt

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:26:57 +02:00
Kenneth Soerensen
518d435e7b Fix GCC format-signedness warnings
Signed-off-by: Kenneth Soerensen <knnthsrnsn@gmail.com>
2020-04-22 16:01:48 +02:00
Janos Follath
d27a88438f Merge branch 'development' into development-restricted 2020-01-15 15:55:11 +00:00
Janos Follath
24eed8d2d2 Initialise return values to an error
Initialising the return values to and error is best practice and makes
the library more robust.
2019-12-03 16:07:18 +00:00
Andrzej Kurek
96ae5cd087 Zeroize local AES variables before exiting the function
This issue has been reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihang) Bai,
Grant Hernandez, and Kevin Butler (University of Florida) and
Dave Tian (Purdue University).

In AES encrypt and decrypt some variables were left on the stack. The value
of these variables can be used to recover the last round key. To follow best
practice and to limit the impact of buffer overread vulnerabilities (like
Heartbleed) we need to zeroize them before exiting the function.
2019-11-12 03:05:51 -05:00
Hanno Becker
818bac55ef Add further missing brackets around macro parameters 2019-02-19 17:59:57 +00:00
Hanno Becker
1eeca41472 Improve macro hygiene
This commit improves hygiene and formatting of macro definitions
throughout the library. Specifically:
- It adds brackets around parameters to avoid unintended
  interpretation of arguments, e.g. due to operator precedence.
- It adds uses of the `do { ... } while( 0 )` idiom for macros that
  can be used as commands.
2019-02-19 17:59:00 +00:00
Manuel Pégourié-Gonnard
e55e103bfe Fix off-by-one in iv_off check and add tests 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
5b89c09273 Add check for iv_off in AES-CFB128 and AES-OFB
The check is mandatory as skipping it results in buffer overread of arbitrary
size.
2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
998a358529 Make a check more explicit in aes.c
The check was already done later when calling ECB, (as evidenced by the tests
passing, which have a call with data_unit set to NULL), but it's more readable
to have it here too, and more helpful when debugging.
2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
eb6d3968b1 Fix some whitespace issues in aes.c 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
2bc535be86 Add parameter validation for AES-CTR 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
8e41eb7187 Add parameter validation for AES-OFB 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
1677cca54b Add parameter validation for AES-CFB functions 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
191af1313a Add param validation for mbedtls_aes_crypt_xts() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
3178d1a997 Add param validation for mbedtls_aes_crypt_cbc() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
1aca260571 Add parameter validation for mbedtls_aes_crypt_ecb() 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
68e3dff3f1 Add parameter validation XTS setkey functions 2018-12-18 12:22:40 +01:00
Manuel Pégourié-Gonnard
44c5d58d05 Document AES functions and fix free() functions 2018-12-11 12:28:56 +01:00
Manuel Pégourié-Gonnard
0e9cddbf1a Introduce generic validation macros
Avoid duplicating source code for each module.
2018-12-11 12:28:56 +01:00
Simon Butcher
5201e414aa Add optional parameter validation to the AES module
This adds additional and optional parameter validation to the AES module that
can be used by enabling the MBEDTLS_CHECK_PARAMS config.h option.
2018-12-11 12:28:56 +01:00
Simon Butcher
e51d4b336b Merge remote-tracking branch 'public/pr/2054' into development-proposed 2018-11-09 19:57:53 +00:00
Ron Eldor
9924bdc792 Deprecate hardware acceleration errors
Deprecate the module-specific XXX_HW_ACCEL_FAILED and
XXX_FEATURE_UNAVAILABLE errors, as alternative implementations should now
return `MBEDTLS_ERR_PLATFORM_HW_FAILED` and
`MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED`.
2018-11-09 15:01:07 +00:00
Jaeden Amero
a74faba27a aes: xts: Correct NIST 80-38E to 800-38E
Correct a typo in an AES XTS implementation comment where the relevant
NIST standard was incorrectly referred to as NIST 80-38E instead of NIST
800-38E.
2018-10-23 12:07:18 +01:00
Jaeden Amero
8381fcb3f9 aes: xts: Update inaccurate comments
It is inaccurate to call a data unit a "sector". A disk sector is a
common use case for the data unit, but there exist other types of data
units that are not sectors.
2018-10-23 12:07:18 +01:00
Simon Butcher
2711ad7505 Merge remote-tracking branch 'public/pr/1736' into development 2018-06-17 17:34:55 +01:00
Simon Butcher
66a8903f4a Fix for missing len var when XTS config'd and CTR not
The AES XTS self-test was using a variable len, which was declared only when CTR
was enabled. Changed the declaration of len to be conditional on CTR and XTS.
2018-06-15 18:20:29 +01:00
Simon Butcher
675590519a Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 14:13:14 +01:00
Simon Butcher
2ff0e52087 Fix missing preprocessor condition in AES self-test
The AES OFB self-test made use of a variable `offset` but failed to have a
preprocessor condition around it, so unless CTR and CBC were enabled, the
variable would be undeclared.
2018-06-14 09:57:07 +01:00
Jaeden Amero
8cfc75f603 aes: xts: Fix style issues with gf128mul 2018-06-13 12:13:58 +01:00
Jaeden Amero
5f0b06aeda aes: xts: Fix description of gf128mul
THe function `mbedtls_gf128mul_x_ble()` doesn't multiply by x, x^4, and
x^8. Update the function description to properly describe what the function
does.
2018-06-13 12:13:58 +01:00
Jaeden Amero
21d79cf947 aes: Add self test for AES-XTS 2018-06-13 12:05:04 +01:00
Jaeden Amero
cd9fc5e541 aes: xts: Rename iv to data_unit
XTS doesn't have an IV, it has a "Data Unit". Rename iv for parity with the
XTS standard.
2018-06-13 12:05:04 +01:00
Jaeden Amero
d82cd860b2 aes: xts: Rewrite to avoid use of goto
The flow was a bit hard to follow with the `goto` everywhere. Rewrite the
XTS implementation to avoid the use of `goto`.
2018-06-13 12:05:04 +01:00
Jaeden Amero
0a8b02087a aes: xts: Enforce NIST SP 800-38E data unit size
NIST SP 800-38E requites the data unit size be limited to at most 2^20 AES
blocks in size. Enforce this restriction.
2018-06-13 12:05:04 +01:00
Jaeden Amero
5162b932a2 aes: Use length instead of bits_length in XTS
mbedtls_aes_crypt_xts() currently takes a `bits_length` parameter, unlike
the other block modes. Change the parameter to accept a bytes length
instead, as the `bits_length` parameter is not actually ever used in the
current implementation.
2018-06-13 12:05:04 +01:00
Jaeden Amero
9366feb504 aes: xts: Add new context structure
Add a new context structure for XTS. Adjust the API for XTS to use the new
context structure, including tests suites and the benchmark program. Update
Doxgen documentation accordingly.
2018-06-13 12:05:04 +01:00
Jaeden Amero
e9ecf00007 aes: Remove AES-XEX
AES-XEX is a building block for other cryptographic standards and not yet a
standard in and of itself. We'll just provide the standardized AES-XTS
algorithm, and not AES-XEX. The AES-XTS algorithm and interface provided
can be used to perform the AES-XEX algorithm when the length of the input
is a multiple of the AES block size.
2018-06-13 12:03:29 +01:00
Jaeden Amero
010c2cb456 gf128mul: Inline instead of making a new module 2018-06-13 12:03:29 +01:00
Aorimn
5f77801ac3 Implement AES-XTS mode
XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing".
This is the generalization of the XEX mode.
This implementation is limited to an 8-bits (1 byte) boundary, which
doesn't seem to be what was thought considering some test vectors [1].

This commit comes with tests, extracted from [1], and benchmarks.
Although, benchmarks aren't really nice here, as they work with a buffer
of a multiple of 16 bytes, which isn't a challenge for XTS compared to
XEX.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2018-06-13 12:03:27 +01:00
Aorimn
380162c34c Double perf for AES-XEX
As seen from the first benchmark run, AES-XEX was running pourly (even
slower than AES-CBC). This commit doubles the performances of the
current implementation.
2018-06-13 12:02:30 +01:00
Aorimn
9bbe3632e4 Rename exported symbols to please check-names.sh
Exported symbols seem to need the "mbedtls_" prefix, which has been
added to be128 and gf128mul_x_ble.
2018-06-13 12:01:50 +01:00
Aorimn
0089d36ae5 Implement AES-XEX mode
XEX mode, known as "xor-encrypt-xor", is the simple case of the XTS
mode, known as "XEX with ciphertext stealing". When the buffers to be
encrypted/decrypted have a length divisible by the length of a standard
AES block (16), XTS is exactly like XEX.
2018-06-13 11:56:03 +01:00
Simon Butcher
5db13621ec Clarify documentation for AES OFB
1. Changed reference/link to NIST SP800-38A
 2. Clarified language around AES-OFB usage
2018-06-11 14:03:22 +01:00
Simon Butcher
00131446be Fix style and formatting for OFB feature 2018-06-11 14:03:22 +01:00
Simon Butcher
ad4e4938d1 Fix AES-OFB support for errors, tests and self-test
Adds error handling into mbedtls_aes_crypt_ofb for AES errors, a self-test
for the OFB mode using NIST SP 800-38A test vectors and adds a check to
potential return errors in setting the AES encryption key in the OFB test
suite.
2018-06-11 14:03:22 +01:00