TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 2df4bfe80336ecaee77262eddd15b752a78b07cd / . / library / aria.c
blob: 25beafc0988c143eb9cc47e0566dc4005f11b7ff [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1/*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]22/*
23 * This implementation is based on the following standards:
24 * [1] http://210.104.33.10/ARIA/doc/ARIA-specification-e.pdf
25 * [2] https://tools.ietf.org/html/rfc5794
26 */
27
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]28#if !defined(MBEDTLS_CONFIG_FILE)
29#include "mbedtls/config.h"
30#else
31#include MBEDTLS_CONFIG_FILE
32#endif
33
34#if defined(MBEDTLS_ARIA_C)
35
36#include "mbedtls/aria.h"
37
38#include <string.h>
39
40#if defined(MBEDTLS_SELF_TEST)
41#if defined(MBEDTLS_PLATFORM_C)
42#include "mbedtls/platform.h"
43#else
44#include <stdio.h>
45#define mbedtls_printf printf
46#endif /* MBEDTLS_PLATFORM_C */
47#endif /* MBEDTLS_SELF_TEST */
48
49#if !defined(MBEDTLS_ARIA_ALT)
50
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]51#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
52 !defined(inline) && !defined(__cplusplus)
53#define inline __inline
54#endif
55
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]56/* Implementation that should never be optimized out by the compiler */
57static void mbedtls_zeroize( void *v, size_t n ) {
58 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
59}
60
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]61/*
62 * 32-bit integer manipulation macros (little endian)
63 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]64#ifndef GET_UINT32_LE
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]65#define GET_UINT32_LE( n, b, i ) \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]66{ \
67 (n) = ( (uint32_t) (b)[(i) ] ) \
68 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
69 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
70 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
71}
72#endif
73
74#ifndef PUT_UINT32_LE
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]75#define PUT_UINT32_LE( n, b, i ) \
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]76{ \
77 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
78 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
79 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
80 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
81}
82#endif
83
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]84/*
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]85 * modify byte order: ( A B C D ) -> ( B A D C ), i.e. swap pairs of bytes
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]86 *
87 * This is submatrix P1 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]88 *
89 * Common compilers fail to translate this to minimal number of instructions,
90 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]91 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]92#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]93#if defined(__arm__) /* rev16 available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]94/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
95#if defined(__GNUC__) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]96 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
97 __ARM_ARCH >= 6
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]98static inline uint32_t aria_p1( uint32_t x )
99{
100 uint32_t r;
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]101 __asm( "rev16 %0, %1" : "=l" (r) : "l" (x) );
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]102 return( r );
103}
104#define ARIA_P1 aria_p1
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]105#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
106 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]107static inline uint32_t aria_p1( uint32_t x )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]108{
109 uint32_t r;
110 __asm( "rev16 r, x" );
111 return( r );
112}
113#define ARIA_P1 aria_p1
114#endif
115#endif /* arm */
116#if defined(__GNUC__) && \
117 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
Manuel Pégourié-Gonnard2df4bfe2018-05-22 13:39:01 +0200[diff] [blame^]118/* I couldn't find an Intel equivalent of rev16, so two instructions */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]119#define ARIA_P1(x) ARIA_P2( ARIA_P3( x ) )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]120#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]121#endif /* MBEDTLS_HAVE_ASM && GNUC */
122#if !defined(ARIA_P1)
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]123#define ARIA_P1(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]124#endif
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]125
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]126/*
127 * modify byte order: ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
128 *
129 * This is submatrix P2 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]130 *
131 * Common compilers will translate this to a single instruction.
Manuel Pégourié-Gonnard35ad8912018-02-26 11:59:16 +0100[diff] [blame]132 */
133#define ARIA_P2(x) (((x) >> 16) ^ ((x) << 16))
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]134
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]135/*
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]136 * modify byte order: ( A B C D ) -> ( D C B A ), i.e. change endianness
137 *
138 * This is submatrix P3 in [1] Appendix B.1
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]139 *
140 * Some compilers fail to translate this to a single instruction,
141 * so let's provide asm versions for common platforms with C fallback.
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]142 */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]143#if defined(MBEDTLS_HAVE_ASM)
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]144#if defined(__arm__) /* rev available from v6 up */
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]145/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
146#if defined(__GNUC__) && \
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]147 ( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 ) && \
148 __ARM_ARCH >= 6
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]149static inline uint32_t aria_p3( uint32_t x )
150{
151 uint32_t r;
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]152 __asm( "rev %0, %1" : "=l" (r) : "l" (x) );
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]153 return( r );
154}
155#define ARIA_P3 aria_p3
Manuel Pégourié-Gonnard20787252018-03-01 10:37:47 +0100[diff] [blame]156#elif defined(__ARMCC_VERSION) && __ARMCC_VERSION < 6000000 && \
157 ( __TARGET_ARCH_ARM >= 6 || __TARGET_ARCH_THUMB >= 3 )
Manuel Pégourié-Gonnardc0bb66f2018-02-28 12:38:04 +0100[diff] [blame]158static inline uint32_t aria_p3( uint32_t x )
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]159{
160 uint32_t r;
161 __asm( "rev r, x" );
162 return( r );
163}
164#define ARIA_P3 aria_p3
165#endif
166#endif /* arm */
167#if defined(__GNUC__) && \
168 defined(__i386__) || defined(__amd64__) || defined( __x86_64__)
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]169static inline uint32_t aria_p3( uint32_t x )
170{
Manuel Pégourié-Gonnard21662142018-03-01 11:27:14 +0100[diff] [blame]171 __asm( "bswap %0" : "=r" (x) : "0" (x) );
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]172 return( x );
173}
174#define ARIA_P3 aria_p3
Manuel Pégourié-Gonnard377b2b62018-02-27 10:22:26 +0100[diff] [blame]175#endif /* x86 gnuc */
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]176#endif /* MBEDTLS_HAVE_ASM && GNUC */
177#if !defined(ARIA_P3)
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]178#define ARIA_P3(x) ARIA_P2( ARIA_P1 ( x ) )
Manuel Pégourié-Gonnardfb0e4f02018-02-26 16:08:40 +0100[diff] [blame]179#endif
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]180
181/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]182 * ARIA Affine Transform
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]183 * (a, b, c, d) = state in/out
184 *
Manuel Pégourié-Gonnardd418b0d2018-05-22 12:56:11 +0200[diff] [blame]185 * If we denote the first byte of input by 0, ..., the last byte by f,
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]186 * then inputs are: a = 0123, b = 4567, c = 89ab, d = cdef.
187 *
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]188 * Reading [1] 2.4 or [2] 2.4.3 in columns and performing simple
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]189 * rearrangements on adjacent pairs, output is:
190 *
191 * a = 3210 + 4545 + 6767 + 88aa + 99bb + dccd + effe
192 * = 3210 + 4567 + 6745 + 89ab + 98ba + dcfe + efcd
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]193 * b = 0101 + 2323 + 5476 + 8998 + baab + eecc + ffdd
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]194 * = 0123 + 2301 + 5476 + 89ab + ba98 + efcd + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]195 * c = 0022 + 1133 + 4554 + 7667 + ab89 + dcdc + fefe
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]196 * = 0123 + 1032 + 4567 + 7654 + ab89 + dcfe + fedc
Manuel Pégourié-Gonnard366e1b02018-03-01 14:48:10 +0100[diff] [blame]197 * d = 1001 + 2332 + 6644 + 7755 + 9898 + baba + cdef
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]198 * = 1032 + 2301 + 6745 + 7654 + 98ba + ba98 + cdef
199 *
200 * Note: another presentation of the A transform can be found as the first
201 * half of App. B.1 in [1] in terms of 4-byte operators P1, P2, P3 and P4.
202 * The implementation below uses only P1 and P2 as they are sufficient.
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]203 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]204static inline void aria_a( uint32_t *a, uint32_t *b,
205 uint32_t *c, uint32_t *d )
206{
207 uint32_t ta, tb, tc;
Manuel Pégourié-Gonnardf205a012018-02-26 14:10:23 +0100[diff] [blame]208 ta = *b; // 4567
209 *b = *a; // 0123
210 *a = ARIA_P2( ta ); // 6745
211 tb = ARIA_P2( *d ); // efcd
212 *d = ARIA_P1( *c ); // 98ba
213 *c = ARIA_P1( tb ); // fedc
214 ta ^= *d; // 4567+98ba
215 tc = ARIA_P2( *b ); // 2301
216 ta = ARIA_P1( ta ) ^ tc ^ *c; // 2301+5476+89ab+fedc
217 tb ^= ARIA_P2( *d ); // ba98+efcd
218 tc ^= ARIA_P1( *a ); // 2301+7654
219 *b ^= ta ^ tb; // 0123+2301+5476+89ab+ba98+efcd+fedc OUT
220 tb = ARIA_P2( tb ) ^ ta; // 2301+5476+89ab+98ba+cdef+fedc
221 *a ^= ARIA_P1( tb ); // 3210+4567+6745+89ab+98ba+dcfe+efcd OUT
222 ta = ARIA_P2( ta ); // 0123+7654+ab89+dcfe
223 *d ^= ARIA_P1( ta ) ^ tc; // 1032+2301+6745+7654+98ba+ba98+cdef OUT
224 tc = ARIA_P2( tc ); // 0123+5476
225 *c ^= ARIA_P1( tc ) ^ ta; // 0123+1032+4567+7654+ab89+dcfe+fedc OUT
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]226}
227
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]228/*
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]229 * ARIA Substitution Layer SL1 / SL2
230 * (a, b, c, d) = state in/out
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]231 * (sa, sb, sc, sd) = 256 8-bit S-Boxes (see below)
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]232 *
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]233 * By passing sb1, sb2, is1, is2 as S-Boxes you get SL1
234 * By passing is1, is2, sb1, sb2 as S-Boxes you get SL2
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]235 */
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]236static inline void aria_sl( uint32_t *a, uint32_t *b,
237 uint32_t *c, uint32_t *d,
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]238 const uint8_t sa[256], const uint8_t sb[256],
239 const uint8_t sc[256], const uint8_t sd[256] )
Manuel Pégourié-Gonnard8c76a942018-02-21 12:03:22 +0100[diff] [blame]240{
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]241 *a = ( (uint32_t) sa[ *a & 0xFF] ) ^
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]242 (((uint32_t) sb[(*a >> 8) & 0xFF]) << 8) ^
243 (((uint32_t) sc[(*a >> 16) & 0xFF]) << 16) ^
244 (((uint32_t) sd[ *a >> 24 ]) << 24);
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]245 *b = ( (uint32_t) sa[ *b & 0xFF] ) ^
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]246 (((uint32_t) sb[(*b >> 8) & 0xFF]) << 8) ^
247 (((uint32_t) sc[(*b >> 16) & 0xFF]) << 16) ^
248 (((uint32_t) sd[ *b >> 24 ]) << 24);
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]249 *c = ( (uint32_t) sa[ *c & 0xFF] ) ^
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]250 (((uint32_t) sb[(*c >> 8) & 0xFF]) << 8) ^
251 (((uint32_t) sc[(*c >> 16) & 0xFF]) << 16) ^
252 (((uint32_t) sd[ *c >> 24 ]) << 24);
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]253 *d = ( (uint32_t) sa[ *d & 0xFF] ) ^
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]254 (((uint32_t) sb[(*d >> 8) & 0xFF]) << 8) ^
255 (((uint32_t) sc[(*d >> 16) & 0xFF]) << 16) ^
256 (((uint32_t) sd[ *d >> 24 ]) << 24);
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]257}
258
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]259/*
260 * S-Boxes
261 */
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]262static const uint8_t aria_sb1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]263{
264 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
265 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
266 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
267 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
268 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
269 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
270 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
271 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
272 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
273 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
274 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
275 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
276 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
277 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
278 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
279 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
280 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
281 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
282 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
283 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
284 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
285 0xB0, 0x54, 0xBB, 0x16
286};
287
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]288static const uint8_t aria_sb2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]289{
290 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
291 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
292 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
293 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
294 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
295 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
296 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
297 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
298 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
299 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
300 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
301 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
302 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
303 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
304 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
305 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
306 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
307 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
308 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
309 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
310 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
311 0xAF, 0xBA, 0xB5, 0x81
312};
313
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]314static const uint8_t aria_is1[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]315{
316 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
317 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
318 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
319 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
320 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
321 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
322 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
323 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
324 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
325 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
326 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
327 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
328 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
329 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
330 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
331 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
332 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
333 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
334 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
335 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
336 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
337 0x55, 0x21, 0x0C, 0x7D
338};
339
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]340static const uint8_t aria_is2[256] =
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]341{
342 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
343 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
344 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
345 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
346 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
347 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
348 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
349 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
350 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
351 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
352 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
353 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
354 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
355 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
356 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
357 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
358 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
359 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
360 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
361 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
362 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
363 0x03, 0xA2, 0xAC, 0x60
364};
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]365
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]366/*
367 * Helper for key schedule: r = FO( p, k ) ^ x
368 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]369static void aria_fo_xor( uint32_t r[4], const uint32_t p[4],
370 const uint32_t k[4], const uint32_t x[4] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]371{
372 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]373
374 a = p[0] ^ k[0];
375 b = p[1] ^ k[1];
376 c = p[2] ^ k[2];
377 d = p[3] ^ k[3];
378
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]379 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
380 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]381
382 r[0] = a ^ x[0];
383 r[1] = b ^ x[1];
384 r[2] = c ^ x[2];
385 r[3] = d ^ x[3];
386}
387
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]388/*
389 * Helper for key schedule: r = FE( p, k ) ^ x
390 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]391static void aria_fe_xor( uint32_t r[4], const uint32_t p[4],
392 const uint32_t k[4], const uint32_t x[4] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]393{
394 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]395
396 a = p[0] ^ k[0];
397 b = p[1] ^ k[1];
398 c = p[2] ^ k[2];
399 d = p[3] ^ k[3];
400
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]401 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
402 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]403
404 r[0] = a ^ x[0];
405 r[1] = b ^ x[1];
406 r[2] = c ^ x[2];
407 r[3] = d ^ x[3];
408}
409
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]410/*
411 * Big endian 128-bit rotation: r = a ^ (b <<< n), used only in key setup.
412 *
413 * We chose to store bytes into 32-bit words in little-endian format (see
414 * GET/PUT_UINT32_LE) so we need to reverse bytes here.
415 */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]416static void aria_rot128( uint32_t r[4], const uint32_t a[4],
417 const uint32_t b[4], uint8_t n )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]418{
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]419 uint8_t i, j;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]420 uint32_t t, u;
421
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]422 const uint8_t n1 = n % 32; // bit offset
423 const uint8_t n2 = n1 ? 32 - n1 : 0; // reverse bit offset
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]424
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]425 j = ( n / 32 ) % 4; // initial word offset
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]426 t = ARIA_P3( b[j] ); // big endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]427 for( i = 0; i < 4; i++ )
428 {
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]429 j = ( j + 1 ) % 4; // get next word, big endian
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]430 u = ARIA_P3( b[j] );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]431 t <<= n1; // rotate
Manuel Pégourié-Gonnardc76ceb62018-02-21 09:50:17 +0100[diff] [blame]432 t |= u >> n2;
Manuel Pégourié-Gonnardcac50082018-02-26 15:23:03 +0100[diff] [blame]433 t = ARIA_P3( t ); // back to little endian
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]434 r[i] = a[i] ^ t; // store
435 t = u; // move to next word
436 }
437}
438
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]439/*
440 * Set encryption key
441 */
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]442int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
443 const unsigned char *key, unsigned int keybits )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]444{
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]445 /* round constant masks */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]446 const uint32_t rc[3][4] =
447 {
448 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
449 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
450 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
451 };
452
453 int i;
454 uint32_t w[4][4], *w2;
455
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]456 if( keybits != 128 && keybits != 192 && keybits != 256 )
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]457 return( MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]458
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]459 /* Copy key to W0 (and potential remainder to W1) */
460 GET_UINT32_LE( w[0][0], key, 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]461 GET_UINT32_LE( w[0][1], key, 4 );
462 GET_UINT32_LE( w[0][2], key, 8 );
463 GET_UINT32_LE( w[0][3], key, 12 );
464
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]465 memset( w[1], 0, 16 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]466 if( keybits >= 192 )
467 {
468 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
469 GET_UINT32_LE( w[1][1], key, 20 );
470 }
471 if( keybits == 256 )
472 {
473 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
474 GET_UINT32_LE( w[1][3], key, 28 );
475 }
476
Manuel Pégourié-Gonnard12e2fbd2018-05-22 13:01:09 +0200[diff] [blame]477 i = ( keybits - 128 ) >> 6; // index: 0, 1, 2
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]478 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
479
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]480 aria_fo_xor( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]481 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]482 aria_fe_xor( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]483 i = i < 2 ? i + 1 : 0;
Manuel Pégourié-Gonnarda6d639e2018-02-20 13:45:44 +0100[diff] [blame]484 aria_fo_xor( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]485
486 for( i = 0; i < 4; i++ ) // create round keys
487 {
488 w2 = w[(i + 1) & 3];
Manuel Pégourié-Gonnard9cc89242018-02-21 09:44:29 +0100[diff] [blame]489 aria_rot128( ctx->rk[i ], w[i], w2, 128 - 19 );
490 aria_rot128( ctx->rk[i + 4], w[i], w2, 128 - 31 );
491 aria_rot128( ctx->rk[i + 8], w[i], w2, 61 );
492 aria_rot128( ctx->rk[i + 12], w[i], w2, 31 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]493 }
494 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
495
Manuel Pégourié-Gonnard89924dd2018-05-22 13:07:07 +0200[diff] [blame]496 /* w holds enough info to reconstruct the round keys */
497 mbedtls_zeroize( w, sizeof( w ) );
498
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]499 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]500}
501
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]502/*
503 * Set decryption key
504 */
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]505int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
506 const unsigned char *key, unsigned int keybits )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]507{
508 int i, j, k, ret;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]509
510 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
511 if( ret != 0 )
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]512 return( ret );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]513
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]514 /* flip the order of round keys */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]515 for( i = 0, j = ctx->nr; i < j; i++, j-- )
516 {
517 for( k = 0; k < 4; k++ )
518 {
Manuel Pégourié-Gonnarde1ad7492018-02-20 13:59:05 +0100[diff] [blame]519 uint32_t t = ctx->rk[i][k];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]520 ctx->rk[i][k] = ctx->rk[j][k];
521 ctx->rk[j][k] = t;
522 }
523 }
524
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]525 /* apply affine transform to middle keys */
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]526 for( i = 1; i < ctx->nr; i++ )
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]527 {
528 aria_a( &ctx->rk[i][0], &ctx->rk[i][1],
529 &ctx->rk[i][2], &ctx->rk[i][3] );
530 }
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]531
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]532 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]533}
534
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]535/*
536 * Encrypt a block
537 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]538int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]539 const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
540 unsigned char output[MBEDTLS_ARIA_BLOCKSIZE] )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]541{
542 int i;
543
544 uint32_t a, b, c, d;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]545
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]546 GET_UINT32_LE( a, input, 0 );
547 GET_UINT32_LE( b, input, 4 );
548 GET_UINT32_LE( c, input, 8 );
549 GET_UINT32_LE( d, input, 12 );
550
551 i = 0;
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]552 while( 1 )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]553 {
554 a ^= ctx->rk[i][0];
555 b ^= ctx->rk[i][1];
556 c ^= ctx->rk[i][2];
557 d ^= ctx->rk[i][3];
558 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]559
560 aria_sl( &a, &b, &c, &d, aria_sb1, aria_sb2, aria_is1, aria_is2 );
561 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]562
563 a ^= ctx->rk[i][0];
564 b ^= ctx->rk[i][1];
565 c ^= ctx->rk[i][2];
566 d ^= ctx->rk[i][3];
567 i++;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]568
569 aria_sl( &a, &b, &c, &d, aria_is1, aria_is2, aria_sb1, aria_sb2 );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]570 if( i >= ctx->nr )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]571 break;
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]572 aria_a( &a, &b, &c, &d );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]573 }
574
Manuel Pégourié-Gonnard64744f82018-02-21 12:35:19 +0100[diff] [blame]575 /* final key mixing */
576 a ^= ctx->rk[i][0];
577 b ^= ctx->rk[i][1];
578 c ^= ctx->rk[i][2];
579 d ^= ctx->rk[i][3];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]580
581 PUT_UINT32_LE( a, output, 0 );
582 PUT_UINT32_LE( b, output, 4 );
583 PUT_UINT32_LE( c, output, 8 );
584 PUT_UINT32_LE( d, output, 12 );
585
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]586 return( 0 );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]587}
588
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]589/* Initialize context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]590void mbedtls_aria_init( mbedtls_aria_context *ctx )
591{
592 memset( ctx, 0, sizeof( mbedtls_aria_context ) );
593}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]594
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]595/* Clear context */
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]596void mbedtls_aria_free( mbedtls_aria_context *ctx )
597{
598 if( ctx == NULL )
599 return;
600
Manuel Pégourié-Gonnard56453932018-02-21 10:08:31 +0100[diff] [blame]601 mbedtls_zeroize( ctx, sizeof( mbedtls_aria_context ) );
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]602}
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]603
604#if defined(MBEDTLS_CIPHER_MODE_CBC)
605/*
606 * ARIA-CBC buffer encryption/decryption
607 */
608int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]609 int mode,
610 size_t length,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]611 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]612 const unsigned char *input,
613 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]614{
615 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]616 unsigned char temp[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]617
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]618 if( length % MBEDTLS_ARIA_BLOCKSIZE )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]619 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
620
621 if( mode == MBEDTLS_ARIA_DECRYPT )
622 {
623 while( length > 0 )
624 {
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]625 memcpy( temp, input, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]626 mbedtls_aria_crypt_ecb( ctx, input, output );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]627
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]628 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]629 output[i] = (unsigned char)( output[i] ^ iv[i] );
630
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]631 memcpy( iv, temp, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]632
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]633 input += MBEDTLS_ARIA_BLOCKSIZE;
634 output += MBEDTLS_ARIA_BLOCKSIZE;
635 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]636 }
637 }
638 else
639 {
640 while( length > 0 )
641 {
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]642 for( i = 0; i < MBEDTLS_ARIA_BLOCKSIZE; i++ )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]643 output[i] = (unsigned char)( input[i] ^ iv[i] );
644
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]645 mbedtls_aria_crypt_ecb( ctx, output, output );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]646 memcpy( iv, output, MBEDTLS_ARIA_BLOCKSIZE );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]647
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]648 input += MBEDTLS_ARIA_BLOCKSIZE;
649 output += MBEDTLS_ARIA_BLOCKSIZE;
650 length -= MBEDTLS_ARIA_BLOCKSIZE;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]651 }
652 }
653
654 return( 0 );
655}
656#endif /* MBEDTLS_CIPHER_MODE_CBC */
657
658#if defined(MBEDTLS_CIPHER_MODE_CFB)
659/*
660 * ARIA-CFB128 buffer encryption/decryption
661 */
662int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]663 int mode,
664 size_t length,
665 size_t *iv_off,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]666 unsigned char iv[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]667 const unsigned char *input,
668 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]669{
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]670 unsigned char c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]671 size_t n = *iv_off;
672
673 if( mode == MBEDTLS_ARIA_DECRYPT )
674 {
675 while( length-- )
676 {
677 if( n == 0 )
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]678 mbedtls_aria_crypt_ecb( ctx, iv, iv );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]679
680 c = *input++;
Manuel Pégourié-Gonnard565e4e02018-05-22 13:30:28 +0200[diff] [blame]681 *output++ = c ^ iv[n];
682 iv[n] = c;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]683
684 n = ( n + 1 ) & 0x0F;
685 }
686 }
687 else
688 {
689 while( length-- )
690 {
691 if( n == 0 )
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]692 mbedtls_aria_crypt_ecb( ctx, iv, iv );
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]693
694 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
695
696 n = ( n + 1 ) & 0x0F;
697 }
698 }
699
700 *iv_off = n;
701
702 return( 0 );
703}
704#endif /* MBEDTLS_CIPHER_MODE_CFB */
705
706#if defined(MBEDTLS_CIPHER_MODE_CTR)
707/*
708 * ARIA-CTR buffer encryption/decryption
709 */
710int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]711 size_t length,
712 size_t *nc_off,
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]713 unsigned char nonce_counter[MBEDTLS_ARIA_BLOCKSIZE],
714 unsigned char stream_block[MBEDTLS_ARIA_BLOCKSIZE],
Manuel Pégourié-Gonnard4231e7f2018-02-28 10:54:31 +0100[diff] [blame]715 const unsigned char *input,
716 unsigned char *output )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]717{
718 int c, i;
719 size_t n = *nc_off;
720
721 while( length-- )
722 {
723 if( n == 0 ) {
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]724 mbedtls_aria_crypt_ecb( ctx, nonce_counter,
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]725 stream_block );
726
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]727 for( i = MBEDTLS_ARIA_BLOCKSIZE; i > 0; i-- )
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]728 if( ++nonce_counter[i - 1] != 0 )
729 break;
730 }
731 c = *input++;
732 *output++ = (unsigned char)( c ^ stream_block[n] );
733
734 n = ( n + 1 ) & 0x0F;
735 }
736
737 *nc_off = n;
738
739 return( 0 );
740}
741#endif /* MBEDTLS_CIPHER_MODE_CTR */
742#endif /* !MBEDTLS_ARIA_ALT */
743
744#if defined(MBEDTLS_SELF_TEST)
745
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]746/*
747 * Basic ARIA ECB test vectors from RFC 5794
748 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]749static const uint8_t aria_test1_ecb_key[32] = // test key
750{
751 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
752 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
753 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
754 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
755};
756
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]757static const uint8_t aria_test1_ecb_pt[MBEDTLS_ARIA_BLOCKSIZE] = // plaintext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]758{
759 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
760 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
761};
762
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]763static const uint8_t aria_test1_ecb_ct[3][MBEDTLS_ARIA_BLOCKSIZE] = // ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]764{
765 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
766 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 },
767 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
768 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 },
769 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
770 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
771};
772
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]773/*
774 * Mode tests from "Test Vectors for ARIA" Version 1.0
775 * http://210.104.33.10/ARIA/doc/ARIA-testvector-e.pdf
776 */
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]777#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) || \
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]778 defined(MBEDTLS_CIPHER_MODE_CTR))
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]779static const uint8_t aria_test2_key[32] =
780{
781 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 128 bit
782 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
783 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // 192 bit
784 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff // 256 bit
785};
786
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]787static const uint8_t aria_test2_pt[48] =
788{
789 0x11, 0x11, 0x11, 0x11, 0xaa, 0xaa, 0xaa, 0xaa, // same for all
790 0x11, 0x11, 0x11, 0x11, 0xbb, 0xbb, 0xbb, 0xbb,
791 0x11, 0x11, 0x11, 0x11, 0xcc, 0xcc, 0xcc, 0xcc,
792 0x11, 0x11, 0x11, 0x11, 0xdd, 0xdd, 0xdd, 0xdd,
793 0x22, 0x22, 0x22, 0x22, 0xaa, 0xaa, 0xaa, 0xaa,
794 0x22, 0x22, 0x22, 0x22, 0xbb, 0xbb, 0xbb, 0xbb,
795};
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]796#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]797
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]798#if (defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]799static const uint8_t aria_test2_iv[MBEDTLS_ARIA_BLOCKSIZE] =
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]800{
801 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, // same for CBC, CFB
802 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0 // CTR has zero IV
803};
804#endif
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]805
806#if defined(MBEDTLS_CIPHER_MODE_CBC)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]807static const uint8_t aria_test2_cbc_ct[3][48] = // CBC ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]808{
809 { 0x49, 0xd6, 0x18, 0x60, 0xb1, 0x49, 0x09, 0x10, // 128-bit key
810 0x9c, 0xef, 0x0d, 0x22, 0xa9, 0x26, 0x81, 0x34,
811 0xfa, 0xdf, 0x9f, 0xb2, 0x31, 0x51, 0xe9, 0x64,
812 0x5f, 0xba, 0x75, 0x01, 0x8b, 0xdb, 0x15, 0x38,
813 0xb5, 0x33, 0x34, 0x63, 0x4b, 0xbf, 0x7d, 0x4c,
814 0xd4, 0xb5, 0x37, 0x70, 0x33, 0x06, 0x0c, 0x15 },
815 { 0xaf, 0xe6, 0xcf, 0x23, 0x97, 0x4b, 0x53, 0x3c, // 192-bit key
816 0x67, 0x2a, 0x82, 0x62, 0x64, 0xea, 0x78, 0x5f,
817 0x4e, 0x4f, 0x7f, 0x78, 0x0d, 0xc7, 0xf3, 0xf1,
818 0xe0, 0x96, 0x2b, 0x80, 0x90, 0x23, 0x86, 0xd5,
819 0x14, 0xe9, 0xc3, 0xe7, 0x72, 0x59, 0xde, 0x92,
820 0xdd, 0x11, 0x02, 0xff, 0xab, 0x08, 0x6c, 0x1e },
821 { 0x52, 0x3a, 0x8a, 0x80, 0x6a, 0xe6, 0x21, 0xf1, // 256-bit key
822 0x55, 0xfd, 0xd2, 0x8d, 0xbc, 0x34, 0xe1, 0xab,
823 0x7b, 0x9b, 0x42, 0x43, 0x2a, 0xd8, 0xb2, 0xef,
824 0xb9, 0x6e, 0x23, 0xb1, 0x3f, 0x0a, 0x6e, 0x52,
825 0xf3, 0x61, 0x85, 0xd5, 0x0a, 0xd0, 0x02, 0xc5,
826 0xf6, 0x01, 0xbe, 0xe5, 0x49, 0x3f, 0x11, 0x8b }
827};
828#endif /* MBEDTLS_CIPHER_MODE_CBC */
829
830#if defined(MBEDTLS_CIPHER_MODE_CFB)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]831static const uint8_t aria_test2_cfb_ct[3][48] = // CFB ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]832{
833 { 0x37, 0x20, 0xe5, 0x3b, 0xa7, 0xd6, 0x15, 0x38, // 128-bit key
834 0x34, 0x06, 0xb0, 0x9f, 0x0a, 0x05, 0xa2, 0x00,
835 0xc0, 0x7c, 0x21, 0xe6, 0x37, 0x0f, 0x41, 0x3a,
836 0x5d, 0x13, 0x25, 0x00, 0xa6, 0x82, 0x85, 0x01,
837 0x7c, 0x61, 0xb4, 0x34, 0xc7, 0xb7, 0xca, 0x96,
838 0x85, 0xa5, 0x10, 0x71, 0x86, 0x1e, 0x4d, 0x4b },
839 { 0x41, 0x71, 0xf7, 0x19, 0x2b, 0xf4, 0x49, 0x54, // 192-bit key
840 0x94, 0xd2, 0x73, 0x61, 0x29, 0x64, 0x0f, 0x5c,
841 0x4d, 0x87, 0xa9, 0xa2, 0x13, 0x66, 0x4c, 0x94,
842 0x48, 0x47, 0x7c, 0x6e, 0xcc, 0x20, 0x13, 0x59,
843 0x8d, 0x97, 0x66, 0x95, 0x2d, 0xd8, 0xc3, 0x86,
844 0x8f, 0x17, 0xe3, 0x6e, 0xf6, 0x6f, 0xd8, 0x4b },
845 { 0x26, 0x83, 0x47, 0x05, 0xb0, 0xf2, 0xc0, 0xe2, // 256-bit key
846 0x58, 0x8d, 0x4a, 0x7f, 0x09, 0x00, 0x96, 0x35,
847 0xf2, 0x8b, 0xb9, 0x3d, 0x8c, 0x31, 0xf8, 0x70,
848 0xec, 0x1e, 0x0b, 0xdb, 0x08, 0x2b, 0x66, 0xfa,
849 0x40, 0x2d, 0xd9, 0xc2, 0x02, 0xbe, 0x30, 0x0c,
850 0x45, 0x17, 0xd1, 0x96, 0xb1, 0x4d, 0x4c, 0xe1 }
851};
852#endif /* MBEDTLS_CIPHER_MODE_CFB */
853
854#if defined(MBEDTLS_CIPHER_MODE_CTR)
Manuel Pégourié-Gonnardf3a46a92018-02-28 12:38:21 +0100[diff] [blame]855static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]856{
857 { 0xac, 0x5d, 0x7d, 0xe8, 0x05, 0xa0, 0xbf, 0x1c, // 128-bit key
858 0x57, 0xc8, 0x54, 0x50, 0x1a, 0xf6, 0x0f, 0xa1,
859 0x14, 0x97, 0xe2, 0xa3, 0x45, 0x19, 0xde, 0xa1,
860 0x56, 0x9e, 0x91, 0xe5, 0xb5, 0xcc, 0xae, 0x2f,
861 0xf3, 0xbf, 0xa1, 0xbf, 0x97, 0x5f, 0x45, 0x71,
862 0xf4, 0x8b, 0xe1, 0x91, 0x61, 0x35, 0x46, 0xc3 },
863 { 0x08, 0x62, 0x5c, 0xa8, 0xfe, 0x56, 0x9c, 0x19, // 192-bit key
864 0xba, 0x7a, 0xf3, 0x76, 0x0a, 0x6e, 0xd1, 0xce,
865 0xf4, 0xd1, 0x99, 0x26, 0x3e, 0x99, 0x9d, 0xde,
866 0x14, 0x08, 0x2d, 0xbb, 0xa7, 0x56, 0x0b, 0x79,
867 0xa4, 0xc6, 0xb4, 0x56, 0xb8, 0x70, 0x7d, 0xce,
868 0x75, 0x1f, 0x98, 0x54, 0xf1, 0x88, 0x93, 0xdf },
869 { 0x30, 0x02, 0x6c, 0x32, 0x96, 0x66, 0x14, 0x17, // 256-bit key
870 0x21, 0x17, 0x8b, 0x99, 0xc0, 0xa1, 0xf1, 0xb2,
871 0xf0, 0x69, 0x40, 0x25, 0x3f, 0x7b, 0x30, 0x89,
872 0xe2, 0xa3, 0x0e, 0xa8, 0x6a, 0xa3, 0xc8, 0x8f,
873 0x59, 0x40, 0xf0, 0x5a, 0xd7, 0xee, 0x41, 0xd7,
874 0x13, 0x47, 0xbb, 0x72, 0x61, 0xe3, 0x48, 0xf1 }
875};
876#endif /* MBEDTLS_CIPHER_MODE_CFB */
877
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]878#define ARIA_SELF_TEST_IF_FAIL \
879 { \
880 if( verbose ) \
881 printf( "failed\n" ); \
882 return( 1 ); \
883 } else { \
884 if( verbose ) \
885 printf( "passed\n" ); \
886 }
887
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]888/*
889 * Checkup routine
890 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]891int mbedtls_aria_self_test( int verbose )
892{
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]893 int i;
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]894 uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]895 mbedtls_aria_context ctx;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]896
Markku-Juhani O. Saarinen6ba68d42017-12-01 14:26:21 +0000[diff] [blame]897#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
898 size_t j;
Markku-Juhani O. Saarinen3c0b53b2017-11-30 16:00:34 +0000[diff] [blame]899#endif
900
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]901#if (defined(MBEDTLS_CIPHER_MODE_CBC) || \
902 defined(MBEDTLS_CIPHER_MODE_CFB) || \
903 defined(MBEDTLS_CIPHER_MODE_CTR))
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]904 uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]905#endif
906
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]907 /*
908 * Test set 1
909 */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]910 for( i = 0; i < 3; i++ )
911 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]912 /* test ECB encryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]913 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]914 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]915 mbedtls_aria_setkey_enc( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]916 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_pt, blk );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]917 if( memcmp( blk, aria_test1_ecb_ct[i], MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]918 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]919
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]920 /* test ECB decryption */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]921 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]922 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]923 mbedtls_aria_setkey_dec( &ctx, aria_test1_ecb_key, 128 + 64 * i );
Manuel Pégourié-Gonnard08c337d2018-05-22 13:18:01 +0200[diff] [blame]924 mbedtls_aria_crypt_ecb( &ctx, aria_test1_ecb_ct[i], blk );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]925 if( memcmp( blk, aria_test1_ecb_pt, MBEDTLS_ARIA_BLOCKSIZE ) != 0 )
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]926 ARIA_SELF_TEST_IF_FAIL;
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]927 }
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]928 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]929 printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]930
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]931 /*
932 * Test set 2
933 */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]934#if defined(MBEDTLS_CIPHER_MODE_CBC)
935 for( i = 0; i < 3; i++ )
936 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]937 /* Test CBC encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]938 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]939 printf( " ARIA-CBC-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]940 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]941 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]942 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]943 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, iv,
944 aria_test2_pt, buf );
945 if( memcmp( buf, aria_test2_cbc_ct[i], 48 ) != 0 )
946 ARIA_SELF_TEST_IF_FAIL;
947
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]948 /* Test CBC decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]949 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]950 printf( " ARIA-CBC-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]951 mbedtls_aria_setkey_dec( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]952 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]953 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]954 mbedtls_aria_crypt_cbc( &ctx, MBEDTLS_ARIA_DECRYPT, 48, iv,
955 aria_test2_cbc_ct[i], buf );
956 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
957 ARIA_SELF_TEST_IF_FAIL;
958 }
959 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]960 printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]961
962#endif /* MBEDTLS_CIPHER_MODE_CBC */
963
964#if defined(MBEDTLS_CIPHER_MODE_CFB)
965 for( i = 0; i < 3; i++ )
966 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]967 /* Test CFB encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]968 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]969 printf( " ARIA-CFB-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]970 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]971 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]972 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]973 j = 0;
974 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_ENCRYPT, 48, &j, iv,
975 aria_test2_pt, buf );
976 if( memcmp( buf, aria_test2_cfb_ct[i], 48 ) != 0 )
977 ARIA_SELF_TEST_IF_FAIL;
978
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]979 /* Test CFB decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]980 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]981 printf( " ARIA-CFB-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]982 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]983 memcpy( iv, aria_test2_iv, MBEDTLS_ARIA_BLOCKSIZE );
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]984 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]985 j = 0;
986 mbedtls_aria_crypt_cfb128( &ctx, MBEDTLS_ARIA_DECRYPT, 48, &j,
987 iv, aria_test2_cfb_ct[i], buf );
988 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
989 ARIA_SELF_TEST_IF_FAIL;
990 }
991 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]992 printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]993#endif /* MBEDTLS_CIPHER_MODE_CFB */
994
995#if defined(MBEDTLS_CIPHER_MODE_CTR)
996 for( i = 0; i < 3; i++ )
997 {
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]998 /* Test CTR encryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]999 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1000 printf( " ARIA-CTR-%d (enc): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1001 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]1002 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1003 memset( buf, 0x55, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1004 j = 0;
1005 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1006 aria_test2_pt, buf );
1007 if( memcmp( buf, aria_test2_ctr_ct[i], 48 ) != 0 )
1008 ARIA_SELF_TEST_IF_FAIL;
1009
Manuel Pégourié-Gonnarda41ecda2018-02-21 10:33:26 +0100[diff] [blame]1010 /* Test CTR decryption */
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1011 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1012 printf( " ARIA-CTR-%d (dec): ", 128 + 64 * i );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1013 mbedtls_aria_setkey_enc( &ctx, aria_test2_key, 128 + 64 * i );
Manuel Pégourié-Gonnard5ad88b62018-03-01 09:20:47 +0100[diff] [blame]1014 memset( iv, 0, MBEDTLS_ARIA_BLOCKSIZE ); // IV = 0
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1015 memset( buf, 0xAA, sizeof( buf ) );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1016 j = 0;
1017 mbedtls_aria_crypt_ctr( &ctx, 48, &j, iv, blk,
1018 aria_test2_ctr_ct[i], buf );
1019 if( memcmp( buf, aria_test2_pt, 48 ) != 0 )
1020 ARIA_SELF_TEST_IF_FAIL;
1021 }
1022 if( verbose )
Manuel Pégourié-Gonnard7fc08792018-03-01 09:33:20 +0100[diff] [blame]1023 printf( "\n" );
Markku-Juhani O. Saarinen259fa602017-11-30 15:48:37 +0000[diff] [blame]1024#endif /* MBEDTLS_CIPHER_MODE_CTR */
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame]1025
1026 return( 0 );
1027}
1028
1029#endif /* MBEDTLS_SELF_TEST */
1030
1031#endif /* MBEDTLS_ARIA_C */