TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 41efbaabc9abe692c1ba1f3aa25d8e26f7765620 / . / library / aria.c
blob: 0eb22ecc8f299fa084ef9521dfcedf965a8991c5 [file] [log] [blame]
Markku-Juhani O. Saarinen41efbaa2017-11-30 11:37:55 +0000[diff] [blame^]1/*
2 * ARIA implementation
3 *
4 * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22
23#if !defined(MBEDTLS_CONFIG_FILE)
24#include "mbedtls/config.h"
25#else
26#include MBEDTLS_CONFIG_FILE
27#endif
28
29#if defined(MBEDTLS_ARIA_C)
30
31#include "mbedtls/aria.h"
32
33#include <string.h>
34
35#if defined(MBEDTLS_SELF_TEST)
36#if defined(MBEDTLS_PLATFORM_C)
37#include "mbedtls/platform.h"
38#else
39#include <stdio.h>
40#define mbedtls_printf printf
41#endif /* MBEDTLS_PLATFORM_C */
42#endif /* MBEDTLS_SELF_TEST */
43
44#if !defined(MBEDTLS_ARIA_ALT)
45
46// 32-bit integer manipulation macros (little endian)
47
48#ifndef GET_UINT32_LE
49#define GET_UINT32_LE(n,b,i) \
50{ \
51 (n) = ( (uint32_t) (b)[(i) ] ) \
52 | ( (uint32_t) (b)[(i) + 1] << 8 ) \
53 | ( (uint32_t) (b)[(i) + 2] << 16 ) \
54 | ( (uint32_t) (b)[(i) + 3] << 24 ); \
55}
56#endif
57
58#ifndef PUT_UINT32_LE
59#define PUT_UINT32_LE(n,b,i) \
60{ \
61 (b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
62 (b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
63 (b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
64 (b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
65}
66#endif
67
68// FLIP1 modifies byte order ( A B C D ) -> ( C D A B ), i.e. rotate by 16 bits
69#define ARIA_FLIP1(x) (((x) >> 16) ^ ((x) << 16))
70
71// FLIP2 modifies byte order ( A B C D ) -> ( B A D C ), swap pairs of bytes
72#define ARIA_FLIP2(x) ((((x) >> 8) & 0x00FF00FF) ^ (((x) & 0x00FF00FF) << 8))
73
74// Affine Transform A
75// (ra, rb, rc, rd) = state in/out
76// (ta, tb, tc) = temporary variables
77
78#define ARIA_A( ra, rb, rc, rd, ta, tb, tc ) { \
79 ta = rb; \
80 rb = ra; \
81 ra = ARIA_FLIP1( ta ); \
82 tb = ARIA_FLIP1( rd ); \
83 rd = ARIA_FLIP2( rc ); \
84 rc = ARIA_FLIP2( tb ); \
85 ta ^= rd; \
86 tc = ARIA_FLIP1( rb ); \
87 ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
88 tb ^= ARIA_FLIP1( rd ); \
89 tc ^= ARIA_FLIP2( ra ); \
90 rb ^= ta ^ tb; \
91 tb = ARIA_FLIP1( tb ) ^ ta; \
92 ra ^= ARIA_FLIP2( tb ); \
93 ta = ARIA_FLIP1( ta ); \
94 rd ^= ARIA_FLIP2( ta ) ^ tc; \
95 tc = ARIA_FLIP1( tc ); \
96 rc ^= ARIA_FLIP2( tc ) ^ ta; \
97}
98
99
100// ARIA Round function ( Substitution Layer SLx + Affine Transform A )
101// (ra, rb, rc, rd) = state in/out
102// (sa, sb, sc, sd) = 256 8-bit S-Boxes
103// (ta, tb, tc) = temporary variables
104
105#define ARIA_SLA( ra, rb, rc, rd, sa, sb, sc, sd, ta, tb, tc ) { \
106 ta = ( (uint32_t) sc[(rb >> 16) & 0xFF]) ^ \
107 (((uint32_t) sd[ rb >> 24]) << 8) ^ \
108 (((uint32_t) sa[ rb & 0xFF]) << 16) ^ \
109 (((uint32_t) sb[(rb >> 8) & 0xFF]) << 24); \
110 rb = ( (uint32_t) sa[ ra & 0xFF]) ^ \
111 (((uint32_t) sb[(ra >> 8) & 0xFF]) << 8) ^ \
112 (((uint32_t) sc[(ra >> 16) & 0xFF]) << 16) ^ \
113 (((uint32_t) sd[ ra >> 24]) << 24); \
114 ra = ta; \
115 ta = ( (uint32_t) sd[ rd >> 24]) ^ \
116 (((uint32_t) sc[(rd >> 16) & 0xFF]) << 8) ^ \
117 (((uint32_t) sb[(rd >> 8) & 0xFF]) << 16) ^ \
118 (((uint32_t) sa[ rd & 0xFF]) << 24); \
119 rd = ( (uint32_t) sb[(rc >> 8) & 0xFF]) ^ \
120 (((uint32_t) sa[ rc & 0xFF]) << 8) ^ \
121 (((uint32_t) sd[ rc >> 24]) << 16) ^ \
122 (((uint32_t) sc[(rc >> 16) & 0xFF]) << 24); \
123 rc = ta; \
124 ta = ARIA_FLIP1( ra ) ^ rd; \
125 tc = ARIA_FLIP1( rb ); \
126 ta = ARIA_FLIP2( ta ) ^ tc ^ rc; \
127 tb = ARIA_FLIP2( rc ) ^ ARIA_FLIP1( rd ); \
128 tc ^= ARIA_FLIP2( ra ); \
129 rb ^= ta^ tb; \
130 tb = ARIA_FLIP1( tb ) ^ ta; \
131 ra ^= ARIA_FLIP2( tb ); \
132 ta = ARIA_FLIP1( ta ); \
133 rd ^= ARIA_FLIP2( ta ) ^ tc; \
134 tc = ARIA_FLIP1( tc ); \
135 rc ^= ARIA_FLIP2( tc ) ^ ta; \
136}
137
138// S-Boxes
139
140static const uint8_t aria_sb1[0x100] =
141{
142 0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B,
143 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0,
144 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
145 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
146 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
147 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
148 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED,
149 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
150 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
151 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
152 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC,
153 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
154 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14,
155 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C,
156 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
157 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
158 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F,
159 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
160 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11,
161 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
162 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
163 0xB0, 0x54, 0xBB, 0x16
164};
165
166static const uint8_t aria_sb2[0x100] =
167{
168 0xE2, 0x4E, 0x54, 0xFC, 0x94, 0xC2, 0x4A, 0xCC, 0x62, 0x0D, 0x6A, 0x46,
169 0x3C, 0x4D, 0x8B, 0xD1, 0x5E, 0xFA, 0x64, 0xCB, 0xB4, 0x97, 0xBE, 0x2B,
170 0xBC, 0x77, 0x2E, 0x03, 0xD3, 0x19, 0x59, 0xC1, 0x1D, 0x06, 0x41, 0x6B,
171 0x55, 0xF0, 0x99, 0x69, 0xEA, 0x9C, 0x18, 0xAE, 0x63, 0xDF, 0xE7, 0xBB,
172 0x00, 0x73, 0x66, 0xFB, 0x96, 0x4C, 0x85, 0xE4, 0x3A, 0x09, 0x45, 0xAA,
173 0x0F, 0xEE, 0x10, 0xEB, 0x2D, 0x7F, 0xF4, 0x29, 0xAC, 0xCF, 0xAD, 0x91,
174 0x8D, 0x78, 0xC8, 0x95, 0xF9, 0x2F, 0xCE, 0xCD, 0x08, 0x7A, 0x88, 0x38,
175 0x5C, 0x83, 0x2A, 0x28, 0x47, 0xDB, 0xB8, 0xC7, 0x93, 0xA4, 0x12, 0x53,
176 0xFF, 0x87, 0x0E, 0x31, 0x36, 0x21, 0x58, 0x48, 0x01, 0x8E, 0x37, 0x74,
177 0x32, 0xCA, 0xE9, 0xB1, 0xB7, 0xAB, 0x0C, 0xD7, 0xC4, 0x56, 0x42, 0x26,
178 0x07, 0x98, 0x60, 0xD9, 0xB6, 0xB9, 0x11, 0x40, 0xEC, 0x20, 0x8C, 0xBD,
179 0xA0, 0xC9, 0x84, 0x04, 0x49, 0x23, 0xF1, 0x4F, 0x50, 0x1F, 0x13, 0xDC,
180 0xD8, 0xC0, 0x9E, 0x57, 0xE3, 0xC3, 0x7B, 0x65, 0x3B, 0x02, 0x8F, 0x3E,
181 0xE8, 0x25, 0x92, 0xE5, 0x15, 0xDD, 0xFD, 0x17, 0xA9, 0xBF, 0xD4, 0x9A,
182 0x7E, 0xC5, 0x39, 0x67, 0xFE, 0x76, 0x9D, 0x43, 0xA7, 0xE1, 0xD0, 0xF5,
183 0x68, 0xF2, 0x1B, 0x34, 0x70, 0x05, 0xA3, 0x8A, 0xD5, 0x79, 0x86, 0xA8,
184 0x30, 0xC6, 0x51, 0x4B, 0x1E, 0xA6, 0x27, 0xF6, 0x35, 0xD2, 0x6E, 0x24,
185 0x16, 0x82, 0x5F, 0xDA, 0xE6, 0x75, 0xA2, 0xEF, 0x2C, 0xB2, 0x1C, 0x9F,
186 0x5D, 0x6F, 0x80, 0x0A, 0x72, 0x44, 0x9B, 0x6C, 0x90, 0x0B, 0x5B, 0x33,
187 0x7D, 0x5A, 0x52, 0xF3, 0x61, 0xA1, 0xF7, 0xB0, 0xD6, 0x3F, 0x7C, 0x6D,
188 0xED, 0x14, 0xE0, 0xA5, 0x3D, 0x22, 0xB3, 0xF8, 0x89, 0xDE, 0x71, 0x1A,
189 0xAF, 0xBA, 0xB5, 0x81
190};
191
192static const uint8_t aria_is1[0x100] =
193{
194 0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E,
195 0x81, 0xF3, 0xD7, 0xFB, 0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87,
196 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB, 0x54, 0x7B, 0x94, 0x32,
197 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
198 0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49,
199 0x6D, 0x8B, 0xD1, 0x25, 0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16,
200 0xD4, 0xA4, 0x5C, 0xCC, 0x5D, 0x65, 0xB6, 0x92, 0x6C, 0x70, 0x48, 0x50,
201 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
202 0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05,
203 0xB8, 0xB3, 0x45, 0x06, 0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02,
204 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B, 0x3A, 0x91, 0x11, 0x41,
205 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
206 0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8,
207 0x1C, 0x75, 0xDF, 0x6E, 0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89,
208 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x3E, 0x4B,
209 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
210 0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59,
211 0x27, 0x80, 0xEC, 0x5F, 0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D,
212 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF, 0xA0, 0xE0, 0x3B, 0x4D,
213 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
214 0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63,
215 0x55, 0x21, 0x0C, 0x7D
216};
217
218static const uint8_t aria_is2[0x100] =
219{
220 0x30, 0x68, 0x99, 0x1B, 0x87, 0xB9, 0x21, 0x78, 0x50, 0x39, 0xDB, 0xE1,
221 0x72, 0x09, 0x62, 0x3C, 0x3E, 0x7E, 0x5E, 0x8E, 0xF1, 0xA0, 0xCC, 0xA3,
222 0x2A, 0x1D, 0xFB, 0xB6, 0xD6, 0x20, 0xC4, 0x8D, 0x81, 0x65, 0xF5, 0x89,
223 0xCB, 0x9D, 0x77, 0xC6, 0x57, 0x43, 0x56, 0x17, 0xD4, 0x40, 0x1A, 0x4D,
224 0xC0, 0x63, 0x6C, 0xE3, 0xB7, 0xC8, 0x64, 0x6A, 0x53, 0xAA, 0x38, 0x98,
225 0x0C, 0xF4, 0x9B, 0xED, 0x7F, 0x22, 0x76, 0xAF, 0xDD, 0x3A, 0x0B, 0x58,
226 0x67, 0x88, 0x06, 0xC3, 0x35, 0x0D, 0x01, 0x8B, 0x8C, 0xC2, 0xE6, 0x5F,
227 0x02, 0x24, 0x75, 0x93, 0x66, 0x1E, 0xE5, 0xE2, 0x54, 0xD8, 0x10, 0xCE,
228 0x7A, 0xE8, 0x08, 0x2C, 0x12, 0x97, 0x32, 0xAB, 0xB4, 0x27, 0x0A, 0x23,
229 0xDF, 0xEF, 0xCA, 0xD9, 0xB8, 0xFA, 0xDC, 0x31, 0x6B, 0xD1, 0xAD, 0x19,
230 0x49, 0xBD, 0x51, 0x96, 0xEE, 0xE4, 0xA8, 0x41, 0xDA, 0xFF, 0xCD, 0x55,
231 0x86, 0x36, 0xBE, 0x61, 0x52, 0xF8, 0xBB, 0x0E, 0x82, 0x48, 0x69, 0x9A,
232 0xE0, 0x47, 0x9E, 0x5C, 0x04, 0x4B, 0x34, 0x15, 0x79, 0x26, 0xA7, 0xDE,
233 0x29, 0xAE, 0x92, 0xD7, 0x84, 0xE9, 0xD2, 0xBA, 0x5D, 0xF3, 0xC5, 0xB0,
234 0xBF, 0xA4, 0x3B, 0x71, 0x44, 0x46, 0x2B, 0xFC, 0xEB, 0x6F, 0xD5, 0xF6,
235 0x14, 0xFE, 0x7C, 0x70, 0x5A, 0x7D, 0xFD, 0x2F, 0x18, 0x83, 0x16, 0xA5,
236 0x91, 0x1F, 0x05, 0x95, 0x74, 0xA9, 0xC1, 0x5B, 0x4A, 0x85, 0x6D, 0x13,
237 0x07, 0x4F, 0x4E, 0x45, 0xB2, 0x0F, 0xC9, 0x1C, 0xA6, 0xBC, 0xEC, 0x73,
238 0x90, 0x7B, 0xCF, 0x59, 0x8F, 0xA1, 0xF9, 0x2D, 0xF2, 0xB1, 0x00, 0x94,
239 0x37, 0x9F, 0xD0, 0x2E, 0x9C, 0x6E, 0x28, 0x3F, 0x80, 0xF0, 0x3D, 0xD3,
240 0x25, 0x8A, 0xB5, 0xE7, 0x42, 0xB3, 0xC7, 0xEA, 0xF7, 0x4C, 0x11, 0x33,
241 0x03, 0xA2, 0xAC, 0x60
242};
243// FO and FE are helpers for key schedule
244
245// r = FO( p, k ) ^ x
246
247static void aria_fo( uint32_t r[4],
248 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
249{
250 uint32_t a, b, c, d;
251 uint32_t t, u, v;
252
253 a = p[0] ^ k[0];
254 b = p[1] ^ k[1];
255 c = p[2] ^ k[2];
256 d = p[3] ^ k[3];
257
258 ARIA_SLA( a, b, c, d, aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v );
259
260 r[0] = a ^ x[0];
261 r[1] = b ^ x[1];
262 r[2] = c ^ x[2];
263 r[3] = d ^ x[3];
264}
265
266// r = FE( p, k ) ^ x
267
268static void aria_fe(uint32_t r[4],
269 const uint32_t p[4], const uint32_t k[4], const uint32_t x[4] )
270{
271 uint32_t a, b, c, d;
272 uint32_t t, u, v;
273
274 a = p[0] ^ k[0];
275 b = p[1] ^ k[1];
276 c = p[2] ^ k[2];
277 d = p[3] ^ k[3];
278
279 ARIA_SLA( a, b, c, d, aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v );
280
281 r[0] = a ^ x[0];
282 r[1] = b ^ x[1];
283 r[2] = c ^ x[2];
284 r[3] = d ^ x[3];
285}
286
287// Big endian 128-bit rotation: d = a ^ (b <<< n), used only in key setup.
288// This is relatively slow since our implementation is geared towards
289// little-endian targets and stores state in that order.
290
291static void aria_rot128(uint32_t r[4], const uint32_t a[4],
292 const uint32_t b[4], int n)
293{
294 int i, j, n1, n2;
295 uint32_t t, u;
296
297 j = (n >> 5) & 3; // word offset
298 n1 = n & 0x1F; // bit offsets
299 n2 = 32 - n1; // n1 should be nonzero!
300 t = ARIA_FLIP1( ARIA_FLIP2( b[j] ) ); // big endian
301 for( i = 0; i < 4; i++ )
302 {
303 j = (j + 1) & 3; // get next word, big endian
304 u = ARIA_FLIP1( ARIA_FLIP2( b[j] ) );
305 t <<= n1; // rotate
306 if (n2 < 32) // intel rotate 32 bits = 0 bits..
307 t |= u >> n2;
308 t = ARIA_FLIP1( ARIA_FLIP2( t ) ); // back to little endian
309 r[i] = a[i] ^ t; // store
310 t = u; // move to next word
311 }
312}
313
314// Set encryption key
315
316int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
317 const unsigned char *key, unsigned int keybits)
318{
319 // round constant masks
320 const uint32_t rc[3][4] =
321 {
322 { 0xB7C17C51, 0x940A2227, 0xE8AB13FE, 0xE06E9AFA },
323 { 0xCC4AB16D, 0x20C8219E, 0xD5B128FF, 0xB0E25DEF },
324 { 0x1D3792DB, 0x70E92621, 0x75972403, 0x0EC9E804 }
325 };
326
327 int i;
328 uint32_t w[4][4], *w2;
329
330 if (keybits != 128 && keybits != 192 && keybits != 256)
331 return MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH;
332
333 // W0 = KL
334 GET_UINT32_LE( w[0][0], key, 0 ); // copy key to W0 | W1
335 GET_UINT32_LE( w[0][1], key, 4 );
336 GET_UINT32_LE( w[0][2], key, 8 );
337 GET_UINT32_LE( w[0][3], key, 12 );
338
339 memset(w[1], 0, 16);
340 if( keybits >= 192 )
341 {
342 GET_UINT32_LE( w[1][0], key, 16 ); // 192 bit key
343 GET_UINT32_LE( w[1][1], key, 20 );
344 }
345 if( keybits == 256 )
346 {
347 GET_UINT32_LE( w[1][2], key, 24 ); // 256 bit key
348 GET_UINT32_LE( w[1][3], key, 28 );
349 }
350
351 i = (keybits - 128) >> 6; // index: 0, 1, 2
352 ctx->nr = 12 + 2 * i; // no. rounds: 12, 14, 16
353
354 aria_fo( w[1], w[0], rc[i], w[1] ); // W1 = FO(W0, CK1) ^ KR
355 i = i < 2 ? i + 1 : 0;
356 aria_fe( w[2], w[1], rc[i], w[0] ); // W2 = FE(W1, CK2) ^ W0
357 i = i < 2 ? i + 1 : 0;
358 aria_fo( w[3], w[2], rc[i], w[1] ); // W3 = FO(W2, CK3) ^ W1
359
360 for( i = 0; i < 4; i++ ) // create round keys
361 {
362 w2 = w[(i + 1) & 3];
363 aria_rot128( ctx->rk[i ], w[i], w2, -19);
364 aria_rot128( ctx->rk[i + 4], w[i], w2, -31);
365 aria_rot128( ctx->rk[i + 8], w[i], w2, 61);
366 aria_rot128( ctx->rk[i + 12], w[i], w2, 31);
367 }
368 aria_rot128( ctx->rk[16], w[0], w[1], 19 );
369
370 return 0;
371}
372
373// Set decryption key
374
375int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
376 const unsigned char *key, unsigned int keybits)
377{
378 int i, j, k, ret;
379 uint32_t t, u, v;
380
381 ret = mbedtls_aria_setkey_enc( ctx, key, keybits );
382 if( ret != 0 )
383 return ret;
384
385 // flip the order of round keys
386 for( i = 0, j = ctx->nr; i < j; i++, j-- )
387 {
388 for( k = 0; k < 4; k++ )
389 {
390 t = ctx->rk[i][k];
391 ctx->rk[i][k] = ctx->rk[j][k];
392 ctx->rk[j][k] = t;
393 }
394 }
395
396 // apply affine transform to middle keys
397 for (i = 1; i < ctx->nr; i++ )
398 {
399 ARIA_A( ctx->rk[i][0], ctx->rk[i][1], ctx->rk[i][2], ctx->rk[i][3],
400 t, u, v );
401 }
402
403 return 0;
404}
405
406// Encrypt a block
407
408int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
409 int mode,
410 const unsigned char input[16],
411 unsigned char output[16] )
412{
413 int i;
414
415 uint32_t a, b, c, d;
416 uint32_t t, u, v;
417
418 ( (void) mode );
419
420 GET_UINT32_LE( a, input, 0 );
421 GET_UINT32_LE( b, input, 4 );
422 GET_UINT32_LE( c, input, 8 );
423 GET_UINT32_LE( d, input, 12 );
424
425 i = 0;
426 while (1)
427 {
428 a ^= ctx->rk[i][0];
429 b ^= ctx->rk[i][1];
430 c ^= ctx->rk[i][2];
431 d ^= ctx->rk[i][3];
432 i++;
433 ARIA_SLA( a, b, c, d,
434 aria_sb1, aria_sb2, aria_is1, aria_is2, t, u, v );
435
436 a ^= ctx->rk[i][0];
437 b ^= ctx->rk[i][1];
438 c ^= ctx->rk[i][2];
439 d ^= ctx->rk[i][3];
440 i++;
441 if (i >= ctx->nr)
442 break;
443
444 ARIA_SLA( a, b, c, d,
445 aria_is1, aria_is2, aria_sb1, aria_sb2, t, u, v );
446 }
447
448 // final substitution
449
450 a = ctx->rk[i][0] ^
451 ( (uint32_t) aria_is1[ a & 0xFF]) ^
452 (((uint32_t) aria_is2[(a >> 8) & 0xFF]) << 8) ^
453 (((uint32_t) aria_sb1[(a >> 16) & 0xFF]) << 16) ^
454 (((uint32_t) aria_sb2[ a >> 24 ]) << 24);
455
456 b = ctx->rk[i][1] ^
457 ( (uint32_t) aria_is1[ b & 0xFF]) ^
458 (((uint32_t) aria_is2[(b >> 8) & 0xFF]) << 8) ^
459 (((uint32_t) aria_sb1[(b >> 16) & 0xFF]) << 16) ^
460 (((uint32_t) aria_sb2[ b >> 24 ]) << 24);
461
462 c = ctx->rk[i][2] ^
463 ( (uint32_t) aria_is1[ c & 0xFF]) ^
464 (((uint32_t) aria_is2[(c >> 8) & 0xFF]) << 8) ^
465 (((uint32_t) aria_sb1[(c >> 16) & 0xFF]) << 16) ^
466 (((uint32_t) aria_sb2[ c >> 24 ]) << 24);
467
468 d = ctx->rk[i][3] ^
469 ( (uint32_t) aria_is1[ d & 0xFF]) ^
470 (((uint32_t) aria_is2[(d >> 8) & 0xFF]) << 8) ^
471 (((uint32_t) aria_sb1[(d >> 16) & 0xFF]) << 16) ^
472 (((uint32_t) aria_sb2[ d >> 24 ]) << 24);
473
474 PUT_UINT32_LE( a, output, 0 );
475 PUT_UINT32_LE( b, output, 4 );
476 PUT_UINT32_LE( c, output, 8 );
477 PUT_UINT32_LE( d, output, 12 );
478
479 return 0;
480}
481
482
483
484#if defined(MBEDTLS_CIPHER_MODE_CBC)
485/*
486 * ARIA-CBC buffer encryption/decryption
487 */
488int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
489 int mode,
490 size_t length,
491 unsigned char iv[16],
492 const unsigned char *input,
493 unsigned char *output )
494{
495 int i;
496 unsigned char temp[16];
497
498 if( length % 16 )
499 return( MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH );
500
501 if( mode == MBEDTLS_ARIA_DECRYPT )
502 {
503 while( length > 0 )
504 {
505 memcpy( temp, input, 16 );
506 mbedtls_aria_crypt_ecb( ctx, mode, input, output );
507
508 for( i = 0; i < 16; i++ )
509 output[i] = (unsigned char)( output[i] ^ iv[i] );
510
511 memcpy( iv, temp, 16 );
512
513 input += 16;
514 output += 16;
515 length -= 16;
516 }
517 }
518 else
519 {
520 while( length > 0 )
521 {
522 for( i = 0; i < 16; i++ )
523 output[i] = (unsigned char)( input[i] ^ iv[i] );
524
525 mbedtls_aria_crypt_ecb( ctx, mode, output, output );
526 memcpy( iv, output, 16 );
527
528 input += 16;
529 output += 16;
530 length -= 16;
531 }
532 }
533
534 return( 0 );
535}
536#endif /* MBEDTLS_CIPHER_MODE_CBC */
537
538#if defined(MBEDTLS_CIPHER_MODE_CFB)
539/*
540 * ARIA-CFB128 buffer encryption/decryption
541 */
542int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
543 int mode,
544 size_t length,
545 size_t *iv_off,
546 unsigned char iv[16],
547 const unsigned char *input,
548 unsigned char *output )
549{
550 int c;
551 size_t n = *iv_off;
552
553 if( mode == MBEDTLS_ARIA_DECRYPT )
554 {
555 while( length-- )
556 {
557 if( n == 0 )
558 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
559
560 c = *input++;
561 *output++ = (unsigned char)( c ^ iv[n] );
562 iv[n] = (unsigned char) c;
563
564 n = ( n + 1 ) & 0x0F;
565 }
566 }
567 else
568 {
569 while( length-- )
570 {
571 if( n == 0 )
572 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, iv, iv );
573
574 iv[n] = *output++ = (unsigned char)( iv[n] ^ *input++ );
575
576 n = ( n + 1 ) & 0x0F;
577 }
578 }
579
580 *iv_off = n;
581
582 return( 0 );
583}
584#endif /* MBEDTLS_CIPHER_MODE_CFB */
585
586#if defined(MBEDTLS_CIPHER_MODE_CTR)
587/*
588 * ARIA-CTR buffer encryption/decryption
589 */
590int mbedtls_aria_crypt_ctr( mbedtls_aria_context *ctx,
591 size_t length,
592 size_t *nc_off,
593 unsigned char nonce_counter[16],
594 unsigned char stream_block[16],
595 const unsigned char *input,
596 unsigned char *output )
597{
598 int c, i;
599 size_t n = *nc_off;
600
601 while( length-- )
602 {
603 if( n == 0 ) {
604 mbedtls_aria_crypt_ecb( ctx, MBEDTLS_ARIA_ENCRYPT, nonce_counter,
605 stream_block );
606
607 for( i = 16; i > 0; i-- )
608 if( ++nonce_counter[i - 1] != 0 )
609 break;
610 }
611 c = *input++;
612 *output++ = (unsigned char)( c ^ stream_block[n] );
613
614 n = ( n + 1 ) & 0x0F;
615 }
616
617 *nc_off = n;
618
619 return( 0 );
620}
621#endif /* MBEDTLS_CIPHER_MODE_CTR */
622#endif /* !MBEDTLS_ARIA_ALT */
623
624#if defined(MBEDTLS_SELF_TEST)
625
626/*
627 * Checkup routine
628 */
629
630int mbedtls_aria_self_test( int verbose )
631{
632 // ECB test vectors from RFC 5794
633
634 const uint8_t aria_ecb_test_key[32] = // test key
635 {
636 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 128 bit
637 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
638 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, // 192 bit
639 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F // 256 bit
640 };
641 const uint8_t aria_ecb_test_pt[16] = // plaintext
642 {
643 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, // same for all
644 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // key sizes
645 };
646 const uint8_t aria_ecb_test_ct[3][16] = // ciphertext
647 {
648 { 0xD7, 0x18, 0xFB, 0xD6, 0xAB, 0x64, 0x4C, 0x73, // 128 bit
649 0x9D, 0xA9, 0x5F, 0x3B, 0xE6, 0x45, 0x17, 0x78 }
650 ,
651 { 0x26, 0x44, 0x9C, 0x18, 0x05, 0xDB, 0xE7, 0xAA, // 192 bit
652 0x25, 0xA4, 0x68, 0xCE, 0x26, 0x3A, 0x9E, 0x79 }
653 ,
654 { 0xF9, 0x2B, 0xD7, 0xC7, 0x9F, 0xB7, 0x2E, 0x2F, // 256 bit
655 0x2B, 0x8F, 0x80, 0xC1, 0x97, 0x2D, 0x24, 0xFC }
656 };
657
658 int i;
659 uint8_t blk[16];
660 mbedtls_aria_context ctx;
661
662 for( i = 0; i < 3; i++ )
663 {
664 // test encryption
665 if( verbose )
666 printf( " ARIA-ECB-%d (enc): ", 128 + 64 * i);
667
668 mbedtls_aria_setkey_enc( &ctx, aria_ecb_test_key, 128 + 64 * i );
669 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_ENCRYPT,
670 aria_ecb_test_pt, blk );
671
672 if( memcmp( blk, aria_ecb_test_ct[i], 16 ) != 0 )
673 {
674 if( verbose )
675 printf( "failed\n" );
676 return( 1 );
677 }
678 if( verbose )
679 printf( "passed\n" );
680
681 // test decryption
682
683 if( verbose )
684 printf( " ARIA-ECB-%d (dec): ", 128 + 64 * i);
685
686 mbedtls_aria_setkey_dec( &ctx, aria_ecb_test_key, 128 + 64 * i );
687 mbedtls_aria_crypt_ecb( &ctx, MBEDTLS_ARIA_DECRYPT,
688 aria_ecb_test_ct[i], blk );
689
690 if (memcmp( blk, aria_ecb_test_pt, 16 ) != 0)
691 {
692 if( verbose )
693 printf( "failed\n" );
694 return( 1 );
695 }
696 if( verbose )
697 printf( "passed\n" );
698 }
699 printf("\n");
700
701 return( 0 );
702}
703
704#endif /* MBEDTLS_SELF_TEST */
705
706#endif /* MBEDTLS_ARIA_C */